View Full Version : win32.agent.ask HELP
Please can someone help me, I have been infected with the above nasty! Ive have installed,updated and run Spybot, AVG virus/spyware. Here is my HJT log
Logfile of HijackThis v1.99.1
Scan saved at 1:14:22 PM, on 4/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\F drive Program files\AVG Anti-Spyware 7.5\guard.exe
F:\FDRIVE~2\AVGANT~1\avgamsvr.exe
F:\FDRIVE~2\AVGANT~1\avgupsvc.exe
F:\F drive Program files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Explorer.EXE
F:\F drive Program files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\v6.exe
C:\Program Files\iPrimus iSpeed\propelac.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\v7.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\clcl5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Tom\LOCALS~1\Temp\Rar$EX01.546\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;ftp=proxy.iprimus.com.au:8080;gopher=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\F drive Program files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\iPrimus iSpeed\prpl_IePopupBlocker.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\F drive Program files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\Program Files\iPrimus iSpeed\propelac.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\system32\svehost.exe
O4 - HKLM\..\Run: [clcl6] C:\WINDOWS\system32\clcl6.exe
O4 - HKLM\..\RunOnce: [clcl5] command.com /c del C:\WINDOWS\system32\clcl5.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\F drive Program files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\iPrimus iSpeed\pac-addwl.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\iPrimus iSpeed\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\iPrimus iSpeed\pac-image.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{738CF286-92BB-4F5B-BEAC-F6B29A3BAADF}: NameServer = 203.134.17.90 211.26.25.90
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\F drive Program files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\FDRIVE~2\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\FDRIVE~2\AVGANT~1\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\F drive Program files\Comodo\Firewall\cmdagent.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: vwservice - Unknown owner - C:\WINDOWS\system32\vwsrv.exe
pskelley
2007-04-26, 14:36
G'Day and welcome to the forum, since I see no anti-virus scan results as required in the instructions: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at own risk.
Please make sure that you have read them.
These are backdoor trojans and I am not certain how severely they have compromised your system, you may want to read this information:
http://www.dslreports.com/faq/10451
http://www.dslreports.com/faq/10063
You also have this junk running in your services:
http://fileinfo.prevx.com/spyware/qqada089502141-VWSR38988966/VWSRV.EXE.html
1) You are running HJT.exe from a TEMP folder and we will have no backups for safety if needed. Move it here: C:\HJT\HijackThis.exe. If you need more instructions, use these:
http://russelltexas.com/malware/createhjtfolder.htm
Thanks to andymanchesta and anyone else who helped with the fix.
2) Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
3) You have AVG Anti-Spyware on board, use these instructions to run it:
http://forums.security-central.us/showthread.php?t=3165
Delete or quarantine anything it finds and save the scan report.
Restart the computer and post the Report.txt from SDFix, the scan report from AVG Anti-Spyware and a new HJT log.
Cheers
hi,
and a big thanks to all whom helped. I cant run the online virus checkers for some reason. Have updated all AVG virus and spyware. Ad-ware and Spybot. Moved HJT to F drive. Followed instructions as per advice. Here is a copy of the latest HJT log, SDfix log and AVG Spyware log.
Thanks for your time and effort.
Logfile of HijackThis v1.99.1
Scan saved at 8:48:39 AM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\F drive Program files\AVG Anti-Spyware 7.5\guard.exe
F:\FDRIVE~2\AVGANT~1\avgamsvr.exe
F:\FDRIVE~2\AVGANT~1\avgupsvc.exe
F:\F drive Program files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
F:\F drive Program files\Comodo\Firewall\CPF.exe
C:\Program Files\iPrimus iSpeed\propelac.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
F:\F drive Program files\Adobe\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\F drive folders\ROBs\Computer Tools\Hi Jac This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;ftp=proxy.iprimus.com.au:8080;gopher=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\F drive Program files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\iPrimus iSpeed\prpl_IePopupBlocker.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\F drive Program files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Propel Accelerator] C:\Program Files\iPrimus iSpeed\propelac.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\F drive Program files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\iPrimus iSpeed\pac-addwl.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\iPrimus iSpeed\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\iPrimus iSpeed\pac-image.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{738CF286-92BB-4F5B-BEAC-F6B29A3BAADF}: NameServer = 203.134.17.90 211.26.25.90
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\F drive Program files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\FDRIVE~2\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\FDRIVE~2\AVGANT~1\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\F drive Program files\Comodo\Firewall\cmdagent.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: vwservice - Unknown owner - C:\WINDOWS\system32\vwsrv.exe (file missing)
SDFix: Version 1.79
Run by Tom - Sat 04/28/2007 - 21:28:57.50
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found...
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Checking For Files with Hidden Attributes:
C:\Documents and Settings\Tom\NetHood\cache on webmail.westnet.com.au\Desktop.ini
Finished
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:51:03 PM 4/28/2007
+ Scan result:
Nothing found.
::Report end
Once again thanks for your time
pskelley
2007-04-30, 14:20
Thanks for returing your information, please review the instructions again:
http://forums.spybot.info/showthread.php?t=288
Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
It is preferable, and the log easier to read, if you do not use the [code] or [php] options.
Please uncheck "word wrap" until we are done, my scanners can not work with formatted logs.
When I scan this item: O23 - Service: vwservice - Unknown owner - C:\WINDOWS\system32\vwsrv.exe (file missing)
I get this: http://www.google.com/search?hl=en&q=vwsrv.exe+&btnG=Google+Search
http://fileinfo.prevx.com/spyware/qqada089502141-VWSR38988966/VWSRV.EXE.html
http://www.castlecops.com/O23.html
vwservice X vwsrv.exe Added by the Polynomial_Code_Exploit Note: Located in C:\WINDOWS\system32\
Let's get rid of that EXPLOIT and do a little cleaning.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Disable the Service
Click Start > Run and type services.msc
Scroll down to vwservice and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
4) Delete the Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type (vwservice) and press OK.
OK any prompts, close HijackThis, and restart your computer.
5) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O23 - Service: vwservice - Unknown owner - C:\WINDOWS\system32\vwsrv.exe (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\vwsrv.exe <<< delete that file
8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log, let me know how the computer is running now.
Thanks
Hi,
Thanks for your help. Not sure with HJT log word wrap, have it unchecked. Followed instructions. Here is the latest HJT log. It seems to be running better now.
Logfile of HijackThis v1.99.1
Scan saved at 9:28:33 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
F:\F drive Program files\AVG Anti-Spyware 7.5\guard.exe
F:\F drive Program files\Comodo\Firewall\CPF.exe
C:\Program Files\iPrimus iSpeed\propelac.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
F:\FDRIVE~2\AVGANT~1\avgamsvr.exe
F:\FDRIVE~2\AVGANT~1\avgupsvc.exe
F:\F drive Program files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\iPod\bin\iPodService.exe
F:\F drive Program files\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\F drive Program files\AVG antivirus\avgwb.dat
F:\F drive folders\ROBs\Computer Tools\Hi Jac This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;ftp=proxy.iprimus.com.au:8080;gopher=proxy.iprimus.com.au:8080;https=proxy.iprimus.com.au:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\F drive Program files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\iPrimus iSpeed\prpl_IePopupBlocker.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\F drive Program files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Propel Accelerator] C:\Program Files\iPrimus iSpeed\propelac.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\F drive Program files\Adobe\Reader\reader_sl.exe
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\iPrimus iSpeed\pac-addwl.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\iPrimus iSpeed\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\iPrimus iSpeed\pac-image.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{738CF286-92BB-4F5B-BEAC-F6B29A3BAADF}: NameServer = 203.134.17.90 211.26.25.90
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\F drive Program files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\FDRIVE~2\AVGANT~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\FDRIVE~2\AVGANT~1\avgupsvc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\F drive Program files\Comodo\Firewall\cmdagent.exe
O23 - Service: Fix-It Task Manager - V Communications, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Thanks for your time and help.
rob
pskelley
2007-05-03, 12:55
G'Day Rob, not sure why your log is spreading the way it is if "word wrap" is turned off in Notepad? This HijackThis log look clean:bigthumb: If you have no other malware issues, I would say you are good to go.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Cheers...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
pskelley
2007-05-07, 13:19
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks