Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.
I need help please

Unread post by wakeboarder540 » August 11th, 2008, 11:29 am

Hi, I need help getting rid of a virus that is on my family's computer.

This seems to be a really bad virus. When the computer starts up it just goes to the desktop background and that's all it does; to use Windows I have to press Ctrl+Alt+Del and start a new task "explorer.exe", then I can get into Windows. Once in Windows a program called Win Antivirus XP 2008 runs and I think that's part of the virus, so I've played around a bit and this is what I've found out.
I can't right-click on the desktop and go to Properties, it doesn't do anything. I can go to Control Panel but cannot get anything in there to open, like Add/Remove Programs. Can't get Command Prompt to run, can't get any program but the AVG install setup to run... but at the end it doesn't finish because it can't start the program at the end of installation. I tried to run HijackThis but it would not run. Could not run programs like msconfig in the Run dialog.
I booted into Safe Mode, and the same thing... I couldn't get into Windows because explorer.exe does not start, so I have to start it manually. Once I got in I tried everything above and everything else I could think of but can't do much; all I can do is browse the computer, delete some files that are running, and get to Task Manager and end-task things.

Any suggestions, or reformat the computer?
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Re: I need help please

Unread post by suebaby41 » August 12th, 2008, 10:30 am

Welcome to the Malware Removal Forums. Please post a HijackThis log. I need this log so I can analyze it. Thank you for your patience.

If you have already posted a log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: I need help please

Unread post by wakeboarder540 » August 12th, 2008, 6:25 pm

Like I said, I cannot get programs to run, including HijackThis... I click on it, I see it start up in the Task Manager and then it leaves Task Manager like it's been end-tasked, so I can't post the log. I need suggestions to get HijackThis to run so I can get you that log. Got any ideas?
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Re: I need help please

Unread post by suebaby41 » August 12th, 2008, 7:08 pm

Please rename HijackThis.exe to a name that you will remember such as HijackThis1991.exe and post a new HijackThis log. The reason you need to rename HijackThis.exe is because certain malware can hide from that file name.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: I need help please

Unread post by wakeboarder540 » August 12th, 2008, 10:16 pm

I renamed it and it still didn't work. Any other suggestions on getting the HijackThis program to run?
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Re: I need help please

Unread post by suebaby41 » August 13th, 2008, 10:38 am

Please download DLLCompare
  1. Save it to the desktop.
  2. Double-click on DllCompare.exe to scan for DLL files.
  3. Click Run Locate.com and it will scan your system for files.
  4. When the scan finishes, click Compare to compare your files to valid Windows files.
  5. When it finishes comparing, click Make a Log of what was found.
  6. Click Yes at the View Log file? prompt to view the log.
  7. Copy and paste the entire log in your next reply.
  8. If you accidentally close out of the log, it is also saved as log.txt to where you saved DllCompare.exe.
  9. Click Exit to exit DLLCompare.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: I need help please

Unread post by wakeboarder540 » August 14th, 2008, 1:12 am

OK, so I couldn't run DllCompare.exe,
so I played around some more and I found out that it let me have access to the restore points I made a few months ago, so I restored to a restore point and it restarted and I got into Windows without having to manually run explorer.exe in the Task Manager. But after a few seconds the desktop background changed to a warning about a virus infection... and AntiVirus XP 2008 installed itself and started to spread and go crazy, and then I wasn't able to access the Task Manager; it said that it was disabled, but I was able to run programs and do everything else like run msconfig. With my AVG antivirus constantly finding new viruses to put in the vault and the Antivirus XP 2008 fake program going all crazy opening up warning windows, it was really slowing down the computer. It took a while but I did get DllCompare.exe to run and I got the log; here it is:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,249 items found: 1,249 files, 0 directories.
Total of file sizes: 279,046,659 bytes 266.12 M

Administrator Account = True

--------------------End log---------------------

After I got the log... my computer just kept getting slower and slower, so I restarted into Safe Mode, ran ATF Cleaner to clean things up, ran an AVG virus scan and it found many viruses and moved them into the vault. From the things I did on the computer it seems quite stable now and it looks like we can carry on with making the computer malware free :) Do you think we can use a command prompt or something to get access to the Task Manager again?

Well, that's all I had time to do tonight. Tomorrow I will post a HijackThis log along with a DllCompare.exe log if you want another one.
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Re: I need help please

Unread post by suebaby41 » August 14th, 2008, 10:22 am

Step 1

Please download, install and run Trojan Remover to automatically remove XPAntiVirus. Trojan Remover will work for a full 30 day trial period. When the trial period ends, you will be asked to purchase a license in order to continue to use the software.

Step 2

  • Please download, install and run RegSeeker.
  • Select Clean The Registry.
  • When it completes, click Select All.
  • Click Delete All.
  • Click the white "X" in the red square in the upper right corner of window to exit the program.
Step 3

Please post a new HijackThis log.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: I need help please

Unread post by wakeboarder540 » August 15th, 2008, 12:04 am

OK, I did those things and I have access to Task Manager now, yay!

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:15 PM, on 08/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Trojan Remover\Trjscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Admin\Desktop\new\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: dpevflbg - {CE66268D-0208-4D9E-8BC7-12D91072A34D} - C:\WINDOWS\dpevflbg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKLM\..\Policies\Explorer\Run: [dcyhYCKZYE] C:\Documents and Settings\All Users\Application Data\fepgnufe\rozydele.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4012 bytes
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am
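As an added illustration (not part of the thread), here is a small Python triage script that applies the checks a helper would run over a HijackThis log like the one above: orphaned entries whose file is gone, autoruns under the Policies\Explorer\Run key or from an Application Data folder, a broken LSP chain, and an Active Desktop component. The sample entries are copied from the log posted above; the heuristics are my own and are not part of HijackThis.

```python
import re
from dataclasses import dataclass

# Sample entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - (no file)
O3 - Toolbar: dpevflbg - {CE66268D-0208-4D9E-8BC7-12D91072A34D} - C:\WINDOWS\dpevflbg.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Policies\Explorer\Run: [dcyhYCKZYE] C:\Documents and Settings\All Users\Application Data\fepgnufe\rozydele.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# A HijackThis entry is "<section> - <body>", where section is R0..R3 or O1..O24.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, line) for every line that is a HijackThis entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(text):
    """Apply the heuristics (my own, not HijackThis's) and return the flagged entries."""
    findings = []
    for section, body, line in parse_entries(text):
        lower = body.lower()
        # Orphaned hooks: the registry entry survived but the file it points to is gone.
        if "(file missing)" in lower or "(no file)" in lower:
            findings.append(Finding(section, "orphaned entry, referenced file is missing", line))
        if section == "O4":
            # Policies\Explorer\Run is a less visible autorun location used by rogue AV.
            if "policies\\explorer\\run" in lower:
                findings.append(Finding(section, "autorun under Policies\\Explorer\\Run", line))
            # Legitimate autoruns seldom launch from a profile's Application Data folder.
            if "\\application data\\" in lower:
                findings.append(Finding(section, "autorun executable lives under Application Data", line))
        if section == "O10":
            findings.append(Finding(section, "Winsock LSP chain is broken", line))
        if section == "O24":
            findings.append(Finding(section, "Active Desktop component replaces the wallpaper", line))
    return findings


def summarize(findings):
    """Count flagged entries per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(flagged))
```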

Re: I need help please

Unread post by suebaby41 » August 15th, 2008, 2:51 pm

Step 1

  1. Please download SDFix and save it to your Desktop.
  2. Double click SDFix.exe and it will extract the files to C:\SDFix.
  3. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
  4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
  5. Type Y to begin the cleanup process.
  6. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  7. When your computer restarts, the Fixtool will run again to complete the removal process.
  8. When Finished is displayed, press any key to end the script and load your desktop icons.
  9. After the desktop icons load, the SDFix report will open on screen and save into the SDFix folder as Report.txt. Report.txt will also be copied to Clipboard.
  10. Paste the contents of the Report.txt with a new HijackThis log in your next reply.
  11. If needed, see SDFix ReadMe
Step 2

  1. According to your Internet connection, please disconnect from the Internet.
    • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
    • Turn your modem off.
    • Disconnect your modem cable from your computer.
  2. Turn the device off for Handheld wireless connections.
  3. Exit all processes and items in your System tray.
Step 3

Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

  1. Please download ComboFix save it to your desktop. **Note: It is important that it is saved directly to your desktop**.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  4. Double click combofix.exe and follow the prompts.
  5. A window will open with a warning. Type 1 and press Enter to begin the scan.
  6. The scan will temporarily disable your desktop, and if interrupted, may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  7. Caution - do not touch your mouse/keyboard until the scan has completed. Touching your mouse/keyboard while the scan is running may cause it to stall.
  8. When finished, ComboFix will produce a log for you and will automatically save the log file to C:\combofix.txt.
  9. ComboFix will create a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. When you are done, you can delete this folder - QooBox.
  10. Note: ComboFix may reset a number of Internet Explorer's settings including making it the default browser. ComboFix resets some settings in IE in order to remove changes which may have been made by malware. It may also change the time format.
  11. Please post
    • ComboFix (combofix.txt)
    • SDFix (Report.txt)
    • a new HijackThis log
Thanks.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: I need help please

Unread post by wakeboarder540 » August 15th, 2008, 8:57 pm

OK, here are the logs:

ComboFix 08-08-14.05 - Admin 2008-08-15 18:31:57.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.267 [GMT -6:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\Application Data\DriveCleaner Free
C:\Documents and Settings\Admin\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\AW698Y4H\interclick.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\#SharedObjects\AW698Y4H\interclick.com\ud.sol
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Admin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Admin\Application Data\rhcgavj0ea3n
C:\Documents and Settings\Admin\err.log
C:\Documents and Settings\Administrator.DANSCOMP-VT4VH2\Application Data\rhcgavj0ea3n
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\drivecleaner free\udcpas.exe
C:\Program Files\Common Files\drivecleaner free\udcsdr.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.

2008-08-15 18:14 . 2008-08-15 18:14 577,024 --a------ C:\WINDOWS\system32\dllcache\user32.dll
2008-08-15 18:12 . 2008-08-15 18:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-15 18:08 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
2008-08-14 16:53 . 2008-08-14 16:53 272,384 --a------ C:\WINDOWS\system32\yaywvuRh.dll.vir
2008-08-14 16:49 . 2008-08-14 16:49 <DIR> d-------- C:\Program Files\Trojan Remover
2008-08-14 16:49 . 2008-08-14 16:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-08-14 16:49 . 2008-08-14 16:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Simply Super Software
2008-08-14 16:49 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-08-14 16:49 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-08-14 16:49 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-08-14 16:49 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-08-14 16:49 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-08-14 16:43 . 2008-08-15 18:09 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-14 16:43 . 2008-08-15 18:09 32 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-14 16:39 . 2008-08-14 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-14 16:39 . 2008-08-14 16:41 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-14 16:38 . 2008-07-09 09:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-08-14 16:38 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2008-08-14 16:37 . 2008-08-14 16:37 <DIR> d-------- C:\Program Files\Zone Labs
2008-08-13 19:19 . 2008-08-13 19:19 <DIR> d-------- C:\Documents and Settings\Administrator.DANSCOMP-VT4VH2\Application Data\AVG7
2008-08-13 19:14 . 2008-08-13 19:14 <DIR> d-------- C:\Documents and Settings\Administrator.DANSCOMP-VT4VH2
2008-08-13 19:03 . 2008-08-13 19:03 <DIR> dr-h----- C:\$VAULT$.AVG
2008-08-13 18:51 . 2008-08-13 18:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-08-13 18:51 . 2008-08-13 18:51 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\AVG7
2008-08-13 18:50 . 2008-08-13 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-13 18:50 . 2008-08-13 18:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-08-13 18:42 . 2008-08-13 18:42 60,928 --a------ C:\WINDOWS\system32\blphclavj0ea3n.scr.vir
2008-08-13 18:42 . 2008-08-13 18:42 294 ---hs---- C:\WINDOWS\system32\qyoosqxf.ini
2008-08-13 18:39 . 2008-08-13 18:39 <DIR> d-------- C:\Program Files\Sony Pictures Games
2008-08-13 18:39 . 2008-08-13 18:39 <DIR> d-------- C:\Program Files\MSN Toolbar
2008-08-13 18:39 . 2008-08-13 18:39 <DIR> d-------- C:\Program Files\Hamachi
2008-08-13 18:39 . 2008-08-13 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-08-13 18:31 . 2008-08-13 18:31 <DIR> d-------- C:\Program Files\Magic Workstation
2008-08-13 18:31 . 2008-08-13 18:31 <DIR> d-------- C:\Program Files\Aspyr
2008-08-13 18:31 . 2008-08-13 18:31 <DIR> d-------- C:\My Games
2008-08-13 18:31 . 2008-08-13 18:31 <DIR> d-------- C:\My Download Files
2008-08-13 18:29 . 2008-08-13 18:29 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-08-13 18:29 . 2008-08-13 18:29 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-13 18:29 . 2008-08-13 18:29 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-08-10 19:20 . 2008-08-10 19:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-08-10 19:18 . 2008-08-10 19:18 <DIR> d---s---- C:\Documents and Settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 15:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-09 15:29 7561216]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-08-14 16:31 579584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-07-30 15:00 909904]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-08-13 18:58 219136]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run VNC Server.lnk]
backup=C:\WINDOWS\pss\Run VNC Server.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run VNC Server.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 01:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
--a------ 2007-05-29 16:21 520192 C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-03-09 15:29 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-03-09 15:29 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"IDriverT"=3 (0x3)
"usnjsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\Admin\\My Documents\\SoF2 extract files\\SOF2\\SoF2MP.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sony Pictures Games\\JEOPARDY!\\JEOPARDY!.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-lfwrrrtn - C:\WINDOWS\system32\fapypaba.exe
MSConfigStartUp-lphclavj0ea3n - C:\WINDOWS\system32\lphclavj0ea3n.exe
MSConfigStartUp-MSMSGS - C:\Program Files\Messenger\msmsgs.exe
MSConfigStartUp-PAS_Check - C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe
MSConfigStartUp-QuickTime Task - C:\Program Files\QuickTime\qttask.exe
MSConfigStartUp-SDR6_Check - C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe
MSConfigStartUp-SMrhcgavj0ea3n - C:\Program Files\rhcgavj0ea3n\rhcgavj0ea3n.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\tjqvrop2.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 18:35:31
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-15 18:37:04
ComboFix-quarantined-files.txt 2008-08-16 00:36:58

Pre-Run: 3,279,880,192 bytes free
Post-Run: 3,274,473,472 bytes free

148
-----------------------------------------------------------------------------------------------------------------------------------------
SDFix: Version 1.216
Run by Administrator on 08/15/2008 at 06:15 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\lphclavj0ea3n.exe - Deleted
C:\WINDOWS\SYSTEM32\PHCLAV~1.BMP - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk - Deleted



Folder C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008 - Removed
Folder C:\WINDOWS\privacy_danger - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 18:22:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Admin\\My Documents\\SoF2 extract files\\SOF2\\SoF2MP.exe"="C:\\Documents and Settings\\Admin\\My Documents\\SoF2 extract files\\SOF2\\SoF2MP.exe:*:Enabled:SoF2MP"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Sony Pictures Games\\JEOPARDY!\\JEOPARDY!.exe"="C:\\Program Files\\Sony Pictures Games\\JEOPARDY!\\JEOPARDY!.exe:*:Enabled:JEOPARDY!"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 30 Jan 2008 9,420,288 ...H. --- "C:\margaret\~WRL0003.tmp"
Sat 19 Apr 2008 23,543,236 ...H. --- "C:\My Games\THE GAME OF LIFE - Path to Success\THE GAME OF LIFE - Path to Success.exe"
Thu 21 Jun 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 19 Apr 2008 23,543,236 A..H. --- "C:\System Volume Information\_restore{336A5C33-C047-4319-ADB4-54C0FF619CF3}\RP268\A0030271.exe"
Thu 4 May 2006 444 ...HR --- "C:\Documents and Settings\Admin\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:25 PM, on 08/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Admin\Desktop\new\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 3435 bytes
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Re: I need help please

Unread postby suebaby41 » August 16th, 2008, 4:14 pm

Step 1

You may want to print this page. Make sure to work through the fixes in the order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

I noticed that you have some programs that need to be updated.

  • Your Java Runtime Environment is out of date.
    Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove the older versions of Java Runtime Environment.
    • Close any programs you may have running, ESPECIALLY your web browser
    • Click Start > Control Panel.
    • Click Add/Remove Programs.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove all versions of Java.
    • Reboot your computer after all Java components are removed.
    Please download the latest Java Runtime Environment.
    • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 7. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
    • Click the Download button to the right. When a new window opens, you will see
      NOTE: This page offers files for different platforms - please be sure to download the proper file(s) for your platform.
      Required: You must accept the license agreement to download the product.
    • Click to place a check mark by Accept License Agreement.
    • Make the selection corresponding to your computer platform. For Windows, click on the Windows Offline Installation, Multi-language link to download. Save it to your desktop.
    • On your desktop, double-click on jre-6u7-windows-i586-p.exe to install the newest version.
    After you have installed the Java software on your computer, you must restart your browser. You can verify that the Java Runtime Environment (JRE) has been installed correctly by clicking on the Verify Installation button on the Welcome To Java and Verify Installation page.

  • Your AVG Program is out of date.

    1. Please download the installation file of AVG 8 Anti-Virus Free Edition to your desktop.
      Note: If you already have an antivirus program, do a custom install and do NOT install the "Resident Shield".
    2. The installation process will lead you through the following steps:
      • License Agreement - read and confirm you understand and accept the license agreement. Otherwise the installation process will be canceled.
      • Select Installation Type - two types of installation are available:
        • Standard Installation - recommended; will automatically install AVG with the predefined configuration of all its components.
        • Custom Installation - allows you to change the default program configuration preset by program vendor. Can be only recommended to experienced users.
      • Personalize AVG 8 Anti-Virus Free Edition - enter your name, and company name. Note: your "AVG 8 Anti-Virus Free Edition's" Free license number will already be entered.
      • Installation Summary - offers an overview of all installation parameters.
      • Application Termination - some of the programs that are currently running on your computer may conflict with the AVG 8 Anti-Virus Free Edition installation process and have to be terminated.
        Note: Should the installation fail for some reason, you will see the Details button in the dialog window. Click the button to display further diagnostic information. This data together with the installation log file AVG8INST.LOG (stored in the system’s TEMP directory) will help you solve possible installation problems.
      • After installation, AVG 8 Anti-Virus Free Edition's configuration is set up so that it provides optimal anti-virus protection. We strongly recommend that you keep to the default configuration unless you have an actual reason to change it!
        Note: There are significant differences and limitations in comparison with ("pay for use") software with (full) licenses of "AVG 8 Anti-Virus", and other "AVG 8" products. Please refer to the Grisoft website at http://www.grisoft.com for more information on "AVG 8" products purchase options!
    3. Update to Windows XP Service Pack 3 and Internet Explorer 7

      You need to install Windows Internet Explorer 7 or Internet Explorer 8 Beta 1 after you install Windows XP SP3. After you install Windows XP Service Pack 3 (SP3), you may not be able to uninstall Windows Internet Explorer 7 or Internet Explorer 8 Beta 1.

      How to obtain the latest Windows XP service pack.
      1. Scroll down the page until you come to Download the Windows XP Service Pack 3 package now.
      2. Click on Download the Windows XP Service Pack 3 package now to download the Windows XP Service Pack 3.
      3. Save it to your desktop.
      4. Click on the file and follow the directions.
      5. Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3. The security suite can then be reinstalled after the Service Pack 3 is installed.

      How to obtain Windows XP Service Pack 3 on a CD

      To order Windows XP SP3 on a CD, visit one of the following Microsoft Web sites, as appropriate for your region:

      Asia

      Europe and Africa

      North America

      South America

      Update To Windows Internet Explorer 7

      1. Please download
        Windows Internet Explorer 7.
      2. Click on Download.
      3. Save it to your desktop.
      4. Click on the file to install Windows Internet Explorer 7.
Step 3

In normal mode, run an online antivirus check from at least two and preferably three of the following sites:
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require ActiveX to run.
1. Detects and removes malware ( viruses, worms, trojans, etc. )
2. Detects and removes grayware and spyware
3. Restores damage caused by malware to your system.
4. Notifies about vulnerabilities in installed programs and connected network services.
5. Multi-platform support for: Windows, Linux, Solaris.
6. Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 4

Please download Spybot-S&D.
Please check this link, Using Spybot- Search and Destroy To Remove Spyware From Your Computer, for instructions on how to download, install and use Spybot-S&D. Run this program as soon as possible.

Step 5

Please download Ad-Aware 2008.
Please check this link, Ad-Aware 2007/ 2008, for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 6

I recommend using SpywareBlaster.
Please download SpywareBlaster. SpywareBlaster helps to:
1. Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
2. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
3. Restrict the actions of potentially unwanted sites in Internet Explorer.
Please see Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware for instructions on how to download, install, and use SpywareBlaster.

Step 7

Windows Defender is a free program that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features Real-Time Protection, a monitoring system that recommends actions against spyware when it is detected and minimizes interruptions and helps you stay productive.

Please download and install Windows Defender.
1. Confirm that your computer meets the minimum system requirements to install Windows Defender.
2. Visit the Windows Defender page in the Microsoft Download Center. Click the Continue button and follow the directions on the succeeding pages to download the program and start the Installation Wizard.
3. Follow the steps in the Installation Wizard. You will be asked if you want to participate in the Microsoft SpyNet online community. We suggest you choose the first option, Use recommended settings.
4. Click Next to continue.
5. Click Install to begin installing Windows Defender.
6. When installation is complete, click Finish. Windows Defender will begin to scan your computer.
7. For more information, see How to install and set up Windows Defender.

Step 8

ATF-Cleaner features include:
• Cleaning of all user temp folders; only an administrator can use this feature.
• Cleaning of the Java cache, which seems to be harboring more and more malware.
• Cleaning the cache, cookies, history, download history, visited links and saved passwords. You have the option of checking No if you want to save your passwords.
Please download the ATF-Cleaner by Atribune.
Instructions:
• Double-click ATF-Cleaner.exe to run the program.
• Check the boxes to the left of:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch (Windows XP only)
  • Java Cache
• The rest are optional - if you want to remove them all, check Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.
If you use the Firefox browser:
• Click Firefox at the top and choose: Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
• Click Opera at the top and choose: Select All.
• Click the Empty Selected button.
• When you get the Done Cleaning message, click OK.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
If needed, Tutorial on ATF Cleaner with pictures.
Do not run it yet.

Step 9

Please disconnect from the Internet. Please close ALL browser windows (including this one).

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 10

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 11

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 12

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the list of file names and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: I need help please

Unread postby wakeboarder540 » August 19th, 2008, 1:14 am

Sorry, I've been really busy with work and stuff the past few days.
I will hopefully have all that stuff done tomorrow night around this time; I'll post then...
Thanks for your help.
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am

Re: I need help please

Unread postby suebaby41 » August 19th, 2008, 1:13 pm

OK
suebaby41
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: I need help please

Unread postby wakeboarder540 » August 21st, 2008, 9:57 pm

OK, sorry it took so long. One of the online virus scanners kept stalling on me when scanning; AVG kept detecting the files when the online scanner would find a threat, for some reason. Had to disable AVG to do the scan again and it worked fine, found a few threats and got rid of them.

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 7:49:19 PM, on 08/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Admin\Desktop\Hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
wakeboarder540
Regular Member
 
Posts: 72
Joined: March 12th, 2006, 5:06 am
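The before/after comparison the helper asks for in Steps 9 and 12, as an added example that is not part of the original thread and is not HijackThis's own code: a small Python script that parses two HijackThis logs, lists which entries were fixed and which are new, flags "(file missing)" orphans, and reports any process running from a user profile folder. The two log excerpts embedded below are abridged copies of the logs posted in this thread; the helper names, the O20/O21/O22 "load point" list and the user-profile heuristic are my own choices, not rules from HijackThis.

```python
"""Diff two HijackThis logs: what was fixed, what is new, what still dangles.
Added example for this thread. The log excerpts are abridged copies of the two
logs posted above; the parsing and diff code is mine, not HijackThis's own."""
import re
from itertools import takewhile
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4" (Run keys), "O23" (services)
    body: str     # everything after "O4 - "


# Scan lines start with a section code (R0-R3, F0-F3, O1-O24) followed by " - ".
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")
# Heuristic (my assumption, not a HijackThis rule): anything started from a user
# profile instead of Program Files / Windows deserves a second look.
USER_PROFILE_RE = re.compile(r"\\documents and settings\\", re.IGNORECASE)


def parse_log(text: str) -> List[Entry]:
    """Return every section entry in the log, in file order."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def running_processes(text: str) -> List[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    lines = [ln.strip() for ln in text.splitlines()]
    start = lines.index("Running processes:") + 1
    return list(takewhile(bool, lines[start:]))


def file_missing(entries: List[Entry]) -> List[Entry]:
    """Load points whose target is gone from disk (orphans: harmless but noisy)."""
    return [e for e in entries if e.body.endswith("(file missing)")]


def user_profile_paths(paths: List[str]) -> List[str]:
    return [p for p in paths if USER_PROFILE_RE.search(p)]


def diff_logs(before: List[Entry], after: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """(removed, added): entries only in the old log, entries only in the new one."""
    old, new = set(before), set(after)
    return sorted(old - new), sorted(new - old)


def summarize(before_text: str, after_text: str) -> Dict[str, list]:
    removed, added = diff_logs(parse_log(before_text), parse_log(after_text))
    return {
        "removed": removed,
        "added": added,
        "still_missing": file_missing(parse_log(after_text)),
        # O20 (AppInit_DLLs / Winlogon Notify), O21, O22: load points worth eyeballing when new.
        "new_load_points": [e for e in added if e.section in ("O20", "O21", "O22")],
        "profile_processes": user_profile_paths(running_processes(after_text)),
    }


BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Admin\Desktop\new\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

AFTER_LOG = r"""
Running processes:
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Admin\Desktop\Hijackthis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for key, items in summarize(BEFORE_LOG, AFTER_LOG).items():
        print(f"{key} ({len(items)}):")
        for it in items:
            print("   ", it if isinstance(it, str) else f"{it.section} - {it.body}")
```

Run it as-is and the "removed" list shows the jre1.5.0_07 and AVG7 entries gone, matching what Step 9 asked HijackThis to fix and what the AVG 8 and Java 6 updates replaced. Two things the script deliberately leaves to the analyst: the new O20 lines (AppInit_DLLs and Winlogon Notify are load points malware favours; here avgrsstx.dll carries the AVG name and appeared in the same interval as the AVG 8 install, while the dimsntfy entry points at a file that is not present), and the one user-profile hit, which is HijackThis.exe itself running from the Desktop, expected because that is where it was launched from. Anything else that turns up under Documents and Settings is what the heuristic is there to catch.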