Solved: system infected with spyware/virus/trojans


dinok159

Thread Starter
Joined
Jul 1, 2007
Messages
5
Hi All,

I wish I was writing under happier circumstances but unfortunately I am not. Since last night my system has been taken over by various pop ups for the following: drivecleaner, privacy protector, helpyourpcnow, winantiviruspro, amaena.com, systemdoctor etc.

I have installed and run Spyware Doctor with anti virus which seems to pick them up, but when I reboot, everything is back again. I have attached a Spyware Doctor report and also the HijackThis report is below.

I hope someone can help!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:13:11 PM, on 7/1/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\MSTMON_S.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\BT Business Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\system32\cscript.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - C:\WINDOWS\ddesupport.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\System32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} (Stm Class) - http://affiliates.bookmaker.com/Iovation/StmOCXiovation.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O21 - SSODL: msole - {DC9709F3-7662-439F-B0A8-AEFB5B4DC98E} - C:\WINDOWS\msole.dll
O21 - SSODL: msdde - {F63565C4-ABDB-41CC-80C8-DB5F95EC5A8C} - C:\WINDOWS\msdde.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Business Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 7130 bytes
 

Joined
Sep 7, 2004
Messages
49,014
Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
· Restart your computer
· After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
· Instead of Windows loading as normal, the Advanced Options Menu should appear;
· Select the first option, to run Windows in Safe Mode, then press Enter.
· Choose your usual account.
· Open the extracted SDFix folder and double click RunThis.bat to start the script.
· Type Y to begin the cleanup process.
· It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
· Press any Key and it will restart the PC.
· When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
· Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
· Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
================
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new HijackThis log.

This will take some time!!!!!!!!
 

dinok159

Thread Starter
Joined
Jul 1, 2007
Messages
5
Hi, thanks for replying,

Before I follow your instructions, I noticed on another post you said that one guy's problem could be that he was running more than one AV. I'm only running one AV, but in my feeble efforts to try and solve this I have three spyware programs set up. Is this a problem?
 

dinok159

Thread Starter
Joined
Jul 1, 2007
Messages
5
Hi there,

I've done this first bit; here are the files. The dodgy icons have gone from my desktop.

SD Fix Report:

SDFix: Version 1.88

Run by David on Sun 07/01/2007 at 07:55 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\David\Desktop\Error Cleaner.url - Deleted
C:\Documents and Settings\David\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\David\Desktop\Privacy Protector.url - Deleted
C:\Documents and Settings\David\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\David\Desktop\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\David\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\ddesupport.dll - Deleted
C:\WINDOWS\main_uninstaller.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\msdde.dll - Deleted
C:\WINDOWS\msole.dll - Deleted
C:\WINDOWS\rs.txt - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\David\NetHood\travelinsurance on www.moneysupermarket.com\Desktop.ini
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

Listing User Accounts:


Administrator David Guest
HelpAssistant SUPPORT_388945a0


Finished


HJT report:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:02:18 PM, on 7/1/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\BT Business Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\MSTMON_S.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\David\Desktop\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\System32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} (Stm Class) - http://affiliates.bookmaker.com/Iovation/StmOCXiovation.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Business Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 6579 bytes
cheers for this.
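The helper in this thread reads the HijackThis log by eye: the HKCU start page pointing at gomyron.com, a BHO loaded from C:\WINDOWS\ddesupport.dll, and two O21 SSODL entries (msole.dll, msdde.dll) in the Windows root are the tells, and SDFix's report confirms exactly those files were removed. The script below is an added example (not from the thread, HijackThis or SDFix) that automates that triage: it parses HJT-style `Rn`/`On` entries, flags them with a few constructed heuristics, and diffs the first log against the post-SDFix log so the reviewer sees what disappeared and what appeared. The two embedded excerpts are constructed from lines that appear above; the `KNOWN_HOSTS` allow-list (the owner's bbc.co.uk home page) and the heuristics themselves are assumptions for illustration, not HijackThis rules.

```python
"""Triage helper for HijackThis-style logs: parse, flag, and diff before/after.

Added example for illustration; the heuristics and the log excerpts below are
constructed, not taken from HijackThis, SDFix or the forum helper.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# One HJT entry per line: "R0 - ..." or "O21 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# A .dll/.exe sitting directly in the Windows directory rather than in
# System32 or Program Files (assumed heuristic: legitimate hooks rarely live there).
WINROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.(?:dll|exe)$", re.IGNORECASE)
# Entry types whose last " - " field is the DLL that gets loaded into IE/Explorer.
HOOK_KINDS = {"O2", "O3", "O20", "O21", "O22"}
# Assumption: home/search page hosts the machine's owner actually configured.
KNOWN_HOSTS = {"www.bbc.co.uk"}


@dataclass(frozen=True)
class Entry:
    kind: str
    body: str

    @property
    def path(self) -> str:
        """Last ' - ' separated field, which is the file path for hook entries."""
        return self.body.rsplit(" - ", 1)[-1].strip()


def parse_log(text: str) -> list[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"].strip()))
    return entries


def _host(value: str) -> str:
    v = value.strip()
    if "://" not in v:          # HJT prints bare hosts like www.bbc.co.uk
        v = "http://" + v
    return (urlsplit(v).hostname or "").lower()


def suspicious_reasons(e: Entry) -> list[str]:
    reasons = []
    if e.kind in {"R0", "R1"} and " = " in e.body:
        host = _host(e.body.split(" = ", 1)[1])
        if host and host not in KNOWN_HOSTS:
            reasons.append(f"start/search page points at unrecognised host {host}")
    if e.kind in HOOK_KINDS and WINROOT_RE.match(e.path):
        reasons.append(f"hook DLL loaded from the Windows root: {e.path}")
    if e.kind == "O21":
        reasons.append("SSODL entry loads at Explorer start; verify the DLL")
    return reasons


def triage(text: str) -> dict[Entry, list[str]]:
    """Map each flagged entry to the reasons it was flagged."""
    return {e: r for e in parse_log(text) if (r := suspicious_reasons(e))}


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries present only in `before` (removed) and only in `after` (added)."""
    b, a = set(parse_log(before)), set(parse_log(after))
    key = lambda e: (e.kind, e.body)
    return sorted(b - a, key=key), sorted(a - b, key=key)


# Constructed excerpts built from lines in the thread's first and third posts.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - C:\WINDOWS\ddesupport.dll
O21 - SSODL: msole - {DC9709F3-7662-439F-B0A8-AEFB5B4DC98E} - C:\WINDOWS\msole.dll
O21 - SSODL: msdde - {F63565C4-ABDB-41CC-80C8-DB5F95EC5A8C} - C:\WINDOWS\msdde.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
"""

AFTER_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    for entry, reasons in triage(BEFORE_LOG).items():
        print(f"[FLAG] {entry.kind} - {entry.body}")
        for r in reasons:
            print(f"        {r}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("\nRemoved after cleanup:")
    for e in removed:
        print(f"  - {e.kind} - {e.body}")
    print("Added after cleanup:")
    for e in added:
        print(f"  + {e.kind} - {e.body}")
```

Run against the two excerpts it flags four entries in the first log (the gomyron.com start page, the ddesupport.dll BHO and both SSODL DLLs) and none in the second, and the diff shows those same four entries gone with only the SUPERAntiSpyware Winlogon hook newly present. The diff is the useful check after any cleanup pass: a removal tool's own report says what it deleted, but a fresh HJT log diffed against the original shows whether a loader re-created anything on reboot, which is exactly the symptom the thread starter reported.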
 

dinok159

Thread Starter
Joined
Jul 1, 2007
Messages
5
ok, boss. here we go:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2007 at 09:21 PM

Application Version : 3.9.1008

Core Rules Database Version : 3263
Trace Rules Database Version: 1274

Scan type : Complete Scan
Total Scan Time : 00:52:37

Memory items scanned : 378
Memory threats detected : 0
Registry items scanned : 4303
Registry threats detected : 37
File items scanned : 42108
File threats detected : 39

Adware.Tracking Cookie
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][3].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][3].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][3].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt
C:\Documents and Settings\David\Cookies\[email protected][1].txt
C:\Documents and Settings\David\Cookies\[email protected][2].txt

Trojan.VideoCach/Gen
HKCR\NewMediaCodec.VideoSupport
HKCR\NewMediaCodec.VideoSupport\CLSID
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\Control
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\Implemented Categories
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\InprocServer32
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\InprocServer32#ThreadingModel
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\MiscStatus
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\MiscStatus\1
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\ProgID
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\ToolboxBitmap32
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\TypeLib
HKCR\CLSID\{150EA8E7-A97C-4816-AD02-4865EEF8C5FF}\Version
HKCR\CLSID\{BABA5BDB-4EFF-48DB-B443-679651D37128}
HKCR\CLSID\{BABA5BDB-4EFF-48DB-B443-679651D37128}\InprocServer32
HKCR\TypeLib\{CDC0999C-999C-4EE1-875B-5C3542641768}
HKCR\TypeLib\{CDC0999C-999C-4EE1-875B-5C3542641768}\1.0
HKCR\TypeLib\{CDC0999C-999C-4EE1-875B-5C3542641768}\1.0\0
HKCR\TypeLib\{CDC0999C-999C-4EE1-875B-5C3542641768}\1.0\0\win32
HKCR\TypeLib\{CDC0999C-999C-4EE1-875B-5C3542641768}\1.0\FLAGS
HKCR\TypeLib\{CDC0999C-999C-4EE1-875B-5C3542641768}\1.0\HELPDIR
HKCR\Interface\{B6A3935F-8FE4-49A4-B987-A1C09E53589F}
HKCR\Interface\{B6A3935F-8FE4-49A4-B987-A1C09E53589F}\ProxyStubClsid
HKCR\Interface\{B6A3935F-8FE4-49A4-B987-A1C09E53589F}\ProxyStubClsid32
HKCR\Interface\{B6A3935F-8FE4-49A4-B987-A1C09E53589F}\TypeLib
HKCR\Interface\{B6A3935F-8FE4-49A4-B987-A1C09E53589F}\TypeLib#Version
HKCR\Interface\{EF94A58F-599B-4602-9C34-99683C5859B1}
HKCR\Interface\{EF94A58F-599B-4602-9C34-99683C5859B1}\ProxyStubClsid
HKCR\Interface\{EF94A58F-599B-4602-9C34-99683C5859B1}\ProxyStubClsid32
HKCR\Interface\{EF94A58F-599B-4602-9C34-99683C5859B1}\TypeLib
HKCR\Interface\{EF94A58F-599B-4602-9C34-99683C5859B1}\TypeLib#Version
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewMediaCodec
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewMediaCodec#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewMediaCodec#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewMediaCodec#uninstallString

Adware.TradeDoubler
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4D1CC9C9-F909-433B-9FB4-B890CBCC40CC}\RP265\A0041698.LNK

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4D1CC9C9-F909-433B-9FB4-B890CBCC40CC}\RP312\A0070535.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4D1CC9C9-F909-433B-9FB4-B890CBCC40CC}\RP312\A0071603.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4D1CC9C9-F909-433B-9FB4-B890CBCC40CC}\RP312\A0071612.EXE

Desktop Hijacker.AboutYourPrivacy
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4D1CC9C9-F909-433B-9FB4-B890CBCC40CC}\RP312\A0071607.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4D1CC9C9-F909-433B-9FB4-B890CBCC40CC}\RP312\A0071608.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4D1CC9C9-F909-433B-9FB4-B890CBCC40CC}\RP312\A0071616.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{4D1CC9C9-F909-433B-9FB4-B890CBCC40CC}\RP312\A0071617.DLL


HJT:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:28:15 PM, on 7/1/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\MSTMON_S.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\BT Business Hub\Wireless Configuration\WirelessDaemon.exe
C:\Documents and Settings\David\Desktop\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.bbc.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.bbc.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor 2400W STD] C:\WINDOWS\System32\MSTMON_S.EXE STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {7A0D1738-10EA-47FF-92BE-4E137B5BE1A4} (Stm Class) - http://affiliates.bookmaker.com/Iovation/StmOCXiovation.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Business Hub\Wireless Configuration\WirelessDaemon.exe

--
End of file - 6814 bytes

fingers crossed
 

dinok159

Thread Starter
Joined
Jul 1, 2007
Messages
5
Seems OK now. Didn't take a restore point, but all looks good with no pop-ups, icons gone, and home page stays the same.

I will let you know if anything else happens, but fixed for now!!

Thanks very much for your time and effort.
 
Joined
Sep 7, 2004
Messages
49,014
You want to do the restore point thing so that the infected points are cleared out and a new clean one is set.
 