My Log please take a Look !


19 replies to this topic

#1 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 01 May 2007 - 06:25 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:17:30 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Gran Paradiso\firefox.exe
C:\DOCUME~1\HP_OWN~1.001\LOCALS~1\Temp\Rar$EX01.688\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [VisualTooltip] "C:\Program Files\VisualTooltip\VisualToolTip.exe"
O4 - HKLM\..\Run: [Styler] "C:\Program Files\Styler\Styler.exe"
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Serviço de protocolo Microsoft SSVP (svchostx) - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)


#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 02 May 2007 - 12:06 AM

Hi Revos, Welcome to the forum


Go to Start > Run > and copy and paste

sc delete svchostx

Press OK. You will just notice the cmd screen flash on and then off again; the service will then be marked for deletion. Please then reboot the PC.

After reboot download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall

Finally run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Please then post back the combofix log, the Kaspersky log and a new HijackThis log

Cheers

Andy
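
The service Andy singles out above shows the three signs a helper looks at first in an O23 line: "Unknown owner", a binary reported as "(file missing)", and an svchost.exe that sits in \WINDOWS\system rather than \system32. The Python script below is an added example, not code from the thread or from HijackThis; it parses O23 lines, flags those three indicators and emits the same `sc delete <key>` step Andy gives. The sample lines embedded in it are copied from the log posted above; the indicator names and the CORE_BINARIES list are this example's own choices.

```python
"""Triage HijackThis O23 (service) lines for the signs a helper looks at first.

Added example for this thread, not code from HijackThis or from the poster.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 layout: "O23 - Service: <display> (<key>) - <owner> - <path> [(file missing)]".
# HijackThis appends "(file missing)" when the service binary is not on disk.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# The registry key name (what sc.exe needs) is shown in trailing parentheses
# only when it differs from the display name.
KEY_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<key>[^()]+)\)$")

# Core Windows binaries that legitimately live only under \system32 (example's own list).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}

# Sample input: three O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Serviço de protocolo Microsoft SSVP (svchostx) - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
"""


@dataclass
class ServiceEntry:
    display: str
    key: str
    owner: str
    path: str
    file_missing: bool
    findings: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one log line; return None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    km = KEY_RE.match(name)
    display, key = (km.group("display"), km.group("key")) if km else (name, name)
    return ServiceEntry(display, key, m.group("owner"), m.group("path"),
                        m.group("missing") is not None)


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach the findings a helper would flag on this entry."""
    if entry.owner.lower() == "unknown owner":
        entry.findings.append("unknown-owner")
    if entry.file_missing:
        entry.findings.append("file-missing")
    parts = entry.path.lower().split("\\")
    basename = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""
    # C:\WINDOWS\system\svchost.exe mimics the real svchost but is not in system32.
    if basename in CORE_BINARIES and parent != "system32":
        entry.findings.append("core-binary-outside-system32")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Return only the O23 entries that raised at least one finding."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None and assess(entry).findings:
            flagged.append(entry)
    return flagged


def remediation(entry: ServiceEntry) -> str:
    """The step given in the thread: sc.exe deletes a service by key name, not display name."""
    return f"sc delete {entry.key}"


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.key}: {', '.join(e.findings)} -> {remediation(e)}")
```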

#3 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 02 May 2007 - 05:36 PM

ComboFix
"HP_Owner" - 07-05-02 13:18:50	Service Pack 2  
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B.001\Desktop\"


(((((((((((((((((((((((((((((((   Files Created from 2007-04-02 to 2007-05-02  ))))))))))))))))))))))))))))))))))


2007-05-02 07:36	49,152	--a------	C:\WINDOWS\nircmd.exe
2007-05-01 14:40	<DIR>	d--------	C:\Program Files\Qlock
2007-04-27 07:58	<DIR>	d--------	C:\DOCUME~1\HP_OWN~1.001\Contacts
2007-04-27 07:56	<DIR>	d----c---	C:\WINDOWS\system32\DRVSTORE
2007-04-23 20:18	<DIR>	d--------	C:\Program Files\Scriptocean
2007-04-21 10:51	<DIR>	d--------	C:\j2sdk1.4.2_14
2007-04-19 22:57	<DIR>	d--------	C:\Program Files\TopDesk
2007-04-18 17:06	<DIR>	d--------	C:\WINDOWS\RebirthRO Full Client
2007-04-18 17:06	<DIR>	d--------	C:\Program Files\RebirthRO
2007-04-12 06:25	<DIR>	d--------	C:\WINDOWS\Performance
2007-04-12 06:25	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Corporation
2007-04-10 18:15	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-10 17:53	<DIR>	d--------	C:\Program Files\Common Files\Macrovision Shared
2007-04-09 23:20	<DIR>	d--------	C:\Program Files\SatelliteTVforPC
2007-04-09 23:19	<DIR>	d--------	C:\WINDOWS\uninstall
2007-04-06 15:09	<DIR>	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\MSN6
2007-04-05 17:51	<DIR>	d--------	C:\Program Files\Alcohol Soft
2007-04-04 16:01	<DIR>	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\vlc
2007-04-02 15:00	<DIR>	d--------	C:\Program Files\Common Files\Thraex Software


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-02 07:36	--------	d--------	C:\Program Files\gran paradiso
2007-05-01 08:24	--------	d--------	C:\Program Files\spywareblaster
2007-04-24 17:42	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\u3
2007-04-22 15:08	--------	d--------	C:\Program Files\lx_cats
2007-04-21 12:36	7943	--a--c---	C:\WINDOWS\mozver.dat
2007-04-18 09:51	--------	d--------	C:\Program Files\mcafee
2007-04-14 08:16	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\limewire
2007-04-14 07:57	--------	d--------	C:\Program Files\itunes
2007-04-14 07:57	--------	d--------	C:\Program Files\ipod
2007-04-14 07:54	--------	d--------	C:\Program Files\quicktime
2007-04-14 07:52	--------	d--------	C:\Program Files\apple software update
2007-04-01 20:33	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\sopcast
2007-04-01 20:25	--------	d--------	C:\Program Files\sopcast
2007-04-01 13:03	--------	d--h-----	C:\Program Files\installshield installation information
2007-04-01 12:50	98304	--a------	C:\WINDOWS\system32\cmdlineext.dll
2007-03-29 23:13	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\lavasoft
2007-03-29 23:12	--------	d--------	C:\Program Files\lavasoft
2007-03-28 19:39	--------	d--------	C:\Program Files\apache software foundation
2007-03-27 14:37	--------	d--------	C:\Program Files\CCleaner
2007-03-26 15:35	--------	d--------	C:\Program Files\mozilla thunderbird
2007-03-26 15:24	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\thunderbird
2007-03-23 16:56	639224	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2007-03-21 19:24	--------	d--------	C:\Program Files\lexmark fax solutions
2007-03-16 22:52	64512	--ah-----	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\dach100.dll
2007-03-16 20:02	216	--ah-----	C:\WINDOWS\winshell.dat
2007-03-15 16:27	2368	--a------	C:\WINDOWS\system32\svkp.sys
2007-03-13 17:19	--------	d--------	C:\Program Files\collage maker
2007-03-12 21:18	14	--a------	C:\WINDOWS\system32\systeminfo32.sys
2007-03-12 21:17	--------	d--------	C:\Program Files\dvd x studios
2007-03-12 19:54	--------	d--------	C:\Program Files\nero
2007-03-12 17:06	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\real
2007-03-12 17:04	--------	d--------	C:\Program Files\Common Files\xing shared
2007-03-12 17:04	--------	d--------	C:\Program Files\Common Files\real
2007-03-12 16:58	--------	d--------	C:\Program Files\uniblue
2007-03-12 16:58	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\uniblue
2007-03-12 09:22	--------	d--------	C:\Program Files\limewire
2007-03-11 23:54	--------	d--------	C:\Program Files\msbuild
2007-03-11 23:54	--------	d--------	C:\Program Files\microsoft works
2007-03-11 02:12	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\help
2007-03-11 00:58	--------	d--------	C:\Program Files\vista sidebar
2007-03-11 00:23	--------	d--------	C:\Program Files\mcafee.com
2007-03-10 23:46	--------	d--------	C:\Program Files\styler
2007-03-10 23:46	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\styler
2007-03-10 23:43	--------	d--------	C:\Program Files\visualtooltip
2007-03-10 23:43	--------	d--------	C:\Program Files\blaero start orb
2007-03-10 23:43	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\stardock
2007-03-10 23:42	--------	d--------	C:\Program Files\lclock
2007-03-10 23:38	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\winrar
2007-03-10 23:32	--------	d--------	C:\DOCUME~1\HP_OWN~1.001\APPLIC~1\talkback
2007-03-10 23:28	--------	d--------	C:\Program Files\Common Files\symantec shared
2007-03-10 23:09	--------	d--------	C:\Program Files\hp
2007-03-10 23:06	--------	d--------	C:\Program Files\hewlett-packard
2007-03-10 22:31	--------	d--------	C:\Program Files\windows nt
2007-03-10 18:53	--------	d--------	C:\Program Files\lexmark 6200 series
2007-03-08 20:16	--------	d--------	C:\Program Files\wildtangent
2007-03-06 18:07	2560	--a------	C:\WINDOWS\_msrstrt.exe
2007-03-02 14:16	109608	--a------	C:\WINDOWS\system32\drivers\Mpfp.sys
2007-03-01 05:36	57344	--a------	C:\WINDOWS\rsver.dll


((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}	C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}	c:\program files\mcafee\virusscan\scriptcl.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6}	C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VisualTooltip"="\"C:\\Program Files\\VisualTooltip\\VisualToolTip.exe\""
"Styler"="\"C:\\Program Files\\Styler\\Styler.exe\""
"LXBUCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBUtime.dll,_RunDLLEntry@16"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~2\\Ad-Watch.exe\""
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
   Authentication Packages	REG_MULTI_SZ   	msv1_0\
   Security Packages	REG_MULTI_SZ   	kerberosmsv1_0schannelwdigest\
   Notification Packages	REG_MULTI_SZ   	scecli\

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS
 
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ   	HTTPFilter\
LocalService	REG_MULTI_SZ   	AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService	REG_MULTI_SZ   	DnsCache\
DcomLaunch	REG_MULTI_SZ   	DcomLaunchTermService\
rpcss	REG_MULTI_SZ   	RpcSs\
imgsvc	REG_MULTI_SZ   	StiSvc\
termsvcs	REG_MULTI_SZ   	TermService\
WudfServiceGroup	REG_MULTI_SZ   	WUDFSvc\


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{acadf16a-d199-11db-86f7-00112f62d4a5}]
Shell\AutoRun\command	K:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AA461FA6918194CA.job
C:\WINDOWS\tasks\AAA79A269164168A.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-02 13:27:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-02 13:28:08
C:\ComboFix-quarantined-files.txt ... 07-05-02 13:28
C:\ComboFix2.txt ... 07-05-02 07:36

HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 1:34:47 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\Styler\Styler.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Gran Paradiso\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\DOCUME~1\HP_OWN~1.001\LOCALS~1\Temp\Rar$EX00.296\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [VisualTooltip] "C:\Program Files\VisualTooltip\VisualToolTip.exe"
O4 - HKLM\..\Run: [Styler] "C:\Program Files\Styler\Styler.exe"
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
Sorry, but any time I click on Kaspersky Online Scanner
a window pops up but disappears right after.

#4 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 02 May 2007 - 06:14 PM

Cheers Revos

Download Deljob.exe and save it on your desktop.
Double-click Deljob.exe.
If the PC is infected, you'll get a message that "Suspicious files" are found, and the suspicious files look similar to: B2DRF32OI6483931.job (random numbers and letters);
then select option 2 by typing 2 and hitting Enter.

A log, (logit.txt) should open afterwards. This log will be present on your desktop. Post the contents of the logfile in your next reply.

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.

Next generate a report of the Add/Remove screen entries:
Open Hijackthis, and click the Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Can you then try resetting your IE security settings and then try Kaspersky again.

Open an IE browser window, then go to Tools on the top bar, then Internet Options
  • Go to the Advanced tab and press Restore Defaults
  • Go to the Security tab; it will then be highlighting the Internet Zone. Press Custom Level, then press Reset and Yes on the pop-up confirmation box, then click OK and OK again to close the Security Settings screen.
Then try Kaspersky again using Internet Explorer. If it doesn't run, then please run one of these online scanners and post back the log

Panda Activescan

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back.

Bit Defender
  • read the EULA and click 'I agree' if you wish to proceed with the scan
  • When prompted for the install and run click 'yes'
  • Choose your country and click 'ok'
  • Place a 'check' in all boxes under scan options
  • Place a check in the 'My Computer' under Target Selection
  • Click 'start scanning' to begin
  • Save the Log file for posting back here.
Let us know if you have any problems

Thanks

Andy

#5 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 03 May 2007 - 03:14 PM

Bitdefender Scan
BitDefender Online Scanner

Scan report generated at: Thu, May 03, 2007 - 11:03:02

Scan path: C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;

Statistics
  Time: 03:38:19
  Files: 898578
  Folders: 12318
  Boot Sectors: 3
  Archives: 22324
  Packed Files: 58892

Results
  Identified Viruses: 9
  Infected Files: 14
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 14

Engines Info
  Virus Definitions: 503798
  Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
  Scan plugins: 14
  Archive plugins: 38
  Unpack plugins: 6
  E-mail plugins: 6
  System plugins: 1

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0002
  Infected with: Dropped:Trojan.Hacktool.Freezer.B
  Disinfection failed
  Deleted
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
  Update failed

C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0004
  Infected with: Trojan.Spy.Winspy.G
  Disinfection failed
  Deleted
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
  Update failed

C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0010
  Infected with: Trojan.WinSpy.Z
  Disinfection failed
  Deleted
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
  Update failed

C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0016
  Infected with: Backdoor.Vb.BAL
  Disinfection failed
  Deleted
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
  Update failed

C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0024
 Infected with: Backdoor.VB.KV
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0024
 Disinfection failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0024
 Deleted
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
 Update failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0026
 Infected with: Backdoor.Genlot.KN
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0026
 Disinfection failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0026
 Deleted
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
 Update failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0028
 Infected with: Trojan.WinSpy.Z
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0028
 Disinfection failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0028
 Deleted
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
 Update failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0030
 Infected with: Trojan.Spy.Agent.PX
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0030
 Disinfection failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0030
 Deleted
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
 Update failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0031
 Infected with: Trojan.WinSpy.Z
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0031
 Disinfection failed
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)=>bzip2_nsis0031
 Deleted
 
C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe=>(NSIS o)
 Update failed
 
C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B.001\Local Settings\Application Data\Mozilla\Firefox\Profiles\1xovmqdp.default\Cache\3451AB3Ad01=>SEXLoaderNA.exe
 Infected with: Trojan.Inject.AS
 
C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B.001\Local Settings\Application Data\Mozilla\Firefox\Profiles\1xovmqdp.default\Cache\3451AB3Ad01=>SEXLoaderNA.exe
 Disinfection failed
 
C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B.001\Local Settings\Application Data\Mozilla\Firefox\Profiles\1xovmqdp.default\Cache\3451AB3Ad01=>SEXLoaderNA.exe
 Deleted
 
C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B.001\Local Settings\Application Data\Mozilla\Firefox\Profiles\1xovmqdp.default\Cache\3451AB3Ad01
 Update failed
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP121\A0034526.dll
 Infected with: Backdoor.Vb.BAL
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP121\A0034526.dll
 Disinfection failed
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP121\A0034526.dll
 Deleted
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP121\A0034527.exe
 Infected with: Backdoor.Genlot.KN
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP121\A0034527.exe
 Disinfection failed
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP121\A0034527.exe
 Deleted
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP38\A0011347.exe=>(Embedded EXE 2o)
 Infected with: Trojan.Spy.Banker.AHG
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP38\A0011347.exe=>(Embedded EXE 2o)
 Disinfection failed
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP38\A0011347.exe=>(Embedded EXE 2o)
 Deleted
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP38\A0011347.exe
 Update failed
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP43\A0016816.exe=>(Embedded EXE 2o)
 Infected with: Trojan.Spy.Banker.AHG
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP43\A0016816.exe=>(Embedded EXE 2o)
 Disinfection failed
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP43\A0016816.exe=>(Embedded EXE 2o)
 Deleted
 
C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP43\A0016816.exe
 Update failed
 
C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
 Clean

DelJob report
-------------------------------------------------------- 
BACKUPS CREATED in C:\DELJOB 
 
AA461FA6918194CA.job
AAA79A269164168A.job
-------------------------------------------------------- 
FILES IN TASKS FOLDER 
 
AppleSoftwareUpdate.job
Check Updates for Windows Live Toolbar.job
McDefragTask.job
McQcTask.job
Symantec NetDetect.job
-------------------------------------------------------- 
EXPORT APP DATA FOLDERS 
 
 Volume in drive C is HP_PAVILION
 Volume Serial Number is 4C20-45EF

 Directory of C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B.001\Application Data

04/06/2007  03:09 PM	<DIR>					   .
04/06/2007  03:09 PM	<DIR>					   ..
04/10/2007  06:16 PM	<DIR>					   Adobe
03/31/2007  09:04 PM	<DIR>					   Ahead
03/22/2007  07:01 PM	<DIR>		  APPLEC~1	 Apple Computer
03/11/2007  02:12 AM	<DIR>					   Help
08/07/2004  02:03 PM	<DIR>		  IDENTI~1	 Identities
03/29/2007  11:13 PM	<DIR>					   Lavasoft
04/14/2007  08:16 AM	<DIR>					   LimeWire
03/12/2007  09:07 PM	<DIR>		  MACROM~1	 Macromedia
04/27/2007  07:58 AM	<DIR>		  MICROS~1	 Microsoft
03/26/2007  03:24 PM	<DIR>					   Mozilla
04/06/2007  03:09 PM	<DIR>					   MSN6
03/12/2007  05:06 PM	<DIR>					   Real
08/07/2004  04:59 PM	<DIR>		  SAMPLE~1	 SampleView
04/01/2007  08:33 PM	<DIR>					   SopCast
03/10/2007  11:43 PM	<DIR>					   Stardock
03/10/2007  11:46 PM	<DIR>					   Styler
08/07/2004  02:37 PM	<DIR>					   Sun
08/08/2004  09:56 AM	<DIR>					   Symantec
03/10/2007  11:32 PM	<DIR>					   Talkback
03/26/2007  03:24 PM	<DIR>		  THUNDE~1	 Thunderbird
04/24/2007  05:42 PM	<DIR>					   U3
03/12/2007  04:58 PM	<DIR>					   Uniblue
04/04/2007  04:01 PM	<DIR>					   vlc
03/10/2007  11:38 PM	<DIR>					   WinRAR
			   0 File(s)			  0 bytes
			  26 Dir(s)  90,535,596,032 bytes free
 Volume in drive C is HP_PAVILION
 Volume Serial Number is 4C20-45EF

 Directory of C:\Documents and Settings\All Users\Application Data

04/12/2007  06:25 AM	<DIR>					   .
04/12/2007  06:25 AM	<DIR>					   ..
08/07/2004  04:07 PM	<DIR>					   Adobe
12/13/2006  08:22 PM	<DIR>		  ADOBES~1	 Adobe Systems
09/02/2006  03:17 PM	<DIR>					   AOL
08/07/2004  04:20 PM	<DIR>		  APPLEC~1	 Apple Computer
08/22/2005  02:16 PM	<DIR>					   Autodesk
03/12/2007  09:17 PM	<DIR>		  DVDXST~1	 DVD X Studios
11/28/2004  05:31 PM	<DIR>					   FaxCtr
04/10/2007  06:15 PM	<DIR>					   FLEXnet
12/10/2004  11:08 PM	<DIR>		  GAMEHO~1	 GameHouse
03/11/2007  10:53 PM	<DIR>					   Google
08/07/2004  03:39 PM	<DIR>		  HEWLET~1	 Hewlett-Packard
11/27/2005  10:54 AM	<DIR>		  INSTAL~1	 InstallShield
02/28/2005  10:27 PM	<DIR>		  J2GLOB~1	 j2 Global
02/13/2007  07:45 PM	<DIR>		  MACROM~1	 Macromedia
12/17/2006  12:09 PM	<DIR>					   McAfee
09/07/2006  05:58 PM	<DIR>					   McAfee.com
10/04/2006  02:03 PM	<DIR>		  MCAFEE~1.COM McAfee.com Personal Firewall
08/07/2004  04:17 PM	<DIR>		  MICROS~1	 Microsoft
04/12/2007  06:35 AM	<DIR>		  MICROS~3	 Microsoft Corporation
03/12/2007  12:03 AM	<DIR>		  MICROS~2	 Microsoft Help
08/07/2004  04:37 PM	<DIR>					   Motive
07/02/2005  07:02 AM	<DIR>					   MSN6
03/12/2007  07:54 PM	<DIR>					   Nero
08/27/2005  07:49 AM	<DIR>		  NETWOR~1	 Network Associates
08/07/2004  04:20 PM	<DIR>		  QUICKT~1	 QuickTime
12/02/2005  02:55 PM	<DIR>		  RIVERP~1	 River Past G4
08/07/2004  02:09 PM	<DIR>					   SBSI
05/01/2007  08:29 AM	<DIR>		  SPYBOT~1	 Spybot - Search & Destroy
09/14/2005  08:36 PM	<DIR>					   Support.com
03/10/2007  11:21 PM	<DIR>					   Symantec
01/10/2007  05:11 PM	<DIR>					   TEMP
02/13/2007  09:29 PM	<DIR>					   Trymedia
02/04/2007  08:09 PM	<DIR>					   U3
04/17/2005  06:06 PM	<DIR>		  ULEADS~1	 Ulead Systems
09/02/2006  02:41 PM	<DIR>		  VIEWPO~1	 Viewpoint
12/25/2006  10:24 PM	<DIR>		  WINDOW~1	 Windows Genuine Advantage
02/08/2007  03:00 PM	<DIR>		  WINDOW~2	 Windows Live Toolbar
			   0 File(s)			  0 bytes
			  39 Dir(s)  90,535,591,936 bytes free
--------------------------------------------------------
BlackLight report
05/02/07 16:39:06 [Info]: BlackLight Engine 1.0.61 initialized
05/02/07 16:39:06 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/02/07 16:39:06 [Note]: 7019 4
05/02/07 16:39:06 [Note]: 7005 0
05/02/07 16:39:08 [Note]: 7006 0
05/02/07 16:39:08 [Note]: 7011 1744
05/02/07 16:39:08 [Note]: 7026 0
05/02/07 16:39:08 [Note]: 7026 0
05/02/07 16:39:21 [Note]: FSRAW library version 1.7.1021
05/02/07 16:43:46 [Note]: 2000 1012
05/02/07 16:43:55 [Note]: 7007 0
uninstall list report
ABBYY FineReader 6.0 Sprint Plus
Ad-Aware SE Professional
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Agere Systems PCI Soft Modem
Apple Software Update
CCleaner (remove only)
Collage Maker 2.03
DVD X Player 4.1 Professional
Gunbound Revolution
Help and Support Additions
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment, SE v1.4.2_14
Java 2 SDK, SE v1.4.2_14
Java(TM) SE Runtime Environment 6 Update 1
KBD
Lexmark 6200 Series
Lexmark Fax Solutions
LimeWire PRO 4.13.0
LiveReg (Symantec Corporation)
Macromedia Dreamweaver 8
Macromedia Extension Manager
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Nero 7 Ultra Edition
Norton Personal Firewall
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
Rhapsody Player Engine
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
SopCast 1.1.1
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Uniblue Registry Booster
UniChrome Series Driver and Utilities
Vista Transformation Pack 6.0
Windows Internet Explorer 7
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver

Thanks a lot Andy :)

#6 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 May 2007 - 10:26 PM

Hi Revos,

I'm sorry for the delay in replying, I've not been able to get on the forum for a couple of days :(

The results look fine. If you wish to keep HijackThis installed you should probably reinstall it, as you currently have it running from the temp folder; it's easier to remove it from the Add/Remove screen rather than move it, then reinstall it but save it to your C:\ drive so it's in a permanent folder.

Run CCleaner to clear out the temp folders, and clear Firefox's cache by opening Firefox and clicking Tools > Clear Private Data, then place a check next to Cache and click the Clear Private Data Now button. Then remove these versions of Java from your Add/Remove screen:

J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment, SE v1.4.2_14
Java 2 SDK, SE v1.4.2_14


Just leave Java™ SE Runtime Environment 6 Update 1 installed, as that is the latest; some of the older versions are vulnerable to infections, so they should be removed.

Finally, clear out your system restore points, as some are infected.

Click Start Menu > All Programs > Accessories > System Tools > System Restore

Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.

Apart from that it looks fine. If you have the time, though, run a scan with Panda ActiveScan, which I linked to earlier, just to make sure there are no remaining problems, and let us know if any infections are found.

Regards

Andy

#7 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 06 May 2007 - 01:09 PM

Thanks a lot Andy for your help :)
Well, here is a Panda report, but do you have any idea why Avast antivirus confirmed a virus while Panda was installing files on my PC? I had to turn it off to scan the PC.

Sorry Andy, the post was too long to post, so I attached the report.


#8 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 May 2007 - 04:09 PM

Hi Revos

I've no idea why Avast would detect a virus when installing Panda, unless it's picking up some of Panda's virus signatures, which it uses to scan, and was detecting a problem, in which case it would be a false detection. Does Avast save the data of what it detected and in what location?

Delete the msn freezer.exe file below, as it's a keylogger/spy tool and, according to the BitDefender scan earlier, it's also got backdoor features to allow the attacker to have access to your system. I'm not sure where you picked that up, but it's clearly a serious threat, and you should change passwords for sites you use such as banking, PayPal, eBay, email etc. because of it, as there is no way to know what information has already been stolen.

Open HijackThis and click Open the Misc Tools section

Then click Delete a file on reboot

In the File Name field, copy and paste this:

C:\Documents and Settings\HP_Owner.SIRVOX\Local Settings\Temp\Rar$EX00.547\msn freezer.exe

Then click Open

Hijackthis will tell you that this file will be deleted when the system reboots and ask you if you want to reboot now. Click Yes

Your system should then reboot

Quote

Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Potentially unwanted tool:Application/CloseApp Not disinfected C:\WINDOWS\system32\closeapp.exe

KillIt.exe is a process killer that is preinstalled on HP systems, so it's fine to ignore; nircmd and closeapp are also process killer/command line tools, so they are not a threat by themselves. Nircmd would have been added by Combofix when you used it earlier; you can read more about them on their homepages here

http://www.traction-...co.uk/closeapp/
http://www.nirsoft.n...ils/nircmd.html

The rest of the detections are for cookies, so they are harmless text files and nothing to worry about. You can use the Clear Private Data tab in Firefox to remove the cookies, and I'd expect CCleaner would also remove them.

Do you have more than one account on this PC? If so, can you log into each and post a HijackThis log from them all?

Cheers

#9 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 06 May 2007 - 07:36 PM

Thanks Andy. I seem to have this problem: any time I click once, it automatically repeats clicking.
I had this problem when I tried autoclicker software, but today I had to pay while I was choosing msnfreeze.exe to delete.
It opens automatically, and all the viruses that the HijackThis mods helped me to delete before came back, but this time Avast detected them. I moved them to the virus chest and deleted them. Can you check my HijackThis report please and see if they are gone or not.

Logfile of HijackThis v1.99.1
Scan saved at 3:28:02 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Gran Paradiso\firefox.exe
C:\DOCUME~1\HP_OWN~1.001\LOCALS~1\Temp\Rar$EX00.469\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [VisualTooltip] "C:\Program Files\VisualTooltip\VisualToolTip.exe"
O4 - HKLM\..\Run: [Styler] "C:\Program Files\Styler\Styler.exe"
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Watch.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} (Java Plug-in 1.4.2_14) - 
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) - 
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

For the Panda problem, the file name that Avast detects is pskavs.dll, located in c:/WINDOWS/system23/ACTIVE~1

#10 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 06 May 2007 - 08:52 PM

Quote

Thanks Andy. I seem to have this problem: any time I click once, it automatically repeats clicking.
I had this problem when I tried autoclicker software, but today I had to pay while I was choosing msnfreeze.exe to delete.
It opens automatically, and all the viruses that the HijackThis mods helped me to delete before came back, but this time Avast detected them. I moved them to the virus chest and deleted them. Can you check my HijackThis report please and see if they are gone or not.

It sounds a bit risky to have that sort of software, as left clicking once would allow you to drag and drop the file, left clicking twice would execute a file and right clicking would open a menu to allow you to delete/rename etc., but if it's being done automatically then you're not really in control, so you may want to uninstall whatever is doing that and just go back to clicking the mouse button. Using HijackThis's delete on reboot feature would have been safer, as that would have removed the file without you having to locate it first, but the HijackThis log looks clean, so hopefully they were deleted before they could install any files.

Quote

For the Panda problem, the file name that Avast detects is pskavs.dll, located in c:/WINDOWS/system23/ACTIVE~1

Yes, this is a known false detection from Avast. It's in the System32\Activescan folder and it's being caused because Pandascan doesn't encrypt its virus database, so they are detected by Avast even though they are harmless; you can read more about that here

http://www.avast.com...d.html#idt_1554

You should avoid having more than one antivirus program installed though, as they can use a lot of system resources, and if they conflict with each other it can cause slowdowns, crashes and actually make the system more vulnerable to infections, as both programs are trying to do the same thing at the same time. If McAfee and Avast are both providing real time protection you should consider uninstalling one or disabling the real time monitoring on the second, so that there is only one starting with Windows and providing protection.

That is the same with firewall programs: you should only have one firewall program installed or it can cause problems, as they are trying to do the same thing at the same time. Your Add/Remove list is showing Norton Personal Firewall and your log is showing McAfee Personal Firewall, ZoneAlarm Firewall & Outpost Firewall. One antivirus program and one firewall program is enough for any PC, so you should consider deciding which one you want to keep and uninstall the rest.

There's a couple of entries that can be fixed in HijackThis, but first you need to move it as it's still running from the temp folders. HijackThis creates backups of everything that is fixed, and if it is left in the temporary folder you may lose the backups if you clear the temp files at any time. It's easier to go to the Add/Remove screen (Start Menu > Control Panel > Add/Remove Programs) and remove HijackThis from the system, then download it again from here,

http://www.merijn.or.../hijackthis.zip

Do not run it from the download link, but first save it to your C:\ drive so it's in a permanent folder.

Run Hijack This and choose Do A System Scan then place a check next to these entries

O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O16 - DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} (Java Plug-in 1.4.2_14) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Run another scan and make sure they do not still show up. If they do then you will have to disable Ad-Watch and TeaTimer as they may be interfering and restoring the entries,

To disable Ad-Watch:

1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    Active: Switches Monitoring On or Off without closing
    Automatic: Switches Automatic Blocking On or Off
3. Uncheck (red X) both items.

To disable TeaTimer

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

If you do need to disable them then re-enable the protection again after making the fixes.

To make sure nothing got past the AV protection please download AVG Anti-Spyware and run a full scan

Download AVG Anti-Spyware
  • Load AVG and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner tab at the top and then click on Complete System Scan
  • AVG will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right.
  • Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Post back the scan log and let us know if there's more than one account on your system as we may need to check the logs from each account if there is

Thanks

Andy

#11 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 07 May 2007 - 12:19 AM

Thank you very much sir.
No, I don't have all those antivirus and firewalls, they are just old firewalls I tried after I uninstalled the McAfee firewall, after I read McAfee sucks. I tried all the firewalls you saw but they're the same, they are much more complicated, the McAfee one is easy. Also I only have Avast antivirus. I deleted all the old stuff but after you said I had them I checked Add/Remove Programs, they don't seem to be there, I don't know how you see them in my log.
What firewall and antivirus do you recommend me to use, because I tried all the ones some posted in this forum and they're the same, bad for me.
Is AVG Anti-Spyware better than Ad-Aware? Which one do you think I should keep?

Long post again, I attached the report.


#12 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 07 May 2007 - 03:45 AM

Hey Revos,

If you don't use all the protection programs that are showing then you need to fully remove them, but disable Ad-Aware's Ad-Watch and Spybot's TeaTimer first as explained earlier, as they are probably interfering with the removal, which may be why you have parts of so many programs still showing in your logs.

Once they are disabled, if you don't have Norton installed any more then you should run their removal tool to remove all traces of it from your system, which you can find here

http://service1.symantec.com/SUPPORT/tsgen...v=&osv_lvl=

Same for McAfee, if you no longer use their Antivirus or Firewall program then you should run their removal tool to remove all of its components from your system

http://ts.mcafeehelp.com/displayDoc.asp?do...mp;HotTopic=YES

For ZoneAlarm, it's showing the run key for it in your log

Quote

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
But it's not showing the service which should also be there, so I'm not sure if that's still installed or not. If it's not showing on the Add/Remove screen under ZoneAlarm try going to Start -> All Programs -> Zone Labs -> then click Uninstall Zone Labs Security. If you cannot do that, check in the C:\Program Files\Zone Labs\ZoneAlarm\ folder and see if there is an uninstaller named zauninst.exe; if there is, double click it and follow the prompts to remove ZoneAlarm. If you still cannot remove it then you can either follow the instructions on this support page

http://forums.zonealarm.com/zonelabs/board...essage.id=67885

or reinstall it with Ad-Watch and TeaTimer still turned off, then reboot and uninstall it using the Add/Remove screen so it fully removes it and all its files. If you wanted to keep ZoneAlarm then it should be reinstalled anyway as it appears to be missing its service.

For Outpost, again it's showing a part of it in your latest log,

Quote

O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

Check the Add/Remove screen for its entry if you installed it after posting the Add/Remove log earlier. If it's not there then follow the instructions on this page for removing it manually, but skip the registry part unless you feel confident editing the registry, as you can always fix its run entry with HijackThis if it remains later

http://www.agnitum.com/support/kb/article....159&lang=en

Quote

What firewall and antivirus do you recommend me to use, because I tried all the ones some posted in this forum and they're the same, bad for me.
Is AVG Anti-Spyware better than Ad-Aware? Which one do you think I should keep?
I really cannot say which AV and Firewall is the best as it's a personal choice. I think they all have strengths and weaknesses and they are always playing catch up with the trojan writers, so it's a lot more important to browse carefully and only visit and download files from sites you know and trust rather than rely on any security program for complete protection. I think Avast, AVG and AntiVir are all good free AntiVirus programs and ZoneAlarm is a good Firewall, but there's many others to choose from so it's whatever works best for you. You should only have one AV and firewall installed though, to prevent conflicts and crashes.

Spybot and Ad-Aware are both good programs so you may as well keep them installed. It's fine to have more than one AntiSpy program as they do not work in the same way as Antivirus programs, so they will not cause the same problems; having them both providing real time monitoring with Ad-Watch and TeaTimer may cause some slowdowns but they should still work well together. It's fine to also keep AVG Anti-Spyware installed as that is free to use; it disables the real time monitoring after 30 days but it can still be updated manually and used to scan the system any time you want, so it's really up to you if you want to keep them all or remove any.

AVG Anti-Spyware needs running again as you didn't fix any of the items it found; you can see that in the report as it shows "No action taken" next to each entry. Run it again but follow this part of the instructions

Quote

AVG will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right

Most of what it found were cookies but there's a few infected files that need removing. Run it again and remove everything found, then save the log when it's finished and also let me know about any other accounts on your PC, then we can take it from there.

Cheers

#13 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 07 May 2007 - 10:31 PM

Well, I did what you said, plus I made up my mind and now I am using AVG AV and Anti-Spyware and the ZoneAlarm firewall.
Logfile of HijackThis v1.99.1
Scan saved at 6:24:46 PM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Gran Paradiso\firefox.exe
C:\ijji\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [VisualTooltip] "C:\Program Files\VisualTooltip\VisualToolTip.exe"
O4 - HKLM\..\Run: [Styler] "C:\Program Files\Styler\Styler.exe"
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} - 
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - 
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Here is the AVG Anti-Spyware report, and I did all the action things you said. Thanks for your help Andy, and no, I don't have any accounts on my PC except for this one.


#14 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 09 May 2007 - 01:11 AM

Hi Revos,

Nice work, that's looking much better :)

Run Hijack This and choose Do A System Scan then place a check next to these entries

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O16 - DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -

Close all open browser and other windows except for HijackThis and press the Fix Checked button. Run another scan to make sure they have been removed.

AVG AntiSpyware has ignored a couple of files,

Quote

C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Desktop\GB Hacks\readme.exe -> Not-A-Virus.HackTool.Win32.Delf.bw : Ignored. C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Desktop\GB Hacks\trainer.exe -> Not-A-Virus.HackTool.Win32.Delf.bw

Hacking and crack tools are often very malicious and most of the time they are more likely to open a backdoor on your own system to allow an attacker to have access and steal info, so even though they have been ignored by AVG I'd strongly recommend deleting them as they could cause a lot of problems if you run them on your system.

The readme.exe file is likely intended to trick people as it's an .exe file; if it really was a readme file then it would have a text extension (readme.txt), so that in itself makes the files look very malicious,

I'd suggest deleting this folder

C:\Documents and Settings\HP_Owner.YOUR-AE066C3A9B\Desktop\GB Hacks

If it's something you use and think is genuine then please have every file inside that folder scanned at VirusTotal: open the scan site and press Browse, locate the files one at a time and double click each to load the path into the virus scan window, then press Send. Copy and paste the results back if you decide to keep the folder installed, as that will use about 30 different Antivirus companies to scan the file, which will help to show what it's infected with.

Apart from that it looks fine Revos, how are things running now?

Andy
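As an added example (not code from this thread, from HijackThis, or from AVG), a small Python triage script for the log format shown above: it picks out the orphaned entries that were asked to be fixed in posts #10 and #14 ('(no file)', '(file missing)', and O16 DPF lines with no download target) and re-checks a later log for entries that came back, the sign that a resident guard such as Ad-Watch or TeaTimer restored them. The sample lines are constructed from entries quoted in this thread; the function names are my own.

```python
"""Triage HijackThis-style log lines for orphaned entries and re-check them after a fix."""
import re

_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_SECTION_RE = re.compile(r"^([RFO]\d+) - (.*)$")
_ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Constructed sample lines, copied from the shapes seen in the logs posted above.
SAMPLE_BEFORE = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)",
    r"O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)",
    r"O16 - DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} - ",
    r"O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
]

# Constructed rescan: two fixed entries are gone, one came back under a new label, one DPF remains.
SAMPLE_AFTER = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)",
    r"O16 - DPF: {CAFEEFAC-0014-0002-0014-ABCDEFFEDCBA} -",
    r"O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab",
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
]


def parse_entry(line):
    """Split one HijackThis line into section, CLSID (if any) and its final target field.

    Returns None for lines that are not R/F/O entries (headers, running processes).
    """
    line = line.rstrip()
    m = _SECTION_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    clsid_m = _CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    if body.endswith(" -"):
        # An O16 DPF entry whose download target was lost ends in a bare " -".
        target = ""
    elif " - " in body:
        target = body.rsplit(" - ", 1)[1].strip()
    else:
        target = body.strip()
    return {"section": section, "clsid": clsid, "target": target, "line": line}


def is_orphaned(entry):
    """True when the entry points at nothing on disk: '(no file)', '(file missing)',
    or a CLSID-keyed entry (such as an O16 DPF line) with an empty target."""
    if entry is None:
        return False
    if entry["target"] == "":
        return entry["clsid"] is not None
    return entry["target"].endswith(_ORPHAN_MARKERS)


def find_orphaned(lines):
    """All orphaned entries in a log, in the order they appear."""
    return [e for e in map(parse_entry, lines) if is_orphaned(e)]


def _identity(entry):
    # Match on CLSID where present: the same BHO/DPF object can be re-displayed with a
    # different name or path (e.g. 'file missing' becoming 'no file') after a fix attempt.
    return entry["clsid"] or entry["line"]


def still_present(fixed_entries, after_lines):
    """Entries that were fixed but reappear in a rescan, which suggests a resident
    guard (Ad-Watch, TeaTimer) restored them or the fix was never applied."""
    after_ids = {_identity(e) for e in map(parse_entry, after_lines) if e is not None}
    return [e for e in fixed_entries if _identity(e) in after_ids]


if __name__ == "__main__":
    orphans = find_orphaned(SAMPLE_BEFORE)
    print("Check these in HijackThis:")
    for e in orphans:
        print("  " + e["line"])
    print("Still present after the rescan:")
    for e in still_present(orphans, SAMPLE_AFTER):
        print("  " + e["line"])
```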

#15 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 09 May 2007 - 12:04 PM

Thanks a lot sir for your time. Appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 8:01:13 AM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\ijji\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [VisualTooltip] "C:\Program Files\VisualTooltip\VisualToolTip.exe"
O4 - HKLM\..\Run: [Styler] "C:\Program Files\Styler\Styler.exe"
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
If there is anything else to do to make my PC better, tell me please :)
Thanks a lot Andy

#16 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 09 May 2007 - 05:10 PM

Hi Revos,

That's a clean log :)

Regarding making the PC run better, there's a couple of startup entries that are not essential but it's up to you if you want to fix any of them and it may help to run Disk Defrag but everything else looks fine,

Optional Fixes

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Application Scheduler installed along with RealPlayer. Once installed, it runs independently and doesn't need to start up automatically with Windows, but it will put itself back any time RealPlayer is used. To disable this after fixing the entry so it doesn't return, go to Start Menu > All Programs > Real Player > click Tools then Preferences. Go to the Automatic Services and uncheck all boxes. Do the same for the AutoUpdate & Message Center tabs and press OK, then exit.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
Checks for Java updates but doesn't need to start with Windows. You can still update Java after fixing this entry by using the Control Panel's Java icon (Start Menu > Control Panel > Java) or by visiting Sun's website here,

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
This speeds up the time it takes to load the Adobe Reader application any time it's used, but it's not required to run Adobe correctly. If you use Adobe often then it's worth leaving it to start with Windows, but if not then it can be fixed with HijackThis.

Run CCleaner to clear out Temp folders and then run Disk Defrag

Go to Start Menu > All Programs > Accessories > System Tools > Disk Defragmenter

Click the Analyze button and it will then check if you need to defragment the drive, if it shows 'You need to defragment this volume' then click the Defragment button.


Please make sure to run your Antivirus software regularly and to keep it up to date, and also make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

To help keep the PC clean also read Tony Klein's excellent article:

So how did I get infected in the first place?

Let us know if there's any remaining problems

Cheers

Andy

#17 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 10 May 2007 - 12:56 AM

Hey Andy!
Now I can't open Control Panel; any time I double click it I get a Windows Explorer error and it closes.
Do you have any idea how to fix it?

#18 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 10 May 2007 - 01:42 AM

Try going to Start > Run > and type

Control.exe

Press OK and the Control Panel will open; does it still crash?

If it does then reboot to Safe Mode and see if it can open
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
If you cannot open it then it may be a damaged .cpl file, and that could be difficult to solve as there are a lot of them on the system and more added by new programs. Reboot back to normal mode and try it again; if it's still crashing go to Start > Run > and copy and paste these lines below one at a time and press OK after each one. They should all open a Control Panel tool, so it may help to find out which one is causing the crashes,

control access.cpl

control appwiz.cpl

control desk.cpl

control Hdwwiz.cpl

control inetcpl.cpl

control intl.cpl

control joy.cpl

control main.cpl

control modem.cpl

control mmsys.cpl

control Ncpa.cpl

control Nusrmgr.cpl

control Odbccp32.cpl

control powercfg.cpl

control sticpl.cpl

control sysdm.cpl

control Telephon.cpl

control timedate.cpl

Close each one after they open and let us know if any of them cause explorer to crash.

There are a lot more third party programs that add .cpl files so it could also be one of them which is damaged or corrupt; you could follow the instructions here

http://support.micro...om/?kbid=221153

or run checkdisk as that might be able to repair any disk errors

Go to Start Menu > Run > Type

cmd

Press OK and it will open the command prompt screen. Type (or copy and paste) this into the cmd screen

CHKDSK

Press Enter and it will scan the drive for errors and it will look like this :

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
Correcting errors in the Volume Bitmap.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.


If it does show errors as the example above shows then type

CHKDSK /F /R

Press Enter and it will likely show this message :

The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process. Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)


Type Y for yes and then reboot the PC. This may take a long time to complete but hopefully it will repair any problems that are found on the drive.

Andy

#19 OFFLINE   revos

    Member

  • Members
  • 10 posts

Posted 10 May 2007 - 11:09 AM

Now it's working fine, but I don't know what happened yesterday, it was weird. But thanks a lot Andy

#20 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 10 May 2007 - 05:13 PM

You're welcome Revos,

I'm glad it fixed itself, but if you have any more problems any time let us know

Happy Surfing :)

Andy