Jump to content

CWS.Svchost32 issues and desperately need help !


Recommended Posts

Hi all

New here and having a couple of issues. Started with pop-ups and pc became very slow. Couldn't get windows updates or any antispyware software to install. Slowly but surely I have started cleaing things up and CWShredder reports that it has found CWS.Svchost32 but I can't seem to get rid of it.

I have tried SpyBot S&D, Lavasoft Adaware, SuperAntiSpyware, Trojan Hunter, Windows Defender and everything they listed has been removed but HJT log still shows the following:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:21:45, on 03/08/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\apps\ABoard\ABoard.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\AOL\1130227887\ee\AOLSoftware.exe

C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Kontiki\KHost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\wuauclt.exe

c:\program files\common files\aol\1130227887\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

c:\program files\common files\aol\1130227887\ee\aolsoftware.exe

C:\Program Files\AOL 9.0a\aoltray.exe

C:\Program Files\AOL Companion\companion.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

O1 - Hosts: 66.180.173.39 google.ae

O1 - Hosts: 66.180.173.39 google.am

O1 - Hosts: 66.180.173.39 google.as

O1 - Hosts: 66.180.173.39 google.az

O1 - Hosts: 66.180.173.39 google.bi

O1 - Hosts: 66.180.173.39 google.cd

O1 - Hosts: 66.180.173.39 google.cg

O1 - Hosts: 66.180.173.39 google.ci

O1 - Hosts: 66.180.173.39 google.cl

O1 - Hosts: 66.180.173.39 google.co.cr

O1 - Hosts: 66.180.173.39 google.co.hu

O1 - Hosts: 66.180.173.39 google.co.in

O1 - Hosts: 66.180.173.39 google.co.je

O1 - Hosts: 66.180.173.39 google.co.jp

O1 - Hosts: 66.180.173.39 google.co.ke

O1 - Hosts: 66.180.173.39 google.co.ls

O1 - Hosts: 66.180.173.39 google.co.th

O1 - Hosts: 66.180.173.39 google.co.ug

O1 - Hosts: 66.180.173.39 google.co.uk

O1 - Hosts: 66.180.173.39 google.co.ve

O1 - Hosts: 66.180.173.39 google.dj

O1 - Hosts: 66.180.173.39 google.es

O1 - Hosts: 66.180.173.39 google.fm

O1 - Hosts: 66.180.173.39 google.gg

O1 - Hosts: 66.180.173.39 google.gl

O1 - Hosts: 66.180.173.39 google.gm

O1 - Hosts: 66.180.173.39 google.hn

O1 - Hosts: 66.180.173.39 google.kz

O1 - Hosts: 66.180.173.39 google.li

O1 - Hosts: 66.180.173.39 google.lt

O1 - Hosts: 66.180.173.39 google.lu

O1 - Hosts: 66.180.173.39 google.lv

O1 - Hosts: 66.180.173.39 google.mn

O1 - Hosts: 66.180.173.39 google.ms

O1 - Hosts: 66.180.173.39 google.mu

O1 - Hosts: 66.180.173.39 google.mw

O1 - Hosts: 66.180.173.39 google.no

O1 - Hosts: 66.180.173.39 google.off.ai

O1 - Hosts: 66.180.173.39 google.pn

O1 - Hosts: 66.180.173.39 google.pt

O1 - Hosts: 66.180.173.39 google.ro

O1 - Hosts: 66.180.173.39 google.ru

O1 - Hosts: 66.180.173.39 google.rw

O1 - Hosts: 66.180.173.39 google.se

O1 - Hosts: 66.180.173.39 google.sh

O1 - Hosts: 66.180.173.39 google.sk

O1 - Hosts: 66.180.173.39 google.sm

O1 - Hosts: 66.180.173.39 google.td

O1 - Hosts: 66.180.173.39 google.tm

O1 - Hosts: 66.180.173.39 google.tt

O1 - Hosts: 66.180.173.39 google.uz

O1 - Hosts: 66.180.173.39 google.vg

O1 - Hosts: 66.180.173.39 google.ae

O1 - Hosts: 66.180.173.39 google.am

O1 - Hosts: 66.180.173.39 google.as

O1 - Hosts: 66.180.173.39 google.az

O1 - Hosts: 66.180.173.39 google.bi

O1 - Hosts: 66.180.173.39 google.cd

O1 - Hosts: 66.180.173.39 google.cg

O1 - Hosts: 66.180.173.39 google.ci

O1 - Hosts: 66.180.173.39 google.cl

O1 - Hosts: 66.180.173.39 google.co.cr

O1 - Hosts: 66.180.173.39 google.co.hu

O1 - Hosts: 66.180.173.39 google.co.in

O1 - Hosts: 66.180.173.39 google.co.je

O1 - Hosts: 66.180.173.39 google.co.jp

O1 - Hosts: 66.180.173.39 google.co.ke

O1 - Hosts: 66.180.173.39 google.co.ls

O1 - Hosts: 66.180.173.39 google.co.th

O1 - Hosts: 66.180.173.39 google.co.ug

O1 - Hosts: 66.180.173.39 google.co.uk

O1 - Hosts: 66.180.173.39 google.co.ve

O1 - Hosts: 66.180.173.39 google.dj

O1 - Hosts: 66.180.173.39 google.es

O1 - Hosts: 66.180.173.39 google.fm

O1 - Hosts: 66.180.173.39 google.gg

O1 - Hosts: 66.180.173.39 google.gl

O1 - Hosts: 66.180.173.39 google.gm

O1 - Hosts: 66.180.173.39 google.hn

O1 - Hosts: 66.180.173.39 google.kz

O1 - Hosts: 66.180.173.39 google.li

O1 - Hosts: 66.180.173.39 google.lt

O1 - Hosts: 66.180.173.39 google.lu

O1 - Hosts: 66.180.173.39 google.lv

O1 - Hosts: 66.180.173.39 google.mn

O1 - Hosts: 66.180.173.39 google.ms

O1 - Hosts: 66.180.173.39 google.mu

O1 - Hosts: 66.180.173.39 google.mw

O1 - Hosts: 66.180.173.39 google.no

O1 - Hosts: 66.180.173.39 google.off.ai

O1 - Hosts: 66.180.173.39 google.pn

O1 - Hosts: 66.180.173.39 google.pt

O1 - Hosts: 66.180.173.39 google.ro

O1 - Hosts: 66.180.173.39 google.ru

O1 - Hosts: 66.180.173.39 google.rw

O1 - Hosts: 66.180.173.39 google.se

O1 - Hosts: 66.180.173.39 google.sh

O1 - Hosts: 66.180.173.39 google.sk

O1 - Hosts: 66.180.173.39 google.sm

O1 - Hosts: 66.180.173.39 google.td

O1 - Hosts: 66.180.173.39 google.tm

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {602DD5BD-6413-46D9-B655-937776DFEA19} - C:\WINDOWS\system32\ljJYRHBT.dll (file missing)

O2 - BHO: (no name) - {6BAF4B9A-3399-4233-A380-109DFD48E690} - C:\WINDOWS\system32\andcea.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: (no name) - {D8A7FBC6-AE1D-4743-9E70-21902FB19B6D} - C:\WINDOWS\system32\ljJAPIax.dll (file missing)

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130227887\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: ljJAPIax - ljJAPIax.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O24 - Desktop Component 0: (no name) - http://www.focusstoc.com/forums/uploads/11..._2_2_117383.jpg

O24 - Desktop Component 1: (no name) - http://www.wolves.premiumtv.co.uk/content/...R64/367353.JPEG

--

End of file - 13503 bytes

I'm no expert by any stretch of the imagination but I know that doesn't look right.

Many thanks in advance for any replies.

Link to post
Share on other sites

Hi JeanInMontana

I read the instructions after I posted, apologies. I did set the scans running but they took so long, here are the results:

Malwarebytes' Anti-Malware 1.24

Database version: 1020

Windows 5.1.2600 Service Pack 2

17:31:09 04/08/2008

mbam-log-8-4-2008 (17-31-09).txt

Scan type: Full Scan (C:\|)

Objects scanned: 65109

Time elapsed: 42 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-08-04 06:23:43

PROTECTIONS: 1

MALWARE: 12

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

Windows Defender 1.1.3806.0 No Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00003992 spyware/adclicker Spyware No 1 Yes No hkey_classes_root\typelib\{c89e0f84-3c34-43d1-a72c-af1a160a7c07}

00035872 adware/popuper Adware No 0 Yes No c:\documents and settings\all users\favorites\online antivirus and spyware remover.url

00035872 adware/popuper Adware No 0 Yes No c:\documents and settings\all users\favorites\online directory of pure porn.url

00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\software\Microsoft\Internet Explorer\Search\SearchAssistant

00112450 adware/easysearch Adware No 0 Yes No c:\recycler\index.html

00112450 adware/easysearch Adware No 0 Yes No c:\recycler\easysearch_google.jpg

00165355 adware/nowfind Adware No 0 Yes No c:\windows\system32\icnfe.dll

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Richard Sadler\Cookies\richard_sadler@com[1].txt

00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Richard Sadler\Cookies\richard_sadler@xiti[1].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Richard Sadler\Cookies\richard_sadler@toplist[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Richard Sadler\Cookies\richard_sadler@ad.yieldmanager[1].txt

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Richard Sadler\Cookies\richard_sadler@adtech[2].txt

00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Richard Sadler\Cookies\richard_sadler@statse.webtrendslive[2].txt

00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\administrator@did-it[1].txt

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location į

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description į

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:38:14, on 04/08/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\apps\ABoard\ABoard.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Kontiki\KHost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Common Files\AOL\1130227887\ee\aolsoftware.exe

C:\Program Files\AOL 9.0a\aoltray.exe

C:\Program Files\AOL Companion\companion.exe

c:\program files\common files\aol\1130227887\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

c:\program files\common files\aol\1130227887\ee\aolsoftware.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\AVG\AVG8\aAvgApi.exe

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

O1 - Hosts: 66.180.173.39 google.ae

O1 - Hosts: 66.180.173.39 google.am

O1 - Hosts: 66.180.173.39 google.as

O1 - Hosts: 66.180.173.39 google.az

O1 - Hosts: 66.180.173.39 google.bi

O1 - Hosts: 66.180.173.39 google.cd

O1 - Hosts: 66.180.173.39 google.cg

O1 - Hosts: 66.180.173.39 google.ci

O1 - Hosts: 66.180.173.39 google.cl

O1 - Hosts: 66.180.173.39 google.co.cr

O1 - Hosts: 66.180.173.39 google.co.hu

O1 - Hosts: 66.180.173.39 google.co.in

O1 - Hosts: 66.180.173.39 google.co.je

O1 - Hosts: 66.180.173.39 google.co.jp

O1 - Hosts: 66.180.173.39 google.co.ke

O1 - Hosts: 66.180.173.39 google.co.ls

O1 - Hosts: 66.180.173.39 google.co.th

O1 - Hosts: 66.180.173.39 google.co.ug

O1 - Hosts: 66.180.173.39 google.co.uk

O1 - Hosts: 66.180.173.39 google.co.ve

O1 - Hosts: 66.180.173.39 google.dj

O1 - Hosts: 66.180.173.39 google.es

O1 - Hosts: 66.180.173.39 google.fm

O1 - Hosts: 66.180.173.39 google.gg

O1 - Hosts: 66.180.173.39 google.gl

O1 - Hosts: 66.180.173.39 google.gm

O1 - Hosts: 66.180.173.39 google.hn

O1 - Hosts: 66.180.173.39 google.kz

O1 - Hosts: 66.180.173.39 google.li

O1 - Hosts: 66.180.173.39 google.lt

O1 - Hosts: 66.180.173.39 google.lu

O1 - Hosts: 66.180.173.39 google.lv

O1 - Hosts: 66.180.173.39 google.mn

O1 - Hosts: 66.180.173.39 google.ms

O1 - Hosts: 66.180.173.39 google.mu

O1 - Hosts: 66.180.173.39 google.mw

O1 - Hosts: 66.180.173.39 google.no

O1 - Hosts: 66.180.173.39 google.off.ai

O1 - Hosts: 66.180.173.39 google.pn

O1 - Hosts: 66.180.173.39 google.pt

O1 - Hosts: 66.180.173.39 google.ro

O1 - Hosts: 66.180.173.39 google.ru

O1 - Hosts: 66.180.173.39 google.rw

O1 - Hosts: 66.180.173.39 google.se

O1 - Hosts: 66.180.173.39 google.sh

O1 - Hosts: 66.180.173.39 google.sk

O1 - Hosts: 66.180.173.39 google.sm

O1 - Hosts: 66.180.173.39 google.td

O1 - Hosts: 66.180.173.39 google.tm

O1 - Hosts: 66.180.173.39 google.tt

O1 - Hosts: 66.180.173.39 google.uz

O1 - Hosts: 66.180.173.39 google.vg

O1 - Hosts: 66.180.173.39 google.ae

O1 - Hosts: 66.180.173.39 google.am

O1 - Hosts: 66.180.173.39 google.as

O1 - Hosts: 66.180.173.39 google.az

O1 - Hosts: 66.180.173.39 google.bi

O1 - Hosts: 66.180.173.39 google.cd

O1 - Hosts: 66.180.173.39 google.cg

O1 - Hosts: 66.180.173.39 google.ci

O1 - Hosts: 66.180.173.39 google.cl

O1 - Hosts: 66.180.173.39 google.co.cr

O1 - Hosts: 66.180.173.39 google.co.hu

O1 - Hosts: 66.180.173.39 google.co.in

O1 - Hosts: 66.180.173.39 google.co.je

O1 - Hosts: 66.180.173.39 google.co.jp

O1 - Hosts: 66.180.173.39 google.co.ke

O1 - Hosts: 66.180.173.39 google.co.ls

O1 - Hosts: 66.180.173.39 google.co.th

O1 - Hosts: 66.180.173.39 google.co.ug

O1 - Hosts: 66.180.173.39 google.co.uk

O1 - Hosts: 66.180.173.39 google.co.ve

O1 - Hosts: 66.180.173.39 google.dj

O1 - Hosts: 66.180.173.39 google.es

O1 - Hosts: 66.180.173.39 google.fm

O1 - Hosts: 66.180.173.39 google.gg

O1 - Hosts: 66.180.173.39 google.gl

O1 - Hosts: 66.180.173.39 google.gm

O1 - Hosts: 66.180.173.39 google.hn

O1 - Hosts: 66.180.173.39 google.kz

O1 - Hosts: 66.180.173.39 google.li

O1 - Hosts: 66.180.173.39 google.lt

O1 - Hosts: 66.180.173.39 google.lu

O1 - Hosts: 66.180.173.39 google.lv

O1 - Hosts: 66.180.173.39 google.mn

O1 - Hosts: 66.180.173.39 google.ms

O1 - Hosts: 66.180.173.39 google.mu

O1 - Hosts: 66.180.173.39 google.mw

O1 - Hosts: 66.180.173.39 google.no

O1 - Hosts: 66.180.173.39 google.off.ai

O1 - Hosts: 66.180.173.39 google.pn

O1 - Hosts: 66.180.173.39 google.pt

O1 - Hosts: 66.180.173.39 google.ro

O1 - Hosts: 66.180.173.39 google.ru

O1 - Hosts: 66.180.173.39 google.rw

O1 - Hosts: 66.180.173.39 google.se

O1 - Hosts: 66.180.173.39 google.sh

O1 - Hosts: 66.180.173.39 google.sk

O1 - Hosts: 66.180.173.39 google.sm

O1 - Hosts: 66.180.173.39 google.td

O1 - Hosts: 66.180.173.39 google.tm

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {602DD5BD-6413-46D9-B655-937776DFEA19} - C:\WINDOWS\system32\ljJYRHBT.dll (file missing)

O2 - BHO: (no name) - {6BAF4B9A-3399-4233-A380-109DFD48E690} - C:\WINDOWS\system32\andcea.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: (no name) - {D8A7FBC6-AE1D-4743-9E70-21902FB19B6D} - C:\WINDOWS\system32\ljJAPIax.dll (file missing)

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130227887\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: ljJAPIax - ljJAPIax.dll (file missing)

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O24 - Desktop Component 0: (no name) - http://www.focusstoc.com/forums/uploads/11..._2_2_117383.jpg

O24 - Desktop Component 1: (no name) - http://www.wolves.premiumtv.co.uk/content/...R64/367353.JPEG

--

End of file - 13753 bytes

Hope all this makes sense. If my friend had told me how bad his machine was before I offered to help think I may have thought twice.

Thanks Jay

Link to post
Share on other sites

the quick scan with MBAM is what is instructed and really all you need to do.

00035872 adware/popuper Adware No 0 Yes No c:\documents and settings\all users\favorites\online antivirus and spyware remover.url

00035872 adware/popuper Adware No 0 Yes No c:\documents and settings\all users\favorites\online directory of pure porn.url

As you see the two above are the root of the popups and need to be taken out of Favorites and don't go there again. Porn sites are notorious for infection and most likely the other is a rogue application.

Run HJT again and remove these lines below by placing a check next to them and then clicking fix.

O1 - Hosts: 66.180.173.39 google.ae

O1 - Hosts: 66.180.173.39 google.am

O1 - Hosts: 66.180.173.39 google.as

O1 - Hosts: 66.180.173.39 google.az

O1 - Hosts: 66.180.173.39 google.bi

O1 - Hosts: 66.180.173.39 google.cd

O1 - Hosts: 66.180.173.39 google.cg

O1 - Hosts: 66.180.173.39 google.ci

O1 - Hosts: 66.180.173.39 google.cl

O1 - Hosts: 66.180.173.39 google.co.cr

O1 - Hosts: 66.180.173.39 google.co.hu

O1 - Hosts: 66.180.173.39 google.co.in

O1 - Hosts: 66.180.173.39 google.co.je

O1 - Hosts: 66.180.173.39 google.co.jp

O1 - Hosts: 66.180.173.39 google.co.ke

O1 - Hosts: 66.180.173.39 google.co.ls

O1 - Hosts: 66.180.173.39 google.co.th

O1 - Hosts: 66.180.173.39 google.co.ug

O1 - Hosts: 66.180.173.39 google.co.uk

O1 - Hosts: 66.180.173.39 google.co.ve

O1 - Hosts: 66.180.173.39 google.dj

O1 - Hosts: 66.180.173.39 google.es

O1 - Hosts: 66.180.173.39 google.fm

O1 - Hosts: 66.180.173.39 google.gg

O1 - Hosts: 66.180.173.39 google.gl

O1 - Hosts: 66.180.173.39 google.gm

O1 - Hosts: 66.180.173.39 google.hn

O1 - Hosts: 66.180.173.39 google.kz

O1 - Hosts: 66.180.173.39 google.li

O1 - Hosts: 66.180.173.39 google.lt

O1 - Hosts: 66.180.173.39 google.lu

O1 - Hosts: 66.180.173.39 google.lv

O1 - Hosts: 66.180.173.39 google.mn

O1 - Hosts: 66.180.173.39 google.ms

O1 - Hosts: 66.180.173.39 google.mu

O1 - Hosts: 66.180.173.39 google.mw

O1 - Hosts: 66.180.173.39 google.no

O1 - Hosts: 66.180.173.39 google.off.ai

O1 - Hosts: 66.180.173.39 google.pn

O1 - Hosts: 66.180.173.39 google.pt

O1 - Hosts: 66.180.173.39 google.ro

O1 - Hosts: 66.180.173.39 google.ru

O1 - Hosts: 66.180.173.39 google.rw

O1 - Hosts: 66.180.173.39 google.se

O1 - Hosts: 66.180.173.39 google.sh

O1 - Hosts: 66.180.173.39 google.sk

O1 - Hosts: 66.180.173.39 google.sm

O1 - Hosts: 66.180.173.39 google.td

O1 - Hosts: 66.180.173.39 google.tm

O1 - Hosts: 66.180.173.39 google.tt

O1 - Hosts: 66.180.173.39 google.uz

O1 - Hosts: 66.180.173.39 google.vg

O1 - Hosts: 66.180.173.39 google.ae

O1 - Hosts: 66.180.173.39 google.am

O1 - Hosts: 66.180.173.39 google.as

O1 - Hosts: 66.180.173.39 google.az

O1 - Hosts: 66.180.173.39 google.bi

O1 - Hosts: 66.180.173.39 google.cd

O1 - Hosts: 66.180.173.39 google.cg

O1 - Hosts: 66.180.173.39 google.ci

O1 - Hosts: 66.180.173.39 google.cl

O1 - Hosts: 66.180.173.39 google.co.cr

O1 - Hosts: 66.180.173.39 google.co.hu

O1 - Hosts: 66.180.173.39 google.co.in

O1 - Hosts: 66.180.173.39 google.co.je

O1 - Hosts: 66.180.173.39 google.co.jp

O1 - Hosts: 66.180.173.39 google.co.ke

O1 - Hosts: 66.180.173.39 google.co.ls

O1 - Hosts: 66.180.173.39 google.co.th

O1 - Hosts: 66.180.173.39 google.co.ug

O1 - Hosts: 66.180.173.39 google.co.uk

O1 - Hosts: 66.180.173.39 google.co.ve

O1 - Hosts: 66.180.173.39 google.dj

O1 - Hosts: 66.180.173.39 google.es

O1 - Hosts: 66.180.173.39 google.fm

O1 - Hosts: 66.180.173.39 google.gg

O1 - Hosts: 66.180.173.39 google.gl

O1 - Hosts: 66.180.173.39 google.gm

O1 - Hosts: 66.180.173.39 google.hn

O1 - Hosts: 66.180.173.39 google.kz

O1 - Hosts: 66.180.173.39 google.li

O1 - Hosts: 66.180.173.39 google.lt

O1 - Hosts: 66.180.173.39 google.lu

O1 - Hosts: 66.180.173.39 google.lv

O1 - Hosts: 66.180.173.39 google.mn

O1 - Hosts: 66.180.173.39 google.ms

O1 - Hosts: 66.180.173.39 google.mu

O1 - Hosts: 66.180.173.39 google.mw

O1 - Hosts: 66.180.173.39 google.no

O1 - Hosts: 66.180.173.39 google.off.ai

O1 - Hosts: 66.180.173.39 google.pn

O1 - Hosts: 66.180.173.39 google.pt

O1 - Hosts: 66.180.173.39 google.ro

O1 - Hosts: 66.180.173.39 google.ru

O1 - Hosts: 66.180.173.39 google.rw

O1 - Hosts: 66.180.173.39 google.se

O1 - Hosts: 66.180.173.39 google.sh

O1 - Hosts: 66.180.173.39 google.sk

O1 - Hosts: 66.180.173.39 google.sm

O1 - Hosts: 66.180.173.39 google.td

O1 - Hosts: 66.180.173.39 google.tm

O2 - BHO: (no name) - {602DD5BD-6413-46D9-B655-937776DFEA19} - C:\WINDOWS\system32\ljJYRHBT.dll (file missing)

O2 - BHO: (no name) - {6BAF4B9A-3399-4233-A380-109DFD48E690} - C:\WINDOWS\system32\andcea.dll (file missing)

O2 - BHO: (no name) - {D8A7FBC6-AE1D-4743-9E70-21902FB19B6D} - C:\WINDOWS\system32\ljJAPIax.dll (file missing)

O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - (no file) (HKCU)

O20 - Winlogon Notify: ljJAPIax - ljJAPIax.dll (file missing)

O24 - Desktop Component 0: (no name) - http://www.focusstoc.com/forums/uploads/11..._2_2_117383.jpg

O24 - Desktop Component 1: (no name) - http://www.wolves.premiumtv.co.uk/content/...R64/367353.JPEG

Reboot. Update MBAM do a quick scan again and post that log and a new HJT log.

Link to post
Share on other sites

Thanks for the reply Jean. I have followed your instructions and here are the latest logs:

Malwarebytes' Anti-Malware 1.24

Database version: 1031

Windows 5.1.2600 Service Pack 2

19:02:45 07/08/2008

mbam-log-8-7-2008 (19-02-45).txt

Scan type: Quick Scan

Objects scanned: 43937

Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:04:23, on 07/08/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

C:\WINDOWS\wanmpsvc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\apps\ABoard\ABoard.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\apps\ABoard\AOSD.exe

C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\AOL\1130227887\ee\AOLSoftware.exe

C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Kontiki\KHost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\AOL 9.0a\aoltray.exe

C:\Program Files\AOL Companion\companion.exe

c:\program files\common files\aol\1130227887\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe

c:\program files\common files\aol\1130227887\ee\aolsoftware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\AVG\AVG8\avgcmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\_h.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = C:\WINDOWS\_s.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = C:\WINDOWS\_h.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\apps\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1130227887\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 9109 bytes

CWShredder no longer reports issues with CWS.Svchost32. IS there anything elese I should be aware of ? The only other thing is the hosts file in C:\Windows\System32\Drivers\etc has a load of entries which start #6.180.173.39 instead of 66.180.173.39 as they did earlier and a load more 127.0.0.1. Are these all added by SpyBot S&D ?

Thanks again for all your help so far.

Link to post
Share on other sites

Probably the hosts entries are from SBS&D. Run HJT again in scan only and put a check next to the following then click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blan

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

Your log looks clean. We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK.

Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on what ever will open the System Restore box. You will see two options, Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep MBAM and Spybot Search & Destroy and always immunize SBS&D when you update. You will also need at least one other scanning program Asquared or SuperAntiSpyware are good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use.

A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient.

Preform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

Keep other software known for vulnerabilities updated also. Use the Secunia Inspector free scan to identify risks in outdated versions.

SpywareBlaster from Javacool Software

WinPatrol by BillPStudios

SiteHound by FireTrust

RogueRemover

hpHosts

The windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free

Also the full protection of MBAM is offered at a very low price. Give it a trial using the link in my signature.

Link to post
Share on other sites

Hi Jean thanks again for your swift reply.

I've completed all the steps you suggested and have installed a couple of the programs you provided in your last reply. The machine now looks good and is a million times quicker than when I first offered to help out my friend. I'll give him his machine back tomorrow and advise him on some safer surfing techniques :D

Once again thanks for all your help and keep up the good work.

Link to post
Share on other sites

Glad we could help.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.