Smitfraud, windows security bubble infections, please help?


Post by bess » April 4th, 2007, 1:47 pm

Hello
I have tons of security on my machine:
AVG
AVG Anti-spyware
Superantispyware
Spybot
Adaware
CWS
Spywareguard
CCleaner
Spyware terminator
A2

All are updated and run regularly.

But :( I have gotten infected with some awful nasties that are driving me mad.

Here is my Log, please can anyone take a look?
Very many thanks
Logfile of HijackThis v1.99.1
Scan saved at 18:45:48, on 04/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mjgrepor.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\stcheck32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {c2acd4ce-1dd1-11b2-b4d4-cb88a45f16cc} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [mjgrepor.exe] C:\WINDOWS\system32\mjgrepor.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Privacy tools] C:\WINDOWS\system32\stcheck32.exe
O4 - HKLM\..\Run: [kgpsrw.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\kgpsrw.dll,ngosvnc
O4 - HKLM\..\Run: [scwekke.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scwekke.dll,pnbmgfc
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {4F912770-A045-4603-951E-9B8377084354} (cpbrukie2 Control) - http://a19.g.akamai.net/7/19/7125/1450/ ... rukie2.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269298359
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35275EB7-724A-46B1-B8A6-22A817DF4996}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{A67ADADA-055F-419D-929D-7F59888D4E97}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{35275EB7-724A-46B1-B8A6-22A817DF4996}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{35275EB7-724A-46B1-B8A6-22A817DF4996}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
bess
Active Member
 
Posts: 14
Joined: November 26th, 2005, 6:42 pm

Post by tim s » April 4th, 2007, 7:41 pm

Hi bess

Welcome to the MalWare Removal forums! I'll be glad to help you with your computer problems.
HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

In order to help me help you, please observe the following while we work:
  1. If you don't know, stop and ask! Don't continue, we don't want to start all over again!
  2. Understand that cleaning your computer can sometimes take multiple passes/posts,
    and it's important to follow the steps as listed including re-running scans as listed
  3. Please reply to this thread, do not start another.


If you can do those three things, everything should go smoothly

-----------------------------------------------------------------

These programs have to be disabled (turned off) or they will block removal of the infection.

Disable Spyware Terminator's Real-time Protection
(Click on the "Real-time Protection" tab, leave the "Use Real-time Protection" checkbox empty and click on the "Save Changes" button.)
AND
Right-click on the system tray icon near the clock, uncheck Realtime shield, then choose Exit.

-----------------------

Please disable SpywareGuard, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable SpywareGuard:

  • Right click the running icon of Spywareguard, it will open the program.
  • Then go to Menu, file, exit.
  • Then confirm the program is closed.

-----------------------

You have SuperAntiSpyware installed, so if it pops up saying changes are being made you will have to accept them or it will block removal.
  • Open SuperAntiSpyware
  • On General and Startup tab
  • Under Start-UP Options Uncheck box Start SuperAntiSpyware when windows starts
  • Click on Real-Time Protection tab
  • Under Real-Time Protection Remove checkmark from Enable real-time protection box if it has a checkmark in it
  • Close SuperAntiSpyware
  • Right-click the SuperAntiSpyware Tray Icon(lower right corner near clock in system tray) and choose Exit
-------------------------

Disable this program, as it can interfere with (block removal of infection) the HJT fix.
Open AVG Anti-Spyware 7.5

  • On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Close AVG Anti-Spyware 7.5
  • Right-click the AVG Anti-Spyware 7.5 Tray Icon and choose Exit. Confirm by clicking Yes.


THESE PROGRAMS CAN BE RE-ENABLED WHEN WE ARE DONE REMOVING THE INFECTION.
----------------------------------------------------------------------------------------------------

Now we are ready to start on removal


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these two links:
http://www.bleepingcomputer.com/files/l ... areout.exe
http://downloads.subratam.org/Fixwareout.exe

  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads, post the text that will open (report.txt) in your next reply to this thread.


Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

O17 - HKLM\System\CCS\Services\Tcpip\..\{35275EB7-724A-46B1-B8A6-22A817DF4996}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{A67ADADA-055F-419D-929D-7F59888D4E97}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{35275EB7-724A-46B1-B8A6-22A817DF4996}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{35275EB7-724A-46B1-B8A6-22A817DF4996}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220


Close all windows other than HJT and then click FIX CHECKED. Close HijackThis.

Now let's check some settings on your system.
(2000/XP) Only

Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection, or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

Next, go to Start -> Run, type cmd and hit OK.
Then type
ipconfig /flushdns
and hit Enter; then type exit and hit Enter.
(The space between g and / is needed.)

Reboot computer here.
-----------------------------------------------------------------------------

Go to Try F-Secure BlackLight
Choose I ACCEPT then click Download Blacklight Beta graphical user interface version to download Blacklight to your Desktop
Double-click blbeta.exe then accept the agreement
Click Scan then click Next
You'll see a list of all items found
There will also be a log on your desktop with the name fsbl.xxxxxxxxxxxxxx.log (the xxxxxxxxxxxxxx stand for numbers).
Copy and Paste this log in your next reply.
Do Not choose the rename option yet!

-----------------------------------------------------------------------------

Run Panda's ActiveScan from here and perform a full system scan.

1. Once you are on the Panda site click the "Scan your PC" button. NOTE: If you have a popup blocker enabled you will have to allow popups here.
2. A new window will open...click the big "Check Now" button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes. You may have to reboot here and start back with step 1. I did.)
10. Click on "Local Disks" to start the scan
11. Post Panda scan results in your next reply with others requested.


Post these logs in your next reply to this thread:
Fixwareout report.txt
Panda scan report
F-Secure BlackLight scan results
New HJT log
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am
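Why tim s singles out those O17 lines and the two rundll32 entries, turned into a mechanical check. This is an added example written for this thread; it is not HijackThis, FixWareout or tim s's own code. It runs over lines copied from bess's log plus one constructed O17 line with a private resolver (to show what is not flagged). The allow-list of trusted DNS addresses is an assumed parameter the reader supplies for their own network, and the "short all-lowercase file name and export" rule for rundll32 loads is my own rule of thumb, not a HijackThis classification.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT code).

Three defender-side checks that mirror what tim s acts on in the first log:
  * O17 NameServer entries whose resolvers are neither private nor on a
    caller-supplied allow-list (assumed parameter);
  * O4 Run entries using rundll32.exe to load a DLL from system32 whose
    file name and export are both short, all-lowercase strings (heuristic);
  * O2 BHO entries whose DLL is reported as "(no file)".
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines quoted from bess's log in this thread, plus one
# constructed O17 line with a private resolver that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {c2acd4ce-1dd1-11b2-b4d4-cb88a45f16cc} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [kgpsrw.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\kgpsrw.dll,ngosvnc
O4 - HKLM\..\Run: [scwekke.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scwekke.dll,pnbmgfc
O17 - HKLM\System\CCS\Services\Tcpip\..\{35275EB7-724A-46B1-B8A6-22A817DF4996}: NameServer = 85.255.114.23,85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.23 85.255.112.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-ADAPTER}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RUNDLL_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<entry>[^\]]+)\] "
    r"(?P<launcher>.*?rundll32\.exe)\s+(?P<dll>.+?\.dll),(?P<export>\w+)\s*$",
    re.IGNORECASE,
)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
LOWER_WORD = re.compile(r"^[a-z]{5,9}$")   # heuristic: generated-looking token


@dataclass(frozen=True)
class Finding:
    check: str     # which rule fired
    subject: str   # registry key, Run entry name or CLSID
    detail: str    # what was found


def check_o17(line, allowed_dns):
    """Flag resolvers that are public and not on the allow-list."""
    m = O17_RE.match(line)
    if not m:
        return None
    rogue = []
    # HJT prints adapter entries comma-separated and Parameters space-separated.
    for token in re.split(r"[,\s]+", m["servers"].strip()):
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            rogue.append(token)       # not even an address: worth a look
            continue
        if str(ip) not in allowed_dns and not (ip.is_private or ip.is_loopback):
            rogue.append(str(ip))
    return Finding("rogue-dns", m["key"], ",".join(rogue)) if rogue else None


def check_o4(line):
    """Flag rundll32 loads of system32 DLLs with generated-looking names."""
    m = O4_RUNDLL_RE.match(line)
    if not m:
        return None
    parts = m["dll"].replace("/", "\\").split("\\")
    in_system32 = any(p.lower() == "system32" for p in parts[:-1])
    stem = parts[-1].rsplit(".", 1)[0]
    if in_system32 and LOWER_WORD.match(stem) and LOWER_WORD.match(m["export"]):
        return Finding("rundll32-system32", m["entry"], f"{m['dll']},{m['export']}")
    return None


def check_o2(line):
    """Flag BHO registrations whose DLL is missing on disk."""
    m = O2_RE.match(line)
    if m and m["path"].strip().lower() == "(no file)":
        return Finding("bho-no-file", m["clsid"], m["name"])
    return None


def triage(log_text, allowed_dns=frozenset()):
    """Run all checks over a log; returns findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for f in (check_o2(line), check_o4(line), check_o17(line, allowed_dns)):
            if f is not None:
                findings.append(f)
    return findings


def rogue_resolvers(findings):
    """Distinct resolver addresses across every flagged O17 entry."""
    ips = set()
    for f in findings:
        if f.check == "rogue-dns":
            ips.update(f.detail.split(","))
    return sorted(ips)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result:
        print(f"{f.check:18} {f.subject}  ->  {f.detail}")
    print("distinct rogue resolvers:", rogue_resolvers(result))
```

Run on the sample, the O17 check reports the same two public addresses from every adapter key and from the global Parameters key, which is why the thread pairs the HJT fix with switching the adapter to "Obtain DNS servers automatically" and an `ipconfig /flushdns`: removing the O17 values alone leaves the adapter setting and any cached answers in place. Pass your own trusted resolvers as `allowed_dns` so a corporate or ISP resolver is not reported.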

Post by bess » April 5th, 2007, 5:33 am

Hello Tim s
Very many thanks for your help.
I have followed all instructions, but the Panda scan keeps freezing when it scans the i386 files, so I have submitted the results of the other scans you requested while I try and get Panda to sort itself out. It did pick up 1 infection listed under hacking tools and rootkits before it froze.
Here is Fixwareout result

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdkgt.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINDOWS\Temp\kdkgt.ren 63884 04/08/2004



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SoundMan"="SOUNDMAN.EXE"
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"TalkTalk"="\"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe\" /P TalkTalk"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"mjgrepor.exe"="C:\\WINDOWS\\system32\\mjgrepor.exe"
"Sony Ericsson PC Suite"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"Privacy tools"="C:\\WINDOWS\\system32\\stcheck32.exe"
"kgpsrw.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\kgpsrw.dll,ngosvnc"
"scwekke.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\scwekke.dll,pnbmgfc"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Here is the F-Secure result (didn't find anything)

04/05/07 09:17:36 [Info]: BlackLight Engine 1.0.61 initialized
04/05/07 09:17:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/05/07 09:17:36 [Note]: 7019 4
04/05/07 09:17:36 [Note]: 7005 0
04/05/07 09:17:49 [Note]: 7006 0
04/05/07 09:17:49 [Note]: 7011 2108
04/05/07 09:17:49 [Note]: 7026 0
04/05/07 09:17:50 [Note]: 7026 0
04/05/07 09:17:53 [Note]: FSRAW library version 1.7.1021
04/05/07 09:24:42 [Note]: 2000 1012
04/05/07 09:24:42 [Note]: 2000 1012
04/05/07 09:30:24 [Note]: 7007 0


Here is a new HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:29:25, on 05/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\mjgrepor.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\stcheck32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {c2acd4ce-1dd1-11b2-b4d4-cb88a45f16cc} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [mjgrepor.exe] C:\WINDOWS\system32\mjgrepor.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Privacy tools] C:\WINDOWS\system32\stcheck32.exe
O4 - HKLM\..\Run: [kgpsrw.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\kgpsrw.dll,ngosvnc
O4 - HKLM\..\Run: [scwekke.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scwekke.dll,pnbmgfc
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {4F912770-A045-4603-951E-9B8377084354} (cpbrukie2 Control) - http://a19.g.akamai.net/7/19/7125/1450/ ... rukie2.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269298359
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I noticed "stcheck.exe" is still in the hjt log, this is a file that keeps trying to access my trusted zone.
Still getting the popup balloons too :(
Will run the Panda again now, but have got to go out for a few hours so will report back when I return
Again, very many thanks for your help, much appreciated.
bess
Active Member
 
Posts: 14
Joined: November 26th, 2005, 6:42 pm

Post by bess » April 5th, 2007, 12:39 pm

Hello again, further to my reply above, here is the Panda scan


Incident                                          Status           Location
Potentially unwanted tool:Application/NirCmd.A    Not disinfected  C:\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/Processor   Not disinfected  C:\WINDOWS\system32\Process.exe

Will await your further instructions!
bess
Active Member
 
Posts: 14
Joined: November 26th, 2005, 6:42 pm

Post by tim s » April 5th, 2007, 9:06 pm

Hi bess,

Thanks for posting logs. Please do the following. Make sure that the same spyware programs (Spyware Terminator, SuperAntiSpyware, SpywareGuard and AVG Anti-Spyware 7.5) that I had you disable before are still disabled for this part too.

To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Click Start, then select My Computer.
  3. Select Tools (at the top of the opened window, in the menu) and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shut down My Computer.
    Now your computer is configured to show all hidden files.

-------------------------------------------------------------------------------

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O2 - BHO: (no name) - {c2acd4ce-1dd1-11b2-b4d4-cb88a45f16cc} - (no file)
    O4 - HKLM\..\Run: [Privacy tools] C:\WINDOWS\system32\stcheck32.exe
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

------------------------------------------------------------------------


Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
--------------------------------------------------------------------------

We need to check to make sure this process is not running in Safe Mode.

End processes: (if it is present)

  1. Press the CTRL+ALT+DEL keys simultaneously to open Task Manager
  2. Click on the Processes tab to show running processes
  3. Find stcheck32.exe and click on it
  4. Click End Process
  5. Close Task Manager


----------------------------------------------------------------------------

Use Explorer to navigate to and delete the following file (if it is present) just what is in red:

Files:

  • C:\WINDOWS\system32\stcheck32.exe


Instructions on how to find the file listed above:
  • Click Start
  • Click on MyComputer
  • Double-Click C drive
  • Now look for WINDOWS folder when found double click on it to open.
  • Now look for system32 folder when found double click on it to open.
  • Now look for stcheck32.exe file when you find this file right-click on it and choose delete.
  • Done; close all open windows.
Reboot computer


==================================

I need more information on these files please do the following:

Please visit this link to upload the file for scanning: virusscan.jotti.org
  • Click the Browse... button
  • Navigate to the following file C:\WINDOWS\system32\mjgrepor.exe
  • Click Open
  • Please post results in next reply.


Now follow the same instructions above for these files one at a time and post results. Thanks
C:\WINDOWS\system32\kgpsrw.dll
C:\WINDOWS\system32\scwekke.dll


-----------------------------------------------------------------------

Please post in next reply
virusscan.jotti result for each file
New HJT log.
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Post by bess » April 6th, 2007, 4:54 am

Hello again, thank you for your help with this.
Here are the Jotti scans, hope I have done them correctly :oops:

C:\WINDOWS\system32\mjgrepor.exe

Last file scanned at least one scanner reported something about: ACDSee_9.0.55__Patch.exe (MD5: 6762210315e87cbcf4a6184997bce5c1, size: 260719 bytes), detected by:

Scanner               Malware name
AntiVir               HEUR/Crypted
ArcaVir               X
Avast                 X
AVG Antivirus         X
BitDefender           X
ClamAV                X
Dr.Web                Trojan.PWS.LDPinch.1622
F-Prot Antivirus      X
F-Secure Anti-Virus   Trojan-PSW.Win32.LdPinch.bgj
Fortinet              X
Kaspersky Anti-Virus  Trojan-PSW.Win32.LdPinch.bgj
NOD32                 X
Norman Virus Control  W32/LdPinch.JAY
Panda Antivirus       X
Rising Antivirus      X
VirusBuster           X
VBA32                 MalwareScope.Trojan-PSW.Pinch.36

C:\WINDOWS\system32\kgpsrw.dll

Last file scanned at least one scanner reported something about: ACDSee_9.0.55__Patch.exe (MD5: 6762210315e87cbcf4a6184997bce5c1, size: 260719 bytes), detected by:

Scanner               Malware name
AntiVir               HEUR/Crypted
ArcaVir               X
Avast                 X
AVG Antivirus         X
BitDefender           X
ClamAV                X
Dr.Web                Trojan.PWS.LDPinch.1622
F-Prot Antivirus      X
F-Secure Anti-Virus   Trojan-PSW.Win32.LdPinch.bgj
Fortinet              X
Kaspersky Anti-Virus  Trojan-PSW.Win32.LdPinch.bgj
NOD32                 X
Norman Virus Control  W32/LdPinch.JAY
Panda Antivirus       X
Rising Antivirus      X
VirusBuster           X
VBA32                 MalwareScope.Trojan-PSW.Pinch.36


C:\WINDOWS\system32\scwekke.dll


Last file scanned at least one scanner reported something about: ACDSee_9.0.55__Patch.exe (MD5: 6762210315e87cbcf4a6184997bce5c1, size: 260719 bytes), detected by:

Scanner               Malware name
AntiVir               HEUR/Crypted
ArcaVir               X
Avast                 X
AVG Antivirus         X
BitDefender           X
ClamAV                X
Dr.Web                Trojan.PWS.LDPinch.1622
F-Prot Antivirus      X
F-Secure Anti-Virus   Trojan-PSW.Win32.LdPinch.bgj
Fortinet              X
Kaspersky Anti-Virus  Trojan-PSW.Win32.LdPinch.bgj
NOD32                 X
Norman Virus Control  W32/LdPinch.JAY
Panda Antivirus       X
Rising Antivirus      X
VirusBuster           X
VBA32                 MalwareScope.Trojan-PSW.Pinch.36

And here is the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 09:52:58, on 06/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\mjgrepor.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [mjgrepor.exe] C:\WINDOWS\system32\mjgrepor.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [kgpsrw.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\kgpsrw.dll,ngosvnc
O4 - HKLM\..\Run: [scwekke.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scwekke.dll,pnbmgfc
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {4F912770-A045-4603-951E-9B8377084354} (cpbrukie2 Control) - http://a19.g.akamai.net/7/19/7125/1450/ ... rukie2.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269298359
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope this is ok, will await further instructions :)
bess
Active Member
 
Posts: 14
Joined: November 26th, 2005, 6:42 pm

Unread postby bess » April 6th, 2007, 6:35 am

Hello Tim

Just to say, with reference to the above, that I am away for the weekend (until Monday evening), so won't be able to do any further scans till then. Thanks for your help again.
bess
Active Member
 
Posts: 14
Joined: November 26th, 2005, 6:42 pm

Unread postby tim s » April 6th, 2007, 10:58 am

Hi bess

Thanks for posting logs.

Hello Tim

Just to say, with reference to the above, that I am away for the weekend (until Monday evening), so won't be able to do any further scans till then. Thanks for your help again.


That is fine. I need to do a little more research anyway to prepare the fix. I will post the fix and you can post back when you can.

Tim s
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby tim s » April 6th, 2007, 2:10 pm

Hello bess

Do this part when you can; I will be waiting on your reply.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O4 - HKLM\..\Run: [mjgrepor.exe] C:\WINDOWS\system32\mjgrepor.exe
    O4 - HKLM\..\Run: [kgpsrw.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\kgpsrw.dll,ngosvnc
    O4 - HKLM\..\Run: [scwekke.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scwekke.dll,pnbmgfc


WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

-------------------------------------------------

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
---------------------------------------------------

Need to check to make sure this process is not running in Safe Mode.

End malicious processes (if they are present):

  1. Press the CTRL+ALT+DEL keys simultaneously to open Task Manager
  2. Click on the Processes tab to show running processes
  3. Find mjgrepor.exe and click on it
  4. Click End Process
  5. Close Task Manager

----------------------------------------------------

Use Explorer to navigate to and delete the following files (if they are present), just what is in red:

Files:

  • C:\WINDOWS\system32\mjgrepor.exe
  • C:\WINDOWS\system32\kgpsrw.dll
  • C:\WINDOWS\system32\scwekke.dll

Reboot computer

---------------------------------------------------------

Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses. You need to update.

Download the latest version of Java Runtime Environment (JRE) 6u1
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u 1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Click Start then Control Panel > then Add/Remove Programs and remove all older versions of Java.
  • Remove any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed to complete uninstall.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
--------------------------------------------------------

Next I will need you to run this tool to see if something is hiding from other scans.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar. << do not change any settings
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

--------------------------------------------------

Please post these logs in your next reply:
winpfind3u log
New HJT log
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am
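The three O4 entries marked for Fix Checked above share a pattern that is worth recognising in any HijackThis log: the Run value is named after the very file it launches ([mjgrepor.exe] launching mjgrepor.exe, [kgpsrw.dll] launching kgpsrw.dll), and two of them use rundll32.exe as a host, so the program HijackThis shows first is a legitimate Windows binary while the code that really runs is the DLL in the arguments. The following Python script is an added example written for this thread; it is not a MalwareRemoval.com tool and not part of HijackThis. The two heuristics and the severity labels are the editor's own, the sample lines are copied from the HJT log posted above, and the NvCplDaemon line is a constructed benign rundll32 entry included for contrast; still_present() is the check a helper would run on the fresh log to see whether the fixed Run values have come back.

```python
"""Triage the O4 (autorun) lines of a HijackThis log.

Added example for this thread, not a MalwareRemoval.com or HijackThis tool.
The two heuristics are the editor's own: (1) a Run value whose name is just
the file name it launches, and (2) rundll32.exe used as a host, where the
DLL named in the arguments is the code that actually runs.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# HijackThis prints registry autoruns as, e.g.
#   O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

NAME_IS_FILENAME = "run value is named after the file it launches"
RUNDLL32_HOST = "rundll32 host: the DLL in the arguments is what actually runs"
DLL_IN_SYSTEM32 = "hosted DLL lives directly in system32, not in a vendor folder"


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    image: str                 # first token of the command, quotes removed
    args: str                  # rest of the command line
    loaded: str = ""           # file whose code really runs (the DLL for rundll32)
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Split 'image args', handling a double-quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def parse_o4(line: str) -> Optional[Autorun]:
    """Return an Autorun for a registry Run entry; None for other lines
    (Startup-folder .lnk entries use a different O4 form and are skipped)."""
    m = O4_RUN_RE.match(line.strip())
    if not m:
        return None
    image, args = split_command(m["cmd"])
    return Autorun(m["hive"], m["key"], m["name"], image, args, loaded=image)


def triage(entry: Autorun) -> Autorun:
    """Attach heuristic reasons to an entry (editor's rules, see module doc)."""
    if ntpath.basename(entry.image).lower() == "rundll32.exe":
        dll, _, _export = entry.args.partition(",")   # "path\x.dll,Export"
        entry.loaded = dll.strip().strip('"')
        entry.reasons.append(RUNDLL32_HOST)
        if "\\system32\\" in entry.loaded.lower():
            entry.reasons.append(DLL_IN_SYSTEM32)
    if entry.name.lower() == ntpath.basename(entry.loaded).lower():
        entry.reasons.append(NAME_IS_FILENAME)
    return entry


def severity(entry: Autorun) -> str:
    """'suspicious' for the naming pattern, 'review' for any other reason."""
    if NAME_IS_FILENAME in entry.reasons:
        return "suspicious"
    return "review" if entry.reasons else "none"


def triage_log(lines) -> List[Autorun]:
    return [triage(e) for e in map(parse_o4, lines) if e is not None]


def still_present(lines, names) -> List[str]:
    """Names from a Fix Checked list that reappear in a fresh log: a sign the
    infection re-creates its Run values and the files still need deleting."""
    found = {e.name.lower() for e in triage_log(lines)}
    return [n for n in names if n.lower() in found]


# Sample O4 lines copied from the HJT log in this thread, plus one constructed
# benign rundll32 entry (NvCplDaemon, a common NVIDIA autorun) for contrast.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O4 - HKLM\..\Run: [mjgrepor.exe] C:\WINDOWS\system32\mjgrepor.exe",
    r"O4 - HKLM\..\Run: [kgpsrw.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\kgpsrw.dll,ngosvnc",
    r"O4 - HKLM\..\Run: [scwekke.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\scwekke.dll,pnbmgfc",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",  # constructed
    r"O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe",
]

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{severity(e):10} [{e.name}] -> {e.loaded}")
        for r in e.reasons:
            print(f"           - {r}")
```

Run on the sample, the three entries the helper listed come out as suspicious, the constructed NvCplDaemon line comes out as review (rundll32 is a host, so the DLL deserves a look even when it is a known vendor file) and the AVG, SoundMan and ZoneAlarm entries are clean. The naming heuristic is deliberately narrow; it will not catch a loader that picks a descriptive Run value name, which is why the rundll32 check is kept separate rather than folded into it.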

Unread postby bess » April 9th, 2007, 6:13 pm

Hi Tim S
I'm back!
Thank you for your patience and all your help.
Have followed all instructions and here are the results of the scans.

WinPFind3 logfile created on: 09/04/2007 22:55:41
WinPFind3U by OldTimer - Version 1.0.34 Folder = C:\Documents and Settings\Administrator\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

511.48 Mb Total Physical Memory | 237.23 Mb Available Physical Memory | 46.38% Memory free
1.22 Gb Paging File | 0.94 Gb Available in Paging File | 77.06% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 61.51 Gb Free Space | 82.54% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: LYNNE
Current User Name: Administrator
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
apdproxy.exe -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.49815 | Size = 57344 bytes | Modified Date = 06/06/2005 23:46:24 | Attr = ]
application launcher.exe -> %ProgramFiles%\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe -> Sony Ericsson Mobile Communications AB [Ver = 1.1.1.3 | Size = 159744 bytes | Modified Date = 26/10/2005 17:17:24 | Attr = R ]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.445 | Size = 353792 bytes | Modified Date = 26/02/2007 11:53:56 | Attr = ]
avgcc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.438 | Size = 411648 bytes | Modified Date = 09/02/2007 17:21:32 | Attr = ]
avgemc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 324096 bytes | Modified Date = 26/02/2007 11:53:58 | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 07/12/2006 14:21:56 | Attr = ]
capabilitymanager.exe -> %CommonProgramFiles%\Teleca Shared\CapabilityManager.exe -> Teleca Software Solutions AB [Ver = 0.0.1.48 | Size = 278528 bytes | Modified Date = 08/06/2005 17:45:04 | Attr = ]
epmworker.exe -> %ProgramFiles%\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe -> Sony Ericsson Mobile Communications AB [Ver = 1, 2, 0,1184 | Size = 872448 bytes | Modified Date = 16/03/2006 09:43:28 | Attr = R ]
generic.exe -> %CommonProgramFiles%\Teleca Shared\Generic.exe -> Teleca Software Solutions [Ver = 1, 0, 3, 2 | Size = 385024 bytes | Modified Date = 10/08/2005 08:54:34 | Attr = R ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28/09/2006 15:13:20 | Attr = ]
lexbces.exe -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 8.16 | Size = 303104 bytes | Modified Date = 28/03/2003 14:12:10 | Attr = ]
lexpps.exe -> %System32%\LEXPPS.EXE -> Lexmark International, Inc. [Ver = 8.16 | Size = 174592 bytes | Modified Date = 28/03/2003 14:09:32 | Attr = ]
lxbkbmgr.exe -> %ProgramFiles%\Lexmark X1100 Series\lxbkbmgr.exe -> Lexmark International, Inc. [Ver = 0.1.1.1 | Size = 57344 bytes | Modified Date = 28/03/2003 14:18:46 | Attr = ]
lxbkbmon.exe -> %ProgramFiles%\Lexmark X1100 Series\lxbkbmon.exe -> Lexmark International, Inc. [Ver = 0.1.1.1 | Size = 53248 bytes | Modified Date = 28/03/2003 14:39:32 | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5a38 | Size = 282624 bytes | Modified Date = 16/12/2006 16:25:56 | Attr = ]
reader_sl.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 23:05:26 | Attr = ]
soundman.exe -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.05 | Size = 55296 bytes | Modified Date = 10/06/2003 12:12:28 | Attr = R ]
sp_rsser.exe -> %ProgramFiles%\Spyware Terminator\sp_rsser.exe -> Crawler.com [Ver = 1.8.2.121 | Size = 902144 bytes | Modified Date = 25/01/2007 23:42:26 | Attr = ]
sprtcmd.exe -> %ProgramFiles%\TalkTalk\bin\sprtcmd.exe -> SupportSoft, Inc. [Ver = 6,7,1035,0 | Size = 192512 bytes | Modified Date = 16/08/2005 00:12:02 | Attr = ]
spywareterminatorshield.exe -> %ProgramFiles%\Spyware Terminator\SpywareTerminatorShield.exe -> Crawler.com [Ver = 1.8.2.458 | Size = 2903040 bytes | Modified Date = 25/01/2007 23:42:18 | Attr = ]
vsmon.exe -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 75768 bytes | Modified Date = 23/08/2006 23:38:26 | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.34.0 | Size = 318976 bytes | Modified Date = 08/04/2007 19:02:38 | Attr = ]
zlclient.exe -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 968696 bytes | Modified Date = 23/08/2006 23:38:28 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 204800 bytes | Modified Date = 28/09/2006 15:13:20 | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.445 | Size = 353792 bytes | Modified Date = 26/02/2007 11:53:56 | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 07/12/2006 14:21:56 | Attr = ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 324096 bytes | Modified Date = 26/02/2007 11:53:58 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04/08/2004 00:56:50 | Attr = ]
(LexBceS) LexBce Server [Win32_Own | Auto | Running] -> %System32%\LEXBCES.EXE -> Lexmark International, Inc. [Ver = 8.16 | Size = 303104 bytes | Modified Date = 28/03/2003 14:12:10 | Attr = ]
(sp_clamsrv) Spyware Terminator Clam Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\WinClamAVShield\sp_clamsrv.exe -> Crawler.com [Ver = 1.1.0.11 | Size = 312320 bytes | Modified Date = 09/01/2007 15:44:32 | Attr = ]
(sp_rssrv) Spyware Terminator Realtime Shield Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Spyware Terminator\sp_rsser.exe -> Crawler.com [Ver = 1.8.2.121 | Size = 902144 bytes | Modified Date = 25/01/2007 23:42:26 | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Running] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 75768 bytes | Modified Date = 23/08/2006 23:38:26 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adobe Photo Downloader -> %ProgramFiles%\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Adobe Systems Incorporated [Ver = 3.0.0.49815 | Size = 57344 bytes | Modified Date = 06/06/2005 23:46:24 | Attr = ]
AVG7_CC -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.438 | Size = 411648 bytes | Modified Date = 09/02/2007 17:21:32 | Attr = ]
Lexmark X1100 Series -> %ProgramFiles%\Lexmark X1100 Series\lxbkbmgr.exe -> Lexmark International, Inc. [Ver = 0.1.1.1 | Size = 57344 bytes | Modified Date = 28/03/2003 14:18:46 | Attr = ]
NeroFilterCheck -> %System32%\NeroCheck.exe -> Ahead Software Gmbh [Ver = 1, 0, 0, 2 | Size = 155648 bytes | Modified Date = 09/07/2001 11:50:42 | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.5a38 | Size = 282624 bytes | Modified Date = 16/12/2006 16:25:56 | Attr = ]
Sony Ericsson PC Suite -> %ProgramFiles%\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe -> Sony Ericsson Mobile Communications AB [Ver = 1.1.1.3 | Size = 159744 bytes | Modified Date = 26/10/2005 17:17:24 | Attr = R ]
SoundMan -> %SystemRoot%\SOUNDMAN.EXE -> Realtek Semiconductor Corp. [Ver = 5.1.05 | Size = 55296 bytes | Modified Date = 10/06/2003 12:12:28 | Attr = R ]
SpywareTerminator -> %ProgramFiles%\Spyware Terminator\SpywareTerminatorShield.exe -> Crawler.com [Ver = 1.8.2.458 | Size = 2903040 bytes | Modified Date = 25/01/2007 23:42:18 | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\jre1.6.0_01\bin\jusched.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 83608 bytes | Modified Date = 14/03/2007 03:43:44 | Attr = ]
TalkTalk -> %ProgramFiles%\TalkTalk\bin\sprtcmd.exe -> SupportSoft, Inc. [Ver = 6,7,1035,0 | Size = 192512 bytes | Modified Date = 16/08/2005 00:12:02 | Attr = ]
Zone Labs Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 6.5.737.000 | Size = 968696 bytes | Modified Date = 23/08/2006 23:38:28 | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Modified Date = 23/09/2005 23:05:26 | Attr = ]
< User Startup > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
%UserStartup%\SpywareGuard.lnk -> %ProgramFiles%\SpywareGuard\sgmain.exe -> [Ver = 2.02.0001 | Size = 360448 bytes | Modified Date = 29/08/2003 20:05:36 | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> Anti-Malware Development a.s. [Ver = 7, 5, 0, 47 | Size = 73728 bytes | Modified Date = 28/09/2006 15:13:28 | Attr = ]
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 19/01/2007 17:33:06 | Attr = ]
{81559C35-8464-49F7-BB0E-07A383BEF910} [HKLM] -> %ProgramFiles%\SpywareGuard\spywareguard.dll [] -> [Ver = 2.02 | Size = 126976 bytes | Modified Date = 03/08/2003 00:20:58 | Attr = R ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.DLL -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 282624 bytes | Modified Date = 09/03/2007 18:31:48 | Attr = ]
< HOSTS File > (23 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dl ... ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKCU: Start Page -> http://www.bbc.co.uk/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 18/12/2006 05:16:42 | Attr = ]
{4A368E80-174F-4872-96B5-0B27DDD11DB2} [HKLM] -> %ProgramFiles%\SpywareGuard\dlprotect.dll [SpywareGuardDLBLOCK.CBrowserHelper] -> [Ver = 2.02 | Size = 192512 bytes | Modified Date = 03/08/2003 00:24:02 | Attr = R ]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [SSVHelper Class] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 14/03/2007 03:43:40 | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 04/08/2005 21:54:42 | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 04/08/2005 21:54:42 | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_01\bin\npjpi160_01.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 132760 bytes | Modified Date = 14/03/2007 03:43:42 | Attr = ]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKCU] -> %ProgramFiles%\Java\jre1.6.0_01\bin\ssv.dll [MenuText: Sun Java Console] -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 501400 bytes | Modified Date = 14/03/2007 03:43:40 | Attr = ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{4E2E22FC-9F3B-4823-A95D-176801E2D463} -> (Sony Ericsson Device 039 USB Ethernet Emulation (NDIS 5)) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab ->
{0E5F0222-96B9-11D3-8997-00104BD12D94} -> PCPitstop Utility - CodeBase = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/ka ... nicode.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://fpdownload.macromedia.com/get/sh ... tor/sw.cab ->
{1803B9EF-9905-4F34-AFC4-05D1BAB28801} -> RegUserCfgUI Class - CodeBase = http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab ->
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -> Symantec AntiVirus scanner - CodeBase = http://security.symantec.com/sscv6/Shar ... vSniff.cab ->
{33564D57-9980-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/ ... mv9dmo.cab ->
{4C39376E-FA9D-4349-BACC-D305C1750EF3} -> EPUImageControl Class - CodeBase = http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab ->
{4F912770-A045-4603-951E-9B8377084354} -> cpbrukie2 Control - CodeBase = http://a19.g.akamai.net/7/19/7125/1450/ ... rukie2.cab ->
{556DDE35-E955-11D0-A707-000000521957} -> - CodeBase = http://www.xblock.com/download/xclean_micro.exe ->
{56393399-041A-4650-94C7-13DFCB1F4665} -> PSFormX Control - CodeBase = http://www.pcpitstop.com/pestscan/pestscan.cab ->
{644E432F-49D3-41A1-8DD5-E099162EEEC5} -> Symantec RuFSI Utility Class - CodeBase = http://security.symantec.com/sscv6/Shar ... /cabsa.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftup ... 0269298359 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -> ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan ... asinst.cab ->
{B1E2B96C-12FE-45E2-BEF1-44A219113CDD} -> SABScanProcesses Class - CodeBase = http://www.superadblocker.com/activex/sabspx.cab ->
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -> MsnMessengerSetupDownloadControl Class - CodeBase = http://messenger.msn.com/download/MsnMe ... loader.cab ->
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -> Java Plug-in 1.6.0_01 - CodeBase = http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/pub/sh ... wflash.cab ->
{EFAEF0E4-F044-4D57-9900-1C3FF18524C9} -> AV Class - CodeBase = http://www.pcpitstop.com/antivirus/PitPav.cab ->


[Files/Folders - Created Within 30 days]
00ba4f22e7f49882b6 -> %SystemDrive%\00ba4f22e7f49882b6 -> [Folder | Created Date = 02/04/2007 21:34:00 | Attr = ]
2243aa5ee46c561e7a9ec9 -> %SystemDrive%\2243aa5ee46c561e7a9ec9 -> [Folder | Created Date = 05/04/2007 18:27:46 | Attr = ]
2a53cc3a6c57640b34013b -> %SystemDrive%\2a53cc3a6c57640b34013b -> [Folder | Created Date = 30/03/2007 10:03:02 | Attr = ]
2aa779501c3d24b220693e -> %SystemDrive%\2aa779501c3d24b220693e -> [Folder | Created Date = 05/04/2007 07:10:19 | Attr = ]
4287b71e2ead49288b6cda -> %SystemDrive%\4287b71e2ead49288b6cda -> [Folder | Created Date = 03/04/2007 09:43:01 | Attr = ]
446f5b1a31e15d9f364fb1b7f5 -> %SystemDrive%\446f5b1a31e15d9f364fb1b7f5 -> [Folder | Created Date = 09/04/2007 21:14:03 | Attr = ]
48544ada41f79d10c0 -> %SystemDrive%\48544ada41f79d10c0 -> [Folder | Created Date = 06/04/2007 06:56:18 | Attr = ]
4bd97ee6287d1778ab3d9440 -> %SystemDrive%\4bd97ee6287d1778ab3d9440 -> [Folder | Created Date = 03/04/2007 09:07:05 | Attr = ]
4c3fe6ec9bed209481616f2645 -> %SystemDrive%\4c3fe6ec9bed209481616f2645 -> [Folder | Created Date = 03/04/2007 19:39:00 | Attr = ]
51cddd1ef164f41a45bb -> %SystemDrive%\51cddd1ef164f41a45bb -> [Folder | Created Date = 31/03/2007 09:51:42 | Attr = ]
77ea23c19e40a7bb937114b27d3ae112 -> %SystemDrive%\77ea23c19e40a7bb937114b27d3ae112 -> [Folder | Created Date = 30/03/2007 19:47:22 | Attr = ]
8874af8910ac11771a -> %SystemDrive%\8874af8910ac11771a -> [Folder | Created Date = 29/03/2007 18:30:10 | Attr = ]
8af9422269fdd0d9b132dc -> %SystemDrive%\8af9422269fdd0d9b132dc -> [Folder | Created Date = 30/03/2007 18:45:09 | Attr = ]
97844e1edf10c27742079ab8efb1b554 -> %SystemDrive%\97844e1edf10c27742079ab8efb1b554 -> [Folder | Created Date = 03/04/2007 09:27:35 | Attr = ]
a066f734c2bc552a84 -> %SystemDrive%\a066f734c2bc552a84 -> [Folder | Created Date = 29/03/2007 12:49:49 | Attr = ]
d383747349e61cff04fb5971 -> %SystemDrive%\d383747349e61cff04fb5971 -> [Folder | Created Date = 06/04/2007 07:28:55 | Attr = ]
ef879d58f1ddc20946ad13291b5e2756 -> %SystemDrive%\ef879d58f1ddc20946ad13291b5e2756 -> [Folder | Created Date = 04/04/2007 13:09:56 | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536399872 bytes | Created Date = 01/01/1601 | Attr = HS]
$NtUninstallKB925902$ -> %SystemRoot%\$NtUninstallKB925902$ -> [Folder | Created Date = 04/04/2007 13:10:25 | Attr = H ]
$NtUninstallKB929338$ -> %SystemRoot%\$NtUninstallKB929338$ -> [Folder | Created Date = 15/03/2007 17:34:55 | Attr = H ]
assembly -> %SystemRoot%\assembly -> [Folder | Created Date = 28/03/2007 19:44:31 | Attr = R S]
Downloaded Installations -> %SystemRoot%\Downloaded Installations -> [Folder | Created Date = 28/03/2007 15:00:13 | Attr = ]
asdjhweq.exe -> %System32%\asdjhweq.exe -> [Ver = | Size = 98304 bytes | Created Date = 03/04/2007 09:12:11 | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Created Date = 28/03/2007 15:01:45 | Attr = ]
dumphive.exe -> %System32%\dumphive.exe -> [Ver = | Size = 51200 bytes | Created Date = 04/04/2007 17:08:36 | Attr = ]
eglcqsab -> %System32%\eglcqsab -> [Folder | Created Date = 03/04/2007 09:12:09 | Attr = ]
fahefxi.dll -> %System32%\fahefxi.dll -> [Ver = | Size = 64000 bytes | Created Date = 04/04/2007 12:52:40 | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 09/04/2007 21:52:42 | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 69632 bytes | Created Date = 09/04/2007 21:52:42 | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 09/04/2007 21:52:42 | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 139264 bytes | Created Date = 09/04/2007 21:52:42 | Attr = ]
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 04/04/2007 17:08:36 | Attr = ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Created Date = 04/04/2007 17:08:36 | Attr = ]
stcheck32.exe -> %System32%\stcheck32.exe -> [Ver = | Size = 262656 bytes | Created Date = 03/04/2007 09:12:04 | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Created Date = 04/04/2007 17:08:36 | Attr = ]
swsc.exe -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Created Date = 04/04/2007 17:08:36 | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Created Date = 04/04/2007 17:08:36 | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2596 bytes | Created Date = 04/04/2007 17:09:00 | Attr = ]
udvdnzm.dll -> %System32%\udvdnzm.dll -> [Ver = | Size = 63488 bytes | Created Date = 03/04/2007 09:12:13 | Attr = ]
SE27bus.sys -> %System32%\drivers\SE27bus.sys -> MCCI [Ver = V4.34 | Size = 61600 bytes | Created Date = 28/03/2007 14:56:13 | Attr = R ]
SE27cm.sys -> %System32%\drivers\SE27cm.sys -> MCCI [Ver = V4.34 | Size = 6240 bytes | Created Date = 28/03/2007 14:56:54 | Attr = R ]
SE27cmnt.sys -> %System32%\drivers\SE27cmnt.sys -> MCCI [Ver = V4.34 | Size = 6240 bytes | Created Date = 28/03/2007 14:56:54 | Attr = R ]
se27cr.sys -> %System32%\drivers\se27cr.sys -> MCCI [Ver = V4.34 | Size = 4128 bytes | Created Date = 28/03/2007 14:58:50 | Attr = R ]
SE27mdfl.sys -> %System32%\drivers\SE27mdfl.sys -> MCCI [Ver = V4.34 | Size = 9360 bytes | Created Date = 28/03/2007 14:56:54 | Attr = R ]
SE27mdm.sys -> %System32%\drivers\SE27mdm.sys -> MCCI [Ver = V4.34 | Size = 97184 bytes | Created Date = 28/03/2007 14:56:54 | Attr = R ]
SE27mgmt.sys -> %System32%\drivers\SE27mgmt.sys -> MCCI [Ver = V4.34 | Size = 88688 bytes | Created Date = 28/03/2007 14:58:30 | Attr = R ]
se27nd5.sys -> %System32%\drivers\se27nd5.sys -> MCCI [Ver = V4.34 | Size = 18704 bytes | Created Date = 28/03/2007 14:59:15 | Attr = R ]
SE27obex.sys -> %System32%\drivers\SE27obex.sys -> MCCI [Ver = V4.34 | Size = 86560 bytes | Created Date = 28/03/2007 14:58:08 | Attr = R ]
se27unic.sys -> %System32%\drivers\se27unic.sys -> MCCI [Ver = V4.34 | Size = 90800 bytes | Created Date = 28/03/2007 14:58:50 | Attr = R ]
se27wh.sys -> %System32%\drivers\se27wh.sys -> MCCI [Ver = V4.34 | Size = 5872 bytes | Created Date = 28/03/2007 14:56:13 | Attr = R ]
SE27whnt.sys -> %System32%\drivers\SE27whnt.sys -> MCCI [Ver = V4.34 | Size = 5872 bytes | Created Date = 28/03/2007 14:56:13 | Attr = R ]

[Files/Folders - Modified Within 30 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Modified Date = 29/03/2007 19:05:06 | Attr = RH ]
00ba4f22e7f49882b6 -> %SystemDrive%\00ba4f22e7f49882b6 -> [Folder | Modified Date = 05/04/2007 10:36:20 | Attr = ]
2243aa5ee46c561e7a9ec9 -> %SystemDrive%\2243aa5ee46c561e7a9ec9 -> [Folder | Modified Date = 05/04/2007 19:27:50 | Attr = ]
2a53cc3a6c57640b34013b -> %SystemDrive%\2a53cc3a6c57640b34013b -> [Folder | Modified Date = 05/04/2007 10:36:20 | Attr = ]
2aa779501c3d24b220693e -> %SystemDrive%\2aa779501c3d24b220693e -> [Folder | Modified Date = 05/04/2007 10:36:22 | Attr = ]
4287b71e2ead49288b6cda -> %SystemDrive%\4287b71e2ead49288b6cda -> [Folder | Modified Date = 03/04/2007 10:43:36 | Attr = ]
446f5b1a31e15d9f364fb1b7f5 -> %SystemDrive%\446f5b1a31e15d9f364fb1b7f5 -> [Folder | Modified Date = 09/04/2007 22:14:08 | Attr = ]
48544ada41f79d10c0 -> %SystemDrive%\48544ada41f79d10c0 -> [Folder | Modified Date = 06/04/2007 07:56:22 | Attr = ]
4bd97ee6287d1778ab3d9440 -> %SystemDrive%\4bd97ee6287d1778ab3d9440 -> [Folder | Modified Date = 05/04/2007 10:36:22 | Attr = ]
4c3fe6ec9bed209481616f2645 -> %SystemDrive%\4c3fe6ec9bed209481616f2645 -> [Folder | Modified Date = 05/04/2007 10:36:22 | Attr = ]
51cddd1ef164f41a45bb -> %SystemDrive%\51cddd1ef164f41a45bb -> [Folder | Modified Date = 05/04/2007 10:36:22 | Attr = ]
77ea23c19e40a7bb937114b27d3ae112 -> %SystemDrive%\77ea23c19e40a7bb937114b27d3ae112 -> [Folder | Modified Date = 05/04/2007 10:36:22 | Attr = ]
8874af8910ac11771a -> %SystemDrive%\8874af8910ac11771a -> [Folder | Modified Date = 05/04/2007 10:36:22 | Attr = ]
8af9422269fdd0d9b132dc -> %SystemDrive%\8af9422269fdd0d9b132dc -> [Folder | Modified Date = 05/04/2007 10:36:22 | Attr = ]
97844e1edf10c27742079ab8efb1b554 -> %SystemDrive%\97844e1edf10c27742079ab8efb1b554 -> [Folder | Modified Date = 03/04/2007 10:28:14 | Attr = ]
a066f734c2bc552a84 -> %SystemDrive%\a066f734c2bc552a84 -> [Folder | Modified Date = 05/04/2007 10:36:22 | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 09/04/2007 22:52:48 | Attr = ]
d383747349e61cff04fb5971 -> %SystemDrive%\d383747349e61cff04fb5971 -> [Folder | Modified Date = 06/04/2007 08:29:00 | Attr = ]
ef879d58f1ddc20946ad13291b5e2756 -> %SystemDrive%\ef879d58f1ddc20946ad13291b5e2756 -> [Folder | Modified Date = 05/04/2007 10:41:28 | Attr = ]
fixwareout -> %SystemDrive%\fixwareout -> [Folder | Modified Date = 05/04/2007 08:47:20 | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536399872 bytes | Modified Date = 09/04/2007 22:49:28 | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 09/04/2007 22:51:58 | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 04/04/2007 19:15:56 | Attr = HS]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 09/04/2007 22:29:14 | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 03/04/2007 22:03:14 | Attr = H ]
$NtUninstallKB925902$ -> %SystemRoot%\$NtUninstallKB925902$ -> [Folder | Modified Date = 04/04/2007 14:10:28 | Attr = H ]
$NtUninstallKB929338$ -> %SystemRoot%\$NtUninstallKB929338$ -> [Folder | Modified Date = 15/03/2007 18:34:58 | Attr = H ]
AppPatch -> %SystemRoot%\AppPatch -> [Folder | Modified Date = 05/04/2007 11:03:44 | Attr = ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 28/03/2007 20:45:42 | Attr = R S]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 09/04/2007 22:49:34 | Attr = S]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 03/04/2007 22:57:14 | Attr = ]
Downloaded Installations -> %SystemRoot%\Downloaded Installations -> [Folder | Modified Date = 28/03/2007 16:00:44 | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 05/04/2007 11:05:28 | Attr = S]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 28/03/2007 20:35:28 | Attr = R S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 13/03/2007 18:59:52 | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 05/04/2007 18:26:08 | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 09/04/2007 22:52:48 | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 09/04/2007 22:52:22 | Attr = ]
LEXSTAT.INI -> %SystemRoot%\LEXSTAT.INI -> [Ver = | Size = 645 bytes | Modified Date = 05/04/2007 10:52:16 | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 03/04/2007 22:56:44 | Attr = ]
NeroDigital.ini -> %SystemRoot%\NeroDigital.ini -> [Ver = | Size = 135 bytes | Modified Date = 28/03/2007 21:02:04 | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 09/04/2007 22:55:44 | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 28/03/2007 20:45:54 | Attr = ]
SoftwareDistribution -> %SystemRoot%\SoftwareDistribution -> [Folder | Modified Date = 05/04/2007 11:39:02 | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 09/04/2007 22:52:44 | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 09/04/2007 22:50:24 | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 29/03/2007 13:50:14 | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 09/04/2007 22:49:44 | Attr = H ]
ActiveScan -> %System32%\ActiveScan -> [Folder | Modified Date = 05/04/2007 11:39:10 | Attr = ]
asdjhweq.exe -> %System32%\asdjhweq.exe -> [Ver = | Size = 98304 bytes | Modified Date = 04/04/2007 13:52:40 | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 05/04/2007 18:26:06 | Attr = ]
climbubm -> %System32%\climbubm -> [Folder | Modified Date = 12/03/2007 09:42:06 | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 05/04/2007 11:39:36 | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 04/04/2007 14:10:28 | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 05/04/2007 11:41:06 | Attr = ]
DRVSTORE -> %System32%\DRVSTORE -> [Folder | Modified Date = 28/03/2007 16:02:46 | Attr = ]
eglcqsab -> %System32%\eglcqsab -> [Folder | Modified Date = 04/04/2007 09:22:44 | Attr = ]
fahefxi.dll -> %System32%\fahefxi.dll -> [Ver = | Size = 64000 bytes | Modified Date = 04/04/2007 13:52:42 | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 107808 bytes | Modified Date = 04/04/2007 17:52:50 | Attr = ]
Help.ico -> %System32%\Help.ico -> [Ver = | Size = 1406 bytes | Modified Date = 05/04/2007 10:35:38 | Attr = ]
java.exe -> %System32%\java.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Modified Date = 14/03/2007 00:31:24 | Attr = ]
javacpl.cpl -> %System32%\javacpl.cpl -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 69632 bytes | Modified Date = 14/03/2007 02:04:46 | Attr = ]
javaw.exe -> %System32%\javaw.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Modified Date = 14/03/2007 00:31:28 | Attr = ]
javaws.exe -> %System32%\javaws.exe -> Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 139264 bytes | Modified Date = 14/03/2007 02:04:46 | Attr = ]
mui -> %System32%\mui -> [Folder | Modified Date = 28/03/2007 20:44:46 | Attr = ]
pavas.ico -> %System32%\pavas.ico -> [Ver = | Size = 30590 bytes | Modified Date = 05/04/2007 10:35:38 | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 65768 bytes | Modified Date = 28/03/2007 20:46:28 | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 449712 bytes | Modified Date = 28/03/2007 20:46:28 | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 468638 bytes | Modified Date = 28/03/2007 20:46:28 | Attr = ]
stcheck32.exe -> %System32%\stcheck32.exe -> [Ver = | Size = 262656 bytes | Modified Date = 03/04/2007 10:12:06 | Attr = ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 2596 bytes | Modified Date = 04/04/2007 18:09:02 | Attr = ]
udvdnzm.dll -> %System32%\udvdnzm.dll -> [Ver = | Size = 63488 bytes | Modified Date = 03/04/2007 10:12:14 | Attr = ]
Uninstall.ico -> %System32%\Uninstall.ico -> [Ver = | Size = 2550 bytes | Modified Date = 05/04/2007 10:35:38 | Attr = ]
URTTemp -> %System32%\URTTemp -> [Folder | Modified Date = 28/03/2007 20:45:42 | Attr = ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 48882 bytes | Modified Date = 09/04/2007 22:50:28 | Attr = H ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 05/04/2007 11:44:58 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 09/04/2007 22:50:38 | Attr = ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Modified Date = 05/04/2007 11:45:16 | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %SystemRoot%\choice.exe -> [Ver = | Size = 21312 bytes | Modified Date = 21/12/1999 07:58:02 | Attr = ]
WSUD , -> %System32%\ALSNDMGR.CPL -> Realtek Semiconductor Corp. [Ver = 2.1.12 | Size = 8605696 bytes | Modified Date = 18/06/2003 07:14:48 | Attr = R ]
UPX! , UPX0 , -> %System32%\asdjhweq.exe -> [Ver = | Size = 98304 bytes | Modified Date = 04/04/2007 13:52:40 | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 23/08/2001 13:00:00 | Attr = ]
Thawte Consulting , -> %System32%\pxcpya64.exe -> Sonic Solutions [Ver = 1.00.35a | Size = 63144 bytes | Modified Date = 25/08/2006 04:47:00 | Attr = ]
Thawte Consulting , -> %System32%\pxhpinst.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 67240 bytes | Modified Date = 25/08/2006 04:47:00 | Attr = ]
Thawte Consulting , -> %System32%\pxinsa64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 62632 bytes | Modified Date = 25/08/2006 04:47:00 | Attr = ]
Thawte Consulting , -> %System32%\pxinsi64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 115880 bytes | Modified Date = 25/08/2006 04:47:00 | Attr = ]
UPX! , UPX0 , -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 27/04/2006 17:49:30 | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.0 | Size = 135168 bytes | Modified Date = 29/08/2006 19:43:54 | Attr = ]
UPX! , UPX0 , -> %System32%\swsc.exe -> [Ver = | Size = 40960 bytes | Modified Date = 09/01/2006 10:36:06 | Attr = ]
UPX! , UPX0 , -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 79360 bytes | Modified Date = 01/12/2006 06:20:34 | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 23/08/2001 13:00:00 | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 23/08/2001 13:00:00 | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.444 | Size = 775680 bytes | Modified Date = 26/02/2007 11:53:50 | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 03/08/2004 22:41:38 | Attr = ]

< End of report >

Logfile of HijackThis v1.99.1
Scan saved at 23:11:58, on 09/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.c ... egucfg.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-48.cab
O16 - DPF: {4F912770-A045-4603-951E-9B8377084354} (cpbrukie2 Control) - http://a19.g.akamai.net/7/19/7125/1450/ ... rukie2.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0269298359
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Will await further instructions! Thanks again.
bess
Active Member
 
Posts: 14
Joined: November 26th, 2005, 6:42 pm

Unread postby tim s » April 9th, 2007, 7:37 pm

Hello bess

ok things are looking better. How is your computer running now?
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby bess » April 10th, 2007, 4:43 am

Hi Tim s
Yes things are back to normal now! Really can't thank you enough for your help.
A few questions if I can be cheeky:
Could I have the real time protection permanently disabled in Spyware Terminator and Superantispyware? My pc takes so long to boot up with all the protection and probably other progs that don't need to be starting.
Do you think I have got "too much" protection? (although I still managed to get infected! :( )
Is it worth paying for AVG antispy for the extra benefits?
Hope you don't mind me asking.
Thanks so much again
bess
Active Member
 
Posts: 14
Joined: November 26th, 2005, 6:42 pm

Unread postby tim s » April 10th, 2007, 11:12 pm

Hi bess

Could I have the real time protection permanently disabled in Spyware Terminator and Superantispyware? My pc takes so long to boot up with all the protection and probably other progs that don't need to be starting.


I don't recommend it. I always instruct people to turn their spyware protection programs back on, but I have mine off until my computer has started up; then I turn them on when I am on the internet. With all the bad stuff out there now you have to protect yourself as best as you can. When my computer starts it does not connect to the internet until I tell it to, though. I think the reason they need to come on when the computer boots up is so that people will have them on if the computer automatically connects to the internet when it is started, for extra protection. So this depends on how your computer is set up and your choice.
Here is a link to some good information about programs that run at startup you will see in the list when you scroll down the page a bit.
Check for any unnecessary applications loading at startup
http://www.castlecops.com/postitle175256-0-0-.html

Do you think I have got "too much" protection? (although I still managed to get infected! )


The answer here is no, I do not think you have too much protection. This again is personal choice; I think SpywareBlaster would be a good addition to what you have. I am posting some information below in this post with a link, and SpywareBlaster is listed. You already have some of the programs that are listed below in this post, which is good.


Is it worth paying for AVG antispy for the extra benefits?


I will have to answer "I don't know" to that question because I have not used the paid-for version yet. I think it is a great tool and I use it a lot. You can ask that question in the General Discussions room at this link http://www.malwareremoval.com/forum/viewforum.php?f=26
and someone with experience with the paid-for version would be able to answer that better than me.
----------------------------------------------------------------------------------------

This is where we need to tidy up. You can now delete these programs that I had you download; they are no longer of any use.
F-Secure BlackLight
FixWareout
WinPFind3U installer and its folder



You can go back and rehide system files:
  1. Close all programs so that you are at your desktop.
  2. Double-click on the My Computer icon (or click Start, then select My Computer)
  3. Select the Tools menu at top of this screen and click Folder Options.
  4. After the new window appears select the View tab.
  5. Remove checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button(round circle) labeled Do not Show hidden files and folders.
  7. Put a checkmark in the checkbox labeled Hide file extensions for known file types.
  8. Put a checkmark in the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shutdown My Computer.


This is my normal post for when you are clear - which you now are - or seem to be. :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore. - As you are using Windows XP, you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re enable system restore here:

    Windows XP System Restore Guide
    re-enable system restore with instructions from tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an Anti Virus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Stand up and be Counted.
NOW is the time you can start to hit back at the people who infected you.
Please take the time to go and complain - that forum has a topic for your infection, which is wareout; please post as a reply, you will need to register to do so. It will also have a list of other places you can go to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to government or government agencies that something will get done.


May your God go with you.. safe surf'n
Tim s
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am
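The Internet Explorer zone settings in tim s's list above map to DWORD values under the Internet zone (zone 3) registry key, so a script can verify that they are actually in place instead of checking each one by hand. The following PowerShell script is an added example, not part of the original post; it assumes the documented IE URL-action codes (1001, 1004, 1201, 1800, 1803, 1607) and the values 0 = Enable, 1 = Prompt, 3 = Disable, and it only changes anything when run with -Fix.

```powershell
# Audit (and optionally apply) the Internet-zone settings recommended above.
# Zone 3 = Internet zone; property names are the IE URL-action codes.
param([switch]$Fix)

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Prompt = 1; $Disable = 3          # 0 = Enable, 1 = Prompt, 3 = Disable
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values from the list above, keyed by URL-action code
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = $Prompt  }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = $Disable }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = $Disable }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = $Prompt  }
    '1803' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = $Prompt  }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = $Prompt  }
}

if (-not (Test-Path $ZoneKey)) { throw "Internet zone key not found: $ZoneKey" }
$current = Get-ItemProperty -Path $ZoneKey

foreach ($code in $Recommended.Keys) {
    $want = $Recommended[$code].Value
    $have = $current.$code           # $null when the value has never been set

    # Translate the stored DWORD into the label IE shows in the dialog
    $haveLabel = if ($null -eq $have) { 'not set (zone default)' }
                 elseif ($Labels.ContainsKey([int]$have)) { $Labels[[int]$have] }
                 else { "custom ($have)" }

    if ($have -eq $want) {
        "OK       {0} ({1}): {2}" -f $Recommended[$code].Name, $code, $haveLabel
    } else {
        "MISMATCH {0} ({1}): is {2}, recommended {3}" -f $Recommended[$code].Name, $code, $haveLabel, $Labels[$want]
        if ($Fix) {
            Set-ItemProperty -Path $ZoneKey -Name $code -Value $want -Type DWord
            "         -> set to $($Labels[$want])"
        }
    }
}
```

Settings enforced by Group Policy live under the HKLM policy keys and override the per-user values read here, so a MISMATCH on a domain-managed machine may not be fixable from the user hive.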

Unread postby bess » April 11th, 2007, 3:35 pm

Hi Tim
Again, many thanks for all your help and advice.
BTW, I do have Spywareblaster installed as well! It's also regularly updated.
Will keep to the free programs I think, and ban anyone else from using my PC!
Thanks again, cheerio :D
bess
Active Member
 
Posts: 14
Joined: November 26th, 2005, 6:42 pm

Unread postby tim s » April 11th, 2007, 8:22 pm

Hi bess

You are welcome and glad we could help.

Tim s
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am