
MS Juan and Vundo infection HELP!!!



Hi guys,

Been trying to sort this problem for the past couple of hours, but the MS Juan and Vundo viruses keep rearing their ugly heads!!!!

I uninstalled IE7 to try and see if that fixed the problem. I kept getting pop-up ads with IE, so I downloaded Firefox 3 to use, which I have to say is better, so I will stick with it. I read that the Add-ons in IE could be a cause along with Java, so I disabled the Add-ons and downloaded the newest Java software, but to no avail.

Here are my logs:-

Malwarebytes' Anti-Malware 1.20

Database version: 945

Windows 5.1.2600 Service Pack 3

21:19:49 13/07/2008

mbam-log-7-13-2008 (21-19-48).txt

Scan type: Quick Scan

Objects scanned: 45248

Time elapsed: 12 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\hewgwx.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{37f7002a-e076-4d95-95b6-c23fabe37a73} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37f7002a-e076-4d95-95b6-c23fabe37a73} (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\hewgwx.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\aiofgb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ojvqgqfs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\whlndmwt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\NXN24ACA\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.


ANALYSIS: 2008-07-13 22:45:07

PROTECTIONS: 1

MALWARE: 11

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Windows Defender 1.1.2204.0 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@casalemedia[2].txt

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt

00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\xgarbbts.default\Cache\4292372Ed01[


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:18:06, on 13/07/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215878691109

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208543610937

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 9147 bytes


We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

  • Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
  • Click on Tools, General Settings
  • Under Real-time protection options, unselect the Turn on real-time protection check box
  • Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

Next, let's make sure you can View All Files.

Next, please download the KILLBOX. Save it to your desktop.

DO NOTHING ELSE WITH IT YET.

Reboot the computer into Safe mode. Once in safe mode and logged on as "Administrator", please continue with the instructions below:

Open killbox.exe...First click on Tools-->Delete Temp Files.

A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files

Temp Files

XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well...next, click on the Button titled Delete Selected Temp Files.

Exit by clicking the Button titled Exit(Save Settings).

Once back into the main killbox program, check the box Delete on Reboot. Now, highlight all the entries below in Bold text and then copy them.

C:\Documents and Settings\User\Local Settings\Temp\nsw1A.tmp

C:\Documents and Settings\User\Local Settings\Temp\nss15.tmp

C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll

Then in killbox click File-->Paste from Clipboard...Now, Click the All Files button.

Next, click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click No for now.

Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?"; you will need to click No until you've completed the instructions below.

Next, please run HijackThis again and check the box next to this entry:

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Close all windows now except for the hijackthis application's window, then click the Fix Checked button.

Reboot and post back a fresh HijackThis log. Thanks!


Thanks 1972vet,

New HijackThis log posted. Sorry it took a couple of hours; I live in Spain so there is a time difference to wherever you are. I am off to work soon and won't be able to post back any further logs until this evening, but I can reply to any questions you have in the meantime.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:36:52, on 14/07/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215878691109

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208543610937

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 9035 bytes


Hi again,

Just ran a fresh scan with MBAM and it found nothing, but Spybot S&D found the following, if this helps:-

Avenue A, Inc.: Tracking cookie (Internet Explorer: User) (Cookie, nothing done)

Possible extension hijack: Default registry file handler (Registry change, nothing done)

HKEY_CLASSES_ROOT\regfile\shell\open\command\!=regedit.exe "%1"

Possible extension hijack: Default screen saver handler (Registry change, nothing done)

HKEY_CLASSES_ROOT\scrfile\shell\open\command\!="%1" /S

--- Spybot - Search && Destroy version: 1.3 ---

2004-05-12 Includes\Cookies.sbi

2004-05-12 Includes\Dialer.sbi

2004-05-12 Includes\Hijackers.sbi

2004-05-12 Includes\Keyloggers.sbi

2004-05-12 Includes\LSP.sbi

2004-05-12 Includes\Malware.sbi

2004-05-12 Includes\Revision.sbi

2004-05-12 Includes\Security.sbi

2004-05-12 Includes\Spybots.sbi

2004-05-12 Includes\Tracks.uti

2004-05-12 Includes\Trojans.sbi

2007-06-06 Plugins\TCPIPAddress.dll


Your log looks clean...you can re-enable Windows Defender.

Spybot just found tracking cookies. You'll pick those up every visit to the web page that planted them. Since you're using Firefox just configure it to remove cookies when you close the browser.

With Firefox open, click Tools-->Options-->Privacy Tab...in the Cookies section, click the drop down menu and select to keep until "I close Firefox". Click "OK" and close Firefox. With this setting, even though you collect cookies while you surf, they will disappear as soon as you close the browser but the next time you visit web pages that require you to log on using an ID and password, you will have to enter the data again. A small price to pay for privacy.

The Registry entries that spybot flagged look almost normal...and I think they probably are but I'm just not accustomed to seeing the entry look like it does the way you posted it and I don't ask for logs from Spybot as a general rule since they are so HUGE. The Registry items that spybot has presented as possible hijack attempts might be a couple of false positives.

The entry (for example) for the first one listed:

HKEY_CLASSES_ROOT\regfile\shell\open\command\!=regedit.exe "%1"

...should actually appear as such:

HKEY_CLASSES_ROOT\regfile\shell\open\command

...and the Value data for that key should be:

regedit.exe "%1"

What this key represents is an association to the executable file "regedit.exe" whenever you attempt to open a ".reg" file:

HKEY_CLASSES_ROOT\.reg

...the default action would be for windows to use the "regedit.exe" file to open it, which is as it should be.

I think what spybot means by the "!=" which appears before the "regedit.exe" file in that registry key it lists is that "what follows is the Value data"...perhaps. At least, that's how I interpret that but who knows for sure, the author of Spybot S&D may have had something else in mind.

You can check that key yourself to see if what I have detailed above is accurate for you. Just navigate to that registry key and take a look at the last folder in that line. The Command folder should be the only folder you have listed under the Open folder...and of course, the Value data should be as I mentioned above...I might also mention, when I run Spybot it doesn't present those keys in my case, so I should also ask: is the version of Spybot that you have up to date?

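One way to do the check described in the reply above without clicking through regedit is a short PowerShell script. This is an added example, not code from this thread, from Spybot S&D or from any of the tools mentioned; it assumes a stock Windows layout under HKEY_CLASSES_ROOT, and the expected value data for the regfile and scrfile handlers are the two strings quoted in the reply above (regedit.exe "%1" and "%1" /S). It reads each shell\open\command key, compares the default value with the expected string, and lists any subkey under shell\open other than command, since the reply says command should be the only one there.

```powershell
# Added example (not from this thread or from Spybot S&D): compare the .reg and
# .scr shell handlers that Spybot flagged with the defaults described above.
# Assumes a stock Windows layout; the expected strings are the ones quoted in
# the reply above.

# Expected default handler commands, as given in the reply above
$expected = @{
    'regfile' = 'regedit.exe "%1"'   # .reg files open with Registry Editor
    'scrfile' = '"%1" /S'            # .scr files run as a screen saver
}

function Test-ShellOpenHandler {
    param(
        [string]$ProgId,           # e.g. 'regfile'
        [string]$ExpectedCommand   # value data the command key should hold
    )

    # PowerShell exposes HKEY_CLASSES_ROOT through the Registry:: provider path
    $openKey    = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open"
    $commandKey = "$openKey\command"

    if (-not (Test-Path -LiteralPath $commandKey)) {
        return New-Object PSObject -Property @{
            ProgId       = $ProgId
            Status       = 'MISSING'
            Actual       = $null
            Expected     = $ExpectedCommand
            ExtraSubkeys = ''
        }
    }

    # '(default)' is PowerShell's name for a key's unnamed default value
    $actual = (Get-ItemProperty -LiteralPath $commandKey).'(default)'

    # The reply says 'command' should be the only subkey under 'open';
    # collect anything else so it can be looked at
    $extra = @(Get-ChildItem -LiteralPath $openKey |
               Where-Object { $_.PSChildName -ne 'command' } |
               ForEach-Object { $_.PSChildName })

    $status = 'CHECK'
    if (($actual -eq $ExpectedCommand) -and ($extra.Count -eq 0)) { $status = 'OK' }

    New-Object PSObject -Property @{
        ProgId       = $ProgId
        Status       = $status
        Actual       = $actual
        Expected     = $ExpectedCommand
        ExtraSubkeys = ($extra -join ', ')
    }
}

# Run the check for both handlers and print a summary table
$expected.Keys |
    ForEach-Object { Test-ShellOpenHandler -ProgId $_ -ExpectedCommand $expected[$_] } |
    Format-Table ProgId, Status, Actual, Expected, ExtraSubkeys -AutoSize
```

Status OK means the handler matches the expected string and command is the only subkey under open; CHECK means either the value data differs or an extra subkey exists, and MISSING means the command key is not there at all. A CHECK result is not by itself proof of a hijack (some third-party registry tools legitimately change these handlers), but it is exactly the condition the Spybot entries above describe, so it is worth reading the Actual column before deciding.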

Yeah, spybot is up-to date.

Other things I noticed: when all the viruses started coming through, as if the floodgates had opened, at one stage I had like 150 different variations and types, so I cut the ADSL connection ASAP and cleaned as many as I could. But MS Juan and Vundo stumped me.

IE7 had Privacy options changed to "Accept ALL Cookies" when it's normally at Medium, so I downgraded back to IE6 and it seems to be fine now.

Also, Avast antivirus was disabled, which seemed to have caused all the problems. Is there a way that a particular virus got through and changed the settings in Avast, and that's how all the others got through?

In the meantime, that's why I changed to Firefox and installed Windows Defender...... So far so good; I've run MBAM a couple of times and it's coming up clean. Spybot is still showing the same 3 instances, but no worries about them if you say they are no problem.

Changed the settings in Firefox as you suggested, but otherwise so far so good. No more damn pop-up ads!!!!!!!

I assume that's it and there's nothing else to do? Thanks for your help man, it sounds so simple now, but I was pulling my hair out for near on 2 days so turned here as a last resort, where in retrospect I should have come first :)


Quick question: one of the issues I had at the weekend was that one of the viruses had disabled Auto Update for XP. I managed to get that up and running again but....... I now have 192 MB of updates to install, which include IE7; they download but ALL fail to install for some reason.

No idea why, and no error number or log on the Windows update site either.

Here's the full SpyBot S&D log from the latest version, fully updated:

--- Search result list ---

Hint of the Day: Click the bar at the right of this to see more information! ()

Zedo: Tracking cookie (Internet Explorer: User) (Cookie, fixed)

Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)

Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)

Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)

Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)

Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)

Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)

Right Media: Tracking cookie (Firefox: default) (Cookie, fixed)

DirectTrack: Tracking cookie (Firefox: default) (Cookie, fixed)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)

CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)

DirectTrack: Tracking cookie (Firefox: default) (Cookie, fixed)

DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)

BurstMedia: Tracking cookie (Firefox: default) (Cookie, fixed)

BurstMedia: Tracking cookie (Firefox: default) (Cookie, fixed)

BurstMedia: Tracking cookie (Firefox: default) (Cookie, fixed)

Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)

BurstMedia: Tracking cookie (Firefox: default) (Cookie, fixed)

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

AdRevolver: Tracking cookie (Firefox: default) (Cookie, fixed)

WebTrends live: Tracking cookie (Firefox: default) (Cookie, fixed)

MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)

Tradedoubler: Tracking cookie (Firefox: default) (Cookie, fixed)

Tradedoubler: Tracking cookie (Firefox: default) (Cookie, fixed)

Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)

Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)

Statcounter: Tracking cookie (Firefox: default) (Cookie, fixed)

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)

Zedo: Tracking cookie (Firefox: default) (Cookie, fixed)

Tradedoubler: Tracking cookie (Firefox: default) (Cookie, fixed)

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)

2008-07-07 SDFiles.exe (1.6.0.4)

2008-07-07 SDMain.exe (1.0.0.6)

2008-07-07 SDShred.exe (1.0.2.3)

2008-07-07 SDUpdate.exe (1.6.0.8)

2008-07-07 SDWinSec.exe (1.0.0.12)

2008-07-07 SpybotSD.exe (1.6.0.30)

2008-07-07 TeaTimer.exe (1.6.0.20)

2004-04-27 unins000.exe (51.13.0.0)

2008-07-15 unins001.exe (51.49.0.0)

2008-07-07 Update.exe (1.6.0.7)

2008-07-07 advcheck.dll (1.6.1.12)

2007-04-02 aports.dll (2.1.0.0)

2004-05-12 borlndmm.dll (7.0.4.453)

2004-05-12 delphimm.dll (7.0.4.453)

2008-06-14 DelZip179.dll (1.79.11.1)

2008-07-07 SDHelper.dll (1.6.0.12)

2008-06-19 sqlite3.dll

2008-07-07 Tools.dll (2.1.5.7)

2004-05-12 UnzDll.dll (1.73.1.1)

2004-05-12 ZipDll.dll (1.73.2.0)

2008-06-17 Includes\Adware.sbi (*)

2008-07-07 Includes\AdwareC.sbi (*)

2008-06-03 Includes\Cookies.sbi (*)

2008-06-03 Includes\Dialer.sbi (*)

2008-07-07 Includes\DialerC.sbi (*)

2008-06-03 Includes\HeavyDuty.sbi (*)

2008-07-08 Includes\Hijackers.sbi (*)

2008-07-08 Includes\HijackersC.sbi (*)

2008-06-25 Includes\Keyloggers.sbi (*)

2008-07-08 Includes\KeyloggersC.sbi (*)

2004-11-29 Includes\LSP.sbi (*)

2008-07-02 Includes\Malware.sbi (*)

2008-07-08 Includes\MalwareC.sbi (*)

2008-06-17 Includes\PUPS.sbi (*)

2008-07-01 Includes\PUPSC.sbi (*)

2007-11-07 Includes\Revision.sbi (*)

2008-06-10 Includes\Security.sbi (*)

2008-07-08 Includes\SecurityC.sbi (*)

2008-06-03 Includes\Spybots.sbi (*)

2008-06-03 Includes\SpybotsC.sbi (*)

2008-06-17 Includes\Spyware.sbi (*)

2008-07-08 Includes\SpywareC.sbi (*)

2008-06-03 Includes\Tracks.uti

2008-06-24 Includes\Trojans.sbi (*)

2008-07-08 Includes\TrojansC.sbi (*)

2008-03-04 Plugins\Chai.dll

2008-03-05 Plugins\Fennel.dll

2008-02-26 Plugins\Mate.dll

2007-12-24 Plugins\TCPIPAddress.dll

--- System information ---

Windows XP (Build: 2600) Service Pack 3 (5.1.2600)

/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)

/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs

/ Windows / SP1: Microsoft National Language Support Downlevel APIs

/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)

/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)

/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)

/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)

/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB936782)

/ Windows XP: Security Update for Windows XP (KB941569)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)

/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)

/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP

/ Windows XP / SP3: Windows XP Service Pack 3

/ Windows XP / SP4: Security Update for Windows XP (KB950760)

/ Windows XP / SP4: Security Update for Windows XP (KB950762)

/ Windows XP / SP4: Security Update for Windows XP (KB951376)

/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)

/ Windows XP / SP4: Security Update for Windows XP (KB951698)

/ Windows XP / SP4: Security Update for Windows XP (KB951748)

/ Windows XP / SP4: Update for Windows XP (KB951978)

--- Startup entries list ---

Located: HK_LM:Run, {0228e555-4f9c-4e35-a3ec-b109a192b4c2}

command: C:\Program Files\Google\Gmail Notifier\gnotify.exe

file: C:\Program Files\Google\Gmail Notifier\gnotify.exe

size: 479232

MD5: 3DF7AC30A381C57D0C70EAEFEE3C4EF2

Located: HK_LM:Run, AppleSyncNotifier

command: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

file: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

size: 116040

MD5: 27E0EB81AE55788C8FBE6D489F862168

Located: HK_LM:Run, avast!

command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

size: 79224

MD5: 87B63FD1B5EC5CC41589CE7026DB7C5F

Located: HK_LM:Run, HotKeysCmds

command: C:\WINDOWS\system32\hkcmd.exe

file: C:\WINDOWS\system32\hkcmd.exe

size: 166424

MD5: 4CCD8266E948D29C698FE6393D5A9CA9

Located: HK_LM:Run, IgfxTray

command: C:\WINDOWS\system32\igfxtray.exe

file: C:\WINDOWS\system32\igfxtray.exe

size: 141848

MD5: 407E99FD256DAF061C4FFADC0AB0DDBB

Located: HK_LM:Run, iTunesHelper

command: "C:\Program Files\iTunes\iTunesHelper.exe"

file: C:\Program Files\iTunes\iTunesHelper.exe

size: 289064

MD5: 12577ED7558A642C53C959E72FF2455F

Located: HK_LM:Run, Persistence

command: C:\WINDOWS\system32\igfxpers.exe

file: C:\WINDOWS\system32\igfxpers.exe

size: 137752

MD5: 601D21C2B66AB945C0A73C07A8E0C928

Located: HK_LM:Run, RTHDCPL

command: RTHDCPL.EXE

file: C:\WINDOWS\RTHDCPL.EXE

size: 16855552

MD5: 9BED5FA9D8E98A1C4F8A9922185FDA7D

Located: HK_LM:Run, SkyTel

command: SkyTel.EXE

file: C:\WINDOWS\SkyTel.EXE

size: 1826816

MD5: 8A451B4C2E8688311B7483B2D61D3FB6

Located: HK_LM:Run, SunJavaUpdateSched

command: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

file: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

size: 144784

MD5: 6AB4C021FBD36DC6764924C312428D97

Located: HK_LM:Run, Windows Defender

command: "C:\Program Files\Windows Defender\MSASCui.exe" -hide

file: C:\Program Files\Windows Defender\MSASCui.exe

size: 866584

MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC

Located: HK_CU:Run, ALUAlert

where: .DEFAULT...

command: C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

file: C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE

where: .DEFAULT...

command: C:\WINDOWS\system32\CTFMON.EXE

file: C:\WINDOWS\system32\CTFMON.EXE

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Nokia.PCSync

where: .DEFAULT...

command: C:\Program Files\Nokia\Nokia PC Suite 6 Enterprise Edition\PcSync2.exe /NoDialog

file: C:\Program Files\Nokia\Nokia PC Suite 6 Enterprise Edition\PcSync2.exe

size: 1265664

MD5: 295BA32F60D1EA780288458D508EF6A1

Located: HK_CU:Run, CTFMON.EXE

where: PE_C_JOHAN...

command: C:\WINDOWS\system32\ctfmon.exe

file: C:\WINDOWS\system32\ctfmon.exe

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, msnmsgr

where: PE_C_JOHAN...

command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe

size: 5724184

MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, CTFMON.EXE

where: S-1-5-19...

command: C:\WINDOWS\system32\CTFMON.EXE

file: C:\WINDOWS\system32\CTFMON.EXE

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, CTFMON.EXE

where: S-1-5-20...

command: C:\WINDOWS\system32\CTFMON.EXE

file: C:\WINDOWS\system32\CTFMON.EXE

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, CTFMON.EXE

where: S-1-5-21-1606980848-602609370-839522115-1003...

command: C:\WINDOWS\system32\ctfmon.exe

file: C:\WINDOWS\system32\ctfmon.exe

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, MsnMsgr

where: S-1-5-21-1606980848-602609370-839522115-1003...

command: "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

file: C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

size: 5724184

MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, ALUAlert

where: S-1-5-18...

command: C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

file: C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE

where: S-1-5-18...

command: C:\WINDOWS\system32\CTFMON.EXE

file: C:\WINDOWS\system32\CTFMON.EXE

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Nokia.PCSync

where: S-1-5-18...

command: C:\Program Files\Nokia\Nokia PC Suite 6 Enterprise Edition\PcSync2.exe /NoDialog

file: C:\Program Files\Nokia\Nokia PC Suite 6 Enterprise Edition\PcSync2.exe

size: 1265664

MD5: 295BA32F60D1EA780288458D508EF6A1

Located: WinLogon, crypt32chain

command: crypt32.dll

file: crypt32.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, cryptnet

command: cryptnet.dll

file: cryptnet.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, cscdll

command: cscdll.dll

file: cscdll.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, dimsntfy

command: %SystemRoot%\System32\dimsntfy.dll

file: %SystemRoot%\System32\dimsntfy.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, igfxcui

command: igfxdev.dll

file: igfxdev.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, ScCertProp

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, Schedule

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, sclgntfy

command: sclgntfy.dll

file: sclgntfy.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, SensLogn

command: WlNotify.dll

file: WlNotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, termsrv

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, WgaLogon

command: WgaLogon.dll

file: WgaLogon.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

Located: WinLogon, wlballoon

command: wlnotify.dll

file: wlnotify.dll

size: 0

MD5: D41D8CD98F00B204E9800998ECF8427E

Warning: if the file is actually larger than 0 bytes,

the checksum could not be properly calculated!

--- Browser helper object list ---

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Spybot-S&D IE Protection

description: Spybot-S&D IE Browser plugin

classification: Legitimate

known filename: SDhelper.dll

info link: http://spybot.eon.net.au/

info source: Patrick M. Kolla

Path: C:\PROGRA~1\SPYBOT~1\

Long name: SDHelper.dll

Short name:

Date (created): 12/05/2004 01:03:00

Date (last access): 15/07/2008 02:56:42

Date (last write): 07/07/2008 09:41:58

Filesize: 1562448

Attributes: archive

MD5: 32981ADE44D01EC2A9EBC2E311291707

CRC32: C2F522E6

Version: 1.6.0.12

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: SSVHelper Class

Path: C:\Program Files\Java\jre1.6.0_07\bin\

Long name: ssv.dll

Short name:

Date (created): 12/07/2008 23:33:44

Date (last access): 15/07/2008 03:07:28

Date (last write): 10/06/2008 04:27:02

Filesize: 509328

Attributes: archive

MD5: F921D875A1CBD69A6A462BA2514BC831

CRC32: 38AC9EE2

Version: 6.0.70.6

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Windows Live Sign-in Helper

Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\

Long name: WindowsLiveLogin.dll

Short name: WINDOW~1.DLL

Date (created): 20/09/2007 10:30:18

Date (last access): 15/07/2008 03:05:56

Date (last write): 20/09/2007 10:30:18

Filesize: 328752

Attributes: archive

MD5: 59CF5BF6684AFCF906CADAD39B4214DE

CRC32: C363813C

Version: 4.200.520.1

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} (Windows Live Toolbar Helper)

location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

BHO name:

CLSID name: Windows Live Toolbar Helper

Path: C:\Program Files\Windows Live Toolbar\

Long name: msntb.dll

Short name:

Date (created): 19/10/2007 11:20:48

Date (last access): 15/07/2008 03:07:28

Date (last write): 19/10/2007 11:20:48

Filesize: 546320

Attributes: archive

MD5: CEE1BE1DA21300208D07FBEAE9EA2B51

CRC32: 12446524

Version: 3.1.0.146

--- ActiveX list ---

{0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5)

DPF name:

CLSID name: Facebook Photo Uploader 5

Installer: C:\WINDOWS\Downloaded Program Files\ImageUploader5.inf

Codebase: http://upload.facebook.com/controls/Facebo...toUploader5.cab

Path: C:\WINDOWS\Downloaded Program Files\

Long name: ImageUploader5.ocx

Short name: IMAGEU~1.OCX

Date (created): 09/04/2008 15:27:42

Date (last access): 15/07/2008 03:11:22

Date (last write): 09/04/2008 15:27:42

Filesize: 3175136

Attributes: archive

MD5: C34D0189E37CDE86947B889FBEB81C7A

CRC32: DAEE829D

Version: 5.1.11.0

{5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module)

DPF name:

CLSID name: Windows Live Safety Center Base Module

Installer: C:\WINDOWS\Downloaded Program Files\wlscBase.inf

Codebase: http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

Path: C:\WINDOWS\Downloaded Program Files\

Long name: wlscBase.dll

Short name:

Date (created): 24/06/2008 08:05:12

Date (last access): 15/07/2008 03:02:40

Date (last write): 24/06/2008 08:05:12

Filesize: 455744

Attributes: archive

MD5: 17536C890DF63AB4644EB111C28128F5

CRC32: 0E5EC3BB

Version: 1.8.5036.1

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

DPF name:

CLSID name: WUWebControl Class

Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf

Codebase: http://www.update.microsoft.com/windowsupd...b?1215878691109

Path: C:\WINDOWS\system32\

Long name: wuweb.dll

Short name:

Date (created): 18/04/2008 16:23:42

Date (last access): 15/07/2008 03:04:50

Date (last write): 30/07/2007 19:19:46

Filesize: 203096

Attributes: archive

MD5: FD984F9BFC9C62BD6546BD183CE5ADE7

CRC32: 8092F837

Version: 7.0.6000.381

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

DPF name:

CLSID name: MUWebControl Class

Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf

Codebase: http://www.update.microsoft.com/microsoftu...b?1208543610937

Path: C:\WINDOWS\system32\

Long name: muweb.dll

Short name:

Date (created): 30/07/2007 19:18:34

Date (last access): 15/07/2008 03:04:50

Date (last write): 30/07/2007 19:18:34

Filesize: 207736

Attributes: archive

MD5: 8038B166CE79E58E193566150CE26465

CRC32: 9137D395

Version: 7.0.6000.381

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_07

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

description: Sun Java

classification: Legitimate

known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll

info link:

info source: Patrick M. Kolla

Path: C:\Program Files\Java\jre1.6.0_07\bin\

Long name: npjpi160_07.dll

Short name: NPJPI1~1.DLL

Date (created): 10/06/2008 02:32:34

Date (last access): 15/07/2008 03:11:22

Date (last write): 10/06/2008 04:27:02

Filesize: 132496

Attributes: archive

MD5: 7C83A2809E13950359189767AC9D5DB8

CRC32: 925C2A88

Version: 6.0.70.6

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_05

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

Path: C:\Program Files\Java\jre1.6.0_05\bin\

Long name: npjpi160_05.dll

Short name: NPJPI1~1.DLL

Date (created): 22/02/2008 02:33:32

Date (last access): 15/07/2008 03:11:22

Date (last write): 22/02/2008 04:25:20

Filesize: 132496

Attributes: archive

MD5: 4FDFB86D78994BD71CBB779A7809E9CD

CRC32: 5A0EB880

Version: 6.0.50.13

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_07

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

Path: C:\Program Files\Java\jre1.6.0_07\bin\

Long name: npjpi160_07.dll

Short name: NPJPI1~1.DLL

Date (created): 10/06/2008 02:32:34

Date (last access): 15/07/2008 03:11:22

Date (last write): 10/06/2008 04:27:02

Filesize: 132496

Attributes: archive

MD5: 7C83A2809E13950359189767AC9D5DB8

CRC32: 925C2A88

Version: 6.0.70.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)

DPF name: Java Runtime Environment 1.6.0

CLSID name: Java Plug-in 1.6.0_07

Installer:

Codebase: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

Path: C:\Program Files\Java\jre1.6.0_07\bin\

Long name: npjpi160_07.dll

Short name: NPJPI1~1.DLL

Date (created): 10/06/2008 02:32:34

Date (last access): 15/07/2008 03:11:22

Date (last write): 10/06/2008 04:27:02

Filesize: 132496

Attributes: archive

MD5: 7C83A2809E13950359189767AC9D5DB8

CRC32: 925C2A88

Version: 6.0.70.6

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)

DPF name:

CLSID name: Shockwave Flash Object

Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf

Codebase: http://download.macromedia.com/pub/shockwa...ash/swflash.cab

description: Macromedia Shockwave Flash Player

classification: Legitimate

known filename:

info link:

info source: Patrick M. Kolla

Path: C:\WINDOWS\system32\Macromed\Flash\

Long name: Flash9f.ocx

Short name:

Date (created): 25/03/2008 04:32:42

Date (last access): 15/07/2008 03:11:22

Date (last write): 25/03/2008 04:32:42

Filesize: 2991488

Attributes: readonly archive

MD5: 48FDF435B8595604E54125B321924510

CRC32: 12335E29

Version: 9.0.124.0

--- Process list ---

PID: 0 ( 0) [system]

PID: 684 ( 4) \SystemRoot\System32\smss.exe

size: 50688

PID: 764 ( 684) \??\C:\WINDOWS\system32\csrss.exe

size: 6144

PID: 788 ( 684) \??\C:\WINDOWS\system32\winlogon.exe

size: 507904

PID: 832 ( 788) C:\WINDOWS\system32\services.exe

size: 108544

MD5: 0E776ED5F7CC9F94299E70461B7B8185

PID: 844 ( 788) C:\WINDOWS\system32\lsass.exe

size: 13312

MD5: BF2466B3E18E970D8A976FB95FC1CA85

PID: 1012 ( 832) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1088 ( 832) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1200 ( 832) C:\Program Files\Windows Defender\MsMpEng.exe

size: 13592

MD5: F45DD1E1365D857DD08BC23563370D0E

PID: 1264 ( 832) C:\WINDOWS\System32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1308 ( 832) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1428 ( 832) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1548 ( 832) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 1628 ( 832) C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

size: 611664

MD5: 17067069B9A7865028C1F2E6971D0CCC

PID: 1672 ( 832) C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

size: 17272

MD5: 67AF5593EF8359B56DAD6F289D22494B

PID: 1748 ( 832) C:\Program Files\Alwil Software\Avast4\ashServ.exe

size: 144760

MD5: 373BF09D372A82EA637CA9A6BC8CC8E9

PID: 1972 (1900) C:\WINDOWS\Explorer.EXE

size: 1033728

MD5: 12896823FB95BFB3DC9B46BCAEDC9923

PID: 260 ( 832) C:\WINDOWS\system32\spoolsv.exe

size: 57856

MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B

PID: 1532 ( 832) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

size: 116040

MD5: 68277BB887A67D992A81B01710AFF92A

PID: 1600 ( 832) C:\Program Files\Bonjour\mDNSResponder.exe

size: 229376

MD5: CFD4C3352E29A8B729536648466E8DF5

PID: 424 ( 832) C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

size: 217600

MD5: AB2B9349ADA4AC5EC74B622B8303FE23

PID: 568 ( 832) C:\WINDOWS\system32\svchost.exe

size: 14336

MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18

PID: 768 (1972) C:\WINDOWS\system32\hkcmd.exe

size: 166424

MD5: 4CCD8266E948D29C698FE6393D5A9CA9

PID: 1136 (1012) C:\WINDOWS\system32\igfxsrvc.exe

size: 256536

MD5: FAB6E90B4229C2CAC944021E9211594F

PID: 1448 (1972) C:\WINDOWS\system32\igfxpers.exe

size: 137752

MD5: 601D21C2B66AB945C0A73C07A8E0C928

PID: 1848 (1972) C:\WINDOWS\RTHDCPL.EXE

size: 16855552

MD5: 9BED5FA9D8E98A1C4F8A9922185FDA7D

PID: 1888 (1972) C:\Program Files\Google\Gmail Notifier\gnotify.exe

size: 479232

MD5: 3DF7AC30A381C57D0C70EAEFEE3C4EF2

PID: 2068 (1972) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

size: 144784

MD5: 6AB4C021FBD36DC6764924C312428D97

PID: 2116 (1972) C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

size: 79224

MD5: 87B63FD1B5EC5CC41589CE7026DB7C5F

PID: 2264 (1972) C:\Program Files\iTunes\iTunesHelper.exe

size: 289064

MD5: 12577ED7558A642C53C959E72FF2455F

PID: 2292 (1972) C:\Program Files\Windows Defender\MSASCui.exe

size: 866584

MD5: 77C03BF23AE56B0A31AE4D5BB4B3D0AC

PID: 2304 (1972) C:\WINDOWS\system32\ctfmon.exe

size: 15360

MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

PID: 2340 (1972) C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

size: 5724184

MD5: A8972A2F9A744DD5EE0BFE429D767F1C

PID: 2472 ( 832) C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

size: 247160

MD5: 1E105120FCA89F052081D94D8EDDD522

PID: 2600 ( 832) C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

size: 349560

MD5: 0AC0D3338B4E4F2744B648FCC35A8BB3

PID: 2960 ( 832) C:\WINDOWS\System32\alg.exe

size: 44544

MD5: 8C515081584A38AA007909CD02020B3D

PID: 3080 ( 832) C:\Program Files\iPod\bin\iPodService.exe

size: 532264

MD5: B510D6665EA4562797187F18094A040E

PID: 604 ( 832) C:\Program Files\Windows Live\Messenger\usnsvc.exe

size: 98328

MD5: 9D19B042A4FD5C02195071EA2FE0C821

PID: 2104 ( 624) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

size: 4891472

MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855

PID: 4 ( 0) System

--- Browser start & search pages list ---

Spybot - Search & Destroy browser pages report, 15/07/2008 03:14:48

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

C:\WINDOWS\system32\blank.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.google.com/

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@

http://home.microsoft.com/access/autosearch.asp?p=%s

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

%SystemRoot%\system32\blank.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page

http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

--- Winsock Layered Service Provider list ---

Protocol 0: MSAFD Tcpip [TCP/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]

GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP IP protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider

GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}

Filename: %SystemRoot%\system32\rsvpsp.dll

Description: Microsoft Windows NT/2k/XP RVSP

DB filename: %SystemRoot%\system32\rsvpsp.dll

DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider

GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}

Filename: %SystemRoot%\system32\rsvpsp.dll

Description: Microsoft Windows NT/2k/XP RVSP

DB filename: %SystemRoot%\system32\rsvpsp.dll

DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4EFFB846-0F7D-4956-A8B3-B8FA4E4C8B6C}] SEQPACKET 0

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4EFFB846-0F7D-4956-A8B3-B8FA4E4C8B6C}] DATAGRAM 0

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C27A67A3-686A-4E48-937B-E23033381A61}] SEQPACKET 1

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C27A67A3-686A-4E48-937B-E23033381A61}] DATAGRAM 1

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{91886BD1-C562-441E-873E-7DCD3BEB17D5}] SEQPACKET 2

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{91886BD1-C562-441E-873E-7DCD3BEB17D5}] DATAGRAM 2

GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}

Filename: %SystemRoot%\system32\mswsock.dll

Description: Microsoft Windows NT/2k/XP NetBios protocol

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip

GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}

Filename: %SystemRoot%\System32\mswsock.dll

Description: Microsoft Windows NT/2k/XP TCP/IP name space provider

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: TCP/IP

Namespace Provider 1: NTDS

GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}

Filename: %SystemRoot%\System32\winrnr.dll

Description: Microsoft Windows NT/2k/XP name space provider

DB filename: %SystemRoot%\system32\winrnr.dll

DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace

GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}

Filename: %SystemRoot%\System32\mswsock.dll

Description: Microsoft Windows NT/2k/XP name space provider

DB filename: %SystemRoot%\system32\mswsock.dll

DB protocol: NLA-Namespace

Namespace Provider 3: mdnsNSP

GUID: {B600E6E9-553B-4A19-8696-335E5C896153}

Filename: C:\Program Files\Bonjour\mdnsNSP.dll

Description: Apple Rendezvous protocol

DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll

DB protocol: mdnsNSP


That scan looks good. No mention of those registry entries...I think it is safe to assume then that the earlier findings were false positives...by the way, a respected Security Specialist informs me that the "!=" in the world of programming means "Is not equal to". Thus, those earlier findings that Spybot was complaining of were meant to imply that those registry Data Values were not equal to what followed after that equal sign. However, I think now we can relax.

The spybot log does however show service/process entries for Symantec. Nothing regarding any Symantec installation showed in your previous HijackThis logs. Have you installed this since your last log? Regardless, it is NOT recommended to have more than one antivirus product on board running in real time. Your level of security protection is actually reduced and you run the risk of data loss from the instability that it can cause. You should decide which to keep and uninstall the other.

Please post back a fresh HijackThis log after uninstalling one of them and advise how the system is performing for you now. Thanks!

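The question the reply above raises, whether the Symantec entries in the Spybot startup list are leftovers of an uninstall, can be answered from the report itself: Spybot prints `size: 0` and the MD5 of zero bytes (D41D8CD98F00B204E9800998ECF8427E) for any target it could not read. The following is an added example, not code from the thread or from Spybot-S&D, that parses the `--- Startup entries list ---` format shown in the log and flags such records. The sample log is constructed in that format (three records copied from the thread), and the function names `parse_startup_entries`, `unreadable_entries` and `classify` are my own.

```python
"""Flag startup entries in a Spybot-S&D report whose target file the scanner
could not hash (size 0 plus the MD5 of empty input).

Added example; not part of the forum thread or of Spybot-S&D itself.
"""
import hashlib
import re

# MD5 of zero bytes. Spybot prints exactly this when it hashed an empty or
# unreadable file, so it is a marker of "could not read", not a real checksum.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Constructed sample in the thread's report format (records copied from it).
SAMPLE_LOG = """\
--- Startup entries list ---
Located: HK_LM:Run, avast!
command: C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
file: C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
size: 79224
MD5: 87B63FD1B5EC5CC41589CE7026DB7C5F
Located: HK_CU:Run, ALUAlert
where: S-1-5-18...
command: C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe
file: C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
"""

FIELDS = ("where", "command", "file", "size", "MD5")


def parse_startup_entries(text):
    """Return one dict per 'Located:' record inside the startup entries section."""
    entries, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--- "):          # section header: enter or leave
            in_section = line == "--- Startup entries list ---"
            continue
        if not in_section or not line:
            continue
        if line.startswith("Located:"):
            hive, _, name = line[len("Located:"):].strip().partition(",")
            current = {"hive": hive.strip(), "name": name.strip(),
                       "file": "", "size": None, "md5": None}
            entries.append(current)
        elif current is not None:
            key, sep, value = line.partition(":")   # first colon only: paths keep "C:\"
            if sep and key in FIELDS:
                value = value.strip()
                current[key.lower()] = int(value) if key == "size" else value
    return entries


def unreadable_entries(entries):
    """Records Spybot could not hash: size 0 and the empty-input MD5."""
    return [e for e in entries
            if e["size"] == 0 and (e["md5"] or "").upper() == EMPTY_MD5]


def classify(entry):
    """Explain why a target was unreadable, from the shape of its path."""
    path = entry["file"]
    if re.match(r"^[A-Za-z]:\\", path):
        # A fully qualified path that cannot be read is most likely a Run
        # value left behind by an uninstaller; confirm on disk before removing.
        return "absolute path unreadable: likely orphaned entry, verify on disk"
    if path.startswith("%"):
        return "environment variable not expanded by the report: check expanded path"
    # Bare DLL/EXE names are resolved through the system search path at logon;
    # the report tool just could not find them from its own directory.
    return "bare file name: resolved via search path, checksum not computed"


if __name__ == "__main__":
    for e in unreadable_entries(parse_startup_entries(SAMPLE_LOG)):
        print(f"{e['hive']:<10} {e['name']:<14} {e['file']:<55} {classify(e)}")
```

Run against the full report in the thread, this would list the two `ALUAlert` records under absolute paths (the Symantec LiveUpdate leftovers the reply asks about) separately from the `WinLogon` notify packages, which appear with size 0 only because they are bare file names.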

I think I know what that is: I had Norton Antivirus 2003 installed a couple of years ago, but the registration expired, so I uninstalled that and downloaded Avast as it was free and have been using that ever since.

I trialled a couple of others like Kaspersky, but they slowed down my system, so now Avast is the ONLY AV program installed and running 100%.

I don't have any other Symantec products installed; could it be that there are still traces left of Norton AV from the uninstall?

The system seems to be performing well, with no traces of viruses apart from the tracking cookies that Spybot is picking up, but I'm not overly concerned about them.

The only other issue is Windows Update not installing the necessary updates so will try and resolve that over the next couple of days.

Here is a new HJT Log for you in the meantime:-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:22:41, on 15/07/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215878691109

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208543610937

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 9350 bytes


OK...no need to post another hjt log, it looks fine. The Spybot log however does indicate a problem. The startup entries listing shows that the Symantec Live Update wants to run at startup:

--- Startup entries list ---

Located: HK_CU:Run

C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

...why it doesn't show in the HijackThis log is the question. There are a couple of possibilities. Have you used the msconfig utility to stop any services/processes from running at startup?

The entry does need to be removed as there exists the possibility of some conflict issues. You can use the Symantec removal tool but I would like to hear back from you first as to whether or not you may have this startup entry arrested by some other application (perhaps Windows Defender). Such a scenario may just complicate things if you were to try running that tool before removing any restriction that you (or some other application) may have put in place. Can you look into that possibility from your end and report back to us on this?

Likewise, the Windows Update issue is something we will address when we have removed the Symantec remnants.


I have a number of processes stopped in msconfig: mostly running processes that are no longer required or that I don't want to run at start-up, or ones I stopped when I attempted virus removal in the past and they were flagged.

I have uploaded images of what I have running and what I have stopped, but Symantec isn't one of them, so no idea?

I have manually downloaded and installed IE7 again from the Windows Update site, but these are the updates that have downloaded but are refusing to install:-

Update for Microsoft Office Outlook 2007 (KB952142)

2007 Microsoft Office Suite Service Pack 1 (SP1)

Cumulative Security Update for ActiveX Killbits for Windows XP (KB950760)

Security Update for Microsoft .NET Framework, Version 2.0 (KB928365)

Update for Windows XP (KB951978)

And these are the available updates from Windows Update:-

Definition Update for Windows Defender - KB915597

Update for Windows XP (KB951978)

Cumulative Security Update for ActiveX Killbits for Windows XP (KB950760)

Cumulative Security Update for Internet Explorer 7 for Windows XP (KB950759)

Security Update for Microsoft .NET Framework, Version 2.0 (KB928365)

Update for Microsoft Office Outlook 2007 (KB952142)

2007 Microsoft Office Suite Service Pack 1 (SP1)

They download fine, but just fail to install. I've run services.msc and have Automatic Updates, BITS and Event Log fully functional (service started, on auto) with no errors showing in the event log, so no idea why they won't install?



You can remove a failed Symantec install/uninstall or damaged product using their Removal Tool...

As for the msconfig utility entries that you disabled on startup, these three are malicious:

C:\Windows\system32\dmcghgdl.dll

C:\Program Files\VAV\vav.exe

C:\Sys4.exe

We need to allow these the opportunity to run on startup if they are still present. Return to the msconfig utility and place a check in the box next to those entries. Apply it, ok it, then close msconfig. Reboot and check the box for the option "Do not show me this again" in the warning message that will pop up on reboot. Run a fresh HijackThis log and post that back here on your next reply. We need to make certain that these are removed before we even consider going back to Windows Update. Thanks!


I used the Symantec removal tool (disabled Windows Defender in case).

Re-enabled the msconfig entries as above; VAV.exe returned a "File not found" error on start-up.

Checked C:\Windows\system32\dmcghgdl.dll and the file is no longer there.

I ran a new MBAM scan and found 2 new entries, so they are posted below with a fresh HJT log:-

Malwarebytes' Anti-Malware 1.20

Database version: 957

Windows 5.1.2600 Service Pack 3

11:39:28 16/07/2008

mbam-log-7-16-2008 (11-39-28).txt

Scan type: Quick Scan

Objects scanned: 41342

Time elapsed: 7 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sys4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40273316 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:40:26, on 16/07/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215878691109

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208543610937

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 9819 bytes


OK, the Sys4.exe I was expecting:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sys4.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Glad to see mbam took care of that. This one however:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40273316 (Trojan.Vundo) -> Quarantined and deleted successfully.

...is not enough to do it I'm afraid. Your log still shows the rogue anti-spyware application running that we re-enabled using the msconfig utility. That's a good thing by the way. Now we can remove it properly.

Before we go after it though, let's take a look at the Add/Remove Programs list to see if we could get lucky. I haven't seen it in a while now, but I know from years past that users were able to remove some of the Vundo and/or SmitFraud/rogue application problems by finding an uninstall string to remove them. In the off chance that it's there, click Start-->Control Panel-->Add/Remove Programs...scroll down the list to see if you can locate a program named:

VAV

...if you find it, click once on it to highlight it then click Remove. If the uninstall completes successfully, reboot at this point.

If you are not able to find an uninstall string there for that program name then continue with the instructions below:

First, make sure before you proceed that Windows Defender is still disabled.

Please download RogueRemover & save it to your desktop.

  • Double-click on rr-free-setup.exe to install in: C:\Program Files\RogueRemover.
  • Navigate to the folder and double click on the file named RogueRemover.exe or use the icon that was created on your desktop.
  • Once the program runs, select Check for Updates.
  • When prompted, select Check for Updates.
  • If prompted again, click Download to receive the latest updates.
  • When completed, close the update window.
  • Finally, select Scan and the program will walk you through the remaining steps.

Post back a fresh HijackThis log.

Also, please advise how the system behaves for you now. Thanks!


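Reading the O4 lines the way the helper does above (a Run entry launched from the drive root like C:\Sys4.exe, the bare [Antivirus] label on vav.exe, the digits-only Vundo value name, a target that has already been deleted by hand) can be scripted. The Python below is an added example, not code from this thread, from HijackThis or from Malwarebytes; its rule set, the sample O4 lines it is run over, the rundll32 form of the Vundo entry, the [sys1] entry and the simulated list of surviving files are all constructed assumptions.

```python
"""Triage the O4 (registry Run) lines of a HijackThis log for the warning signs
the helper used in this thread: a binary launched from the drive root or a temp
folder, a bare generic label such as [Antivirus], a digits-only value name, and
a target that no longer exists.  Added example, not code from the forum, from
HijackThis or from Malwarebytes; the rule set and the sample log are constructed
here from the entries posted above."""
import ntpath  # Windows path semantics regardless of the host running the script
import os
import re
from typing import Callable, Dict, List

# One O4 line looks like:  O4 - HKLM\..\Run: [label] command (User 'NAME')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
# First token ending in an executable extension; unquoted paths may contain spaces.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat))(?=\s|$)", re.IGNORECASE)
# Labels a real vendor would brand ([avast!], [Windows Defender]); rogues leave them bare.
GENERIC_LABELS = {"antivirus", "anti-virus", "antispyware", "anti-spyware", "security"}


def _first_exe(text: str) -> str:
    """Pull the executable path out of a Run command line."""
    text = text.strip()
    if text.startswith('"'):
        return text[1:].split('"', 1)[0]
    m = EXE_RE.match(text)
    return m.group(1) if m else text.split(" ", 1)[0]


def parse_o4(line: str) -> Dict[str, str]:
    """Return hive, key, label and target path for an O4 line, or {} for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return {}
    cmd = USER_SUFFIX_RE.sub("", m.group("cmd")).strip()
    path = _first_exe(cmd)
    # rundll32 only hosts the payload: triage the DLL it loads, not rundll32 itself.
    if ntpath.basename(path).lower() == "rundll32.exe":
        path = _first_exe(cmd.split(path, 1)[1]).split(",", 1)[0]
    return {"hive": m.group("hive"), "key": m.group("key"),
            "label": m.group("label"), "path": path}


def flag_entry(entry: Dict[str, str], exists: Callable[[str], bool]) -> List[str]:
    """Apply the triage rules to one parsed entry; returns the reasons it was flagged."""
    reasons: List[str] = []
    path, label = entry["path"], entry["label"].strip()
    directory = ntpath.dirname(path)
    # Installers put binaries in a product folder; C:\Sys4.exe in this thread sat in the root.
    if re.fullmatch(r"[a-z]:\\?", directory.lower()):
        reasons.append("runs from drive root")
    # The sysN.exe files the poster found lived under Local Settings\Temp.
    if "\\temp\\" in path.lower():
        reasons.append("runs from a temp folder")
    # [Antivirus] -> vav.exe was the rogue "Vista Anti-Virus" product.
    if label.lower() in GENERIC_LABELS:
        reasons.append("generic security label")
    # Vundo's Run value in the MBAM log above was the bare number 40273316.
    if label.isdigit():
        reasons.append("numeric value name")
    # A value whose target is gone still fires 'File not found' at every logon and
    # shows the removal was only half done; bare names (RTHDCPL.EXE) are skipped.
    if directory and not exists(path):
        reasons.append("target file missing")
    return reasons


def triage(log_lines: List[str],
           exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Map the label of every suspicious O4 line to its reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in log_lines:
        entry = parse_o4(line)
        if entry:
            reasons = flag_entry(entry, exists)
            if reasons:
                findings[entry["label"]] = reasons
    return findings


# Constructed sample: lines from the logs above plus the three entries the helper
# called malicious, written in O4 syntax (the rundll32 form and [sys1] are assumed).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r"O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe",
    r"O4 - HKLM\..\Run: [Sys4.exe] C:\Sys4.exe",
    r"O4 - HKLM\..\Run: [40273316] rundll32.exe C:\WINDOWS\system32\dmcghgdl.dll",
    r"O4 - HKCU\..\Run: [sys1] C:\Documents and Settings\user\Local Settings\Temp\sys1.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
]
# Files assumed still present on the (simulated) host; everything else was deleted by hand.
SIMULATED_PRESENT = {p.lower() for p in (
    r"C:\WINDOWS\system32\igfxtray.exe",
    r"C:\Program Files\Windows Defender\MSASCui.exe",
    r"C:\WINDOWS\system32\CTFMON.EXE",
)}


def demo_findings() -> Dict[str, List[str]]:
    """Run the triage over the constructed sample against the simulated file system."""
    return triage(SAMPLE_LOG, exists=lambda p: p.lower() in SIMULATED_PRESENT)


if __name__ == "__main__":
    for label, reasons in demo_findings().items():
        print(f"[{label}]: {', '.join(reasons)}")
```

On a live XP box `triage(lines)` with the default `os.path.exists` does the file check for real; the flags are triage hints for a human reader of the log, not a verdict.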

Hi 1972vet,

I am at work at the moment, so not able to do anything until I get home in 5 hours or so. But a little more info for you...

sys4.exe was one of a number of sys running processes that were present that I stopped over the weekend. I found them all in windows\documents and settings\local settings\user\temp; there were 3 or 4 different files (sys1.exe, sys2.exe etc.) deleted from there, and they haven't returned either.

VAV.exe was a Vista Anti-Virus app or something that downloaded and installed itself; that was the start of all the other viruses etc. that opened the floodgates. I remember stopping the running process, deleting the entire folder from the HDD and disabling it in msconfig.

I don't remember seeing VAV in Add or Remove Programs, but I will check tonight, follow what you've posted above and then reply with the requested logs etc.


Just got in; as I thought, there was no VAV in Add/Remove Programs.

Disabled Windows Defender and downloaded RogueRemover; this turned out clean, nothing found.

Ran MBAM again: clean, nothing found. Same with Spybot, just 1 tracking cookie found, so nothing there really.

Fresh HJT log below:-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:54:55, on 16/07/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215878691109

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208543610937

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 9895 bytes


The executable file vav.exe is targeted by RogueRemover so I'm surprised at those findings.

Using the Killbox we downloaded earlier, please do this:

Open Killbox and check the box Delete on Reboot. Now, highlight the entire entry below in bold text and then copy it.

C:\Program Files\VAV\vav.exe

Then in Killbox click File-->Paste from Clipboard. Now, click the All Files button.

Next, click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask "Reboot now?"; you will need to click No for now.

Remember...Killbox will let you know if the file does not exist.

Next, please run HijackThis again and check the box next to this entry:

O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe

Now close all windows including this browser window. Leaving only the HijackThis application's window open, click the Fix Checked button.

Now reboot the computer and post back a fresh HijackThis log. Also, please advise how the system is performing for you. Thanks!


Probably because I manually deleted the folder when I disabled it in msconfig. Just checked again, and it's definitely not there.

Ran Killbox and it was not found either.

Checked msconfig and the entries that we re-enabled (including VAV.exe) are no longer there.

System seems to be running fine: no pop-ups, no strange behaviour, and smooth as normal.

Fresh HJT Log:-

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:23:03, on 16/07/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Live\Messenger\usnsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215878691109

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208543610937

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--

End of file - 9805 bytes

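The helper's next step is to compare the log just posted with the earlier one and confirm the only difference is the removed autostart. The parser below is an added example for this thread (not code from HijackThis or from the forum): it splits an HJT-style log into its running-process list and its per-section entries, diffs a "before" and "after" log, and flags O4 Run entries whose executable is not among the running processes. The two sample logs are constructed excerpts of the logs posted above, trimmed to a few lines, so the script runs offline.

```python
"""Diff two HijackThis-style logs and triage O4 autostarts (added example, not HJT code)."""
import re
from collections import defaultdict

# One HJT entry line: section tag (R0, O2, O4, O23 ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 autostart entry: hive\..\Run: [value name] target [(User '...')]
O4_RE = re.compile(
    r"^HK\S*\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+?)(?: \(User '[^']*'\))?$"
)
# First executable in a target string, with or without quotes and trailing switches.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Constructed excerpt of the 22:54 log: the Run entry for the hand-deleted VAV folder is still there.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:54:55, on 16/07/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ctfmon.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
--
End of file - 9895 bytes
"""

# Constructed excerpt of the 23:23 log, after "Fix Checked" and re-enabling Defender.
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:23:03, on 16/07/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
--
End of file - 9805 bytes
"""


def parse_hjt(text):
    """Split an HJT log into its running-process list and per-section entry bodies."""
    processes, entries, in_processes = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the first R/O entry ends the process list
            entries[m.group("section")].append(m.group("body"))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": dict(entries)}


def o4_target(body):
    """Return (value name, executable path) for an O4 body, or None if it is not a Run entry."""
    m = O4_RE.match(body)
    if not m:
        return None
    target = m.group("target").strip()
    exe = EXE_RE.match(target)
    return m.group("name"), (exe.group("exe") if exe else target.strip('"'))


def diff_logs(before_text, after_text):
    """Entries and processes present in one log but not the other."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed, added = {}, {}
    for section in sorted(set(before["entries"]) | set(after["entries"])):
        b = set(before["entries"].get(section, []))
        a = set(after["entries"].get(section, []))
        if b - a:
            removed[section] = sorted(b - a)
        if a - b:
            added[section] = sorted(a - b)
    return {
        "removed": removed,
        "added": added,
        "processes_removed": sorted(set(before["processes"]) - set(after["processes"])),
        "processes_added": sorted(set(after["processes"]) - set(before["processes"])),
    }


def orphan_autostarts(parsed):
    """O4 Run entries whose executable is not in the running-process list.

    Triage heuristic only: legitimate tray utilities show up here too, but so does a
    leftover entry pointing at a folder that was deleted by hand, as with [Antivirus] above.
    """
    running = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    orphans = []
    for body in parsed["entries"].get("O4", []):
        hit = o4_target(body)
        if hit and hit[1].rsplit("\\", 1)[-1].lower() not in running:
            orphans.append(hit)
    return orphans


if __name__ == "__main__":
    delta = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", delta["removed"], "new processes:", delta["processes_added"])
    print("autostarts not running before fix:", orphan_autostarts(parse_hjt(BEFORE_LOG)))
```

On the constructed excerpts the diff reports exactly one removed entry, the [Antivirus] Run value, and one new process, MSASCui.exe, which is what re-enabling Windows Defender adds. The orphan check is only a prompt to look closer: on a full log it also lists benign tray helpers that simply were not running at scan time, so treat its output as a shortlist rather than a verdict.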

I see a clean log...congratulations! You can re-enable Windows Defender and you can delete these:

Symantec Removal tool

RogueRemover

...Killbox you can keep, but before you try to use it for anything, please thoroughly read through the "Killbox Description and Usage" guide in the Help section of the menu.

Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean). Click "Create" and reboot your computer.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?

  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:

Kerio Personal Firewall

Zone Alarm

Outpost Free

Comodo

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup"), just open the utility and check off the following:

Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?

Regards, and Happy Surfing!


Thanks 1972vet, your help has been very much appreciated.

The only issue I have now is how to resolve the issue with Windows updates not installing. Any ideas, or can you point me in the direction of another forum or help section?


Sorry for the oversight on my part...I do remember now telling you that we would troubleshoot that issue once your system is cleaned. Please do this for me.

Since it's not a malware issue, please create a new thread Here. Give the thread the title "Windows Update Help" and post your windows update log there to my attention. Others may also pick up your thread and post something in response but I'll be there to oversee as well and will indeed take possession of your issue for you. I only mentioned the fact that others may also post there because I believe that forum is open to all members here so be advised that good intentions sometimes will get turned sideways...so please take into consideration that other members instructions may or may not have the desired results you are looking for.

After you create the post from following the instructions below to copy your Windows Update log for me, send me a PM using This Link and include a link to your newly created thread. That way I'll get the email notification immediately upon your posting:

Click Start-->Run...In the Open box, type or copy and paste the following:

%windir%\windowsupdate.log

...then click OK.

A notepad text document will open containing entries logged by Windows Update. Scroll to the bottom to view the most recent information logged. Copy what information you have there for the most recent date (just for that one day). Paste that information into your newly created thread per the above instruction. Thanks!


This topic is now closed to further replies.