
Solved: Serious Hidden Virus Infection

#1 ·
Dear Techguy,
Please can you help? My PC is infected with a hidden virus program that is slowing my broadband connection speed and also appears to be seizing control of my computer.
A few days ago I used SpyBot to quarantine the Zlob Video ActiveX Object virus, along with Microsoft Security Centre AntiVirus Override, News Update, Pest Trap, Spyware Bot and Wild Tangent. I also removed a program named 'Antivermins' from Add and Remove Programs in Control Panel. I am left with a flashing ? in the taskbar, and every so often I am warned that my PC is infected with spyware and that I should download anti-spyware removal tools; then the page is redirected to a web page called AntiVermins. I have exhausted many forums trying to see if others have had similar problems, but really without much success. I will appreciate any help you can offer before desperation finally resorts to a reformat.
Kind regards
Ron.
I have listed my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 03:05:58, on 09/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\A4Tech\Mouse\Amoumain.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\DRIVERS\WtSrv.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\system32\WService.EXE
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\101Clips\101clips.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Ron Beal\Desktop\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DeskalertsBHO - {65E03378-E22E-4f50-BE9D-588A889B24C9} - D:\Program Files\DeskAlerts\deskbar.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WheelMouse] "D:\Program Files\A4Tech\Mouse\Amoumain.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 101clips.lnk = D:\Program Files\101Clips\101clips.exe
O4 - Global Startup: e-phone.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165439466093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170889365671
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - D:\WINDOWS\system32\cwgppb.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - D:\WINDOWS\system32\DRIVERS\WtSrv.exe
 
#2 ·
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
=============================

Download Superantispyware

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions; click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
      ◦ Close browsers before scanning
      ◦ Scan for tracking cookies
      ◦ Terminate memory threats before quarantining.
      ◦ Please leave the others unchecked.
      ◦ Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and, if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
      ◦ After reboot, double-click the SUPERAntiSpyware icon on your desktop.
      ◦ Click Preferences. Click the Statistics/Logs tab.
      ◦ Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      ◦ It will open in your default text editor (such as Notepad/Wordpad).
      ◦ Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.
 
#3 ·
Dear MFDnSC,
Thank you very much for your kind help. I have followed your instructions to the letter, and it would appear the virus has been removed, except that my computer is still running really slowly, especially compared to the speed it would normally go, bearing in mind I have a very fast setup: double core 3.06 GHz processor, 1GB RAM, Nvidia graphics card; my operating system is a validated original Windows XP, and I am even using 10MG blueyonder broadband. I thought that when all traces of the virus were eliminated the computer would revert to full speed again, but not so. I don't know whether you can perhaps throw any light on this problem. Your help is appreciated. I have enclosed copies of the three logs as suggested.
Kind regards
Ron Beal

Logfile of HijackThis v1.99.1
Scan saved at 17:02:59, on 09/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\system32\DRIVERS\WtSrv.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\A4Tech\Mouse\Amoumain.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\WService.EXE
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\101Clips\101clips.exe
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Ron Beal\Desktop\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DeskalertsBHO - {65E03378-E22E-4f50-BE9D-588A889B24C9} - D:\Program Files\DeskAlerts\deskbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WheelMouse] "D:\Program Files\A4Tech\Mouse\Amoumain.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: 101clips.lnk = D:\Program Files\101Clips\101clips.exe
O4 - Global Startup: e-phone.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165439466093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170889365671
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WinTab Service (WinTabService) - Unknown owner - D:\WINDOWS\system32\DRIVERS\WtSrv.exe

SmitFraudFix v2.141

Scan done at 15:38:59.09, 09/02/2007
Run from D:\Documents and Settings\Ron Beal\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"

[HKEY_CLASSES_ROOT\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32]
@="D:\WINDOWS\system32\cwgppb.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32]
@="D:\WINDOWS\system32\cwgppb.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

D:\WINDOWS\system32\cwgppb.dll -> Hoax.Win32.Renos.gen.i
D:\WINDOWS\system32\cwgppb.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

D:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
D:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
D:\DOCUME~1\RONBEA~1\FAVORI~1\Online Security Test.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

SUPERAntiSpyware Scan Log
Generated 02/09/2007 at 04:47 PM

Application Version : 3.5.1016

Core Rules Database Version : 3181
Trace Rules Database Version: 1191

Scan type : Complete Scan
Total Scan Time : 00:50:28

Memory items scanned : 382
Memory threats detected : 0
Registry items scanned : 6346
Registry threats detected : 0
File items scanned : 59476
File threats detected : 28

Adware.Tracking Cookie
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@banner.eurogrand[2].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@revsci[3].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@sitestats.tiscali.co[3].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@www.virginmedia[2].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@virginmedia[2].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@ad.uk.tangozebra[2].txt
C:\Documents and Settings\Ron Beal\Cookies\ron beal@a.websponsors[1].txt
C:\Documents and Settings\Ron Beal\Cookies\ron beal@ad.yieldmanager[1].txt
C:\Documents and Settings\Ron Beal\Cookies\ron beal@adbrite[2].txt
C:\Documents and Settings\Ron Beal\Cookies\ron beal@clicktorrent[1].txt
C:\Documents and Settings\Ron Beal\Cookies\ron beal@cts.metricsdirect[1].txt
C:\Documents and Settings\Ron Beal\Cookies\ron beal@indextools[2].txt
C:\Documents and Settings\Ron Beal\Cookies\ron beal@saletrack.co[1].txt
C:\Documents and Settings\Ron Beal\Cookies\ron beal@tracking.dc-storm[1].txt
C:\Documents and Settings\Ron Beal\Local Settings\Temp\Cookies\ron beal@revsci[2].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@ad.uk.tangozebra[1].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@banner.eurogrand[1].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@revsci[2].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@sitestats.tiscali.co[1].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@virginmedia[1].txt
D:\Documents and Settings\Ron Beal\Cookies\ron_beal@www.virginmedia[1].txt

Adware.Casino Games (Golden Palace Casino)
D:\PROGRAM FILES\ZONE.COM DELUXE GAMES\HARD ROCK CASINO DELUXE\CASINO.EXE
C:\DOCUMENTS AND SETTINGS\RON BEAL\DESKTOP\GAMES\HARD ROCK CASINO DELUXE.LNK
C:\PROGRAM FILES\ZONE.COM DELUXE GAMES\HARD ROCK CASINO DELUXE\CASINO.EXE
D:\DOCUMENTS AND SETTINGS\RON BEAL\DESKTOP\PROGRAMS 1\GAMES\HARD ROCK CASINO DELUXE.LNK

Adware.180solutions/Seekmo
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP32\A0004866.DLL

Malware.SpywareBot
D:\DOCUMENTS AND SETTINGS\RON BEAL\DESKTOP\MY DOWNLOADS\SPYWAREBOT.EXE

Trojan Downloader-SystemAlert.Process
D:\SYSTEM VOLUME INFORMATION\_RESTORE{0111E087-EF1C-4B01-96EE-B82E0D0BBC3B}\RP107\A0019950.DLL
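As an added illustration (not part of the thread, and not a tool the helper used), a small Python triage script for HijackThis logs like the two above: it flags the entry shapes that matter in this case, an O4 autorun with a bare file name (WService.EXE), an O21 SSODL whose display name does not match its DLL (exemplars / cwgppb.dll), an orphaned BHO, an unresolved startup shortcut and a service with no publisher, and it diffs two logs to show what the cleanup removed. The log excerpts are constructed from entries quoted in this thread; the rules are heuristics that mark entries for review, not verdicts.

```python
"""Triage and diff helpers for HijackThis v1.99-style logs (added example, not from the thread)."""
from __future__ import annotations
import re

# Constructed excerpt of the O2/O4/O21/O23 entries from the first log in this thread.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - Global Startup: e-phone.lnk = ?
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - D:\WINDOWS\system32\cwgppb.dll
O23 - Service: WinTab Service (WinTabService) - Unknown owner - D:\WINDOWS\system32\DRIVERS\WtSrv.exe
"""

# Constructed excerpt of the same sections from the log posted after SmitfraudFix had run.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKCU\..\Run: [SUPERAntiSpyware] "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: e-phone.lnk = ?
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: WinTab Service (WinTabService) - Unknown owner - D:\WINDOWS\system32\DRIVERS\WtSrv.exe
"""

ENTRY_RE = re.compile(r"^[RO]\d+ - ")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (.+?) - \{[0-9A-Fa-f-]+\} - (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


def entries(log: str) -> list[str]:
    """Return the HijackThis entry lines (R0/R1/O2/O4/...), dropping headers and blanks."""
    return [ln.strip() for ln in log.splitlines() if ENTRY_RE.match(ln.strip())]


def first_token(command: str) -> str:
    """Executable part of an O4 command: the quoted path, or the first whitespace-separated word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log: str) -> list[tuple[str, str]]:
    """Apply the review heuristics; return (reason, entry) pairs for entries worth a second look."""
    findings: list[tuple[str, str]] = []
    for entry in entries(log):
        m = RUN_RE.match(entry)
        if m:
            exe = first_token(m.group(3))
            # A bare file name is resolved through the search path at logon, so the log
            # does not tell you which binary actually runs; WService.EXE in this thread.
            if "\\" not in exe and "/" not in exe:
                findings.append(("autorun with bare executable name, no directory", entry))
            continue
        m = STARTUP_RE.match(entry)
        if m and m.group(2).strip() == "?":
            findings.append(("startup shortcut whose target could not be resolved", entry))
            continue
        if entry.startswith("O2 - BHO:") and entry.endswith("(no file)"):
            findings.append(("BHO registration whose DLL is missing (orphan)", entry))
            continue
        m = SSODL_RE.match(entry)
        if m:
            # Legitimate shell service objects are normally named after their DLL;
            # "exemplars" loading cwgppb.dll is the Renos entry SmitfraudFix removed.
            name, dll = m.group(1), m.group(2)
            stem = dll.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if name.lower() not in stem.lower() and stem.lower() not in name.lower():
                findings.append(("SSODL display name does not match its DLL name", entry))
            continue
        m = SERVICE_RE.match(entry)
        if m and m.group(2) == "Unknown owner":
            findings.append(("service with no publisher information", entry))
    return findings


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries removed and entries added between two logs, each in original order."""
    b, a = entries(before), entries(after)
    before_set, after_set = set(b), set(a)
    return [e for e in b if e not in after_set], [e for e in a if e not in before_set]


if __name__ == "__main__":
    for reason, entry in triage(LOG_BEFORE):
        print(f"[{reason}] {entry}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed after the fix:", *removed, sep="\n  ")
    print("added after the fix:", *added, sep="\n  ")
```

Running the diff against the later log in this thread would also show the WService autorun disappearing once it was fixed with HijackThis, which is how a helper confirms each step actually took effect.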
 
#4 ·
I've been thinking that perhaps I should have mentioned that I have two operating systems, which I have had for quite some time now, and until this virus situation a few days ago all has been well with both systems. I have partitioned my hard drive and have XP Pro on the C drive, which is a free student copy used solely by my son for his studies, and XP Home on the D drive, which is used solely by me. I make quite certain nothing is saved onto the C drive when I'm using the D drive and vice versa, just so there could be no conflicts between the two operating systems. XP Pro on the C drive still goes like lightning. Also, we have a laptop connected by a Netgear wireless router which doesn't appear to be compromised either.
 
#5 ·
IE - Block Third party cookies
1. Click on the Tools button on the Internet Explorer tool bar.
2. Highlight and click on Internet options at the bottom of the Tools menu.
3. Select the Privacy Tab of the Internet Options menu.
4. Select the Advanced... button at the bottom of the screen.
5. Select override automatic cookie handling button.
6. To block third party cookies select block under "Third-party cookies".
7. Select "always allow session cookies".
8. Click on the OK button at the bottom of the screen.
====================
Download EasyCleaner http://www.majorgeeks.com/download414.html

Use the Clear Files and Unnecessary Files buttons – I do not recommend using the Duplicate Files button, as many dupes are there on purpose.

Not all files will delete – that is normal.

In the unnecessary button I check the top 4 entries
===========================
Go ahead and remove SuperAntiSpy since you have SpySweeper

=================
Clean

If you feel it is fixed, mark it solved via Thread Tools above

Turn off restore points, boot, turn them back on – here’s how

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam
 
#6 ·
The helpful advice provided by 'MFDnSC' in eliminating the infections has been so very much appreciated. Thank you so very much. The last piece of advice has positively helped my PC run considerably faster, but still nowhere near what it was. To give you an idea: I click on the Google web page and it is still taking around 20 seconds before it opens. Once open, some sites will connect faster than others, but realising I have a 10Mg connection, something is still amiss somewhere, and it has only slowed since my PC became infected.
Regards
ronbeal
 
#7 ·
I missed one

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [WService] WService.EXE

Download http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

D:\WINDOWS\system32\WService.EXE

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot

Run ActiveScan online virus scan

http://www.pandasoftware.com/products/activescan.htm

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Post a new HiJackThis log along with the results from ActiveScan

Please give feedback on what worked/didn’t work and the current status of your system
 
#8 ·
Hello again, I'm a little unsure of these latest instructions, in that first you suggested I should fix 'THESE' with HijackThis. I assume you meant just to fix the one line: O4 - HKLM\..\Run: [WService] WService.EXE. Then you went on to say that in safe mode, opening the program Killbox, I am to delete D:\WINDOWS\system32\WService.EXE after pasting it into the "full path of file to delete" box, but then you say I should continue with the same procedure until I have copied and pasted all of these. I don't understand what is meant by this; I only see the one file to delete, which is D:\WINDOWS\system32\WService.EXE. I then went on to press START - RUN - type in %temp% - OK - Edit - Select all - File - Delete, still in safe mode. I restarted the PC, then tried to get back to you to verify the instructions, and found that what I had done so far was making it even more difficult to access the net. Up to this point I've not yet run the ActiveScan.
Regards
ronbeal
 
#10 ·
Hi, it's me again. I have completed the Panda online scan, which incidentally took nearly two hours to complete. I am totally amazed at the vast number of infected files it found in the C drive; these would appear to be system files which have been identified as viruses, so I'm unsure about them. My PC is running just as slow as before with little or no improvement in browsing speed. The HijackThis log and Panda log are as follows.
Regards
ronbeal

Logfile of HijackThis v1.99.1
Scan saved at 02:25:30, on 12/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\A4Tech\Mouse\Amoumain.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\101Clips\101clips.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
D:\Documents and Settings\Ron Beal\Desktop\Programs 1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DeskalertsBHO - {65E03378-E22E-4f50-BE9D-588A889B24C9} - D:\Program Files\DeskAlerts\deskbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WheelMouse] "D:\Program Files\A4Tech\Mouse\Amoumain.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: 101clips.lnk = D:\Program Files\101Clips\101clips.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165439466093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170889365671
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
#11 ·
Panda log much too long for post, so I have had to post it in two parts.

Incident Status Location

Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Ron Beal\Cookies\ron beal@anm.co[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Ron Beal\Cookies\ron beal@tucows[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ron Beal\Local Settings\Temp\Cookies\ron beal@com[1].txt
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000058.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000061.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000073.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000089.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000093.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000094.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000099.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000100.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000108.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000109.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000113.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000114.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000116.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000134.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000136.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000140.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000166.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000172.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000180.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000184.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000187.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000190.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000191.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000192.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000193.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000194.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000195.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000196.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000197.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000198.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000199.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000200.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000201.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000202.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000203.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000204.EXE
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000205.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000206.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000208.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000209.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000210.EXE
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000211.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000212.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000213.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000214.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000215.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000216.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000217.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000218.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000219.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000220.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000221.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000222.exe
 
#12 ·
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000224.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000225.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000226.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000227.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000228.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000229.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000230.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000231.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000232.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000233.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000234.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000235.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000236.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000242.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000244.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000245.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000246.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000247.EXE
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000248.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000254.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000282.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000293.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000307.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000309.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000310.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000311.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000312.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000313.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000314.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000315.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000316.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000318.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000326.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000327.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000328.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000329.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000330.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000331.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000332.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000333.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000351.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000355.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000358.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000359.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000360.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000361.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000362.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000363.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000364.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000365.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000366.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000367.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000439.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000446.exe
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004836.exe[YazzleBundle-1461.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004836.exe[YazzleBundle-1461.exe][¦++\Yazzle1461OinAdmin.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004837.exe[YazzleBundle-1461.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004837.exe[YazzleBundle-1461.exe][¦++\Yazzle1461OinAdmin.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004838.exe[YazzleBundle-1461.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004838.exe[YazzleBundle-1461.exe][¦++\Yazzle1461OinAdmin.exe]
Virus:Trj/Lineage.BSJ Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004859.exe
Adware:Adware/Zango Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP32\A0004865.exe
Adware:Adware/Seekmo Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP32\A0004867.exe
Adware:Adware/Zango Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP32\A0004871.dll
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Ron Beal\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 02-09-2007 - 16-55-17\{D92FB38F-A6CE-491A-A8F7-44E08EAA3DA3}
Potentially unwanted tool:Application/Processor Not disinfected D:\Documents and Settings\Ron Beal\Desktop\Programs 1\Protection Software\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\WINDOWS\system32\Process.exe
 
#13 ·
Fix this

O2 - BHO: DeskalertsBHO - {65E03378-E22E-4f50-BE9D-588A889B24C9} - D:\Program Files\DeskAlerts\deskbar.dll

delete this folder

D:\Program Files\DeskAlerts
=================
Turn off restore points, boot, turn them back on – here’s how

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam
====================
DownLoad EasyCleaner http://www.majorgeeks.com/download414.html

Use the Clear Files and Unnecessary Files buttons – I do not recommend using the Duplicate Files button, as many dupes are there on purpose.

Not all files will delete – that is normal.

In the unnecessary button I check the top 4 entries
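The Panda report posted above places almost every W32/Virutas.B hit under System Volume Information\_restore, which is what the "turn off restore points" step addresses: those are System Restore snapshots, not files running on the system. As an added example (not from the thread, from Panda or from any tool named in it), this Python parser reads rows in the report's Incident / Status / Location layout and sorts them by where they live; the sample rows are constructed to mirror the posted log, and the bucket names (restore_point, quarantine, cookie, live) are my own.

```python
"""Triage a Panda ActiveScan report in the Incident / Status / Location layout."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the posted report's format (a subset that mirrors the
# log in this thread, not the full report).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Ron Beal\Cookies\ron beal@anm.co[2].txt
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP2\A0000058.exe
Virus:W32/Virutas.B Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP3\A0000208.exe
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004836.exe[YazzleBundle-1461.exe]
Virus:Trj/Lineage.BSJ Disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004859.exe
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Ron Beal\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 02-09-2007 - 16-55-17\{D92FB38F-A6CE-491A-A8F7-44E08EAA3DA3}
Potentially unwanted tool:Application/Processor Not disinfected D:\WINDOWS\system32\Process.exe
"""

# A row is "<incident> <status> <drive-letter path>". The incident itself may
# contain spaces ("Potentially unwanted tool:..."), so the status keyword is
# the anchor and the incident is matched non-greedily up to it.
ROW_RE = re.compile(
    r"^(?P<incident>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+"
    r"(?P<location>[A-Za-z]:\\.*)$"
)
# System Restore keeps copies of replaced files under this tree; a scanner hit
# here is an old snapshot, which is why clearing restore points removes it.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\"
)


@dataclass
class Detection:
    category: str            # "Virus", "Adware", "Spyware", ...
    name: str                # "W32/Virutas.B", "Cookie/NewMedia", ...
    status: str              # "Disinfected" or "Not disinfected"
    location: str
    where: str               # restore_point | quarantine | cookie | live
    restore_point: Optional[str]


def classify_location(path: str) -> Tuple[str, Optional[str]]:
    """Bucket a reported path; returns (bucket, restore point id or None)."""
    m = RESTORE_RE.search(path)
    if m:
        return "restore_point", m.group(1)
    if "\\Quarantine\\" in path:
        return "quarantine", None   # already isolated by another tool
    if "\\Cookies\\" in path:
        return "cookie", None       # tracking cookie, contains no code
    return "live", None             # a file still present on the running system


def parse_report(text: str) -> List[Detection]:
    """Parse report rows; header, blank and unparseable lines are skipped."""
    dets = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        category, _, name = m["incident"].partition(":")
        where, rp = classify_location(m["location"])
        dets.append(Detection(category, name, m["status"], m["location"], where, rp))
    return dets


def triage(text: str) -> dict:
    """Summarise a report: counts per bucket/status/name, and what is still live."""
    dets = parse_report(text)
    return {
        "total": len(dets),
        "by_location": Counter(d.where for d in dets),
        "by_status": Counter(d.status for d in dets),
        "by_name": Counter(d.name for d in dets),
        "restore_points": sorted({d.restore_point for d in dets if d.restore_point},
                                 key=lambda rp: int(rp[2:])),
        "live": [d for d in dets if d.where == "live"],
    }


if __name__ == "__main__":
    s = triage(SAMPLE_REPORT)
    print(f"{s['total']} detections: {dict(s['by_location'])}")
    print("restore points holding hits:", ", ".join(s["restore_points"]))
    for d in s["live"]:
        print("still on disk:", d.category, d.name, d.status, d.location)
```

Only the "live" bucket needs a decision on the running system; everything under _restore goes away with the restore-point step, and quarantine entries are another tool's already-isolated copies.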
 
#14 ·
I am grateful for your help. You have exercised such patience trying to fix my PC. Indeed you are most kind. Unfortunately, no matter what I try at the moment, nothing seems to be improving the speed. If you can of course think of anything else that may have been missed which could be causing this ridiculous problem, I will be very grateful to follow further instructions. I realise by now you are probably completely fed up with me and likely be glad to see the back of me. Regrettably I am somewhat reluctant to resort to a re-format of the system, mainly because there's so much important data and programs that I didn't keep copies of, and would now very likely get overlooked trying to back up the system before a re-format.
kind regards
ronbeal
 
#16 ·
Hi MFDnSC,
Again my appreciation for your continued support.
kind regards
ronbeal :

Logfile of HijackThis v1.99.1
Scan saved at 04:26:00, on 14/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\A4Tech\Mouse\Amoumain.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\101Clips\101clips.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Webroot\Spy Sweeper\SSU.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Ron Beal\Desktop\Programs 1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [AVG7_CC] "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WheelMouse] "D:\Program Files\A4Tech\Mouse\Amoumain.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: 101clips.lnk = D:\Program Files\101Clips\101clips.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165439466093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170889365671
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - D:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Incident Status Location

Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Ron Beal\Cookies\ron beal@anm.co[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Ron Beal\Cookies\ron beal@tucows[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ron Beal\Local Settings\Temp\Cookies\ron beal@com[1].txt
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004836.exe[YazzleBundle-1461.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004836.exe[YazzleBundle-1461.exe][¦++\Yazzle1461OinAdmin.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004837.exe[YazzleBundle-1461.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004837.exe[YazzleBundle-1461.exe][¦++\Yazzle1461OinAdmin.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004838.exe[YazzleBundle-1461.exe]
Adware:Adware/PurityScan Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004838.exe[YazzleBundle-1461.exe][¦++\Yazzle1461OinAdmin.exe]
Adware:Adware/Zango Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP31\A0004839.exe
Adware:Adware/Zango Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP32\A0004865.exe
Adware:Adware/Zango Not disinfected C:\System Volume Information\_restore{6A70C330-E551-4DE7-9057-858E79AD50E3}\RP32\A0004871.dll
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Ron Beal\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 02-09-2007 - 16-55-17\{D92FB38F-A6CE-491A-A8F7-44E08EAA3DA3}
Potentially unwanted tool:Application/Processor Not disinfected D:\Documents and Settings\Ron Beal\Desktop\Programs 1\Protection Software\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\WINDOWS\system32\Process.exe
 
#18 ·
Hi MFDnSC,
I am delighted that I can tell you I have just discovered what has been causing this huge problem: "Internet Explorer 7". I have just installed "Mozilla Firefox" and to my astonishment my PC is now completely back to normal speed again. I can't imagine what caused IE7 to fail because it worked fine for ages. I will be contacting Microsoft in due course, and I will be expressing an opinion of IE7 in our daily newspapers.
As I said earlier I am immensely grateful for your kind help. Thank you.
kind regards
ronbeal