View Full Version : fake windows alerts, slow and crashing
Ineedhelp
2007-03-23, 10:42
Hello,
My computer is completely slow and I'm getting these fake windows alerts, that say I have spyware. At first I thought they were real, and it asked me to put my windows cd in so it could fix some problem for "system stabillity," and who knows what that did. Also theres a file which adaware pointed out and i cant delete it.It's: windows\system32\dxclib303562752.dll
Any help is a life saver;I need to be abble to get back on line for my online school courses! Thanks Deme
Logfile of HijackThis v1.99.1
Scan saved at 1:11:04 AM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\inet.exe
C:\WINDOWS\iau1.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchhosts.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\mr godo\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [System64] C:\WINDOWS\system32\inet.exe
O4 - HKLM\..\Run: [Multimedia extensions] C:\WINDOWS\mservice1.exe
O4 - HKLM\..\Run: [Microsoft Office Quick Launcher] C:\WINDOWS\iau1.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunServices: [SystemTools32] C:\WINDOWS\system32\inet.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147721908875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147722478328
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Noaelbje.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
Hiya Ineedhelp and welcome to the Forums :)
One or more of the identified infections is a backdoor trojan :sick:
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)
I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.
Please let us know what you have decided to do in your next post:bigthumb:
Ineedhelp
2007-03-24, 04:04
Hi Mr. Jak,
THANKS for getting back. Well lets just try to get rid of this junk. fortunately I don't have any credit cards, so I doubt they have much they can steal from me.;) I ran "sdfix" and it got rid of the "windows alerts" but It's still slow and has popups.Heres the log: SDFix: Version 1.74
Run by mr godo - Fri 03/23/2007 - 17:06:41.03
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Runtime
ImagePath:
\??\C:\WINDOWS\System32\drivers\runtime.sys
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found...
ADS Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\tcpip.exe"="%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support"
"C:\\WINDOWS\\system32\\qwertybot.exe"="C:\\WINDOWS\\system32\\qwertybot.exe:*:Enabled:qwertybot"
Remaining Files:
---------------
Checking For Files with Hidden Attributes :
C:\Documents and Settings\mr godo\Shared\Microsoft Office XP PRO 2002 TESTED AND WORKS (word, excel, powerpoint, outlook, access, frontpage)\MSDE2000\SQLRESLD.DLL
C:\WINDOWS\system32\4CB5865AA0.dll
C:\Documents and Settings\mr godo\Application Data\??mbols\winword.exe
C:\Documents and Settings\mr godo\Application Data\?ssembly\attrib.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Windows Media Player\mplayer2.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\LocalService\Local Settings\Temp\win99C3.tmp
C:\Documents and Settings\LocalService\Local Settings\Temp\win99E6.tmp
C:\Documents and Settings\mr godo\Desktop\e-books\~WRL0844.tmp
C:\Documents and Settings\mr godo\Desktop\e-books\~WRL1181.tmp
C:\Documents and Settings\mr godo\Desktop\e-books\~WRL1477.tmp
C:\Documents and Settings\mr godo\Desktop\e-books\~WRL1823.tmp
C:\Documents and Settings\mr godo\Desktop\e-books\~WRL2319.tmp
C:\Documents and Settings\mr godo\Desktop\e-books\~WRL3477.tmp
C:\Documents and Settings\mr godo\Desktop\e-books\~WRL3723.tmp
C:\Documents and Settings\mr godo\Desktop\school down\~WRL0168.tmp
C:\Documents and Settings\mr godo\Desktop\school down\~WRL1755.tmp
C:\Documents and Settings\mr godo\Desktop\school down\~WRL3805.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e50a4b34f51ec6965df68a8e417aeeb4\BIT28.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e91c174a5c7761c32bfba674512023d6\BIT16.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
Finished
thks!
Hi again :)
Good work, SDFix would have been the next step. Please post a fresh Hijackhtis log to here and we'll clean the remainings :bigthumb:
Ineedhelp
2007-03-27, 02:11
Hi jak,
Well my computer actually went down, but luckily my little brother was abble to mess with it a bit and get it back on line. What happened was i was running an avg check and sudenly it just went out; It would restart and get to the windows thing, then restart again and again. Honestly what do these people get out of f**king people over:eek: Well, here's my hjt log. I think what ever the virus is has disabled both avg and windows defender. thks again!!! P.s. also this file is still there:dxclib303562752.dll :mad:
Logfile of HijackThis v1.99.1
Scan saved at 2:56:29 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\mr godo\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
F3 - REG:win.ini: load=???�?�
F3 - REG:win.ini: run=???�?�
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147721908875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147722478328
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Noaelbje.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
Ineedhelp
2007-03-27, 02:56
Also, whatever this is has dissabled java so some websites arent working right and i cant watch videos on utube!!:sad:
Hiya :)
You're still infected.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Ineedhelp
2007-03-27, 22:57
Hello good sir, :bigthumb:
here it is:
"mr godo" - 07-03-27 12:25:09 Service Pack 2
ComboFix 07-03-27.4 - Running from: "C:\Documents and Settings\mr godo\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\cfg32.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\WINDOWS\system32\4_exception.nls
C:\WINDOWS\system32\vexg6ame4.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\Dxcuknwrd.dll
C:\DOCUME~1\MRGODO~1\APPLIC~1\Dxcdmns.dll
C:\DOCUME~1\MRGODO~1\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\MRGODO~1\APPLIC~1\Dxcuknwrd.dll
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\Program Files\Common Files\{3889C~1\UnInstall.exe
C:\WINDOWS\system32\bkd.exe
C:\Documents and Settings\All Users.\documents\settings
C:\Program Files\outerinfo
C:\WINDOWS\system32\bund1
C:\Program Files\Common Files\{3889C~1
C:\Program Files\Common Files\{C889C~1
C:\Program Files\deluxecommunications\Dxc.exe
C:\Program Files\deluxecommunications\DxcBho.dll
C:\Program Files\deluxecommunications\DxcCore.dll
C:\WINDOWS\system32\dxclib~1.dll
C:\Program Files\deluxecommunications
((((((((((((((((((((((((((((((( Files Created from 2007-02-27 to 2007-03-27 ))))))))))))))))))))))))))))))))))
2007-03-27 12:18 <DIR> d-------- C:\DOCUME~1\MRGODO~1\APPLIC~1\Motive
2007-03-26 14:23 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-03-26 14:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-03-26 02:35 <DIR> d-------- C:\Program Files\CA
2007-03-26 02:09 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Spyware Terminator
2007-03-26 01:51 135,936 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-03-26 01:51 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Spyware Terminator
2007-03-26 01:48 <DIR> d-------- C:\Program Files\WinClamAVShield
2007-03-26 01:45 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-03-26 01:45 <DIR> d-------- C:\DOCUME~1\MRGODO~1\APPLIC~1\Spyware Terminator
2007-03-26 01:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-03-26 01:44 <DIR> d-------- C:\DOCUME~1\MRGODO~1\APPLIC~1\PC Tools
2007-03-26 01:42 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2007-03-26 01:42 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2007-03-26 01:42 15,360 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2007-03-26 01:41 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-03-26 01:41 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2007-03-26 01:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-03-24 21:46 <DIR> d-------- C:\WINDOWS\pss
2007-03-24 21:39 <DIR> d-------- C:\WINDOWS\Prefetch
2007-03-24 21:07 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-03-24 21:07 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-03-23 14:50 <DIR> d-------- C:\VundoFix Backups
2007-03-23 14:44 1,584 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-23 14:38 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-23 14:38 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-23 14:38 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-23 14:38 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-23 14:38 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-23 14:38 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-22 22:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-03-22 20:50 2,916 --a------ C:\smitfra.reg
2007-03-22 20:49 141,888 --a------ C:\smitfrau.reg
2007-03-22 13:37 <DIR> d--h----- C:\Program Files\BHO Plugin
2007-03-21 12:18 0 --a------ C:\ifroql.exe
2007-03-21 12:13 64,000 --a------ C:\WINDOWS\system32\oqnryqb.dll
2007-03-21 12:13 48,640 --a------ C:\WINDOWS\system32\kbwrpg.dll
2007-03-21 12:12 221,184 --a------ C:\WINDOWS\system32\psc_mon.exe
2007-03-21 12:11 88,367 --a------ C:\WINDOWS\itpb_3.exe
2007-03-21 12:07 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-03-21 12:05 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-03-21 12:05 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-03-21 12:05 <DIR> d-------- C:\Program Files\Ofb11
2007-03-21 01:51 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-19 23:30 30,720 --a------ C:\WINDOWS\msiau1.dll
2007-03-19 23:30 30,720 --a------ C:\WINDOWS\iau1.exe
2007-03-09 18:43 <DIR> d-------- C:\DOCUME~1\MRGODO~1\Contacts
2007-03-09 18:41 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-03-09 18:41 <DIR> d-------- C:\Program Files\MSN Messenger
2007-03-03 05:13 56,832 --a------ C:\WINDOWS\system32\meyonq.dll
2007-03-03 05:13 2 --a------ C:\WINDOWS\system32\wnstssv.exe
2007-03-03 05:13 <DIR> d-------- C:\DOCUME~1\MRGODO~1\APPLIC~1\?ssembly
2007-03-03 05:13 <DIR> d-------- C:\DOCUME~1\MRGODO~1\APPLIC~1\??mbols
2007-02-27 01:31 <DIR> d-------- C:\Program Files\SecondLifeFirstLook
2007-02-27 01:12 <DIR> d-------- C:\DOCUME~1\MRGODO~1\APPLIC~1\SecondLife
2007-02-27 01:11 <DIR> d-------- C:\Program Files\SecondLife
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-26 14:37 -------- d-------- C:\Program Files\windows defender
2007-03-26 14:37 -------- d-------- C:\Program Files\windows defender
2007-03-26 02:03 -------- d-------- C:\Program Files\resumemaker
2007-03-26 02:03 -------- d-------- C:\Program Files\resumemaker
2007-03-24 21:24 23328 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-24 21:21 -------- d-------- C:\Program Files\messenger
2007-03-24 21:21 -------- d-------- C:\Program Files\messenger
2007-03-23 13:17 318 --a------ C:\delete.bat
2007-03-21 01:55 -------- d-------- C:\Program Files\java
2007-03-21 01:55 -------- d-------- C:\Program Files\java
2007-02-27 01:34 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-02-10 03:03 268704 --a------ C:\WINDOWS\ofb11_setup.exe
2007-02-01 20:18 60416 --a------ C:\WINDOWS\ic5.exe
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-13 20:55 108741 --a------ C:\WINDOWS\hpoins08.dat
2007-01-09 01:09 80 -rahs---- C:\WINDOWS\system32\4cb5865aa0.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="?�"
"hkey"="HKCU"
"command"="?�"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Management Console]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lssas1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\lssas1.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Office Quick Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iau1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\iau1.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Multimedia extensions]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mservice1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\mservice1.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="?�"
"hkey"="HKCU"
"command"="?�"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Internet Explorer"="{F28A40D7-AD0E-034A-C651-5F0ED76232E6}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-03-27 12:45:10
Ineedhelp
2007-03-28, 00:34
Mr Jak!!:D:
Here is a new hjt. P.s. you'r my hero man!!:ninja: Do you know how i can reset my java? When i go to lots of websites it says "your security settings don't allow the use of activex controls," and java isn't working for playing videos on utube either:mad: I tried reinstalling java but that did'nt do it..Alright thks..
Logfile of HijackThis v1.99.1
Scan saved at 2:26:58 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Documents and Settings\mr godo\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/verizon/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147721908875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147722478328
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Noaelbje.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
Hi again, we'll continue :)
Let'get you cleaned first, then we may check the Java.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Open AVG Anti-Spyware
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Management Console]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Office Quick Launcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Multimedia extensions]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Internet Explorer"=-
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Noaelbje.dll (file missing)
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\ifroql.exe
C:\WINDOWS\system32\oqnryqb.dll
C:\WINDOWS\system32\kbwrpg.dll
C:\WINDOWS\system32\psc_mon.exe
C:\WINDOWS\itpb_3.exe
C:\WINDOWS\msiau1.dll
C:\WINDOWS\iau1.exe
C:\WINDOWS\system32\meyonq.dll
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\Noaelbje.dll
C:\WINDOWS\ofb11_setup.exe
C:\WINDOWS\ic5.exe
C:\WINDOWS\system32\4cb5865aa0.dll
C:\WINDOWS\lssas1.exe
C:\WINDOWS\mservice1.exe
Go to the My Computer and delete the following folders (if present):
C:\Program Files\BHO Plugin
C:\WINDOWS\system32\micro1
C:\Documents and Settings\mr godo\Application Data\?ssembly Note: ? is some random chracter. DO NOT DELETE THE FOLDER NAMED "Assembly"
C:\Documents and Settings\mr godo\Application Data\??mbols Note: ?? are some random chracters. DO NOT DELETE THE FOLDER NAMED "Symbols"
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
Ineedhelp
2007-03-31, 04:30
Good sir mr Jak,
here are what you requested.It seems Im getting popups now though... ughh..
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 4:56:11 PM 3/30/2007
+ Scan result:
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0019200.exe -> Adware.888Bar : Cleaned with backup (quarantined).
C:\Program Files\WinBudget\bin\crap.1168554195.old -> Adware.BHO : Cleaned with backup (quarantined).
C:\Program Files\WinBudget\bin\matrix.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP3\A0004174.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0019192.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP3\A0004171.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\mr godo\Application Data\ѕуmbols\winword.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP9\A0019717.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP9\A0019711.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\WINDOWS\rk.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\WINDOWS\system32\isc_cpl.cpl -> Adware.SecurityCenter : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP3\A0004176.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP3\A0004177.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP3\A0004178.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0018970.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0018971.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0018972.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0019259.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0019264.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0019266.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0019267.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP9\A0019716.exe -> Adware.UltimateDefender : Cleaned with backup (quarantined).
C:\Documents and Settings\mr godo\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\9775879F-6D24-4278-B10B-46F842\85A194AF-FBFB-49B7-B218-B3BF54 -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Documents and Settings\mr godo\Application Data\аssembly\attrib.exe -> Downloader.Age : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP5\A0004310.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\WINDOWS\system32\setup9X.exe -> Downloader.VB.afp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP9\A0019709.exe -> Hijacker.VB.qf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP9\A0019710.dll -> Hijacker.VB.qf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP3\A0004170.exe -> Proxy.Small.osw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP4\A0004253.dll -> Proxy.Xorpix.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D4D4E9F-92DE-42F3-B2B4-9F093AA09EB5}\RP9\A0019708.exe -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
-----------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:25:47 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\M-Audio MobilePre\MPTask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\mr godo\Desktop\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O16 - DPF: Yahoo! Chess - http://download2.games.yahoo.com/games/clients/y/ct5_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc.com/ppcos/ISP60/Download/ppcwebi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147721908875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147722478328
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
:eek:
Ok we'll continue :)
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
:scratch:
Due to lack of a response, this topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.