Free Malware Removal Forum

[EdBoyle]

Dear agrarianmonk


I've attached the 2 logs a requested. However, I was unable to delete all the files in the Recycler folder because 1 was reported as still in use.

Ed


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, April 16, 2006 10:23:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 16/04/2006
Kaspersky Anti-Virus database records: 188381
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 75294
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 5
Duration of the scan process: 00:42:00

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\B34Z9JNF\sk02[1].exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\B34Z9JNF\sk02[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\archive.pst.old/Archive Folders/Sent Items/09 Oct 2003 18:00 to johnacton2001:Re: A funny website.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\archive.pst.old Mail MS Mail: suspicious - 1 skipped
C:\Dump\Outlook Express\Sent Items.dbx/[From "Ed Boyle" <teddy2@connectfree.co.uk>][Date Thu, 9 Oct 2003 19:00:44 +0100]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Dump\Outlook Express\Sent Items.dbx/[From "Ed Boyle" <teddy2@connectfree.co.uk>][Date Thu, 9 Oct 2003 19:00:44 +0100]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Dump\Outlook Express\Sent Items.dbx Mail MS Outlook 5: suspicious - 2 skipped

Scan process completed.






Logfile of HijackThis v1.99.1
Scan saved at 07:57:06, on 17/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\user\Desktop\Security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\1vlwakiv.slt\prefs.js)
O3 - Toolbar: Bugnosis - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - C:\Program Files\Bugnosis\WebBug.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AntiSpy] C:\Program Files\Omniquad AntiSpy\AntiSpy.exe startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O15 - Trusted Zone: http://www.genesreunited.co.uk.
O15 - Trusted Zone: http://www.friendsreunited.co.uk
O15 - Trusted Zone: http://www.genesreunited.co.uk
O15 - Trusted Zone: http://www.my.if.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4601255156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GFI LANguard N.S.S. 5.0 attendant service - Unknown owner - C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[agrarianmonk]

Sorry for the delay. You're doing great! We're almost done


Some security programs with active monitoring processes are known to interfere with automatic scanners and can actually prevent HJT fixes from taking effect.

Please turn off or disable any of the following programs you may have,

Spybot S&D (Teatimer)

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


Copy/paste the following quote box into a new notepad document...

@echo off

VER|find "Windows 2000">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows XP">NUL
IF NOT ERRORLEVEL 1 GOTO NT

VER|find "Windows 95">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows 98">NUL
IF NOT ERRORLEVEL 1 GOTO win

VER|find "Windows Millennium">NUL
IF NOT ERRORLEVEL 1 GOTO winme

VER|find "Windows 2003">NUL
IF NOT ERRORLEVEL 1 GOTO NT

echo Unsupported Version
goto last

:NT
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\Snapshots\*.*
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\logs\resident.log
del /q %SYSTEMDRIVE%\docume~1\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

:win
deltree /y %WINDIR%\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\applic~1\spybot~1\logs\resident.log
del %WINDIR%\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\applic~1\spybot~1\excludes\RegKeyBlack.sbe
del %WINDIR%\applic~1\spybot~1\excludes\UpdateDL.sbe
exit

:winme
del /y %WINDIR%\alluse~1\applic~1\spybot~1\snapshots\*.*
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\UpdateDL.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\RegKeyblack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcWhite.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\excludes\ProcBlack.sbe
del %WINDIR%\alluse~1\applic~1\spybot~1\logs\resident.log
exit

:last
echo Press any key to terminate,..
pause
exit

Save it to your desktop as ResetTeaTimer.bat. Save it as File Type All Files.

Double click ResetTeaTimer.bat.


Go to Start > Run and type Services.msc then hit Ok
Scroll down and find the below service:

Microsoft Windows Update Service (Windows Update Service)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. close HijackThis.

Stil in HijackThis, Click on the Config button (bottom right), click on Misc Tools, then click on Delete an NT Service. A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

Windows Update Service

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click NO.

Download: CCleaner (freeware)
http://www.majorgeeks.com/download4191.html
Once installed, run CCleaner click the Windows [tab]
Select the following:

Next: click Options click the Settings tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Then click Run Cleaner (bottom right) then Exit

• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  C:\WINDOWS\services.exe
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.

[EdBoyle]

Dear agrarianmonk

So far so good.

Here is the Hijack log....

Ed




Logfile of HijackThis v1.99.1
Scan saved at 07:57:06, on 17/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\user\Desktop\Security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\1vlwakiv.slt\prefs.js)
O3 - Toolbar: Bugnosis - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - C:\Program Files\Bugnosis\WebBug.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AntiSpy] C:\Program Files\Omniquad AntiSpy\AntiSpy.exe startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O15 - Trusted Zone: http://www.genesreunited.co.uk.
O15 - Trusted Zone: http://www.friendsreunited.co.uk
O15 - Trusted Zone: http://www.genesreunited.co.uk
O15 - Trusted Zone: http://www.my.if.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4601255156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GFI LANguard N.S.S. 5.0 attendant service - Unknown owner - C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Microsoft Windows Update Service (Windows Update Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

['KotaGuy]

Hi Ed!

agrarianmonk is away for a few days. I will be taking over the log until he gets back.

Did you disable TeaTimer exactly as previously instruced? If you did I shouldn't be seeing these in your log...

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Just right clicking on the icon in your System Tray wont work... you have to disable it from within the program itself.

TeaTimer is interfering with the fix. Please follow agrarianmonk's previous instructions exactly. You'll need to run the batch file and everything.

Post a new HJT log when done.

Thanks

[EdBoyle]

Dear KotaGuy

I've followed all the instructions carefully. Here is the Hijack log...

Ed

Logfile of HijackThis v1.99.1
Scan saved at 19:17:25, on 21/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\user\Desktop\Security\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
F2 - REG:system.ini: Shell=
F2 - REG:system.ini: UserInit=userinit.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents

and Settings\user\Application Data\Mozilla\Profiles\default\1vlwakiv.slt\prefs.js)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Bugnosis - {930E4DE1-973D-42D6-BF6E-6788E06BD003} - C:\Program

Files\Bugnosis\WebBug.dll
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AntiSpy] C:\Program Files\Omniquad AntiSpy\AntiSpy.exe startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star

Downloader\sdie.htm
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O15 - Trusted Zone: http://www.genesreunited.co.uk.
O15 - Trusted Zone: http://www.friendsreunited.co.uk
O15 - Trusted Zone: http://www.genesreunited.co.uk
O15 - Trusted Zone: http://www.my.if.com
O15 - Trusted Zone: http://www.rbs.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupda ... 4601255156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA194A6D-E152-4DC1-B7BC-3D871D436DF5}: NameServer =

80.225.248.50 80.225.248.58
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: GFI LANguard N.S.S. 5.0 attendant service - Unknown owner - C:\Program

Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (file missing)
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation -

C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC -

C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program

Files\Iomega\AutoDisk\ADService.exe

['KotaGuy]

Excellent! Log looks clean... see something new in it though... did you intentionally install StarDownloader? Also what did you disable with msconfig?

You can re-enable TeaTimer now too if you wish.

[EdBoyle]

I've been using Stardownloader for some time. In fact, since my dial-up days where it made a big speed difference. Should I continue to use it?

I disabled Spybot with msconfig. I found that disabling the resident option within the program itself, then rebooting, did not remove it. Have I done wrong?

It's been encouraging to have you and your colleague be so patient and help me for so long. Thank you for that. You may like to know that I use my PC mainly to maintain a local history website at ...

http://www.edwardboyle.com/EB/cambuslan ... slang.html

and your help will keep me straight.

I note that you accept donations. How can I make one?

Regards

Ed Boyle
Kilmarnock
Scotland

['KotaGuy]

I've been using Stardownloader for some time. In fact, since my dial-up days where it made a big speed difference. Should I continue to use it?

S'ok... I was just asking at it had appeared suddenly in your log.

I disabled Spybot with msconfig. I found that disabling the resident option within the program itself, then rebooting, did not remove it. Have I done wrong?

Thats ok as well... thought that might've been what you did as you were having issues with TeaTimer. Just wanted to make sure.

Donation link is here, if you are so inclined.

How is your PC running now? Any of the previous symptoms?

[Nick-YF19]

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.