View Full Version : Regedit, cmd, taskmanager help
Hi I am new to this so apologies for any mistakes etc.
I have started having trouble with cmd and regedit, both errors read (being used by another programme). Also task manager will never open at all.
I have run a spybot S&D and fixed all infected files except NewDotNet cannot be fixed.
I have a HJthis file below but I have absolutely no idea what to do with it, i don't want to fix/delete anything which could harm my computer.
If anyone could have a look at the details of the scan and give me a step by step guide of what to do or just any advice it would be very much appreciated. I realise its a lot of reading but any help would be good.
Thanks very much
here is the log
Logfile of HijackThis v1.99.1
Scan saved at 14:07:49, on 07/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\New Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%windir%\system32\Userinit.exe,
O1 - Hosts: 127.0.0.22 mcafee.net
O1 - Hosts: 127.0.0.22 www.mcafee.net
O1 - Hosts: 127.0.0.22 mcafee.org
O1 - Hosts: 127.0.0.22 www.mcafee.org
O1 - Hosts: 127.0.0.22 mcafeesecurity.com
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.com
O1 - Hosts: 127.0.0.22 mcafeesecurity.net
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.net
O1 - Hosts: 127.0.0.22 mcafeesecurity.org
O1 - Hosts: 127.0.0.22 www.mcafeesecurity.org
O1 - Hosts: 127.0.0.22 mcafeeb2b.com
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.com
O1 - Hosts: 127.0.0.22 mcafeeb2b.net
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.net
O1 - Hosts: 127.0.0.22 mcafeeb2b.org
O1 - Hosts: 127.0.0.22 www.mcafeeb2b.org
O1 - Hosts: 127.0.0.22 nai.net
O1 - Hosts: 127.0.0.22 www.nai.net
O1 - Hosts: 127.0.0.22 nai.org
O1 - Hosts: 127.0.0.22 www.nai.org
O1 - Hosts: 127.0.0.22 vil.nai.net
O1 - Hosts: 127.0.0.22 www.vil.nai.net
O1 - Hosts: 127.0.0.22 vil.nai.org
O1 - Hosts: 127.0.0.22 www.vil.nai.org
O1 - Hosts: 127.0.0.22 grisoft.net
O1 - Hosts: 127.0.0.22 www.grisoft.net
O1 - Hosts: 127.0.0.22 grisoft.org
O1 - Hosts: 127.0.0.22 www.grisoft.org
O1 - Hosts: 127.0.0.22 kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 kaspersky.net
O1 - Hosts: 127.0.0.22 www.kaspersky.net
O1 - Hosts: 127.0.0.22 kaspersky.org
O1 - Hosts: 127.0.0.22 www.kaspersky.org
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads1.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads1.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads2.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads2.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads3.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads3.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.net
O1 - Hosts: 127.0.0.22 downloads4.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 www.downloads4.kaspersky-labs.org
O1 - Hosts: 127.0.0.22 download.mcafee.net
O1 - Hosts: 127.0.0.22 www.download.mcafee.net
O1 - Hosts: 127.0.0.22 download.mcafee.org
O1 - Hosts: 127.0.0.22 www.download.mcafee.org
O1 - Hosts: 127.0.0.22 norton.net
O1 - Hosts: 127.0.0.22 www.norton.net
O1 - Hosts: 127.0.0.22 norton.org
O1 - Hosts: 127.0.0.22 www.norton.org
O1 - Hosts: 127.0.0.22 symantec.net
O1 - Hosts: 127.0.0.22 www.symantec.net
O1 - Hosts: 127.0.0.22 symantec.org
O1 - Hosts: 127.0.0.22 www.symantec.org
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.net
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.net
O1 - Hosts: 127.0.0.22 liveupdate.symantecliveupdate.org
O1 - Hosts: 127.0.0.22 www.liveupdate.symantecliveupdate.org
O1 - Hosts: 127.0.0.22 liveupdate.symantec.net
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.net
O1 - Hosts: 127.0.0.22 liveupdate.symantec.org
O1 - Hosts: 127.0.0.22 www.liveupdate.symantec.org
O1 - Hosts: 127.0.0.22 update.symantec.net
O1 - Hosts: 127.0.0.22 www.update.symantec.net
O1 - Hosts: 127.0.0.22 update.symantec.org
O1 - Hosts: 127.0.0.22 www.update.symantec.org
O1 - Hosts: 127.0.0.22 securityresponse.symantec.net
O1 - Hosts: 127.0.0.22 www.securityresponse.symantec.net
O1 - Hosts: 127.0.0.22 securityresponse.symantec.org
O1 - Hosts: 127.0.0.22 www.securityresponse.symantec.org
O1 - Hosts: 127.0.0.22 sarc.com
O1 - Hosts: 127.0.0.22 www.sarc.com
O1 - Hosts: 127.0.0.22 sarc.net
O1 - Hosts: 127.0.0.22 www.sarc.net
O1 - Hosts: 127.0.0.22 sarc.org
O1 - Hosts: 127.0.0.22 www.sarc.org
O1 - Hosts: 127.0.0.22 vaksin.com
O1 - Hosts: 127.0.0.22 www.vaksin.com
O1 - Hosts: 127.0.0.22 vaksin.net
O1 - Hosts: 127.0.0.22 www.vaksin.net
O1 - Hosts: 127.0.0.22 vaksin.org
O1 - Hosts: 127.0.0.22 www.vaksin.org
O1 - Hosts: 127.0.0.22 forum.vaksin.com
O1 - Hosts: 127.0.0.22 www.forum.vaksin.com
O1 - Hosts: 127.0.0.22 forum.vaksin.net
O1 - Hosts: 127.0.0.22 www.forum.vaksin.net
O1 - Hosts: 127.0.0.22 forum.vaksin.org
O1 - Hosts: 127.0.0.22 www.forum.vaksin.org
O1 - Hosts: 127.0.0.22 norman.com
O1 - Hosts: 127.0.0.22 www.norman.com
O1 - Hosts: 127.0.0.22 norman.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: svchost.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeNewReleaseInstall.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\f22mlcf11f2.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
pskelley
2007-02-09, 14:41
Hello Andrew and welcome to the forum. If you are not receiving help elsewhere, I would like to try to help you. I am not 100% sure about this infection, but we can remove it if we work together. I need a little information first.
Do you still need help, if so please look at the log and tell me if you had anything to to with the 01 items, did you create that hosts file? Post that information and I will respond with instructions as soon as possible after you post. Please use Post Reply, stay in the same topic.
Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
I will also suggest you keep this computer offline except when troubleshooting, this junk will install more.
Thanks
Hello, thanks for your response, I still require your help if possible.
no i don't think i had anything to do with the 01 hosts, not even sure what they are to be honest.
Andrew
pskelley
2007-02-10, 19:19
Hi Andrew, I will assume you moved the HJT to the postition I suggested. This is a new infection so I will be learning with you. The junk resets the host file so you can not access any of those sites for help. I was wondering if you know where you got this junk? There is so much of it I am not sure where to start. Let me start by saying you would be wise to keep this computer offline when you are not troubelshooting, this junk will attract more and you have your share just now.
Let's start like this.
Download HostsXpert v3.8 (http://www.funkytoad.com/content/view/13/)
Unzip HostXpert to your desktop
Open up the HostXpert program.
Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
Click Create Back Up
Then click on Restore Microsoft's Host Files
Close the HostXpert program
Thanks to Metallica and any others who helped with this fix
1. Please download AVG Anti-Spyware (http://www.ewido.net/en/download/)
Install AVG Anti-Spyware
Launch the program, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
You will need to update AVG Anti-Spyware to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit AVG Anti-Spyware, do not run the scan yet!
2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Do not do anything with these yet!
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.
4. Once in Safe Mode, Open AVG Anti-Spyware:
Click on scanner
Click on Complete System Scan and the scan will begin.
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware
5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of AVG Anti-Spyware text report that you saved and a new HiJackThis log.
Thanks
Hi I have followed your instructions and here are the new logs
Thanks very much
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:07:57 13/02/2007
+ Scan result:
C:\Program Files\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
C:\Program Files\DeluxeCommunications\Dxc.exe -> Adware.DeluxeCommunications : Ignored.
C:\Program Files\DeluxeCommunications\DxcBho.dll -> Adware.DeluxeCommunications : Ignored.
C:\Program Files\DeluxeCommunications\DxcCore.dll -> Adware.DeluxeCommunications : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Ignored.
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
HKU\S-1-5-21-1454471165-1788223648-725345543-1004\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
HKU\S-1-5-21-1454471165-1788223648-725345543-1004\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Ignored.
HKU\S-1-5-21-1454471165-1788223648-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002833.dll -> Adware.NewDotNet : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002834.exe -> Adware.NewDotNet : Ignored.
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Ignored.
C:\WINDOWS\NDNuninstall7_44.exe -> Adware.NewDotNet : Ignored.
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Ignored.
C:\Program Files\Deskbar -> Adware.Softomate : Ignored.
C:\deskbar.exe -> Adware.Softomate : Ignored.
C:\DXC9.exe -> Adware.SurfSide : Ignored.
C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
[820] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002837.exe -> Downloader.Adload.fk : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002838.exe -> Downloader.Adload.fk : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002839.exe -> Downloader.Adload.fk : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002840.exe -> Downloader.Adload.fk : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002847.exe -> Downloader.Adload.fk : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002848.exe -> Downloader.Adload.fk : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002851.exe -> Downloader.Adload.fk : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002853.exe -> Downloader.Adload.fk : Ignored.
C:\nwnmff_e20.exe -> Downloader.Adload.fk : Ignored.
C:\nwnmff_e28.exe -> Downloader.Adload.fk : Ignored.
C:\nwnmff_e30.exe -> Downloader.Adload.fk : Ignored.
C:\nwnmff_e31.exe -> Downloader.Adload.fk : Ignored.
C:\mc44a1.exe -> Downloader.Adload.fu : Ignored.
C:\mc44a2.exe -> Downloader.Adload.fu : Ignored.
C:\mc44a3.exe -> Downloader.Adload.fu : Ignored.
C:\nwnmff_e25.exe -> Downloader.Adload.fv : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002843.exe -> Downloader.Adload.fy : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002842.exe -> Downloader.Adload.gg : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002852.exe -> Downloader.Adload.gg : Ignored.
C:\nwnmff_e24.exe -> Downloader.Adload.gg : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002850.exe -> Downloader.Adload.gm : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002841.exe -> Downloader.Adload.gn : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002835.exe -> Downloader.Adload.gw : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002836.exe -> Downloader.Adload.gw : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002849.exe -> Downloader.Adload.hh : Ignored.
C:\WINDOWS\system32\aaa00000.dll -> Downloader.Agent.awb : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002855.exe -> Downloader.Agent.azc : Ignored.
C:\Program Files\Common Files\{00456A2C-063B-2057-0804-05050331002c}\services.dll -> Downloader.Banloa.ak : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002844.exe -> Downloader.DollarRev.d : Ignored.
C:\141ts.exe -> Downloader.TSUpdate.o : Ignored.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe -> Dropper.VB.lu : Ignored.
THERE WERE A LOT MORE FILES IN THE DIRECTORY
C:\Documents and Settings\New Owner\Shared
BUT I THINK BECAUSE THERE ARE SO MANY WHEN I TRY AND COPY THE WHOLE REPORT THE INTERNET DOES NOT RESPOND SO I HAVE EXCLUDED THEM....THERE ARE A LOT, PROBABLY OVER 15,000
AVG cont....
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002854.exe -> Hijacker.VB.ly : Ignored.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\K2EIA006\slide657[1].htm -> Not-A-Virus.Exploit.JS.CVE20061359.b : Ignored.
C:\Documents and Settings\LocalService\Cookies\system@2o7[1].txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@adbrite[1].txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@adrevolver[3].txt -> TrackingCookie.Adrevolver : Ignored.
C:\Documents and Settings\LocalService\Cookies\system@atdmt[1].txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Ignored.
C:\WINDOWS\Temp\Cookies\new owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
C:\WINDOWS\Temp\Cookies\new owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@e-2dj6wfmycpczckp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Ignored.
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@findwhat[1].txt -> TrackingCookie.Findwhat : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@hypertracker[1].txt -> TrackingCookie.Hypertracker : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@searchportal.information[1].txt -> TrackingCookie.Information : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@komtrack[2].txt -> TrackingCookie.Komtrack : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Ignored.
C:\WINDOWS\Temp\Cookies\new owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Ignored.
C:\WINDOWS\Temp\Cookies\new owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@tacoda[1].txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\New Owner\Cookies\new owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\WINDOWS\Temp\Cookies\new owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\pp4ico.exe -> Trojan.Favadd : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002845.exe -> Trojan.Pakes : Ignored.
C:\System Volume Information\_restore{D67C12CA-FC02-4923-803D-ECD9AECD10DB}\RP9\A0002846.exe -> Trojan.Pakes : Ignored.
C:\nwnmff_e32.exe -> Trojan.Pakes : Ignored.
C:\nwnmff_e33.exe -> Trojan.Pakes : Ignored.
::Report end
HJT
Logfile of HijackThis v1.99.1
Scan saved at 11:18:25, on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%windir%\system32\Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeNewReleaseInstall.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\f22mlcf11f2.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Thanks, sorry there is so much
Andrew
not sure if this is of any use but here is the BFU report
BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 11:10:44, on 13/02/2007
Option Unload Explorer: Yes
Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Deskbar\deskbar.dll|1 (file not found)
Failed: DllUnregister \asappsrv.dll|1 (file not found)
Failed: DllUnregister \MyToolBar.dll|1 (file not found)
Failed: DllUnregister \888Bar.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\update.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\services.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\activate.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-1033-*-*}\MyToolBar.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\update.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\services.dll (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\activate.exe (operation failed)
Failed: FileDelete C:\Program Files\common files\{*-*-2057-*-*}\MyToolBar.dll (operation failed)
Failed: FolderDelete C:\Program Files\toolbar888 (folder not found)
Failed: FolderDelete C:\Program Files\e-mailpaysu toolbar (folder not found)
Failed: FolderDelete C:\Program Files\EMUSIC TOOLBAR (folder not found)
Failed: FolderDelete C:\Program Files\find dvd toolbar (folder not found)
Failed: FolderDelete C:\Program Files\GULESIDER VERKTøYLINJE (folder not found)
Failed: FolderDelete C:\Program Files\sesam-p4 toolbar (folder not found)
Failed: FolderDelete C:\Program Files\slownik ling (folder not found)
Failed: FolderDelete C:\Program Files\MediaPipe (folder not found)
Failed: FolderDelete C:\Program Files\p2pnetworks (folder not found)
Failed: FileDelete C:\DOCUME~1\NEWOWN~1\LOCALS~1\Temp\Perflib_Perfdata_3b0.dat (operation failed)
Failed: FileDelete C:\DOCUME~1\NEWOWN~1\LOCALS~1\Temp\~DF97FE.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\PSCastor (folder not found)
Failed: FolderDelete C:\Program Files\CMIntex (folder not found)
Failed: FolderDelete C:\Program Files\PadsysAssistant (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\simtest (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20000 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (folder not found)
Failed: FolderDelete C:\Program Files\Ipwindows (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\Snowball Wars (folder not found)
Failed: FolderDelete C:\Program Files\folder.js (folder not found)
Failed: FolderDelete C:\Program Files\ini.ini (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FolderDelete C:\WINDOWS\system32\crunner (folder not found)
Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
Failed: FolderDelete C:\Program Files\SDVita (folder not found)
Failed: FolderDelete C:\Program Files\EQBranch (folder not found)
Failed: FolderDelete C:\Program Files\EQArticle (folder not found)
Failed: FolderDelete C:\Program Files\PSHope (folder not found)
Failed: FolderDelete C:\Program Files\Batty (folder not found)
Failed: FolderDelete C:\Program Files\Batty2 (folder not found)
Failed: FolderDelete C:\Program Files\AXFibula (folder not found)
Failed: FolderDelete C:\Program Files\CMFibula (folder not found)
Failed: FolderDelete C:\Program Files\PSLister (folder not found)
Failed: FolderDelete C:\Program Files\PSCloner (folder not found)
Failed: FolderDelete C:\Program Files\PSDream (folder not found)
Failed: FolderDelete C:\Program Files\cmapp (folder not found)
Failed: FolderDelete C:\Program Files\cmman (folder not found)
Failed: FolderDelete C:\Program Files\cmsystem (folder not found)
Failed: FolderDelete C:\Program Files\fcengine (folder not found)
Failed: FolderDelete C:\Program Files\wincmapp (folder not found)
Failed: FolderDelete C:\Program Files\Deskbar\Cache (folder not found)
Failed: FolderDelete C:\Program Files\popupwithcast (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\cloader (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\misc001 (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.
Thanks
Andrew
pskelley
2007-02-13, 14:39
Hello andrew, you have a nasty infection and during the run of AVG Anti-Spyware I see this: Ignored.
The program will not remove the junk and it found plenty, if you choose Ignore.
Look at this tutorial and this time delete what you find, if there is an item you are not sure about, quarantine it, I will tell you if it is bad.
http://forums.security-central.us/showthread.php?t=3165
When you post the next AVG Anti-Spyware scan results I do no need to see any C:\System Volume Information\_restore (that is stuff in System Restore we will clean before we are finished) and I do not need to see any C:\Documents and Settings\New Owner\Cookies\ just make sure they are all deleted. Edit all of those from the scan report before you post it.
Make sure you restart the computer once this has been done before you create the HJT log to post so the changes can go into effect.
__________________________________________________
It is very important the directions are followed in the order they are posted. Run the programs exactly as described. The BFU is used to run a simple script to remove certain items dealing with the alcan worm. The instructions must be performed exactly as posted. You must save Alcra PLUS Remover to the same folder on C:\ where you extracted BFU to:
Save it in the same folder you made earlier (c:\BFU).If this is done correctly, it will work.
Here is a tutorial if it helps, please be aware the script showing in this tuorial is for example only, it is not the script you need to use. You need to use alcanshorty.bfu
http://metallica.geekstogo.com/BFUinstructions.html
I also need to say that it may be you ran the script properly, I do not need to see those results. It may be the items were not located because they were not present. I can see the results of the script in the HJT log.
A final note, this is a nasty infection and there is no easier way to clean it. If you are not understanding the instructions, you may wish to ask someone with more computer knowledge to assist during this or post to ask me to explain what you do not understand.
Thanks
Hi, I have followed the steps as you said but could not save the report of AVG as once it had deleted some of the infections or all of them (i couldn't check) it became unresponsive. Also BFU still says files not found both BFU and the alcanshorty file are downloaded to C:/BFU so not sure why its not working?
Here is a new HJT log, I hope it helps and if its the same thing again and i made another mistake I'll try again, thanks
Logfile of HijackThis v1.99.1
Scan saved at 22:25:42, on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%windir%\system32\Userinit.exe,
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeNewReleaseInstall.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\f22mlcf11f2.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Andrew
just seen in AVG the following files are quarantined, shall i finally remove these?
C:\program files\Duluxe communication\Dxc.exe ( there are 2 of these)
C:\WINDOWS\system32\dxclib303562752.dll (3 of these)
all medium risk
Thanks
Andrew
pskelley
2007-02-14, 02:13
OK and thanks for the feedback, we will do it manually. As far as your questions about the AVG Quarantine, you can delete anything in there.
1. Launch AVG Anti-Spyware and click the "Infections" button.
2. Click the "Quarantine" tab, choose "Select All" and click "Remove finally".
3. A window will pop up asking "Are you sure you want to remove the selected files...??"
4. Choose "Yes".
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Start > Control Panel > Add Remove Programs and uninstall DeluxeCommunications. Please uninstall any other programs you know do not belong there.
4) AVG Anti-Spyware 7.5: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
5) Spyware Doctor: From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,%windir%\system32\Userinit.exe,
(file missing, if you use this BHO download it again once we are finished)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\f22mlcf11f2.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program Files\DeluxeCommunications\ <<< delete that folder
C:\WINDOWS\system32\dxclib303562752.dll <<< delete that file
8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log, let me know how the computer is running now and add any comments you think will help.
Thanks
Thanks for the last post, have done what you said...
Here is the new log
For some reason i can't click on the start menu now, it just makes that bong error sound.
Any suggestions? it might work on next reboot, i'll try but if no re-post from me in 5 mins then we'll just say its still not working.
Also shall i put on guard and the shield back on for ACG and spyware doc?
Thanks
Logfile of HijackThis v1.99.1
Scan saved at 02:10:05, on 14/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/pages/scanner/ErrorSafeNewReleaseInstall.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
it works again and so does command prompt, and task mangager. Not sure about regedit I'll have to try and install something that uses it, but I'll wait for your reply first as that might be the problem in the first place.
Any suggestions on how to prevent this happening again?
How does the log look?
Thanks very very much for all your work. It's very appreciated, especially as I kept getting things wrong.
Andrew
:bigthumb:
P.S. Can i start using my internet again apart from troubleshooting?
pskelley
2007-02-14, 13:27
Hello Andrew, yes turn on all of your protection. You HJT log looks clean of malware, how is the computer running?
Any suggestions on how to prevent this happening again?If I had to guess I would say it looks like this was Alcan worm. http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ALCAN.A
This worm propagates via peer-to-peer networks by dropping a copy of itself in certain folders.But you had so much junk it is hard to tell. It is a good possibility an infected file that was downloaded caused the problems. I will post links from experts, review that information and if you have questions at that point, post them and I will do my best to give you answers.
I also see no antivuris program running on the computer?? If this is the case, here is a free one, download, update and run a complete scan right away: Make sure you download this one: AVG Anti-Virus Free, and this has nothing to do with the AVG Spyware program we used which will expire after the trial. You need to have at least one good spyware program, only one anti-virus programs and a good firewall. Open the Security Center in the Control Panel...all three items should be green.
http://free.grisoft.com/doc/1 <<< AVG Anti-Virus Free
P.S. Can i start using my internet again apart from troubleshooting?Yes but clean those System Restore files first, then turn your spyware programs back on. If you do not have one, get AVG Anti-Virus Free right away, do not surf or go anywhere else until you have that program installed, updated and have run a complete scan.
Read those links next for additional safety information.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
My computer runs fine and i now have AVG free and done a scan with no infections found. Hopefully I will be free from problems for a while. Thank you very much, you are a true soldier!
Andrew