Welcome to MalwareRemoval.com,

Malware Removal Instructions

i have win32 qhost.df which is a trojan.. help

Post by bob1976 » July 17th, 2006, 8:37 am

I can not get rid of the trojan win32 qhost.df. It is located at hkey_local_machine\software\microsoft\windows\currentversion\ruins. I have HJT but I don't know how to post the log... please help. Thanks.
bob1976
Active Member
 
Posts: 8
Joined: July 16th, 2006, 5:01 pm

Post by ChrisRLG » July 17th, 2006, 8:41 am

http://www.nellie2.co.uk/extract.htm

The last part of the page :)

Copy that log file and 'paste' into the reply post to this topic please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Here is the log

Post by bob1976 » July 17th, 2006, 8:46 am

Logfile of HijackThis v1.99.1
Scan saved at 20:41:34, on 16/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\BT Broadband 210\Help\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\Documents and Settings\martyn jordan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R3 - URLSearchHook: (no name) - {DC02115C-6C45-C5FF-9F0D-D7FFBDFB08F6} - _ctcp.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [systemdll] LOPTCON.exe
O4 - HKLM\..\Run: [iesetupdll] Serviceprocess.exe
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [WhatsNewBot] ATLIEHELPER.exe
O4 - HKCU\..\Run: [utsgmon] powerdll.exe
O4 - HKCU\..\Run: [LOPTCON] teqq32.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 210\Help\bin\matcli.exe
O9 - Extra button: Spin Palace Poker - {3A56EF1B-B8B8-45f6-9F79-1CC1778B9091} - C:\Program Files\spinpalaceMPP\MPPoker.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EB4135E-4874-4ED0-8440-729D4AA74C35}: NameServer = 85.255.114.108,85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D5080B-D74F-45B9-802E-778CAD0F9E18}: NameServer = 85.255.114.108,85.255.112.143
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.143
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE


Hello there, this is my HijackThis log. I have a virus called win32qhost.df.
my email is [edit by ChrisRLG]Email link removed - or the spam bots will find it[/edit]
Please please please help.
bob1976
Active Member
 
Posts: 8
Joined: July 16th, 2006, 5:01 pm

Post by markkhunt » July 17th, 2006, 11:17 am

Hi, bob1976. Welcome to Malware Removal. Let’s see what we can do about getting your computer clean. You may want to print out these instructions for easy reference, since you will have to restart your computer during the fix.

The first thing I recommend you do is to remove KillAndClean through Add/Remove Programs in the Windows Control Panel because it is a remover of dubious repute. Please refer to Spyware Warrior’s list of rogue programs for more details.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Now let's check some settings on your system.
(2000/XP only)
In the Windows Control Panel: if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click Network Connections. Then right-click your default connection (usually Local Area Connection for cable and DSL) and left-click Properties. Click the Networking tab. Double-click the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
Next, go Start => Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; type exit and hit Enter.
(The space between g and / is needed.)

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt. The report from FixWareOut may be quite long. I do need to see the complete report, so you may split the report into separate posts if necessary.
markkhunt
Admin/Teacher Emeritus
 
Posts: 7913
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN
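The three indicators markkhunt is acting on in this post, written up as an added triage script that is not part of the original thread and not HijackThis code: O17 entries that hard-code DNS servers, O4 Run entries whose command is a bare filename rather than a full path (so the binary is resolved via the search path, typically out of System32), and hooks whose target file HijackThis could not find. The sample input is a handful of lines copied from the first log posted above; the trusted-DNS allowlist parameter is this example's own addition, for comparing against the ISP's real resolvers.

```python
"""Triage a HijackThis 1.99 log for the indicators acted on in this thread.

Added example, not code from the original thread or from HijackThis.
Flags:
  * O17 entries that hard-code DNS servers (DNS hijack: this machine was pointed
    at 85.255.114.108 / 85.255.112.143 instead of getting servers from the ISP),
  * O4 Run entries whose command is a bare filename with no directory, so the
    binary is found via the search path, typically out of System32,
  * entries whose target HijackThis could not find ("(file missing)", "(no file)").
"""
import re

# Constructed sample: lines copied from the first log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [systemdll] LOPTCON.exe
O4 - HKLM\..\Run: [iesetupdll] Serviceprocess.exe
O4 - HKCU\..\Run: [utsgmon] powerdll.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
R3 - URLSearchHook: (no name) - {DC02115C-6C45-C5FF-9F0D-D7FFBDFB08F6} - _ctcp.dll (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D5080B-D74F-45B9-802E-778CAD0F9E18}: NameServer = 85.255.114.108,85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.143
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_DNS = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def run_executable(cmd):
    """Executable part of an O4 command line; handles a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text, trusted_dns=frozenset()):
    """Return {'bare_run_entries': [(hive, name, exe)], 'rogue_dns': [(key, server)],
    'missing_files': [line]} for the given log text."""
    findings = {"bare_run_entries": [], "rogue_dns": [], "missing_files": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "(file missing)" in line or "(no file)" in line:
            findings["missing_files"].append(line)
        m = O4_RUN.match(line)
        if m:
            exe = run_executable(m.group("cmd"))
            # No drive letter and no directory separator: resolved via the search path.
            if "\\" not in exe and ":" not in exe:
                findings["bare_run_entries"].append((m.group("hive"), m.group("name"), exe))
            continue
        m = O17_DNS.match(line)
        if m:
            # In the log above the per-interface lists are comma-separated and the
            # global Tcpip\Parameters list is space-separated; accept both.
            for server in re.split(r"[,\s]+", m.group("servers").strip()):
                if server and server not in trusted_dns:
                    findings["rogue_dns"].append((m.group("key"), server))
    return findings


def rogue_dns_servers(findings):
    """Distinct hard-coded DNS servers, sorted, for a quick reputation look-up."""
    return sorted({server for _, server in findings["rogue_dns"]})


if __name__ == "__main__":
    f = triage(SAMPLE_LOG)
    for hive, name, exe in f["bare_run_entries"]:
        print(f"bare Run entry  {hive} [{name}] -> {exe}")
    for server in rogue_dns_servers(f):
        print(f"hard-coded DNS  {server}")
    for line in f["missing_files"]:
        print(f"missing target  {line}")
```

Run against the sample it reports LOPTCON.exe, Serviceprocess.exe and powerdll.exe as bare Run entries, both 85.255.x.x resolvers as hard-coded DNS, and the two dangling hooks; passing the ISP's resolvers as trusted_dns silences the O17 findings on a machine that legitimately hard-codes them.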

I'm a beginner

Post by bob1976 » July 17th, 2006, 11:58 am

Hi there, thanks for your time. I tried to follow your instructions as closely as possible, but I am a beginner and I kinda struggled with the system settings part of your recommendations. Here is the HJT log that you need, followed by the other log you asked for. I struggled to find this second log, so I hope it is right.

Logfile of HijackThis v1.99.1
Scan saved at 16:51:27, on 17/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\BT Broadband 210\Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\martyn jordan\Desktop\HijackThis.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\PROGRA~1\MSNMES~1\msnmsgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
R3 - URLSearchHook: (no name) - {DC02115C-6C45-C5FF-9F0D-D7FFBDFB08F6} - _ctcp.dll (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [systemdll] LOPTCON.exe
O4 - HKLM\..\Run: [iesetupdll] Serviceprocess.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [WhatsNewBot] ATLIEHELPER.exe
O4 - HKCU\..\Run: [utsgmon] powerdll.exe
O4 - HKCU\..\Run: [LOPTCON] teqq32.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 210\Help\bin\matcli.exe
O9 - Extra button: Spin Palace Poker - {3A56EF1B-B8B8-45f6-9F79-1CC1778B9091} - C:\Program Files\spinpalaceMPP\MPPoker.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://esupport.cf1live.com/esupport/st ... aunch2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D5080B-D74F-45B9-802E-778CAD0F9E18}: NameServer = 85.255.114.108,85.255.112.143
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.143
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Here is the FixWareout report (I hope)

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmlxk.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSKMG.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSKMG.EXE 51,285 2006-07-14
C:\WINDOWS\SYSTEM32\DMLXK.EXE 62,046 2004-08-04
Other suspects
Directory of C:\WINDOWS\system32
{5A733A3C-EAAE-4F5B-AEF9-5B84A0347620}.exe
{42D04C4C-5EE9-4CEA-8750-A4A3339297E7}.exe
{C17E30AE-4569-4BDB-971E-BF90B54B7544}.exe
{EB94FDC0-0261-49D2-BDA0-8A8E08E7033C}.exe
{F62BC8FF-E880-49DB-8BD3-B32C0E6785EB}.exe
{01F670E4-7D56-478A-B806-F061D2D58F99}.exe
{0C3D883D-7E2B-4EDC-9B94-97BE98F60030}.exe
{83161E6F-4959-4509-9BC1-077038302D5C}.exe
{16724A98-63E7-4FAE-B93A-C15250A708EA}.exe
{8700BBBD-62B4-408D-BC09-637F59C953AD}.exe
{9FC4C425-99F1-4EF8-813E-1E5337E5ECBF}.exe
{DDF0AF7E-13DF-4BA5-9E2E-DFA931A3CB28}.exe
{19E16A93-72D0-4EE0-982A-A7817F399612}.exe
{F111B741-8D72-4AAD-95BA-B2CAC3B3041D}.exe
{C0B5567F-8AB9-449E-8662-318D3ABCA974}.exe
{7B862D66-AED7-4B0F-B525-381165D07575}.exe
{480C70B2-B3FA-46B1-9564-B7DAA8963BDE}.exe
{2AAF1613-BFCF-428C-A2E0-0DA2AA82FCD6}.exe
{E5059ADB-EC94-4D73-BB8E-A571A014F883}.exe
{B61426B8-4704-4CAD-8589-1B93BA08403A}.exe
{805D69B4-477B-4881-BCD8-AC0B84F34834}.exe
{36B9BF95-CABD-4C14-B23C-F9ECFF1210F0}.exe
{29F73BFC-9426-4514-9BBD-53A6D46AA9A0}.exe
{A4780484-097C-4F36-9808-149707633C91}.exe
{3BBE8BB2-A64E-4B60-B4BA-4F515146AB6F}.exe
{BB89027A-A8D3-4D93-8D41-9AD93CDB2590}.exe
{49A95EB1-F53D-46EC-8F66-E02698F93652}.exe
{E8181D5C-03D5-4E1B-8D41-976B3CF1D3FF}.exe
{7C25D5C4-D246-4993-B253-FD9539E8ACB6}.exe
{63D29D1C-64EA-45BC-8EF8-B6D0F0C2E949}.exe
{83CDCE1B-FAAA-48C0-9932-B2AC27EEE5A1}.exe
{CBD120A3-4983-41D5-BEA3-7FF18F3A513A}.exe
{9825DD69-B446-4DA6-8980-172E37C827C5}.exe
{A2270FAE-08FA-4B70-B865-1B239BB4F37F}.exe
{B00FD8BC-67FC-4CF7-BDAB-83150D57B9D8}.exe
{5EE482D8-F790-4492-BCB8-559C61A1BCB8}.exe
{BC562097-F200-4FC7-9ED4-6F61017C85D5}.exe
{E6DE9412-4599-4075-9913-BBB72D5DAA23}.exe
{AB47D7C9-5EE1-4226-9580-3F370F5ACF94}.exe
{3530D393-4E28-433A-BDB0-EBB48FBD0EEC}.exe
{E3D922E7-B0C3-4E94-9731-9691B61AEAFA}.exe
{8F5EAE04-DB97-4126-864D-23BB3323137F}.exe
{58ACB65E-6B43-4D54-9A3A-EE715E998D43}.exe
{2ADA4354-2DE7-478A-9816-A74B4C5F414A}.exe
{89EB6A52-FB4A-4FB0-8DA1-69B7F1D71146}.exe
{92B9F41A-8372-49D5-8077-2D6485269F86}.exe
{77677CFF-320C-4410-91DE-9F4782CF3914}.exe
{BD7A035C-921E-4408-A3A5-7A34413F2818}.exe
{F73FC204-F83A-449A-B32A-B9010AE9D694}.exe
{DF367580-4E39-440D-B0E6-99E6B3948DE3}.exe
{24399E96-9DBB-4D12-83A4-488605C36FC7}.exe
{D7BB036C-7613-4A5A-8C88-524EF7596708}.exe
{90667845-AE4B-46D1-8BED-E09983535401}.exe
{061A4A35-F7E4-4AEB-8486-CB709FFFC12D}.exe
{A6E382FD-A653-416F-8415-911F736F99E6}.exe
{52DE8B08-D7D3-4061-AE01-B73F1D737943}.exe
{437673EA-07E6-4C11-B55C-331225EF3612}.exe
{1B587F9F-F44A-4B62-A413-E301E0E1D77B}.exe
{ED873742-F70B-4A6F-902A-D91507C99588}.exe
{3586053A-50B3-4036-AB28-D56B2B43C0D6}.exe
{799683D5-4D8E-446D-AACE-EEC6F34E5B24}.exe
{9ABCD2FA-0006-4B0D-B3B5-C3501B3858F7}.exe
{2ACAA079-64B5-400A-A47E-DC9E49ECCA0E}.exe
{73736D86-E02D-4EB6-BE3E-FEA7DB222199}.exe
{E9C08DDE-14C5-4973-9970-0654AD5C1B57}.exe
{3B0DDB86-F20E-4521-A4B8-09A27A7F1C61}.exe
{801A7A09-1076-4C64-8DEF-0C7FEE7970CB}.exe
{9D0D83F5-B00C-44F7-8B5B-CBA168EA6AF2}.exe
{63575CC6-BBE5-420C-A280-78D20F734CDF}.exe
{2AEE053B-81AD-4E14-A074-68EBCAC6A7C1}.exe
{E5353226-9BD0-4696-8D56-DB182644FD4B}.exe
{27019FF6-F95D-49BD-8174-967792283B0D}.exe
{02F37DE1-4B95-48AF-9945-578884F133E2}.exe
{2739344B-B2C5-4416-9031-7E1CAB11A75C}.exe
{9C9719E2-8AE8-41D6-8CE0-5E1C1D0B011E}.exe
bob1976
Active Member
 
Posts: 8
Joined: July 16th, 2006, 5:01 pm

system settings

Post by bob1976 » July 17th, 2006, 12:19 pm

I tried your system settings instructions and got this response: "Could not flush the DNS Resolver Cache: Function failed during execution."
bob1976
Active Member
 
Posts: 8
Joined: July 16th, 2006, 5:01 pm

Post by markkhunt » July 17th, 2006, 4:37 pm

Hi, bob1976. Don’t worry. You did just fine. :)

Please download the Killbox and unzip/extract it to your desktop, but do NOT run it yet.

We need to make sure you can see all files, including hidden and system files. Please click Start => My Computer. On the menu bar select Tools => Folder Options, and then select the View tab. Under the Hidden files and folders heading, please make sure Show hidden files and folders is checked and Hide protected operating system files (recommended) is unchecked. Click Yes to confirm, and then click OK.

Copy the list of files inside the Code box below to your Windows Clipboard (highlight the list and then press Ctrl+C).

Code:
C:\WINDOWS\SYSTEM32\CSKMG.EXE
C:\WINDOWS\SYSTEM32\DMLXK.EXE 
C:\WINDOWS\SYSTEM32\{5A733A3C-EAAE-4F5B-AEF9-5B84A0347620}.exe 
C:\WINDOWS\SYSTEM32\{42D04C4C-5EE9-4CEA-8750-A4A3339297E7}.exe 
C:\WINDOWS\SYSTEM32\{C17E30AE-4569-4BDB-971E-BF90B54B7544}.exe 
C:\WINDOWS\SYSTEM32\{EB94FDC0-0261-49D2-BDA0-8A8E08E7033C}.exe 
C:\WINDOWS\SYSTEM32\{F62BC8FF-E880-49DB-8BD3-B32C0E6785EB}.exe 
C:\WINDOWS\SYSTEM32\{01F670E4-7D56-478A-B806-F061D2D58F99}.exe 
C:\WINDOWS\SYSTEM32\{0C3D883D-7E2B-4EDC-9B94-97BE98F60030}.exe 
C:\WINDOWS\SYSTEM32\{83161E6F-4959-4509-9BC1-077038302D5C}.exe 
C:\WINDOWS\SYSTEM32\{16724A98-63E7-4FAE-B93A-C15250A708EA}.exe 
C:\WINDOWS\SYSTEM32\{8700BBBD-62B4-408D-BC09-637F59C953AD}.exe 
C:\WINDOWS\SYSTEM32\{9FC4C425-99F1-4EF8-813E-1E5337E5ECBF}.exe 
C:\WINDOWS\SYSTEM32\{DDF0AF7E-13DF-4BA5-9E2E-DFA931A3CB28}.exe 
C:\WINDOWS\SYSTEM32\{19E16A93-72D0-4EE0-982A-A7817F399612}.exe 
C:\WINDOWS\SYSTEM32\{F111B741-8D72-4AAD-95BA-B2CAC3B3041D}.exe 
C:\WINDOWS\SYSTEM32\{C0B5567F-8AB9-449E-8662-318D3ABCA974}.exe 
C:\WINDOWS\SYSTEM32\{7B862D66-AED7-4B0F-B525-381165D07575}.exe 
C:\WINDOWS\SYSTEM32\{480C70B2-B3FA-46B1-9564-B7DAA8963BDE}.exe 
C:\WINDOWS\SYSTEM32\{2AAF1613-BFCF-428C-A2E0-0DA2AA82FCD6}.exe 
C:\WINDOWS\SYSTEM32\{E5059ADB-EC94-4D73-BB8E-A571A014F883}.exe 
C:\WINDOWS\SYSTEM32\{B61426B8-4704-4CAD-8589-1B93BA08403A}.exe 
C:\WINDOWS\SYSTEM32\{805D69B4-477B-4881-BCD8-AC0B84F34834}.exe 
C:\WINDOWS\SYSTEM32\{36B9BF95-CABD-4C14-B23C-F9ECFF1210F0}.exe 
C:\WINDOWS\SYSTEM32\{29F73BFC-9426-4514-9BBD-53A6D46AA9A0}.exe 
C:\WINDOWS\SYSTEM32\{A4780484-097C-4F36-9808-149707633C91}.exe 
C:\WINDOWS\SYSTEM32\{3BBE8BB2-A64E-4B60-B4BA-4F515146AB6F}.exe 
C:\WINDOWS\SYSTEM32\{BB89027A-A8D3-4D93-8D41-9AD93CDB2590}.exe 
C:\WINDOWS\SYSTEM32\{49A95EB1-F53D-46EC-8F66-E02698F93652}.exe 
C:\WINDOWS\SYSTEM32\{E8181D5C-03D5-4E1B-8D41-976B3CF1D3FF}.exe 
C:\WINDOWS\SYSTEM32\{7C25D5C4-D246-4993-B253-FD9539E8ACB6}.exe 
C:\WINDOWS\SYSTEM32\{63D29D1C-64EA-45BC-8EF8-B6D0F0C2E949}.exe 
C:\WINDOWS\SYSTEM32\{83CDCE1B-FAAA-48C0-9932-B2AC27EEE5A1}.exe 
C:\WINDOWS\SYSTEM32\{CBD120A3-4983-41D5-BEA3-7FF18F3A513A}.exe 
C:\WINDOWS\SYSTEM32\{9825DD69-B446-4DA6-8980-172E37C827C5}.exe 
C:\WINDOWS\SYSTEM32\{A2270FAE-08FA-4B70-B865-1B239BB4F37F}.exe 
C:\WINDOWS\SYSTEM32\{B00FD8BC-67FC-4CF7-BDAB-83150D57B9D8}.exe 
C:\WINDOWS\SYSTEM32\{5EE482D8-F790-4492-BCB8-559C61A1BCB8}.exe 
C:\WINDOWS\SYSTEM32\{BC562097-F200-4FC7-9ED4-6F61017C85D5}.exe 
C:\WINDOWS\SYSTEM32\{E6DE9412-4599-4075-9913-BBB72D5DAA23}.exe 
C:\WINDOWS\SYSTEM32\{AB47D7C9-5EE1-4226-9580-3F370F5ACF94}.exe 
C:\WINDOWS\SYSTEM32\{3530D393-4E28-433A-BDB0-EBB48FBD0EEC}.exe 
C:\WINDOWS\SYSTEM32\{E3D922E7-B0C3-4E94-9731-9691B61AEAFA}.exe 
C:\WINDOWS\SYSTEM32\{8F5EAE04-DB97-4126-864D-23BB3323137F}.exe 
C:\WINDOWS\SYSTEM32\{58ACB65E-6B43-4D54-9A3A-EE715E998D43}.exe 
C:\WINDOWS\SYSTEM32\{2ADA4354-2DE7-478A-9816-A74B4C5F414A}.exe 
C:\WINDOWS\SYSTEM32\{89EB6A52-FB4A-4FB0-8DA1-69B7F1D71146}.exe 
C:\WINDOWS\SYSTEM32\{92B9F41A-8372-49D5-8077-2D6485269F86}.exe 
C:\WINDOWS\SYSTEM32\{77677CFF-320C-4410-91DE-9F4782CF3914}.exe 
C:\WINDOWS\SYSTEM32\{BD7A035C-921E-4408-A3A5-7A34413F2818}.exe 
C:\WINDOWS\SYSTEM32\{F73FC204-F83A-449A-B32A-B9010AE9D694}.exe 
C:\WINDOWS\SYSTEM32\{DF367580-4E39-440D-B0E6-99E6B3948DE3}.exe 
C:\WINDOWS\SYSTEM32\{24399E96-9DBB-4D12-83A4-488605C36FC7}.exe 
C:\WINDOWS\SYSTEM32\{D7BB036C-7613-4A5A-8C88-524EF7596708}.exe 
C:\WINDOWS\SYSTEM32\{90667845-AE4B-46D1-8BED-E09983535401}.exe 
C:\WINDOWS\SYSTEM32\{061A4A35-F7E4-4AEB-8486-CB709FFFC12D}.exe 
C:\WINDOWS\SYSTEM32\{A6E382FD-A653-416F-8415-911F736F99E6}.exe 
C:\WINDOWS\SYSTEM32\{52DE8B08-D7D3-4061-AE01-B73F1D737943}.exe 
C:\WINDOWS\SYSTEM32\{437673EA-07E6-4C11-B55C-331225EF3612}.exe 
C:\WINDOWS\SYSTEM32\{1B587F9F-F44A-4B62-A413-E301E0E1D77B}.exe 
C:\WINDOWS\SYSTEM32\{ED873742-F70B-4A6F-902A-D91507C99588}.exe 
C:\WINDOWS\SYSTEM32\{3586053A-50B3-4036-AB28-D56B2B43C0D6}.exe 
C:\WINDOWS\SYSTEM32\{799683D5-4D8E-446D-AACE-EEC6F34E5B24}.exe 
C:\WINDOWS\SYSTEM32\{9ABCD2FA-0006-4B0D-B3B5-C3501B3858F7}.exe 
C:\WINDOWS\SYSTEM32\{2ACAA079-64B5-400A-A47E-DC9E49ECCA0E}.exe 
C:\WINDOWS\SYSTEM32\{73736D86-E02D-4EB6-BE3E-FEA7DB222199}.exe 
C:\WINDOWS\SYSTEM32\{E9C08DDE-14C5-4973-9970-0654AD5C1B57}.exe 
C:\WINDOWS\SYSTEM32\{3B0DDB86-F20E-4521-A4B8-09A27A7F1C61}.exe 
C:\WINDOWS\SYSTEM32\{801A7A09-1076-4C64-8DEF-0C7FEE7970CB}.exe 
C:\WINDOWS\SYSTEM32\{9D0D83F5-B00C-44F7-8B5B-CBA168EA6AF2}.exe 
C:\WINDOWS\SYSTEM32\{63575CC6-BBE5-420C-A280-78D20F734CDF}.exe 
C:\WINDOWS\SYSTEM32\{2AEE053B-81AD-4E14-A074-68EBCAC6A7C1}.exe 
C:\WINDOWS\SYSTEM32\{E5353226-9BD0-4696-8D56-DB182644FD4B}.exe 
C:\WINDOWS\SYSTEM32\{27019FF6-F95D-49BD-8174-967792283B0D}.exe 
C:\WINDOWS\SYSTEM32\{02F37DE1-4B95-48AF-9945-578884F133E2}.exe 
C:\WINDOWS\SYSTEM32\{2739344B-B2C5-4416-9031-7E1CAB11A75C}.exe 
C:\WINDOWS\SYSTEM32\{9C9719E2-8AE8-41D6-8CE0-5E1C1D0B011E}.exe


Please run Killbox.
  • On the menu bar, click File => Paste from Clipboard.
  • Now, select the option to Delete on Reboot
  • Click the red and white Delete File button.
  • Click Yes to the first prompt.
  • Click No to the second prompt.


Run HijackThis, click Do a system scan only, and check the box next to each of these items. If something isn’t there, just continue with the next item on the list.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R3 - URLSearchHook: (no name) - {DC02115C-6C45-C5FF-9F0D-D7FFBDFB08F6} - _ctcp.dll (file missing)
O4 - HKLM\..\Run: [systemdll] LOPTCON.exe
O4 - HKLM\..\Run: [iesetupdll] Serviceprocess.exe
O4 - HKCU\..\Run: [WhatsNewBot] ATLIEHELPER.exe
O4 - HKCU\..\Run: [utsgmon] powerdll.exe
O4 - HKCU\..\Run: [LOPTCON] teqq32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D5080B-D74F-45B9-802E-778CAD0F9E18}: NameServer = 85.255.114.108,85.255.112.143
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.108 85.255.112.143


Now, please close all open windows and browsers, including this one, and click Fix Checked.

Please click Start => Search => All files and folders. In the All or part of the file name: box, please type LOPTCON.exe and make sure Look in: is set to search your Local Drive C:. Click Search. When the search has been completed, the file (if found) will appear in the right-hand panel. Please delete every instance of the file found.

Now, repeat the search and delete process for the following four files:

ATLIEHELPER.exe
Serviceprocess.exe
powerdll.exe
teqq32.exe


Restart your computer.

Now, let’s run FixWareOut again. Use Windows Explorer and go to the C:\fixwareout folder. You should find a file called FixIt.bat. Double-click the file to run it, and follow the prompts like you did the first time.

When FixWareOut has finished running, please restart your computer.

Run HijackThis again and post a fresh log for me to review, along with the contents of the C:\fixwareout\report.txt.
markkhunt
Admin/Teacher Emeritus
 
Posts: 7913
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN
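The two file-name heuristics the FixWareout report above applied to System32 (GUID-named executables, and five-character names beginning cs, dm or jb), turned into the one-path-per-line list that markkhunt pasted into Killbox in this post. This is an added example, not FixWareout's or Killbox's own code. The directory listing, the sizes of everything except CSKMG.EXE and DMLXK.EXE, and the KNOWN_GOOD allowlist are constructed for the example; the allowlist exists because, as the report itself warns, legitimate files can match the pattern (csrss.exe is a five-character cs* name), so the output is a list for review, not for unattended deletion.

```python
"""Turn a System32 directory listing into a Killbox-style review list using the
two naming heuristics from the FixWareout report above. Added example; not
FixWareout's or Killbox's own code.

The report itself says legitimate files can match (csrss.exe is a five-character
cs* name), so a short allowlist of known Windows binaries is consulted and the
result is a list for review, not for unattended deletion.
"""
import re
from pathlib import PureWindowsPath

# {GUID}.exe, e.g. {5A733A3C-EAAE-4F5B-AEF9-5B84A0347620}.exe
GUID_EXE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe$", re.I)
# five-character name beginning cs, dm or jb, e.g. CSKMG.EXE, DMLXK.EXE
FIVE_CHAR_EXE = re.compile(r"^(?:cs|dm|jb)[a-z0-9]{3}\.exe$", re.I)

# Constructed allowlist: legitimate Windows files whose names fit the pattern.
KNOWN_GOOD = {"csrss.exe"}

# Constructed listing (name, size in bytes): names from the report above mixed
# with ordinary Windows files that must not be flagged. Only the first two
# sizes come from the report; the rest are illustrative.
SYSTEM32_LISTING = [
    ("CSKMG.EXE", 51285),
    ("DMLXK.EXE", 62046),
    ("{5A733A3C-EAAE-4F5B-AEF9-5B84A0347620}.exe", 4096),
    ("{9C9719E2-8AE8-41D6-8CE0-5E1C1D0B011E}.exe", 4096),
    ("csrss.exe", 6144),      # matches cs??? but is the Windows client/server runtime
    ("dmadmin.exe", 225280),  # seven characters: no match
    ("cmd.exe", 389120),
    ("ipsec6.exe", 58368),    # the report's own example of a legitimate file
]


def classify(name):
    """Reason a file name is suspect, or None if it is allowlisted or matches nothing."""
    if name.lower() in KNOWN_GOOD:
        return None
    if GUID_EXE.match(name):
        return "GUID-named executable"
    if FIVE_CHAR_EXE.match(name):
        return "five-character cs/dm/jb name"
    return None


def suspects(listing, system32=r"C:\WINDOWS\SYSTEM32"):
    """[(full_path, reason)] for every suspect name in the listing, in listing order."""
    out = []
    for name, _size in listing:
        reason = classify(name)
        if reason:
            out.append((str(PureWindowsPath(system32, name)), reason))
    return out


def killbox_list(listing, system32=r"C:\WINDOWS\SYSTEM32"):
    """One full path per line: the format pasted into Killbox via Paste from Clipboard."""
    return "\n".join(path for path, _ in suspects(listing, system32))


if __name__ == "__main__":
    for path, reason in suspects(SYSTEM32_LISTING):
        print(f"{reason:30} {path}")
    print()
    print(killbox_list(SYSTEM32_LISTING))
```

On the constructed listing it returns the two five-character files and the two GUID-named files, skips csrss.exe despite the name match, and ignores the seven-character dmadmin.exe; a real run would feed it the output of a directory listing of System32 and still have a person check each path before it goes into Killbox.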

Phew

Post by bob1976 » July 17th, 2006, 6:36 pm

Hi Mark, sorry for my delayed post. All that was a bit of a head spin, plus I don't have a printer :( . Anyhow, again I have followed your instructions as closely as possible and have renewed logs for you to flick through. Once again, thanks for your help and time.

Logfile of HijackThis v1.99.1
Scan saved at 23:27:53, on 17/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\BT Broadband 210\Help\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\martyn jordan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 210\Help\bin\matcli.exe
O9 - Extra button: Spin Palace Poker - {3A56EF1B-B8B8-45f6-9F79-1CC1778B9091} - C:\Program Files\spinpalaceMPP\MPPoker.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://esupport.cf1live.com/esupport/st ... aunch2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE




Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\DMLXK.EXE 62,046 2004-08-04
Other suspects
Directory of C:\WINDOWS\system32
{27019FF6-F95D-49BD-8174-967792283B0D}.exe


this log looks a bit small compared to last time.. hope it's the right one
bob1976
Active Member
 
Posts: 8
Joined: July 16th, 2006, 5:01 pm
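The FixWareOut report above applies two name checks by hand (five-character cs/dm/jb names, and GUID-named executables in system32), and the HijackThis log is reviewed entry by entry. As an added illustration, not code from this thread or from either tool, here is a small Python reader that parses HijackThis-style lines, applies those same name checks to O4 Run entries, and flags registered components whose file is already gone. The sample log is constructed: four of its lines mirror entries posted in this thread, and the two Run entries pointing at DMLXK.EXE and the GUID-named .exe are hypothetical, added only to exercise the checks.

```python
import re

# One HijackThis entry per line: "<section> - <body>"
# e.g. "O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP"
ENTRY = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# O4 body: "<key>: [<value name>] <command line>"
O4_BODY = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Leading executable of a command line, with or without surrounding quotes
CMD_PATH = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|bat|cmd|scr|com))"?(?=\s|$)', re.IGNORECASE)
# The two name patterns the FixWareOut report searches for by hand
FIVE_CHAR = re.compile(r"^(?:cs|dm|jb)[a-z0-9]{3}\.exe$", re.IGNORECASE)
GUID_EXE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.exe$", re.IGNORECASE)

# Constructed sample log. The R1, first two O4 and the O18 lines mirror entries posted
# in this thread; the dmlxk and GUID Run entries are hypothetical test data.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [dmlxk] C:\WINDOWS\SYSTEM32\DMLXK.EXE
O4 - HKLM\..\Run: [svc] C:\WINDOWS\system32\{27019FF6-F95D-49BD-8174-967792283B0D}.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def command_path(cmd):
    """Extract the executable path from a Run-key command line, quoted or not."""
    m = CMD_PATH.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def suspicious_name(path):
    """Reason string if the file name matches a WareOut-style pattern, else None."""
    name = path.rsplit("\\", 1)[-1]
    if FIVE_CHAR.match(name):
        return "five-character cs/dm/jb name"
    if GUID_EXE.match(name):
        return "GUID-named executable"
    return None


def review_log(text):
    """Return (section, path, reason) findings for the entries worth a second look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O4":
            m = O4_BODY.match(body)
            if not m:
                continue
            path = command_path(m.group("cmd"))
            reason = suspicious_name(path)
            if reason:
                findings.append((section, path, reason))
        elif body.endswith("(file missing)"):
            # A BHO, hook or protocol handler still registered after its file is gone:
            # usually a leftover, but worth listing so the review is complete.
            path = body[: -len("(file missing)")].rsplit(" - ", 1)[-1].strip().strip('"')
            findings.append((section, path, "registered component, file missing"))
    return findings


def flag_names(names):
    """Apply the same name checks to a bare directory listing, like the report's
    'Directory of C:/WINDOWS/system32' block."""
    return [(n, suspicious_name(n)) for n in names if suspicious_name(n)]


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

The checks are deliberately name-only, matching what the report does; as the report itself warns, a hit is a candidate to look up or submit for scanning, not a verdict.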

Unread postby markkhunt » July 17th, 2006, 6:50 pm

Hi, bob1976. I'm glad I can help. :)

Your log is looking much better now. Just a couple of bad files are still showing, so we'll repeat part of the fix we just did to see if we can get the rest.

Copy the list of files inside the Code box below to your Windows Clipboard (Highlight the list and then Ctrl+C)

Code:
C:\WINDOWS\SYSTEM32\DMLXK.EXE
C:\WINDOWS\system32\{27019FF6-F95D-49BD-8174-967792283B0D}.exe 


Please run Killbox.
  • On the menu bar, click File => Paste from Clipboard.
  • Now, select the option to Delete on Reboot
  • Click the red and white Delete File button.
  • Click Yes to the first prompt.
  • Click Yes to the second prompt to allow your computer to restart.

Now, let’s run FixWareOut again. Use Windows Explorer and go to the C:\fixwareout folder. You should find a file called FixIt.bat. Double-click the file to run it, and follow the prompts like you did the first time.

When FixWareOut has finished running, please restart your computer.

Run HijackThis again and post a fresh log for me to review, along with the contents of the C:\fixwareout\report.txt.
markkhunt
Admin/Teacher Emeritus
 
Posts: 7913
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

more logs

Unread postby bob1976 » July 17th, 2006, 7:36 pm

ok.. done that.... fingers crossed


Logfile of HijackThis v1.99.1
Scan saved at 00:32:54, on 18/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\BT Broadband 210\Help\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\martyn jordan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 210\Help\bin\matcli.exe
O9 - Extra button: Spin Palace Poker - {3A56EF1B-B8B8-45f6-9F79-1CC1778B9091} - C:\Program Files\spinpalaceMPP\MPPoker.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://esupport.cf1live.com/esupport/st ... aunch2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE






Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
{27019FF6-F95D-49BD-8174-967792283B0D}.exe
bob1976
Active Member
 
Posts: 8
Joined: July 16th, 2006, 5:01 pm

Unread postby markkhunt » July 17th, 2006, 10:48 pm

bob1976, your HijackThis log looks clean now, but we've got one file in there that doesn't seem to want to go away. I'm going to have you try to remove it one more time, but we'll also dig a little deeper and run some other scans to see if we can find what may be stopping the fix from working the way it's supposed to work. I'll try to be as gentle as possible and to not make your head spin any more than I have to. :D

Copy the text inside the Code box below to the Windows Clipboard. (Highlight the text and then Ctrl+C)

Code:
C:\Windows\System32\{27019FF6-F95D-49BD-8174-967792283B0D}.exe


Please run Killbox.
  • On the menu bar, click File => Paste from Clipboard.
  • Now, select the option to Delete on Reboot
  • Click the red and white Delete File button.
  • Click Yes to the first prompt.
  • Click Yes to the second prompt to allow your computer to restart.
Now, let’s run FixWareOut again. Use Windows Explorer and go to the C:\fixwareout folder. You should find a file called FixIt.bat. Double-click the file to run it, and follow the prompts like you did the first time.

When FixWareOut has finished running, please restart your computer.

Download Blacklight Beta.
  • Click I Accept
  • Download blbeta.exe to your desktop.
  • Double-click blbeta.exe to install the program.
  • Click to accept the agreement
  • Click Scan.

The scan could take a while to complete, but please be patient and let it finish. There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers). Please post the contents of that log in your next reply.

Download WinPFind and unzip/extract it to its own folder, something like C:\WinPFind.
  • Double-click WinPFind.exe
  • Click Start Scan

The scan could take a while to complete, but please be patient and let it finish. There will be a log in WinPFind's folder called winpfind.txt. Please post the contents of that log in your next reply.

Run HijackThis again and post a fresh log for me to review, along with the contents of the C:\fixwareout\report.txt, the fsbl.xxxxxxx.log, and the winpfind.txt. You may need to make more than one post to make sure I get all the content from all the logs.
markkhunt
Admin/Teacher Emeritus
 
Posts: 7913
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

here goes

Unread postby bob1976 » July 18th, 2006, 5:23 am

hi markkhunt... i did as you asked but i had real probs getting winpfind to work... here are the other logs though and in the mean time i will persist with winpfind... also it's my birthday today (the big 30) so it may take some time for me to reply to your next post... thanks for your time


07/18/06 09:44:04 [Info]: BlackLight Engine 1.0.42 initialized
07/18/06 09:44:04 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/18/06 09:44:05 [Note]: 7019 4
07/18/06 09:44:05 [Note]: 7005 0
07/18/06 09:44:18 [Note]: 7006 0
07/18/06 09:44:18 [Note]: 7011 1744
07/18/06 09:44:19 [Note]: 7026 0
07/18/06 09:44:20 [Note]: 7026 0
07/18/06 09:45:17 [Note]: FSRAW library version 1.7.1019




Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32





Logfile of HijackThis v1.99.1
Scan saved at 10:17:28, on 18/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\BT Broadband 210\Help\bin\mpbtn.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\martyn jordan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tiscali
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~2\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 210\Help\bin\matcli.exe
O9 - Extra button: Spin Palace Poker - {3A56EF1B-B8B8-45f6-9F79-1CC1778B9091} - C:\Program Files\spinpalaceMPP\MPPoker.exe
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Program Files\Titan Poker\casino.exe
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tiscali.co.uk
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/c ... /tt4_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} (CWebLaunchCtl Object) - http://esupport.cf1live.com/esupport/st ... aunch2.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
bob1976
Active Member
 
Posts: 8
Joined: July 16th, 2006, 5:01 pm

Unread postby markkhunt » July 18th, 2006, 8:55 am

Hi, bob1976. I’m sorry you had trouble with WinPFind, but you don’t have to worry about getting a log from it. I’ve already seen enough. The last persistent file is finally gone, so my birthday present to you is to tell you that your logs look clean. Happy Birthday! :D How's the computer running? Are you experiencing any trouble?

Viruses, Adware, and Spyware are running rampant, but taking a few simple precautions can prevent many of them. Below, I have listed a number of recommendations for protecting your computer from future malware infections. Unfortunately, nothing can guarantee you will never become infected, but following these few simple steps can stave off the vast majority of spyware problems.

I highly recommend you regularly visit the Windows Update site and install all High Priority updates as soon as possible. I cannot stress enough how important this is. If you have not already, you may want to set up your computer to receive updates from Microsoft automatically. For instructions on enabling automatic updates, visit the Microsoft website.

1) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

2) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

3) When you use Internet Explorer, add another level of protection to your browser by blocking certain sites that are known to contain malware. IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. IE-SPYAD may be found here.

4) You already have antivirus software. Excellent! For your own protection, please be sure to run it regularly, and to keep it up-to-date.

5) I can’t see any signs of a firewall in any of your logs. You may be running the one that comes with Windows XP, but it only protects against incoming connections. It doesn’t stop anything that does get onto your system from “phoning home,”
markkhunt
Admin/Teacher Emeritus
 
Posts: 7913
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

brilliant

Unread postby bob1976 » July 18th, 2006, 12:29 pm

thanks ever so much for your help mark.. you really have gone above and beyond the call of duty... as i can't thank you personally i will make a donation... yours happy and clean bob
bob1976
Active Member
 
Posts: 8
Joined: July 16th, 2006, 5:01 pm

Unread postby markkhunt » July 18th, 2006, 3:59 pm

You're very welcome, Bob. I'm glad we could be of assistance to you.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. See Nellie2's blog here or post in our dedicated forum here
The infection you had was ......WareOut
markkhunt
Admin/Teacher Emeritus
 
Posts: 7913
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN