Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Please help! Ive got some very annoying issues!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Please help! Ive got some very annoying issues!

Unread postby quazzer » July 17th, 2007, 3:49 pm

Hi all.

I have used this website once before with an issue i had which was resolved very quickly, and i was most pleased and extremely thankful.

I have come across another problem and i'm sure i'm bugged, heres a list of my problems..

- When mouse is left for a short while, then the cursor won't move again unless you click a button. sounds stupid but its very annoying.

- I always get a pop-up window, http://www.beautyscreens.com i think, which is always annoying.

The main problem however is this...

- When I shut the computer down, I always get end program messages. The last one i had was 'end program - HIDDEN WINDOW', but I have had various ones over the last few months.

Would you be kind enough to help me out and look at my hijack ths log. I can't begin to tell you how thankful I would be...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:08, on 17/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

Many thanks!
quazzer
Regular Member
 
Posts: 76
Joined: January 21st, 2007, 3:49 pm
Location: South West
Advertisement
Register to Remove

Unread postby Katana » July 18th, 2007, 9:36 am

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please note that I am training, this means that any reply I give to you has to be checked first by an expert.
I apologize for any delay this might cause.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

Please can you post the entire HJT log for me to see :)
Last edited by Katana on July 18th, 2007, 10:39 am, edited 1 time in total.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby quazzer » July 18th, 2007, 9:44 am

Thank you very much!
quazzer
Regular Member
 
Posts: 76
Joined: January 21st, 2007, 3:49 pm
Location: South West

Unread postby Katana » July 18th, 2007, 10:46 am

Hi quazzer,

You are showing Two antivirus programs running, this is not recommended.
It can lead to conflicts leaving you unprotected, and also cause system instability.
AntiVir PersonalEdition Classic
AVG7

Please remove one and post back with the full HJT log

K'
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby quazzer » July 18th, 2007, 11:16 am

Hi Katana.

Just removed one. Didn't know that it was bad to run two :oops: . Anyway after uninstalling, I restarted my computer and ran hijackthis

Heres the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:24, on 18/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Oli\My Documents\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\Ofb1.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSIns ... cat_uid=11
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://oli-quarry.spaces.live.com//Phot ... nPUpld.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFF45BA-9C4B-4BA4-A17B-3B71EC8D917E}: NameServer = 62.241.163.200 62.241.162.201
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

--
End of file - 10839 bytes
quazzer
Regular Member
 
Posts: 76
Joined: January 21st, 2007, 3:49 pm
Location: South West

Unread postby Katana » July 19th, 2007, 1:42 pm

Hi Quazzer,

I see AVG AntiSpyware is installed, please make sure it is updated

Update AVG Anti-Spyware
  • Start AVG Anti-Spyware
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update succesfull message.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.



Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.


Please post the AVG log along with a fresh HJT log in your reply
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby quazzer » July 19th, 2007, 7:32 pm

Hi,

When I ran AVG, I had done the steps before to make sure it was set to quarantine, although when the scan had finished, it said 'delete' next to each error. I then did what you said by left clicking and changing to quarantine on that page, but when i applied all actions it said 'deleted' next to each item, so i don't know whether they were deleted or quarantined. anyway....
_______________________________________________________

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 00:26:47 20/07/2007

+ Scan result:



:mozilla.79:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.80:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.81:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.187:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.188:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.189:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.190:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.191:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.192:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.203:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.52:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.53:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.54:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.55:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.182:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.110:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.206:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.207:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.258:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.282:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Intelli-direct : Cleaned.
:mozilla.144:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Oli\Cookies\oli@real[1].txt -> TrackingCookie.Real : Cleaned.
:mozilla.45:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.46:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.47:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.48:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.49:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.50:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.175:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.204:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.205:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.77:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.25:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.26:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.27:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.28:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.29:C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Oli\Cookies\oli@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end
__________________________________________________________

HijackThis Log file...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:31:47, on 20/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Oli\My Documents\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\Ofb1.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSIns ... cat_uid=11
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://oli-quarry.spaces.live.com//Phot ... nPUpld.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFF45BA-9C4B-4BA4-A17B-3B71EC8D917E}: NameServer = 62.241.163.200 62.241.162.201
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

--
End of file - 10960 bytes
quazzer
Regular Member
 
Posts: 76
Joined: January 21st, 2007, 3:49 pm
Location: South West

Unread postby Katana » July 20th, 2007, 12:40 am

Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby quazzer » July 20th, 2007, 7:24 am

Here It is...

µTorrent
ACE-HIGH Text To Speech Reader V1.30 Build 030220
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Stock Photos 1.0
Alcohol 52%
ASAPI Update
ASIO4ALL
Audacity 1.2.6
AVG 7.5
AVG Anti-Rootkit Free
AVG Anti-Spyware 7.5
CCleaner (remove only)
Creative Audio Console
Digimax Master
Disc2Phone
Dr SpeedTouch
Enigma
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
hp deskjet 5550 series (Remove only)
hp print screen utility
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
Java(TM) SE Runtime Environment 6 Update 1
Lernout & Hauspie TruVoice American English TTS Engine
LimeWire 4.12.11
MA_CMIDI
MediaShow 3.0
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Standard Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.2)
Mozilla Firefox (2.0.0.4)
MSXML 4.0 SP2 (KB927978)
Music Cleaning Studio
Nero 7
NVIDIA Drivers
PhotoNow! 1.0
Power2Go 4.0
PowerBackup 1.0
PowerCinema 4.0
PowerDirector Express
PowerDVD
PowerDVD Copy 1.0
PowerProducer
PowerStarter
QuickTime
RealPlayer
Reason 3.0
Registry Mechanic 6.0
rgc:audio sfz VSTi v1.96
rgcAudio z3ta Plus v1.40
Samsung USB Driver
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB939373)
Sound Blaster X-Fi Xtreme Audio
SpeedTouch 330
SpeedTouch USB Software
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WatchinEye_screensaver_1
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB908250
WinRAR archiver
Yahoo! Messenger
Yahoo! Toolbar
quazzer
Regular Member
 
Posts: 76
Joined: January 21st, 2007, 3:49 pm
Location: South West

Unread postby Katana » July 21st, 2007, 1:26 am

Hi Quazzer,

I see Enigma in your programs list, which program do you have ?
I also see WatchinEye_screensaver_1 I can find no information on this, where did you get it from ?
I ask this because the popup you mention is for a screensaver site.

You are running a P2P filesharing program.
  • Many of these programs come with unwanted components bundled with them.
  • If you wish to find out whether the one you're using does click here.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.


My recommendation is you uninstall it.

Please note: you must NOT use this whilst we are cleaning your machine.



Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb1\Ofb1.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSIns ... cat_uid=11
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe

O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Delete Files and Folders
( you may need to show hidden files and folders. See HERE for help)
Find and delete the following Files and Folders if present
C:\Program Files\Ofb1 <<< This Folder


Kaspersky Online Scanner .

Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • kaspersky log
  • A fresh HJT log (after all the above has been done )
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby quazzer » July 21st, 2007, 10:01 am

Hi Katana,

In response to your questions, the enigma program is for an axiom midi keyboard which allows you to configurate the piece of hardware. I have to be honest now. The screensaver I downloaded was from a pop-up and i suppose I was stupid enough to download off of it, having said that though, the screensavers actually quite nice, but do you think I should uninstall it to stop the pop-up?

I did eveything you stated, so here it goes...

Kaspersky Log...


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 21, 2007 2:51:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/07/2007
Kaspersky Anti-Virus database records: 366099
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 114509
Number of viruses found: 2
Number of infected objects: 3 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:53:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\cert8.db Object is locked skipped
C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\history.dat Object is locked skipped
C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\key3.db Object is locked skipped
C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\parent.lock Object is locked skipped
C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Oli\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Oli\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Identities\{56BBEF71-70BA-419E-9ED2-9E4E9F5A2CF0}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Identities\{56BBEF71-70BA-419E-9ED2-9E4E9F5A2CF0}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Application Data\Mozilla\Firefox\Profiles\3fn92tio.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\History\History.IE5\MSHist012007072120070722\index.dat Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Temp\Perflib_Perfdata_f0c.dat Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Temp\~DFEAFA.tmp Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Oli\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Oli\ntuser.dat Object is locked skipped
C:\Documents and Settings\Oli\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Oli.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Oli.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Oli.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7159C566-B27D-45B5-9001-47F14422CFC9}\RP117\A0024502.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{7159C566-B27D-45B5-9001-47F14422CFC9}\RP117\A0024503.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{7159C566-B27D-45B5-9001-47F14422CFC9}\RP203\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{FF9274B8-9A16-4E8D-B46E-A339D7442614}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

HijackThis Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:59:56, on 21/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Oli\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] "C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://oli-quarry.spaces.live.com//Phot ... nPUpld.cab
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://E:\SuperCD\IntraLaunch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AFF45BA-9C4B-4BA4-A17B-3B71EC8D917E}: NameServer = 62.241.162.200 62.241.163.201
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: M-Audio CMIDI Installer (MA_CMIDI_InstallerService) - Unknown owner - C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe

--
End of file - 10043 bytes

Also after doing the hijack this procedure I now have a backup file on my desktop. What would you recommend me to do with this?

Many thanks
quazzer
Regular Member
 
Posts: 76
Joined: January 21st, 2007, 3:49 pm
Location: South West

Unread postby Katana » July 22nd, 2007, 4:53 am

Hi Quazzer,
I have to be honest now. The screensaver I downloaded was from a pop-up and i suppose I was stupid enough to download off of it, having said that though, the screensavers actually quite nice, but do you think I should uninstall it to stop the pop-up?

Were you getting pop-ups before you installed it ??
Do you still have the install file for the screen saver ?

Also after doing the hijack this procedure I now have a backup file on my desktop.

You moved HiJackThis.exe !!
I would recommend that you create a new folder on your C:/ drive called HJT,
move HiJackThis.exe along with the backup file/folder into the new folder ( just Drag and Drop ).
After you have moved HiJackThis.exe right click it and select Send to Desktop >> Create Shortcut

Delete Files and Folders
( you may need to show hidden files and folders. See HERE for help)
Find and delete the following Files and Folders if present
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll <<<< This File


Download and Run ComboFix

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall


How is it running now ?
please post the ComboFix log along with the answers in your reply

K'
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby quazzer » July 22nd, 2007, 4:09 pm

Were you getting pop-ups before you installed it ??

I don't know to be honest. Really can't remember. I don't think so though. I only got the pop up asking me to download this screensaver.
Do you still have the install file for the screen saver ?

No I deleted it after installing. The screen saver program is displayed in my 'all programs' list, and has an uninstall option for it.
You moved HiJackThis.exe !!

oops sorry, didn't know that was a bad thing to do. I just moved it from the desktop to my documents. But I have now done what you said, and created a folder in programs.
Delete Files and Folders

Have deleted the stated plugin now. Thanks.

And heres the combofix log:-

"Oli" - 2007-07-22 20:48:36 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmp40.tmp


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-22 20:48 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-22 12:20 <DIR> d-------- C:\Program Files\HJT
2007-07-21 13:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-17 21:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-17 00:42 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-07-09 13:34 <DIR> d-------- C:\Program Files\Vstplugins
2007-07-03 17:11 <DIR> d-------- C:\WINDOWS\lhsp
2007-07-03 17:10 <DIR> d-------- C:\WINDOWS\speech
2007-07-03 17:10 <DIR> d-------- C:\Program Files\attsr
2007-06-28 13:10 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-06-28 13:02 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-28 01:25 <DIR> d-------- C:\Program Files\MyProduct
2007-06-24 23:37 <DIR> d-------- C:\WINDOWS\Cache
2007-06-24 23:36 83,968 --a------ C:\WINDOWS\system32\Skbase40.dll
2007-06-24 23:36 8,704 --a------ C:\WINDOWS\system32\vidccleaner.exe
2007-06-24 23:36 552,960 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-24 23:36 217,088 --a------ C:\WINDOWS\system32\skjpeg40.dll
2007-06-24 23:36 159,744 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-06-24 23:36 <DIR> d-------- C:\Program Files\Samsung
2007-06-23 15:49 <DIR> d-------- C:\Program Files\Viewpoint
2007-06-23 15:49 <DIR> d-------- C:\DOCUME~1\Oli\APPLIC~1\Viewpoint
2007-06-23 15:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-06-22 09:35 514,999 --a------ C:\WINDOWS\system32\WatchinEye_screensaver_1.Scr


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-22 19:45:10 -------- d-----w C:\Program Files\SpywareBlaster
2007-07-20 11:07:03 -------- d-----w C:\Program Files\Cakewalk
2007-07-14 13:23:19 -------- d-----w C:\DOCUME~1\Oli\APPLIC~1\uTorrent
2007-06-28 00:19:46 -------- d-----w C:\DOCUME~1\Oli\APPLIC~1\LimeWire
2007-06-24 22:36:36 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-13 14:38:54 -------- d-----w C:\Program Files\M-Audio
2007-06-13 14:38:53 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-12 15:26:35 -------- d-----w C:\Program Files\ASIO4ALL v2
2007-06-12 14:31:10 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-06-12 14:31:10 114,688 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-06-12 13:56:19 -------- d-----w C:\Program Files\Creative
2007-06-12 11:51:28 -------- d-----w C:\Program Files\M-Audio MA_CMIDI
2007-05-31 00:11:41 -------- d-----w C:\DOCUME~1\Oli\APPLIC~1\Cakewalk
2007-05-25 13:22:10 -------- d-----w C:\DOCUME~1\Oli\APPLIC~1\Ableton
2007-05-24 15:18:38 -------- d-----w C:\Program Files\rgcaudio software
2007-05-23 12:13:16 -------- d-----w C:\DOCUME~1\Oli\APPLIC~1\Steinberg
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-26 13:40:18 0 ----a-w C:\DOCUME~1\Oli\APPLIC~1\wklnhst.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
2006-08-31 20:33 322368 --a------ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-02 10:10]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 19:21]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 19:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 C:\WINDOWS\system32\ptipbmf.dll]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 10:56]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2007-02-13 19:43]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-22 13:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-13 21:52]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2006-10-30 14:12]
"P17Helper"="SPIRun.dll" [2006-07-03 12:43 C:\WINDOWS\system32\SPIRun.dll]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 15:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 17:14]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 13:49]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 13:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-22 20:50:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
P17Helper = Rundll32 SPIRun.dll,RunDLLEntry?
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????????????|?@?|?@?D??????w???????????????w|?@?|?@????? ???????????g??w???w???????w???wx??????????w???????? ??????????????|x???0???????????? st???w?????????????????X??e???M???????|?@?|?@????????w??????@?????|?@?H?@?|?@?3??s????????????????????H?@?_??sH?@?H?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-22 20:50:31
C:\ComboFix-quarantined-files.txt ... 2007-07-22 20:50

--- E O F ---
quazzer
Regular Member
 
Posts: 76
Joined: January 21st, 2007, 3:49 pm
Location: South West

Unread postby Katana » July 23rd, 2007, 12:50 am

Hi Quazzer,

Nothing jumps out from that log as "bad",

Do you know what the following folders relate to ?
C:\Program Files\MyProduct
C:\Program Files\Cakewalk
C:\Documents and Settings\Oli\Application Data\Cakewalk
C:\Documents and Settings\Oli\Application Data\Ableton
C:\Documents and Settings\Oli\Application Data\Steinberg


If not could you please have a look in them and make a list of any files they contain
( DO NOT open/run any files if you don't know what they are !! )
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Unread postby quazzer » July 23rd, 2007, 7:55 am

C:\Program Files\MyProduct

This folder has the uninstall for the screensaver. Should I uninstall it? Since I'm still getting the pop up window.

C:\Program Files\Cakewalk
C:\Documents and Settings\Oli\Application Data\Cakewalk
C:\Documents and Settings\Oli\Application Data\Ableton
C:\Documents and Settings\Oli\Application Data\Steinberg


I have deleted these folders now. These are music software applications, which I had removed.

Since I've been following instructions from you, I have now got my firewall alert popping up for programs such as msn messenger. this didn't happen before, but I guess its just re-applying the blocking and un-blocking function. am I right?

Unfortunately my mouse is still freezing and like I said before, that pop keeps opening in a new window now and again.

Thank you very much so far though for taking your time to help me. MUCH appreciated.
quazzer
Regular Member
 
Posts: 76
Joined: January 21st, 2007, 3:49 pm
Location: South West
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 298 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware