services being disabled is this a virus?

Post by Navigator » September 15th, 2007, 8:00 pm

I'll be around... :D
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Post by thefrenchlady » September 18th, 2007, 3:46 pm

Hello again.
The Kaspersky online scanner would not work when I pressed Accept to the conditions.

Here is the HJT report

regards and thanks again
thefrenchlady

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 20:17:10, on 18/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Documents and Settings\JON\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Config] msconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Zonealarm] iexplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Media Player] msa.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Win32 DRK Driver] wdrk32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoftkeysd] systemproc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update] vgcntfy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nvsv32.exe] nvsv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows TM] rundlI32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Norton Personal Firewall] lah.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Services] svcsenes32a.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [180ClientStubInstall] "C:\WINDOWS\TEMP\sais.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [kmuw] C:\PROGRA~1\COMMON~1\kmuw\kmuwm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Zonealarm] iexplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Windows Monitor] winmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Zonealarm] iexplore.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Windows Monitor] winmon.exe (User 'Default user')
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.centrexonline.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3354245246
O17 - HKLM\System\CCS\Services\Tcpip\..\{22A9F669-F09D-4BA1-8E5F-B00BCE82F38A}: NameServer = 212.67.120.148 212.67.96.129
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AVP2K5\AVKService.exe
O23 - Service: AVP Monitor (AVKWCtl) - Unknown owner - C:\Program Files\AVP2K5\AVKWCtl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8270 bytes
thefrenchlady
Active Member
 
Posts: 13
Joined: September 6th, 2007, 1:26 pm

Post by Navigator » September 18th, 2007, 7:55 pm

Hello thefrenchlady.

You are using the BETA version of HJT, not the latest version. I need you to uninstall the BETA version on your computer, and then do this:

Step # 1: Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

I also need to know something that the BETA version of HJT may have pointed out...How many other 'user accounts' are on this machine? I believe that the infections on this computer may possibly be in another users account...?

Post by thefrenchlady » September 19th, 2007, 4:35 pm

hello - have done this here is the log
there are five users on the pc
hope you get something from the log
regards
thefrenchlady

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:05:55, on 19/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Config] msconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Zonealarm] iexplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Media Player] msa.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Win32 DRK Driver] wdrk32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoftkeysd] systemproc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update] vgcntfy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nvsv32.exe] nvsv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows TM] rundlI32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Norton Personal Firewall] lah.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Services] svcsenes32a.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [180ClientStubInstall] "C:\WINDOWS\TEMP\sais.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [kmuw] C:\PROGRA~1\COMMON~1\kmuw\kmuwm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Zonealarm] iexplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Windows Monitor] winmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Zonealarm] iexplore.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Windows Monitor] winmon.exe (User 'Default user')
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.13\AMVConverter\grab.html
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.13\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.centrexonline.co.uk/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3354245246
O17 - HKLM\System\CCS\Services\Tcpip\..\{22A9F669-F09D-4BA1-8E5F-B00BCE82F38A}: NameServer = 212.67.120.148 212.67.96.129
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AVP2K5\AVKService.exe
O23 - Service: AVP Monitor (AVKWCtl) - Unknown owner - C:\Program Files\AVP2K5\AVKWCtl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8145 bytes

Post by Navigator » September 19th, 2007, 6:02 pm

thefrenchlady wrote:hello - have done this here is the log
there are five users on the pc
hope you get something from the log
regards
thefrenchlady



Thank you.

Well, I can get plenty from the log.....for example:

O4 - HKUS\S-1-5-18\..\Run: [Microsoft Config] msconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Zonealarm] iexplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Media Player] msa.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Win32 DRK Driver] wdrk32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoftkeysd] systemproc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Update] vgcntfy.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [nvsv32.exe] nvsv32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows TM] rundlI32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Norton Personal Firewall] lah.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [prutpct] C:\WINDOWS\System32\prutpct.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [System Services] svcsenes32a.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [180ClientStubInstall] "C:\WINDOWS\TEMP\sais.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [kmuw] C:\PROGRA~1\COMMON~1\kmuw\kmuwm.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [Zonealarm] iexplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Windows Monitor] winmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [Zonealarm] iexplore.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Windows Monitor] winmon.exe (User 'Default user')


These are MULTIPLE instances of infection, most if not all of which are SDBots, RBot, Backdoors and Worms that can compromise the system's security and allow remote (or backdoor) access to the machine. It is quite possible that someone else has complete control of this computer system...which would explain how your 'services' are being disabled after you enable them.

If you would like to read up on some of these infections, here are some references:

Winmon.exe: SDBOT.VB Worm http://www.sophos.com/security/analyses/w32sdbotvb.html

msconf.exe: W32/Rbot-AFX - Worm http://www.sophos.com/security/analyses/w32rbotafx.html

msa.exe: RBOT-SI Worm http://www.sophos.com/security/analyses/w32rbotsi.html

wdrk32.exe: W32/FORBOT-CA Worm http://www.sophos.com/security/analyses ... botca.html

systemproc.exe: FORBOT-BI Worm http://www.sophos.com/security/analyses ... botbi.html

And this is just a part of what is listed above and only what we have found/identified so far.

These files/entries are found in the User Account called 'System', but once installed and operational on the computer can affect all user accounts.

You need to make an assessment of what this computer is used for and decide whether or not you want to try and clean it....and even if we get it 'clean' (which may or may not be possible due to the heavy infestation of the system...'cleaning' it might render the system inoperable), I cannot guarantee the security of the system going forward. I am going to give you another reference that deals with the decision of whether or not to wipe the system clean and reinstall the OS which highlights some of what I am telling you:

http://www.dslreports.com/faq/10063

In short, if you require any measure of security on this system (use for personal information, business, professional or financial transactions etc.), it would be my recommendation that you would be best served by reformatting and reinstalling the OS.

Look over the above, and let me know what you want to do...and feel free to ask further questions if you have any. Sorry for the bad news, but I wouldn't want you to be negatively impacted by an unsecure computer or stolen information...
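The SYSTEM-hive autostart entries Navigator quotes are the heart of this log, and the patterns that make them suspicious can be checked mechanically. The block below is an added example for this thread, not HijackThis code and not something posted by either participant. It parses HJT O4 lines and flags four things visible in the log above: a bare filename (no directory) started from the HKUS\S-1-5-18 or HKUS\.DEFAULT hive, the legacy RunServices key, a look-alike of a Windows binary (rundlI32.exe is spelled with a capital I where rundll32.exe has its second l), and a program launched from a temp directory. The sample lines are copied from the posted log; the list of imitated system binaries, the confusable-character table and the scoring rules are assumptions of mine.

```python
"""Triage HijackThis O4 (autostart) lines for the patterns seen in the thread.

Added example; heuristics are the author's own, not HijackThis logic.
"""
import re

# Sample input: lines copied from the HJT log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Config] msconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Zonealarm] iexplore.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows TM] rundlI32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [180ClientStubInstall] "C:\WINDOWS\TEMP\sais.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Windows Monitor] winmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Zonealarm] iexplore.exe (User 'Default user')
"""

# HJT prints: O4 - <hive>\..\<key>: [<value name>] <command> (User '<name>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Assumed (not exhaustive) list of Windows binaries that malware imitates.
KNOWN_SYSTEM_BINARIES = {
    "rundll32.exe", "svchost.exe", "ctfmon.exe", "explorer.exe", "lsass.exe",
    "winlogon.exe", "services.exe", "csrss.exe", "spoolsv.exe", "iexplore.exe",
}
# Hives no interactively installed program should be writing Run values into.
PRIVILEGED_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT"}
# Characters commonly swapped to forge a look-alike file name (assumed table).
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def executable(cmd):
    """Return the program part of a Run value's command line (drop arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|dll))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def homoglyph_target(basename):
    """Name of the system binary this file name imitates, or None."""
    folded = basename.lower().translate(CONFUSABLES)
    for known in KNOWN_SYSTEM_BINARIES:
        if folded == known.translate(CONFUSABLES) and basename.lower() != known:
            return known
    return None


def assess(line):
    """Parse one O4 line; return a dict with the reasons it looks suspicious."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
    exe = executable(cmd)
    basename = exe.rsplit("\\", 1)[-1]
    reasons = []
    # A bare file name resolves through the search path at logon: no installer does this.
    if hive in PRIVILEGED_HIVES and "\\" not in exe:
        reasons.append("bare filename under " + hive)
    # RunServices is a Win9x-era key; nothing modern has a reason to create it.
    if key == "RunServices":
        reasons.append("legacy RunServices key")
    target = homoglyph_target(basename)
    if target:
        reasons.append(f"{basename} imitates {target}")
    if re.search(r"\\temp\\", exe, re.I):
        reasons.append("runs from a temp directory")
    return {"hive": hive, "key": key, "name": name, "exe": exe, "reasons": reasons}


def triage(log_text):
    """All O4 entries in the log that triggered at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        entry = assess(line)
        if entry and entry["reasons"]:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e['name']}] {e['exe']}: " + "; ".join(e["reasons"]))
```

Run as written, the two clean lines (zlclient.exe under HKLM and ctfmon.exe in both hives) pass, and six entries are flagged; rundlI32.exe and winmon.exe each trip two rules. The rules are deliberately narrow: a full path under a privileged hive is not flagged on its own, because legitimate software (the AVG entry in this log, for instance) does write there.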

Post by thefrenchlady » September 23rd, 2007, 2:06 pm

Thanks again, although it is bad news.
I will probably take a few days to make this decision. The only security problem is that I use the computer for making purchases on line occasionally.
Will look through the literature you have kindly directed me to and consult others beforehand.

regards
thefrenchlady

Post by Navigator » September 23rd, 2007, 2:44 pm

Hello thefrenchlady...

Some of these infections on the computer have the ability to steal information and log keypresses. I would recommend that this computer NOT be used for any financial transactions. If I were you, I would strongly consider immediately disconnecting the computer from the internet and go to a known clean computer and change all passwords for sites/accounts with financial information. I would also consider contacting any financial institutions whose account information was used on this system and notify them of potential compromise...at the very least I would closely monitor these accounts for potential fraud.

Unfortunately, it really would be in your best interest to reformat the HD and reinstall the OS....otherwise, this machine cannot be trusted.

Post by thefrenchlady » September 25th, 2007, 3:03 pm

I will have to do this
Thank you so much for all your advice
over the past few weeks

regards
thefrenchlady

Post by Navigator » September 25th, 2007, 3:47 pm

thefrenchlady wrote:I will have to do this
Thank you so much for all your advice
over the past few weeks

regards
thefrenchlady


You are welcome. Good luck...

Post by askey127 » October 17th, 2007, 9:38 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
If you are the topic starter, you will need a valid, working link to the closed topic, along with the user name used.
The user name must match the one in the linked thread to avoid having the email deleted.

You can help support this site from this link :
Donations For Malware Removal
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA