Bagle and other viruses have trashed my system!
Hi,
I'm posting here as a last resort really. I've tried everything I could find and it seems nothing can remove this virus. I believe it is a Bagle worm but there might be others!
1) Virus disabled McAfee Security Suite and trashed the anti-virus scanner. I removed and tried to reinstall but the installation fails.
2) I've tried to install AVG Anti-virus but the installation fails
3) I've run Windows Defender, AVG Spyware removal, Avast Cleaner, BagleGUI and FxBagle (Symantec) with no positives. Installation of Spybot S&D completes but the exe reports missing.
4) Virus keeps trying to load iexplore.exe and connect to a website. It also spawns files in the temp folder (eg. ~05.exe)
5) The system will no longer boot in safe mode - all I get is the blue screen
6) Will no longer connect to internet, simply because I cannot get access to the list of available wireless networks in order to select the correct one. For some reason the View Wireless Network has become unavailable (locked by another program?).
I completed a Kaspersky scan before the connect went down and it reported several viruses in the restore files, plus the Win32.Bagle.hw and Win32.Bagle.hx in the files:
C:\WINDOWS\exefld\1051375.exe
C:\WINDOWS\exefld\1116953.exe
C:\WINDOWS\exefld\1119312.exe etc. etc. - 12 in total
I have HijackThis on the machine but at the moment have no way of posting the log (My laptop has a floppy drive and my desktop has a cd!).
Is there anyone able to help me sort this mess out!
Many thanks, Paul
Angelfire777
2007-02-14, 15:13
I have HijackThis on the machine but at the moment have no way of posting the log (My laptop has a floppy drive and my desktop has a cd!).
I'm sorry but I do not understand... Is the problem on another machine or your laptop? You could always use a diskette or a flash drive to move the HijackThis log to another PC if you need to.
Sorry.
The problem is my desktop pc. I'm using my laptop to post to the forum as the desktop has lost connectivity. I will try and use some other method to get a Hijackthis log on here.
Here is the Hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 14:25:13, on 14/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB2.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Angelfire777
2007-02-16, 08:05
Hi,
*Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.
a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT
b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamites). Then, drag and drop that file to the new folder you created.
*Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).
If you decided to remove Viewpoint,
Please download Viewpoint Killer (http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip)
Save it to your Desktop
Create a new folder in your desktop by right clicking on the background > New > Folder > name the folder Viewpoint Killer
Unzip the contents of the zip file to the newly created folder.
Open the Viewpoint Killer folder then run ViewpointKiller, and select File > Do All Killings.
Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.
A logfile will be created in the folder you unzipped ViewpointKiller to, please copy and paste the contents of the logfile here.
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB2.dll (file missing)
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/scri...ons/mailto.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
________________________
*Configure your machine to view hidden files:
Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.
*Using Windows Explorer, find and delete these folders
C:\WINDOWS\exefld
Empty your Recycle bin.
________________________
*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune
Important: Make sure all your browsers are closed before running ATF Cleaner.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
*First download AVG Anti-Spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system.
*Download ComboScan (http://www.techsupportforum.com/sectools/Deckard/comboscan.exe) to your Desktop.
1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
On your next reply, please include a fresh HijackThis log, AVG Antispyware log and the comboscan log.
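The HijackThis log above is triaged by hand in this thread. As an added illustration (this is not a tool from the forum, from HijackThis, or from either poster), the following Python script applies a few defender-side heuristics to HijackThis-style lines: an executable launched from a Temp directory, a file named like a core Windows binary but stored outside the Windows directory, an O4 Run entry that names a bare file with no directory (so Windows resolves it through PATH), and entries HijackThis reports as "(file missing)". The heuristics, the list of system binary names, and the sample lines (constructed, modelled on the entries in this thread) are all assumptions of this example, not rules from HijackThis.

```python
"""Triage a HijackThis-style log for autorun entries that deserve a second look.

Added example for this thread, not a tool from the forum or from HijackThis.
The heuristics below are assumptions of this example, not HijackThis rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Core Windows binaries that only belong under the Windows directory
# (assumed list for this example; extend as needed).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                   "smss.exe", "csrss.exe", "explorer.exe"}

# First drive-letter path on the line that ends in .exe or .dll.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"<>|]*?\.(?:exe|dll))', re.IGNORECASE)
# "O4 - HKLM\..\Run: [Name] command line" -> capture the command line.
O4_RE = re.compile(r'^O4 - .*?: \[[^\]]*\]\s+(.+)$')


@dataclass
class Finding:
    severity: str   # "high" or "info"
    reason: str
    entry: str      # the log line that triggered the finding


def _in_windows_dir(path: str) -> bool:
    """True if the file sits directly in \\WINDOWS or \\WINDOWS\\system32."""
    folder = path.lower().rsplit("\\", 1)[0]
    return folder.endswith("\\windows") or folder.endswith("\\windows\\system32")


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log line (empty list if nothing stands out)."""
    findings: list[Finding] = []
    line = line.strip()
    if not line:
        return findings
    if "(file missing)" in line:
        findings.append(Finding("info", "target file missing; orphaned entry", line))
    m = O4_RE.match(line)
    if m and "\\" not in m.group(1).strip():
        findings.append(Finding("info", "autorun names a bare file, resolved via PATH", line))
    pm = PATH_RE.search(line)
    if pm:
        path = pm.group(1)
        lower = path.lower()
        if "\\temp\\" in lower:
            findings.append(Finding("high", "executable launched from a Temp directory", line))
        name = lower.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not _in_windows_dir(path):
            findings.append(Finding("high", f"{name} outside the Windows directory", line))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    out: list[Finding] = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


# Constructed sample, modelled on the kinds of entries seen in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB2.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

On the sample the script reports two "high" findings for the single Temp-folder svchost.exe entry (wrong directory for that name, and a Temp launch) and two "info" findings (the orphaned BHO and the bare RemoveCpl.exe), while the system32 and Program Files entries pass. A finding is a prompt to look closer, not a verdict; confirm with a second scanner or a file-signature check before removing anything.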
Thank you so much for your help.
Here is the Viewpoint Killer log
############################################
Viewpoint Killer:
----------------------------------
ViewpointKiller is now attempting to remove VIEWPOINT MEDIA PLAYER...
The removal process was started at Fri Feb 16 09:29:44 2007
ViewpointKiller determined that "aim.exe" was not running.
ViewpointKiller determined that "aolsoftware.exe" was not running.
ViewpointKiller determined that "aim6.exe" was not running.
ViewpointKiller determined that "aol.exe" was not running.
ViewpointKiller determined that "MtsAxInstaller.exe" was not running.
ViewpointKiller was not able to close "ViewpointService.exe"!
Trying again, ViewpointKiller was not able to close "ViewpointService.exe"!
Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files".
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Media Player" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Viewpoint\Viewpoint Media Player" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Experience Technology" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Experience Technology".
ViewpointKiller determined that the path "C:\Documents and Settings\All Users\Application Data\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Documents and Settings\All Users\Application Data\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\MetaStream" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\MetaStream".
ViewpointKiller determined that the path "C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint".
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Common" does exist.
ViewpointKiller was unable to delete a file in the folder "C:\Program Files\Viewpoint\Common". The error was ACCESS_DENIED.
Finished reporting.
----------------------------------
----------------------------------
ViewpointKiller is now attempting to remove VIEWPOINT MANAGER...
The removal process was started at Fri Feb 16 09:30:36 2007
ViewpointKiller was not able to close "ViewMgr.exe"!
Call to ShellExecute("msconfig.exe") returned 42.
Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES variable was set to "C:\Program Files".
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Manager" does exist.
ViewpointKiller was unable to delete a file in the folder "C:\Program Files\Viewpoint\Viewpoint Manager". The error was ACCESS_DENIED.
ViewpointKiller determined that the path "C:\Documents and Settings\All Users\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users\Application Data\Viewpoint".
Finished reporting.
----------------------------------
----------------------------------
ViewpointKiller is now attempting to remove VIEWPOINT TOOLBAR...
The removal process was started at Fri Feb 16 09:33:13 2007
ViewpointKiller determined that "FotomatDeviceConnect.exe" was not running.
ViewpointKiller determined that "iexplore.exe" was not running.
Call to ShellExecute("msconfig.exe") returned 42.
Ran registry removal functions.
ViewpointKiller determined that the PROGRAMFILES varible was set to "C:\Program Files".
Attempting to rename "C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewpointPhotosShellExt.dll" to "C:\Program Files\Viewpoint\Viewpoint Toolbar V35\KillMe.dll". The error returned was 1026.
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Toolbar V35" does not exist.
ViewpointKiller did not find the folder "C:\Program Files\Viewpoint\Viewpoint Toolbar V35".
ViewpointKiller determined that the path "C:\Documents and Settings\Paul\Local Settings\Application Data\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Documents and Settings\Paul\Local Settings\Application Data\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\Viewpoint\Viewpoint Toolbar" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Viewpoint\Viewpoint Toolbar" folder successfully.
ViewpointKiller determined that the path "C:\Program Files\Common Files\Viewpoint" does exist.
ViewpointKiller was able to remove the "C:\Program Files\Common Files\Viewpoint" folder successfully.
ViewpointKiller determined that the path "C:\Documents and Settings\All Users\Application Data\Viewpoint" does not exist.
ViewpointKiller did not find the folder "C:\Documents and Settings\All Users\Application Data\Viewpoint".
Finished reporting.
----------------------------------
Here is the AVG Log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:37:13 16/02/2007
+ Scan result:
HKU\S-1-5-21-590106497-879705582-844896293-1006_Classes\Interface\{8148A489-F54E-4D74-B6F3-81901D0AA54A}\TypeLib\\Version -> Adware.ActivityMonitor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Alexa Internet\Hosts -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AlxTB.BHO.1 -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AlxTB.BHO\CLSID -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AlxTB.BHO\CurVer -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PopMenu.Menu -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PopMenu.Menu.1 -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PopMenu.Menu\CLSID -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PopMenu.Menu\CurVer -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.HTMLEvent -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.HTMLEvent.1 -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CLSID -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.HTMLEvent\CurVer -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.PopupKiller.1 -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.PopupKiller\CLSID -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Popup.PopupKiller\CurVer -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alexa -> Adware.Alexa : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EMediaCodec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\EMediaCodec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-590106497-879705582-844896293-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-590106497-879705582-844896293-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP811\A0104085.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP812\A0104963.dll -> Dialer.BT.c : Cleaned with backup (quarantined).
:mozilla.62:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.63:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.66:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.67:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.68:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.69:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.70:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.71:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.26:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.27:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.79:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.80:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.81:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.82:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.83:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.88:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.92:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\george@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.90:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.91:C:\Documents and Settings\Paul_2\Application Data\Mozilla\Firefox\Profiles\ngo8i69u.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
::Report end
Here is the ComboScan supplementary log:
############################################
ComboScan v20070212.14 run by Paul on 2007-02-16 at 10:39:30
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information -----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Celeron(R) CPU 2.50GHz
Percentage of Memory in Use: 83%
Physical Memory (total/avail): 254 MiB / 41.22 MiB
Pagefile Memory (total/avail): 624.93 MiB / 407.65 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1994.71 MiB
C: is Fixed (NTFS) - 37.2 GiB total, 15.81 GiB free.
D: is CDROM (No Media)
-- Security Center --------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
-- Environment Variables --------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Paul\Application Data
CLIENTNAME=Console
COLLECTIONID=wuclient
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FISHER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://h30083.www3.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Paul
ITEMID=wuclienten
LANG=2057
LOGONSERVER=\\FISHER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPP
Path=C:\Program Files\Mozilla Firefox\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONID=1092867070440wuws04-l189c036:fe878bcabd:-38a5
SESSIONNAME=Console
SWUTVER=1.0.22.20030804
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Paul\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\HP\HP%20Software%20Update\install.htm
UPDATEDIR=C:\DOCUME~1\Paul\LOCALS~1\Temp\rad25345.tmp
USERDOMAIN=FISHER
USERNAME=Paul
USERPROFILE=C:\Documents and Settings\Paul
VERSION=2.0.35
windir=C:\WINDOWS
-- User Profiles ----------------------------------------------------------------
Paul (admin)
George (admin)
Paul_2 (admin)
Administrator (admin)
-- Add/Remove Programs ----------------------------------------------------------
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Atmosphere Player for Acrobat and Adobe Reader --> C:\WINDOWS\atmoUn.exe
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Reader for Palm OS, 3.05 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\Adobe Reader for Palm OS\AcroDesk.isu" -c"C:\Program Files\Adobe\Adobe Reader for Palm OS\unpdf.dll"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Belkin Wireless Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80CD64AA-7406-4508-BFDF-2DFE7F1F8EF0}\setup.exe" -l0x9
Broadcom Management Programs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{89EE857B-8970-4F9F-AB58-A1C873AC72B3} /l1033
Crimson Editor (remove only) --> C:\Program Files\Crimson Editor\uninstall.exe
CuteFTP 6 Professional --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{AB18B0BA-A08F-48B8-8D0E-AA9DDDCA22EA}
CutePDF Writer 2.2 --> C:\WINDOWS\System32\uninscpw.exe C:\Program Files\
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Documents To Go --> MsiExec.exe /X{4E7E8E6A-15F1-4E26-9352-26AD235131E9}
eMedia Codec 4.0 --> C:\Program Files\eMedia Codec\uninst.exe
eMule --> "C:\Program Files\emule\Uninstall.exe"
FUJIFILM DS SERIAL TWAIN --> C:\WINDOWS\uninst.exe -fC:\WINDOWS\DeIsL1.isu
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> C:\Documents and Settings\Paul\Desktop\HijackThis.exe /uninstall
HP Image Zone 3.5 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.5 --> "C:\Program Files\HP\Digital Imaging\{0FABD3D7-3036-4e78-B29D-58957ADB0A12}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
Intel A/V Codecs V2.0 --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\system32\CDUninst.isu
Intel(R) 537EP V9x DF PCI Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP V9x DF PCI Modem"
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.1_04 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACD27BF3-7CDC-11D7-9D4D-00010240CE95}\Setup.exe" Anytext
Kaspersky Online Scanner --> C:\WINDOWS\system32\KASPER~1\KASPER~1\kavuninstall.exe
Macromedia Dreamweaver MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 --> MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Macromedia Flash 8 Video Encoder --> MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 8 --> MsiExec.exe /X{885A63EA-382B-4DD4-A755-14809B8557D6}
Macromedia Flash Player 8 Plugin --> MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
Macromedia Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.log
MaxBulk Mailer 4.3 --> "C:\Program Files\MaxBulk Mailer\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Project Professional 2002 --> MsiExec.exe /I{913B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (1.5.0.9) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5.0.9 (en-GB)"
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
MySQL-Front 3.2 --> "C:\Program Files\MySQL-Front\unins000.exe"
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
Palm Desktop --> MsiExec.exe /X{4D8314D2-11FE-4397-A7CC-7015CFF50BCE}
Palm VersaMail(tm) --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{7B0ADD54-01D9-45E7-964A-B4A334F12034} /l1033
PocketMirror 3.1.7 (Professional XT Edition) --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Chapura\PocketMirror XT\DeIsL1.isu" -cC:\PROGRA~1\Chapura\POCKET~1\UninXTEx.dll
QuickBooks Product Listing Service --> MsiExec.exe /I{55584E16-4D70-44EE-93DD-F144E8B7D4B7}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Sage Accounts V10.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{CD442089-F88D-4F46-8E3C-E4B2964B2415}
Sage Instant Accounting 6.0 --> C:\WINDOWS\IsUninst.exe -f"c:\program files\insacc\UNINST.ISU"
Sage MIS 3.01 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Informer50\Uninst.isu"
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Sky Broadband --> C:\Program Files\Sky Broadband\Bin\uninstall.exe
Web CEO 6.0 --> "C:\Program Files\Web CEO\Uninstall\unins000.exe"
Web Savings from Ebates --> javaw -cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates" ls: deletefeature ld: feature=ebateswebsavings0.xml
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
-- End of ComboScan: finished at 2007-02-16 at 10:41:01 -------------------------
And finally, the fresh HijackThis log
############################################
Logfile of HijackThis v1.99.1
Scan saved at 10:44:10, on 16/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
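As an added example (not part of this thread, and not HijackThis's own logic), here is a small Python triage script that applies the path-based checks an analyst runs over the O4 autostart lines in a log like the one above: a Windows system-binary name such as svchost.exe launched from outside the Windows directory, an autostart living under a user's Temp or profile tree, and an entry with no path at all (which Windows resolves through the search order at logon, so it is easy to hijack). The sample lines are copied from the log above plus one O23 line to show that non-O4 lines are ignored; the system-name set and directory fragments are this example's own heuristics, not HijackThis rules, and a hit is a lead to investigate, not a verdict.

```python
"""Path-based triage of HijackThis O4 (autostart) entries.

Added example: parses O4 lines, extracts the launched program, and reports
the red flags an analyst checks first. The lists below are heuristics
chosen for this example (assumption), not anything HijackThis ships with.
"""
import re
from typing import Dict, List, Optional

# Core Windows binaries that legitimately live only under the Windows directory;
# the same file name anywhere else is a classic masquerade (assumed list).
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe",
    "csrss.exe", "explorer.exe", "spoolsv.exe", "ctfmon.exe",
}
# Lower-cased prefixes that count as the Windows directory.
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "c:\\winnt\\")
# Lower-cased fragments (long and 8.3 forms) meaning "user-writable, not an
# install location": Temp and the per-user profile trees (assumed list).
USER_WRITABLE_FRAGMENTS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\",
    "\\application data\\", "\\applic~1\\",
)

O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.+)$")
# Either a double-quoted program path, or an unquoted path cut at the first
# executable suffix (handles unquoted paths that contain spaces).
EXE_RE = re.compile(r'^(?P<exe>"[^"]+"|.*?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s|$)',
                    re.IGNORECASE)


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split an O4 line into location, entry name and command; None if not O4."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    where, rest = m.group("where"), m.group("rest")
    if rest.startswith("["):            # registry Run value: [Name] command
        name, _, cmd = rest[1:].partition("] ")
    elif " = " in rest:                 # Startup folder: shortcut.lnk = target
        name, _, cmd = rest.partition(" = ")
    else:
        name, cmd = "", rest
    return {"where": where, "name": name, "cmd": cmd.strip()}


def executable_of(cmd: str) -> str:
    """Return the program a command launches, without quotes or arguments."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.split()[0] if cmd else ""
    return m.group("exe").strip('"')


def flags_for(exe: str) -> List[str]:
    """Path-based red flags for one autostart program (heuristics, not verdicts)."""
    reasons: List[str] = []
    low = exe.lower()
    if "\\" not in low:
        reasons.append("no path: resolved through the search order at logon, easy to hijack")
        return reasons
    directory, _, basename = low.rpartition("\\")
    directory += "\\"
    if any(frag in directory for frag in USER_WRITABLE_FRAGMENTS):
        reasons.append("launched from a user-writable Temp/profile directory")
    if basename in SYSTEM_BINARY_NAMES and not directory.startswith(WINDOWS_DIR_PREFIXES):
        reasons.append(f"{basename} is a Windows system binary name but lives outside the Windows directory")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Run every O4 line of a HijackThis log through the checks; return only hits."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        exe = executable_of(entry["cmd"])
        reasons = flags_for(exe)
        if reasons:
            hits.append({"where": entry["where"], "name": entry["name"],
                         "exe": exe, "reasons": reasons})
    return hits


# Sample input: O4 lines copied from the log above, plus one O23 line that the
# O4 parser must ignore (constructed test data for this example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['where']}] {hit['name']} -> {hit['exe']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

On the sample, the script flags only two entries: `removecpl` (bare `RemoveCpl.exe` with no path) and `WindowsServicesStartup` (a `svchost.exe` under `Temp`, which gets both the user-writable and the masquerade flag). The other entries, including the real `ctfmon.exe` in system32 and the unquoted HP path with spaces, pass cleanly; what the script cannot tell you is whether a clean-looking path holds a clean file, so hash or scan the flagged binaries before deciding anything.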
Angelfire777
2007-02-16, 15:29
Hi, the ComboScan log you posted was incomplete... You only posted Supplementary.txt... Try to search your machine for ComboScan.txt, then copy and paste all the contents of that text file into your next post :bigthumb:
Sorry, here it is. I will have to split it into two separate posts as it exceeds the maximum limit:
ComboScan v20070212.14 run by Paul on 2007-02-16 at 14:21:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Successfully created restore point.
Performed disk cleanup.
-- HijackThis log (run as Paul.com) ---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 14:22:16, on 16/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\emule\emule.exe
C:\Documents and Settings\Paul\Desktop\comboscan.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\~eqqzfxm.tmp\Paul.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://uk.mcafee.com
O15 - Trusted Zone: http://www.thepaulfisherblog.com
O15 - Trusted Zone: http://www.webcamnow.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
-- HijackThis Fixed Entries (C:\Documents and Settings\Paul\Desktop\backups\) ---
backup-20070212-195815-495 O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20070212-195815-569 O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\vnmispoisn_downloader.exe
backup-20070212-195815-789 O4 - HKLM\..\Run: [searchbar] C:\WINDOWS\System32\vnmispoisn_downloader.exe
backup-20070212-195815-934 O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
backup-20070213-104724-284 O4 - HKLM\..\Run: [AutoConnect] "C:\Documents and Settings\Paul\Local Settings\Temp\{33DF18DE-8DC7-4FEE-8FD8-E97000244912}\{80CD64AA-7406-4508-BFDF-2DFE7F1F8EF0}\AutoConnect.exe" BCMALL
backup-20070216-093831-120 O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB2.dll (file missing)
backup-20070216-093831-225 O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
backup-20070216-093831-399 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070216-093831-709 O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
backup-20070216-093831-844 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
and the second part...
-- File Associations ------------------------------------------------------------
.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - "C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe" "%1"
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------
4 abp480n5 - \SystemRoot\System32\DRIVERS\ABP480N5.SYS
4 adpu160m - \SystemRoot\System32\DRIVERS\adpu160m.sys
3 aeaudio - system32\drivers\aeaudio.sys
2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - system32\DRIVERS\AegisP.sys
4 agpCPQ (Compaq AGP Bus Filter) - \SystemRoot\System32\DRIVERS\agpCPQ.sys
4 Aha154x - \SystemRoot\System32\DRIVERS\aha154x.sys
4 aic78u2 - \SystemRoot\System32\DRIVERS\aic78u2.sys
4 aic78xx - \SystemRoot\System32\DRIVERS\aic78xx.sys
4 AliIde - \SystemRoot\System32\DRIVERS\aliide.sys
4 alim1541 (ALI AGP Bus Filter) - \SystemRoot\System32\DRIVERS\alim1541.sys
4 amdagp (AMD AGP Bus Filter Driver) - \SystemRoot\System32\DRIVERS\amdagp.sys
4 amsint - \SystemRoot\System32\DRIVERS\amsint.sys
4 asc - \SystemRoot\System32\DRIVERS\asc.sys
4 asc3350p - \SystemRoot\System32\DRIVERS\asc3350p.sys
4 asc3550 - \SystemRoot\System32\DRIVERS\asc3550.sys
1 AvgAsCln (AVG Anti-Spyware Clean Driver) - System32\DRIVERS\AvgAsCln.sys
3 b57w2k (Broadcom NetXtreme Gigabit Ethernet) - System32\DRIVERS\b57xp32.sys
3 bcm4sbxp (Broadcom 440x 10/100 Integrated Controller XP Driver) - System32\DRIVERS\bcm4sbxp.sys
4 cbidf - \SystemRoot\System32\DRIVERS\cbidf2k.sys
3 CCDECODE (Closed Caption Decoder) - System32\DRIVERS\CCDECODE.sys
3 CD-Lock - \??\D:\cdm.sys
4 cd20xrnt - \SystemRoot\System32\DRIVERS\cd20xrnt.sys
4 CmdIde - \SystemRoot\System32\DRIVERS\cmdide.sys
4 Cpqarray - \SystemRoot\System32\DRIVERS\cpqarray.sys
4 dac2w2k - \SystemRoot\System32\DRIVERS\dac2w2k.sys
4 dac960nt - \SystemRoot\System32\DRIVERS\dac960nt.sys
3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - System32\Drivers\SQcaptur.sys
4 dpti2o - \SystemRoot\System32\DRIVERS\dpti2o.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - System32\DRIVERS\el90xbc5.sys
4 hpn - \SystemRoot\System32\DRIVERS\hpn.sys
3 HPZid412 (IEEE-1284.4 Driver HPZid412) - System32\DRIVERS\HPZid412.sys
3 HPZipr12 (Print Class Driver for IEEE-1284.4 HPZipr12) - System32\DRIVERS\HPZipr12.sys
3 HPZius12 (USB to IEEE-1284.4 Translation Driver HPZius12) - System32\DRIVERS\HPZius12.sys
4 i2omp - \SystemRoot\System32\DRIVERS\i2omp.sys
3 i81x - System32\DRIVERS\i81xnt5.sys
3 iAimFP0 - System32\DRIVERS\wADV01nt.sys
3 iAimFP1 - System32\DRIVERS\wADV02NT.sys
3 iAimFP2 - System32\DRIVERS\wADV05NT.sys
3 iAimFP3 - System32\DRIVERS\wSiINTxx.sys
3 iAimFP4 - System32\DRIVERS\wVchNTxx.sys
3 iAimTV0 - System32\DRIVERS\wATV01nt.sys
3 iAimTV1 - System32\DRIVERS\wATV02NT.sys
3 iAimTV2 - System32\DRIVERS\wATV03nt.sys
3 iAimTV3 - System32\DRIVERS\wATV04nt.sys
3 iAimTV4 - System32\DRIVERS\wCh7xxNT.sys
3 ialm - System32\DRIVERS\ialmnt5.sys
4 ini910u - \SystemRoot\System32\DRIVERS\ini910u.sys
3 IntelC51 - System32\DRIVERS\IntelC51.sys
3 IntelC52 - System32\DRIVERS\IntelC52.sys
3 IntelC53 - System32\DRIVERS\IntelC53.sys
1 intelppm (Intel Processor Driver) - System32\DRIVERS\intelppm.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
3 mohfilt - System32\DRIVERS\mohfilt.sys
4 mraid35x - \SystemRoot\System32\DRIVERS\mraid35x.sys
3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - system32\drivers\MSTEE.sys
4 m_hook (Empty) - \??\C:\Documents and Settings\Paul\Application Data\hidires\m_hook.sys
3 NABTSFEC (NABTS/FEC VBI Codec) - System32\DRIVERS\NABTSFEC.sys
3 NdisIP (Microsoft TV/Video Connection) - System32\DRIVERS\NdisIP.sys
3 nv - System32\DRIVERS\nv4_mini.sys
1 omci (OMCI WDM Device Driver) - System32\DRIVERS\omci.sys
1 P3 (Intel PentiumIII Processor Driver) - System32\DRIVERS\p3.sys
3 PalmUSBD - system32\drivers\PalmUSBD.sys
0 PCIIde - System32\DRIVERS\pciide.sys
4 perc2 - \SystemRoot\System32\DRIVERS\perc2.sys
4 perc2hib - \SystemRoot\System32\DRIVERS\perc2hib.sys
4 ql1080 - \SystemRoot\System32\DRIVERS\ql1080.sys
4 Ql10wnt - \SystemRoot\System32\DRIVERS\ql10wnt.sys
4 ql12160 - \SystemRoot\System32\DRIVERS\ql12160.sys
4 ql1240 - \SystemRoot\System32\DRIVERS\ql1240.sys
4 ql1280 - \SystemRoot\System32\DRIVERS\ql1280.sys
3 RT2500 (Belkin RT2500 Wireless Driver) - system32\DRIVERS\RT2500.sys
4 sisagp (SIS AGP Bus Filter) - \SystemRoot\System32\DRIVERS\sisagp.sys
3 SLIP (BDA Slip De-Framer) - System32\DRIVERS\SLIP.sys
3 smwdm - system32\drivers\smwdm.sys
4 Sparrow - \SystemRoot\System32\DRIVERS\sparrow.sys
3 streamip (BDA IPSink) - System32\DRIVERS\StreamIP.sys
4 symc810 - \SystemRoot\System32\DRIVERS\symc810.sys
4 symc8xx - \SystemRoot\System32\DRIVERS\symc8xx.sys
4 sym_hi - \SystemRoot\System32\DRIVERS\sym_hi.sys
4 sym_u3 - \SystemRoot\System32\DRIVERS\sym_u3.sys
4 TosIde - \SystemRoot\System32\DRIVERS\toside.sys
4 ultra - \SystemRoot\System32\DRIVERS\ultra.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - System32\DRIVERS\usbccgp.sys
3 usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - System32\DRIVERS\usbehci.sys
3 usbprint (Microsoft USB PRINTER Class) - System32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
3 USBSTOR (USB Mass Storage Driver) - System32\DRIVERS\USBSTOR.SYS
4 viaagp (VIA AGP Bus Filter) - \SystemRoot\System32\DRIVERS\viaagp.sys
4 ViaIde - \SystemRoot\System32\DRIVERS\viaide.sys
4 vsdatant -
3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - system32\DRIVERS\w810bus.sys
3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - system32\DRIVERS\w810obex.sys
3 WpdUsb - System32\Drivers\wpdusb.sys
4 WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - \SystemRoot\System32\drivers\ws2ifsl.sys
3 WSTCODEC (World Standard Teletext Codec) - System32\DRIVERS\WSTCODEC.SYS
0 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - system32\DRIVERS\WudfPf.sys
3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - system32\DRIVERS\wudfrd.sys
3 {6080A529-897E-4629-A488-ABA0C29B635E} (Intel(R) Graphics Platform (SoftBIOS) Driver) - system32\drivers\ialmsbw.sys
3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel(R) Graphics Chipset (KCH) Driver) - system32\drivers\ialmkchw.sys
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
3 Adobe LM Service - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
2 Fax - %systemroot%\system32\fxssvc.exe
2 IISADMIN (IIS Admin) - C:\WINDOWS\System32\inetsrv\inetinfo.exe
2 LexBceS (LexBce Server) - C:\WINDOWS\system32\LEXBCES.EXE
3 Macromedia Licensing Service - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
2 MDM (Machine Debug Manager) - "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
3 Pml Driver HPZ12 - C:\WINDOWS\System32\HPZipm12.exe
2 SMTPSVC (Simple Mail Transfer Protocol (SMTP)) - C:\WINDOWS\System32\inetsrv\inetinfo.exe
2 W3SVC (World Wide Web Publishing) - %SystemRoot%\System32\inetsrv\inetinfo.exe
2 WinDefend (Windows Defender) - "C:\Program Files\Windows Defender\MsMpEng.exe"
2 wltrysvc (Broadcom Wireless LAN Tray Service) - %SystemRoot%\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe
3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - "C:\Program Files\Windows Media Player\WMPNetwk.exe"
2 WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - %SystemRoot%\system32\svchost.exe -k WudfServiceGroup
-- Scheduled Tasks --------------------------------------------------------------
2007-02-16 10:59:09 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
-- Files created between 2007-01-16 and 2007-02-16 ------------------------------
2007-02-16 10:57:10 0 d-------- C:\WINDOWS\exefld
2007-02-16 09:30:46 0 d-------- C:\WINDOWS\pss
2007-02-14 14:20:19 6176 -ra------ C:\WINDOWS\system32\drivers\w810cmnt.sys<Signed: MCCI>
2007-02-14 14:20:19 6176 -ra------ C:\WINDOWS\system32\drivers\w810cm.sys<Signed: MCCI>
2007-02-14 14:20:18 83344 -ra------ C:\WINDOWS\system32\drivers\w810obex.sys<Signed: MCCI>
2007-02-14 14:17:26 5808 -ra------ C:\WINDOWS\system32\drivers\w810whnt.sys<Signed: MCCI>
2007-02-14 14:17:26 5808 -ra------ C:\WINDOWS\system32\drivers\w810wh.sys<Signed: MCCI>
2007-02-14 14:17:25 58288 -ra------ C:\WINDOWS\system32\drivers\w810bus.sys<Signed: MCCI>
2007-02-13 12:51:02 0 d-------- C:\Documents and Settings\Paul\Application Data\Uniblue
2007-02-12 20:18:49 0 d-------- C:\WINDOWS\system32\Kaspersky Lab<KASPER~1>
2007-02-12 19:48:58 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-02-12 19:28:00 385024 --a------ C:\WINDOWS\system32\IKAutoUp.exe<Unsigned: Ikarus Software Wien>
2007-02-12 19:28:00 57748 --a------ C:\WINDOWS\system32\GuardRights.exe<GUARDR~1.EXE><Unsigned: n/a>
2007-02-12 19:27:57 385024 --a------ C:\WINDOWS\system32\IkAutoUp.dat
2007-02-12 17:20:33 3968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys<Unsigned: GRISOFT, s.r.o.>
2007-02-12 10:07:42 0 d--hs---- C:\WINDOWS\CSC
2007-02-09 12:21:27 0 d-------- C:\Documents and Settings\Paul\Application Data\Intuit
2007-02-09 12:18:57 1933312 --a------ C:\WINDOWS\system32\cdintf251.dll<CDINTF~1.DLL><Signed: Amyuni Technologies>
2007-02-09 12:05:58 0 d-------- C:\Program Files\Common Files\Intuit
2007-02-09 12:05:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2007-02-09 11:59:06 0 d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES<COMMON~1>
2007-02-09 11:56:56 0 d-------- C:\Program Files\Common Files\SWF Studio<SWFSTU~1>
-- Find3M Report ----------------------------------------------------------------
2007-02-16 14:21:13 0 d-------- C:\Program Files\emule
2007-02-16 13:36:36 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-16 09:43:12 0 d-------- C:\Program Files\Grisoft
2007-02-16 09:33:38 0 d-------- C:\Program Files\Viewpoint<VIEWPO~1>
2007-02-16 09:10:54 0 d-------- C:\Program Files\Google
2007-02-14 09:02:59 0 d-------- C:\Program Files\Alexa Toolbar<ALEXAT~1>
2007-02-13 14:51:48 0 d-------- C:\Program Files\Paint Shop Pro 7<PAINTS~1>
2007-02-12 15:42:11 0 d-------- C:\Program Files\McAfee.com
2007-02-12 11:42:06 0 d-------- C:\Documents and Settings\Paul\Application Data\McAfee.com Personal Firewall<MCAFEE~1.COM>
2007-01-12 09:20:59 0 d-------- C:\Program Files\e-Campaign<E-CAMP~1>
2007-01-11 13:04:26 0 d-------- C:\Documents and Settings\Paul\Application Data\AdobeUM
2007-01-10 23:47:27 0 d-------- C:\Program Files\MaxBulk Mailer<MAXBUL~1>
2007-01-10 22:50:10 37 --ah----- C:\Documents and Settings\Paul\Application Data\MaxBulk registration.ini<MAXBUL~1.INI>
2007-01-10 22:49:40 0 d-------- C:\Documents and Settings\Paul\Application Data\Maxprog
2007-01-10 14:58:36 0 d-------- C:\Program Files\Java
2007-01-10 14:58:34 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-01-10 14:57:34 0 d-------- C:\Program Files\Email-Business<EMAIL-~1>
2007-01-10 14:13:15 0 d-------- C:\Program Files\WorldCast<WORLDC~1>
2007-01-10 14:11:21 0 d-------- C:\Program Files\Atomic Mail Sender<ATOMIC~1>
2007-01-02 22:38:10 5224 --a------ C:\WINDOWS\mozver.dat
2007-01-02 20:28:08 0 d-------- C:\Program Files\Windows Media Connect 2<WINDOW~4>
2007-01-02 09:20:58 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2006-12-17 21:15:45 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys<Unsigned: Meetinghouse Data Communications>
2006-12-17 21:14:57 0 d-------- C:\Program Files\Belkin
2006-12-17 14:35:49 0 d-------- C:\Program Files\McAfee
2006-12-17 14:29:01 0 d-------- C:\Program Files\Sky Broadband<SKYBRO~1>
-- Registry Dump ----------------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"XPRepairBusiness"="C:\\Program Files\\XP Repair Pro\\xprepairpro.exe /s"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Error Nuker"="C:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe autostart"
"removecpl"="RemoveCpl.exe"
"wltray.exe"="C:\\WINDOWS\\system32\\wltray.exe"
"WindowsServicesStartup"="C:\\DOCUME~1\\Paul\\LOCALS~1\\Temp\\svchost.exe 1"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_M_HOOK
-- End of ComboScan: finished at 2007-02-16 at 14:23:09 -------------------------
Angelfire777
2007-02-16, 16:44
Before we continue, I want you to run one more scan..
Download Gmer (http://www.majorgeeks.com/downloadget.php?id=5198&file=15&evp=3f18075291813a665b2a25536a70b307)
Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click "Rootkit" tab and click "Scan"
Once done, click "Copy"
Open Notepad and hit "ctrl+v" to paste the log.
Reconnect to the internet and post the log back to this thread please.
The file created by gmer was massive and I couldn't post it, so I have uploaded it to:
http://www.theonemillionmasterpiece.com/log.txt
Hope that's ok?
Angelfire777
2007-02-18, 14:23
Hi, I'm asking some experts about the GMER log you sent me..I'll have something for you soon :)
Angelfire777
2007-02-20, 15:19
Hi, I apologize for the delay...The gmer log you uploaded got expired and I didn't have a copy here in my machine..Can you please upload the whole log again and we'll have something for you soon :)
Hello, sorry for the delay. I have reposted at http://www.millionmasterpiece.com/help/comboscan.txt
Angelfire777
2007-02-22, 12:16
Hi, I'm sorry but the log you uploaded was comboscan log..What I need is the GMER log which I asked you to run on post # 13..
here it is http://www.millionmasterpiece.com/help/log.txt
Angelfire777
2007-02-24, 11:03
*Download avz4en.zip here (http://z-oleg.com/avz4en.zip)
Unzip it to a folder on your desktop
Double click on AVZ.exe
Click on the file tab and then click on System recovery
Put a checkmark next to Restore SafeBoot registry keys
Click on Execute selected operations
*You may want to print these instructions here or save them in notepad since you'll work offline.
Reboot into Safe Mode.
To enter Safe Mode..
Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.
_____________________
*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type gmer.bat in the File name and save it to your desktop.
gmer.exe -del service m_hook
gmer.exe -del file "C:\Documents and Settings\Paul\Application Data\hidires\m_hook.sys"
gmer.exe -del file "C:\WINDOWS\SYSTEM32\wintems.exe"
gmer.exe -del file "C:\WINDOWS\SYSTEM32\hldrrr.exe"
gmer.exe -del file "C:\Documents and Settings\Paul\Application Data\hidires\hidr.exe"
gmer.exe -del file "C:\Documents and Settings\Paul\Local Settings\temp\svchost.exe"
Locate gmer.bat on your Desktop and double-click on it.
*Configure your machine to view hidden files:
Windows XP
Click Start.
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.
*Using Windows Explorer, find and delete these folders
C:\WINDOWS\exefld
C:\Documents and Settings\Paul\Application Data\hidires
Empty your Recycle bin.
Reboot to normal mode.
_______________________
I would like you to scan a few files for me.
Please go HERE (http://virusscan.jotti.org/). Click browse then, navigate to this file:
C:\WINDOWS\system32\drivers\w810cmnt.sys
Then click submit.
Please post the results to your next reply.
If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
After all those, I want you to try and see if the Antivirus will install or work..If they work, please uninstall all other antivirus except for one.
We still have a lot to do after this..I just want to make sure that rootkit is gone so that nothing will interfere with the other fixes..
Please post back with a new HijackThis log, GMER log, jotti scan results and a description on how your machine is running.
OK all done.
VirusTotal found that w810cmnt.sys did not contain a virus.
I will post the GMER scan when finished.
Here is the fresh hijackthis log. The pc seems to be running ok and AVG Antivirus has successfully installed. I still cant connect to the internet because my list of available wireless networks is still unavailable for some reason. I'll be able to tell more later when GMER has finished scanning and I use the computer for a while.
Logfile of HijackThis v1.99.1
Scan saved at 09:35:26, on 26/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Paul\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-26 10:01:49
Windows 5.1.2600 Service Pack 2
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE EF078C8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE EF0757C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ EF07160A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE EF071AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION EF07C958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION EF07F821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA EF08838A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA EF087D49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS EF081BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION EF082331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION EF0904F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL EF078B37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL EF074948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL EF07E46B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN EF08F79D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL EF08EC4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP EF0752FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP EF08F1DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible EF08A1F9
---- EOF - GMER 1.0.12 ----
Hi jagr19,
Only helpers, warriors, experts and team spybot can reply to the threads here in malware removal section..If you wish to help, you can join the university at Malware Removal:
forum.malwareremoval.com
Angelfire777
Angelfire777
2007-02-26, 14:31
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Paul\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
Reboot
_____________________
Click Start > Run > copy and paste: services.msc
Find this service name: "Wireless Zero Configuration" then double click that service..
A new window will open. Under Service status, make sure it says "Started"; if not, click the Start button.
Under startup type, make sure it is set on "automatic"
Close the windows now.
_____________________
Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.
Reboot and post a fresh HijackThis log and tell me how is it now.
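Added example, not part of this thread or of HijackThis itself: a small Python script that applies the reasoning behind the checked entries above to the O4 lines of a HijackThis log. It flags an autorun launched from a temp or profile directory, a Windows binary name (svchost.exe) used outside System32, a Run value whose name does not match the binary it starts, a bare filename that Windows would locate by PATH search, and the same binary registered under both HKLM and HKCU Run. The sample log embedded in it is constructed from the O4 section of the 26/02/2007 log posted above; the heuristic names and thresholds are my own.

```python
"""Triage of HijackThis O4 (autorun) entries. Added example, not HijackThis code;
the heuristics are assumptions drawn from the entries flagged in this thread."""
import ntpath
import re

# One HijackThis O4 line, e.g.  O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Names malware borrows from Windows; genuine copies live only in System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
# Directories no legitimate autorun should launch from (8.3 short forms included).
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                "\\application data\\", "\\applic~1\\")


def parse_o4(line):
    """Return (hive, value_name, command) for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def exe_path(cmd):
    """Extract the executable path from a Run value, dropping quotes and arguments.
    Unquoted paths with spaces are cut after the first '.exe', which is enough for
    these logs but would truncate a path containing '.exe' in a directory name."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx >= 0 else cmd.split(" ")[0]


def triage(line):
    """Reasons one O4 line looks suspicious; an empty list means nothing was flagged."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _hive, name, cmd = parsed
    path = exe_path(cmd)
    low = path.lower()
    base = ntpath.basename(low)
    reasons = []
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("runs from a temp/profile directory")
    if base in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside System32")
    if name.lower().endswith(".exe") and name.lower() != base:
        reasons.append("value name %r does not match binary %r" % (name, base))
    if "\\" not in path:
        reasons.append("bare filename, located by PATH search")
    return reasons


def triage_log(text):
    """Map each flagged O4 line (stripped) to its reasons, in log order.
    Adds a cross-entry check: one binary registered under both HKLM and HKCU Run."""
    lines = [l.strip() for l in text.splitlines()]
    hives_by_path = {}
    for line in lines:
        parsed = parse_o4(line)
        if parsed:
            hives_by_path.setdefault(exe_path(parsed[2]).lower(), set()).add(parsed[0])
    findings = {}
    for line in lines:
        parsed = parse_o4(line)
        if parsed is None:
            continue
        reasons = triage(line)
        if len(hives_by_path[exe_path(parsed[2]).lower()]) > 1:
            reasons.append("same binary registered in both HKLM and HKCU Run")
        if reasons:
            findings[line] = reasons
    return findings


# Constructed sample: the O4 section of the 26/02/2007 log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\Paul\LOCALS~1\Temp\svchost.exe 1
O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - HKCU\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Paul\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"""

if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("    -", reason)
```

Run as a script it prints the flagged lines. On the sample it flags the five entries the helper asked to fix plus RemoveCpl.exe, which is listed only because it is a bare filename. Note that hldrrr.exe in System32 is caught solely by the HKLM/HKCU duplication rule; a single copy there passes every path check, so heuristics like these are a first pass, not a verdict, and an unrecognised binary still needs a scanner or a Jotti/VirusTotal submission as was done earlier in the thread.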
I've completed the first steps with Hijackthis, but when I try and start the Wireless Zero Configuration service I get the following error:
Error 1068: The dependency service or group failed to start
I've checked and the dependencies for Remote Zero Configuration are:
NDIS Usermode I/O Protocol
Remote Procedure Call (RPC)
Angelfire777
2007-02-27, 13:38
Hi,
I've checked and the dependencies for Remote Zero Configuration are:
NDIS Usermode I/O Protocol
Remote Procedure Call (RPC)
Click Start > Run > copy and paste: services.msc
Find this service name: "NDIS Usermode I/O Protocol" then double click that service..
A new window will open. Under Service status, make sure it says "Started"; if not, click the Start button.
Under startup type, make sure it is set on "automatic"
Do the same for this service: Remote Procedure Call (RPC)
then try to start the "Wireless Zero Configuration" service again..
If it is ok now, continue with the next instructions.
NDIS Usermode I/O Protocol is missing from the list, which I guess explains why the Wireless Zero Configuration wont start.
Do you know how I might restore it?
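Added example, not from the thread: a Python script modelling why Error 1068 appears. The service control manager will not start a service until every entry in its DEPENDENCIES list is running, so the diagnosis is to walk that list. The script parses `sc qc <name>` output, which is where the dependency list comes from on XP, and walks it recursively to report the first dependency that is not installed or is disabled. The `sc qc` text below is constructed, and the internal service names are my identification rather than something the thread states: Wireless Zero Configuration is wzcsvc, Remote Procedure Call (RPC) is RpcSs, and NDIS Usermode I/O Protocol is Ndisuio.

```python
"""Diagnosing 'Error 1068: The dependency service or group failed to start'.
Added example, not from the thread; the `sc qc` outputs below are constructed."""
import re

DISABLED = 4  # START_TYPE value of a disabled service


def parse_sc_qc(text):
    """Parse `sc qc` output into {'name', 'display_name', 'start_type', 'dependencies'}.
    DEPENDENCIES may span several lines; continuation lines begin with ':'.
    An entry starting with '+' names a load-order group rather than a service."""
    cfg = {"dependencies": []}
    m = re.search(r"SERVICE_NAME:\s*(\S+)", text)
    cfg["name"] = m.group(1) if m else None
    m = re.search(r"DISPLAY_NAME\s*:\s*(.*)", text)
    cfg["display_name"] = m.group(1).strip() if m else ""
    m = re.search(r"START_TYPE\s*:\s*(\d+)", text)
    cfg["start_type"] = int(m.group(1)) if m else None
    in_deps = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("DEPENDENCIES"):
            in_deps = True
            value = stripped.split(":", 1)[1].strip()
        elif in_deps and stripped.startswith(":"):
            value = stripped[1:].strip()
        else:
            in_deps = False
            continue
        if value:
            cfg["dependencies"].append(value)
    return cfg


def find_1068_cause(name, configs, states, _seen=None):
    """Return (service, reason) for the first dependency of `name` that blocks a start,
    or None when every dependency is installed and startable.
    configs: lowercase service name -> parse_sc_qc() result (absent = not installed)
    states:  lowercase service name -> 'RUNNING' / 'STOPPED', as shown by `sc query`"""
    seen = set() if _seen is None else _seen
    key = name.lower()
    if key in seen:  # guard against a dependency cycle
        return None
    seen.add(key)
    cfg = configs.get(key)
    if cfg is None:
        return (name, "not installed: no service entry")
    for dep in cfg["dependencies"]:
        if dep.startswith("+"):
            continue  # load-order group; group membership is not modelled here
        dkey = dep.lower()
        dcfg = configs.get(dkey)
        if dcfg is None:
            return (dep, "not installed: no service entry")
        if dcfg["start_type"] == DISABLED and states.get(dkey) != "RUNNING":
            return (dep, "disabled (START_TYPE 4)")
        deeper = find_1068_cause(dep, configs, states, seen)
        if deeper:
            return deeper
    return None


# Constructed `sc qc` output in the XP layout for the services named in the thread.
SC_QC_WZCSVC = r"""
SERVICE_NAME: wzcsvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\System32\svchost.exe -k netsvcs
        DISPLAY_NAME       : Wireless Zero Configuration
        DEPENDENCIES       : RpcSs
                           : Ndisuio
        SERVICE_START_NAME : LocalSystem
"""
SC_QC_RPCSS = r"""
SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost -k rpcss
        DISPLAY_NAME       : Remote Procedure Call (RPC)
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\NetworkService
"""
SC_QC_NDISUIO = r"""
SERVICE_NAME: Ndisuio
        TYPE               : 1   KERNEL_DRIVER
        START_TYPE         : 3   DEMAND_START
        BINARY_PATH_NAME   : System32\DRIVERS\ndisuio.sys
        DISPLAY_NAME       : NDIS Usermode I/O Protocol
        DEPENDENCIES       :
        SERVICE_START_NAME :
"""


def build_configs(*sc_outputs):
    """Index parsed `sc qc` outputs by lowercase service name."""
    return {c["name"].lower(): c for c in map(parse_sc_qc, sc_outputs)}


BROKEN = build_configs(SC_QC_WZCSVC, SC_QC_RPCSS)                 # Ndisuio absent, as in the thread
REPAIRED = build_configs(SC_QC_WZCSVC, SC_QC_RPCSS, SC_QC_NDISUIO)  # driver entry present again
STATES = {"rpcss": "RUNNING", "wzcsvc": "STOPPED"}

if __name__ == "__main__":
    print(find_1068_cause("wzcsvc", BROKEN, STATES))    # ('Ndisuio', 'not installed: no service entry')
    print(find_1068_cause("wzcsvc", REPAIRED, STATES))  # None
```

On the constructed table the walk stops at Ndisuio with "not installed", which matches the missing service reported above, and returns None once an entry for it exists. The script identifies which service to restore, not how to restore it; that part the thread leaves unresolved.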
Angelfire777
2007-03-01, 13:21
Hi,
Sorry for the delay but I'm still trying to find ways to restore your connection..Please hold on and I'll have something for you soon.
Angelfire777
2007-03-03, 09:00
Hi, I'm sorry but I have to redirect you to another site..I can only deal with the malware problems and my knowledge regarding windows troubleshooting is very limited..
We'll make sure you're clean first then I'll redirect you. Please post a fresh HijackThis log.
Hi again!
I've managed to get the pc back online (for now!). I've deleted all Java updates, but there is one that is refusing to uninstall : Java 2 Runtime Environment, SE v1.4.1_04
I haven't downloaded version 6 yet as the Sun website is down for maintenance. Here is a fresh Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 09:04:57, on 05/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Angelfire777
2007-03-05, 13:02
Hi,
I've managed to get the pc back online (for now!). I've deleted all Java updates, but there is one that is refusing to uninstall : Java 2 Runtime Environment, SE v1.4.1_04
What does it say when you try to uninstall?
Did you uninstall AVG7 or disable it? Some entries are missing in your log..
I just tried to open AVG and it said it had become corrupted. I've just reinstalled and it seems ok.
When trying to uninstall Java it goes through the entire process successfully, but it still appears in the add-remove programs list.
Here is a fresh Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:52:23, on 05/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\Paul\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\Paul\LOCALS~1\Temp\~e5d141.tmp
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theonemillionmasterpiece.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [wltray.exe] C:\WINDOWS\system32\wltray.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://uk.mcafee.com
O15 - Trusted Zone: http://www.thepaulfisherblog.com
O15 - Trusted Zone: http://www.webcamnow.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093018633843
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://www.webcamnow.com/voice/voice.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
Angelfire777
2007-03-06, 09:46
It's probably a leftover..
*I think the Java site is ok now. You can download the latest version there by following my instructions.
*If ever you'll have connection problems again, you can register here: www.pcpitstop.com and link to this thread here so they'll know what happened.
*Delete an Entry from the Uninstall List
Open HijackThis.
Click on the "Config..." button on the bottom right.
Click on the tab "Misc Tools."
Click on the Box that says "Uninstall Manager."
Click on "Java 2 Runtime Environment, SE v1.4.1_04"
Click on Delete this entry.
Click "Yes"
*Other than that, Congratulations! Your log looks clean!
Configure Windows XP to hide system files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading, select Do not show hidden files and folders.
Check the Hide protected operating system files option.
Click Yes to confirm.
Click OK.
_______________________
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.
Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other Firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.
» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://http//www.sunbelt-software.com/Kerio-Download.cfm)
Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)
IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.
Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Happy safe surfing!
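The three housekeeping steps in the post above (re-hiding system files through Folder Options, creating a fresh restore point, and the remark that the XP firewall does not filter outbound traffic) can be checked and applied from a script instead of clicking through dialogs. The block below is an added example written for this thread, not something the poster or the Spybot forum supplied. It assumes Windows Vista or later with Windows PowerShell (`Checkpoint-Computer`, `Enable-ComputerRestore`, `Get-ComputerRestorePoint`) run from an elevated prompt, and Windows 8 / Server 2012 or later for `Get-NetFirewallProfile`; Windows XP, the system in this thread, has the same Explorer registry values but not these cmdlets. The registry path and value meanings are the standard Explorer ones; the function names are my own.

```powershell
# Added example, not from the thread. Assumes an elevated Windows PowerShell
# session on Vista+ (restore-point cmdlets) and Windows 8+ (NetSecurity cmdlets).

# Explorer stores the "Folder Options > View" choices here (per user).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HiddenFileSettings {
    # Report the two values the post's Folder Options steps change.
    $p = Get-ItemProperty -Path $advanced
    [pscustomobject]@{
        # Hidden: 1 = show hidden files and folders, 2 = do not show them
        ShowsHiddenFiles      = ($p.Hidden -eq 1)
        # ShowSuperHidden: 1 = protected operating system files are visible
        ShowsProtectedOSFiles = ($p.ShowSuperHidden -eq 1)
    }
}

function Set-HiddenFilesConcealed {
    # Same end state as the post: hide hidden files and re-enable
    # "Hide protected operating system files".
    Set-ItemProperty -Path $advanced -Name Hidden -Value 2 -Type DWord
    Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 0 -Type DWord
    # Explorer reads these values at start-up; restarting it applies the change.
    Stop-Process -Name explorer -Force
}

function New-CleanRestorePoint {
    param([string]$Description = 'Post-cleanup baseline')   # hypothetical label
    # System Restore must be enabled on the system drive before a checkpoint
    # can be written; enabling it again when already on is harmless.
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    # Return the newest restore point so the caller can confirm it exists.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

function Get-OutboundFirewallPolicy {
    # The post's point: an "Allow" outbound default lets malware that is already
    # on the machine reach the internet. This shows the default per profile.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

# Usage (elevated):
Get-HiddenFileSettings
Set-HiddenFilesConcealed
New-CleanRestorePoint
Get-OutboundFirewallPolicy
```

Two caveats: on Windows 8 and later, `Checkpoint-Computer` silently skips the new point if one was created in the last 24 hours (governed by the `SystemRestorePointCreationFrequency` registry value), so check the returned object rather than assuming it succeeded; and removing the older, possibly infected restore points still goes through Disk Cleanup (`cleanmgr`, More Options tab) as the post describes, since there is no built-in cmdlet for that step.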
Thank you so much for your help. I have posted a request on PC Pitstop and hopefully I can get this issue sorted out too.
Many thanks! Paul
Angelfire777
2007-03-07, 14:58
Glad we could be of assistance :bigthumb:
Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.