New Hijackthis log for your help please


Re: New Hijackthis log for your help please

Post by chryssi2001 » June 5th, 2008, 2:39 pm

Hi, remove Combofix and CF-Script from your desktop please.

We will re-install. I will give you another fix.

I will be back in a few minutes.

Re: New Hijackthis log for your help please

Unread postby chryssi2001 » June 5th, 2008, 3:01 pm

Hello DJGarry, I am back :)

Let's hope this will work now. ;)

Download Combofix again (at your Desktop) using one of the links below:
(Updated version)

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
----------------------------------------------
Safe Mode

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.
Go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Right click & choose to run Hijackthis as Administrator.
Place a checkmark next to these lines (if still present).

O2 - BHO: (no name) - {81AA6A16-B8CA-43C4-A347-A487764FF528} - C:\Windows\system32\ssqNHyax.dll
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll


Then close all windows except Hijackthis and click Fix Checked.
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=31196&st=0&sk=t&sd=a&start=15
    
    Collect::
    C:\Windows\System32\fcccbaWp.dll
    C:\Windows\System32\xxyabyaB.dll
    C:\Windows\System32\hgGxYSIB.dll
    C:\Windows\System32\ssqNHyax.dll
    C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll
    C:\Users\Garry\AppData\Local\Temp\fjcbfjgk.dll
    C:\Users\Garry\AppData\Local\Temp\wabvcduq.dll
    
    File::
    C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Garry.job
    
    Folder::
    C:\ProgramData\Symantec
    c:\PROGRA~1\NORTON~1
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81AA6A16-B8CA-43C4-A347-A487764FF528}]
    
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Note: If CF-Script refuses to run, just run Combofix by double-clicking on it.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Now in Normal mode.

Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html and click the Accept button at the end of the page.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset the zoom to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply.
----------------------------------------------
Run HijackThis again.
----------------------------------------------
Post back:
Combofix report.
Kaspersky report.
A new HijackThis log.
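As an added example (not from the thread and not part of ComboFix), this Python script splits the CFScript posted above into its sections and lists what running it would touch, so the script can be reviewed before it runs. The section meanings are ComboFix's documented ones (Collect:: packages files for submission, File:: and Folder:: delete, Registry:: takes .reg-style lines where [-KEY] deletes KEY); the '~' in the registry path is ComboFix shorthand and is left as written.

```python
"""Split a ComboFix CFScript into sections and produce a pre-run review.

Added example; it is not from the forum post and not part of ComboFix. The
sample below is the script posted in the thread. Section meanings follow
ComboFix's published script conventions (Collect:: packages files for
submission, File:: and Folder:: delete, Registry:: holds .reg-style lines
where [-KEY] deletes KEY); the '~' in the registry path is ComboFix shorthand
and is left unexpanded here.
"""
import re
from collections import Counter, OrderedDict

SAMPLE_CFSCRIPT = r"""http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=31196&st=0&sk=t&sd=a&start=15

Collect::
C:\Windows\System32\fcccbaWp.dll
C:\Windows\System32\xxyabyaB.dll
C:\Windows\System32\hgGxYSIB.dll
C:\Windows\System32\ssqNHyax.dll
C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll
C:\Users\Garry\AppData\Local\Temp\fjcbfjgk.dll
C:\Users\Garry\AppData\Local\Temp\wabvcduq.dll

File::
C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Garry.job

Folder::
C:\ProgramData\Symantec
c:\PROGRA~1\NORTON~1

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81AA6A16-B8CA-43C4-A347-A487764FF528}]
"""

KNOWN_SECTIONS = {"Collect", "File", "Folder", "Registry"}
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")
# .reg-style key line: a leading '-' inside the brackets means "delete this key".
REG_KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>HKEY_[A-Z_]+\\.+)\]$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
VERBS = {"Collect": "quarantine", "File": "delete-file", "Folder": "delete-folder"}


def parse_cfscript(text):
    """Return (marker, sections): marker is the thread URL on the first line
    (None if absent); sections maps each section name to its entries in order.
    Raises ValueError on an unknown section or an entry outside any section."""
    marker, sections, current = None, OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m["name"]
            if current not in KNOWN_SECTIONS:
                raise ValueError("unknown section %r" % current)
            sections.setdefault(current, [])
        elif current is None and marker is None and line.lower().startswith("http"):
            marker = line
        elif current is None:
            raise ValueError("entry outside any section: %r" % line)
        else:
            sections[current].append(line)
    return marker, sections


def review(sections):
    """List every action the script will take, tagging the ones a reviewer
    looks at first: payloads in the user's Temp folder and registry key
    deletions."""
    actions = []
    for sec, entries in sections.items():
        for entry in entries:
            if sec == "Registry":
                m = REG_KEY_RE.match(entry)
                if m is None:
                    actions.append(("registry", "value-line", entry))
                else:
                    kind = "delete-key" if m["delete"] else "create-key"
                    actions.append(("registry", kind, m["key"]))
            else:
                tag = "temp-dir" if TEMP_RE.search(entry) else "fixed-path"
                actions.append((VERBS[sec], tag, entry))
    return {
        "actions": actions,
        "counts": dict(Counter(verb for verb, _, _ in actions)),
        "temp_dir_entries": [e for _, tag, e in actions if tag == "temp-dir"],
        "registry_key_deletions": [e for _, tag, e in actions if tag == "delete-key"],
    }


if __name__ == "__main__":
    marker, sections = parse_cfscript(SAMPLE_CFSCRIPT)
    print("marker:", marker)
    for verb, tag, target in review(sections)["actions"]:
        print("%-14s %-11s %s" % (verb, tag, target))
```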

Re: New Hijackthis log for your help please

Post by DJGarry » June 6th, 2008, 11:43 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 4:35:05 PM
Operating System: Microsoft Windows Vista Home Edition, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 833663
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 130981
Number of viruses found: 5
Number of infected objects: 62
Number of suspicious objects: 0
Duration of the scan process: 02:10:56

Infected Object Name / Virus Name / Last Action
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office.en-us/OfficeMUI.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office.en-us/OfficeMUI.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office.en-us/OfficeMUISet.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office.en-us/OfficeMUISet.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office64.en-us/Office64MUI.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office64.en-us/Office64MUI.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office64.en-us/Office64MUISet.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office64.en-us/Office64MUISet.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.en/Proof.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.en/Proof.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.es/Proof.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.es/Proof.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.fr/Proof.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.fr/Proof.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proofing.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proofing.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Rosebud.en-us/RosebudMUI.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Rosebud.en-us/RosebudMUI.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/setup.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/setup.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.en-us/WebDesignerMUI.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.en-us/WebDesignerMUI.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.WW/Office64WW.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.WW/Office64WW.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.WW/WebDesignerWW.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.WW/WebDesignerWW.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar RAR: infected - 26 skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\! CDRoller v7.00 - Crack Included\CDRoller700_en.exe/data0000.cab/update.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\! CDRoller v7.00 - Crack Included\CDRoller700_en.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.Virtumonde.qpu skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\! CDRoller v7.00 - Crack Included\CDRoller700_en.exe Rsrc-Package: infected - 2 skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office.en-us/OfficeMUI.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office.en-us/OfficeMUI.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office.en-us/OfficeMUISet.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office.en-us/OfficeMUISet.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office64.en-us/Office64MUI.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office64.en-us/Office64MUI.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office64.en-us/Office64MUISet.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Office64.en-us/Office64MUISet.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.en/Proof.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.en/Proof.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.es/Proof.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.es/Proof.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.fr/Proof.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proof.fr/Proof.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proofing.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Proofing.en-us/Proofing.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Rosebud.en-us/RosebudMUI.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/Rosebud.en-us/RosebudMUI.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/setup.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/setup.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.en-us/WebDesignerMUI.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.en-us/WebDesignerMUI.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.WW/Office64WW.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.WW/Office64WW.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.WW/WebDesignerWW.exe/update.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar/Microsoft Expression Web (FrontPage 2007)/WebDesigner.WW/WebDesignerWW.exe Infected: Trojan.Win32.Monder.ld skipped
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar RAR: infected - 26 skipped
C:\Users\Garry\Desktop\[4]-Submit_2008-06-06@1.18.zip/rQhEwUNg.dll Infected: Trojan.Win32.Monder.gen skipped
C:\Users\Garry\Desktop\[4]-Submit_2008-06-06@1.18.zip ZIP: infected - 1 skipped
C:\Users\Garry\Downloads\Nero-8.1.1.0b_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Users\Garry\Downloads\Nero-8.1.1.0b_eng_trial.exe 7-Zip: infected - 1 skipped
D:\My Music\Limewire Shared\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35, on 2008-06-06
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Users\Garry\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\Windows\TEMP\E_S9CFA.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/ ... 586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9792 bytes
DJGarry
Regular Member
 
Posts: 55
Joined: May 30th, 2008, 11:05 am
Location: UK

Re: New Hijackthis log for your help please

Unread postby chryssi2001 » June 6th, 2008, 12:51 pm

Hello DJGarry,

I need the Combofix report please.
----------------------------------------------
For now please read this - http://malwareremoval.com/forum/viewtopic.php?t=550

Your Kaspersky log shows evidence of illegally copied/pirated software present on your hard drive.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following folders/files. Right-click and remove them all.

C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\! CDRoller v7.00 - Crack Included
C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar
C:\Users\Garry\Downloads\Nero-8.1.1.0b_eng_trial.exe

If D:\ is an external hard drive, a USB stick or an iPod, please connect it to the pc and remove this song, as it's infected.
D:\My Music\Limewire Shared\Eighties classic.wma

C:\Users\Garry\Desktop\[4]-Submit_2008-06-06@1.18.zip << remove this also if it's submitted.
Otherwise submit and then delete it.
----------------------------------------------
Confirm that the above are deleted.
----------------------------------------------
Post back:
Combofix report.
Is the pc running better now?
chryssi2001

Re: New Hijackthis log for your help please

Unread postby DJGarry » June 6th, 2008, 2:19 pm

C:\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar
Not present. The program uses another save destination (Virtual Store).


C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\! CDRoller v7.00 - Crack Included
Deleted


C:\Users\Garry\AppData\Local\VirtualStore\Program Files\BitLord\Downloads\Microsoft Expression Web (FrontPage 2007).rar
Deleted


C:\Users\Garry\Downloads\Nero-8.1.1.0b_eng_trial.exe
Deleted


D:\My Music\Limewire Shared\Eighties classic.wma
Deleted

C:\Users\Garry\Desktop\[4]-Submit_2008-06-06@1.18.zip << remove this also if it's submitted.
Don't know if this has been submitted or not, but it's not present.


The laptop does seem to be running lots better now.
It still has a slight issue in booting up sometimes... hangs on a black screen just after the little welcome tune occasionally.
I have to hold down the power button to get it to turn off.

When it does reboot ok I usually get an error message that says:

Windows Logon User Interface Host stopped working and was closed
followed by a system tray message saying that it was the Data Execution Prevention that closed it.

I quite often have problems getting some new programs to run. Downloaded .exe files are probably the worst. I think it's some sort of permissions thing to keep the pc protected, but maybe its settings are too high.
Don't know if that's anything you can fix or not.


Anyway,
Here's the Combofix report:



ComboFix 08-06-05.3 - Garry 2008-06-06 9:42:41.4 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1638 [GMT 1:00]
Running from: C:\Users\Garry\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Users\Garry\AppData\Local\Temp\rQhEwUNg.dll
C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Garry.job
C:\ProgramData\Symantec . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 01:28 13,025 ----a-w C:\Users\Garry\AppData\Roaming\nvModes.dat
2008-06-05 19:00 --------- d-----w C:\Users\Garry\AppData\Roaming\Skype
2008-06-05 18:23 --------- d-----w C:\Users\Garry\AppData\Roaming\skypePM
2008-06-05 18:23 --------- d-----w C:\Users\Garry\AppData\Roaming\OpenOffice.org2
2008-06-05 12:05 --------- d-----w C:\Users\Garry\AppData\Roaming\AVG7
2008-06-03 22:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-03 22:27 --------- d-----w C:\PROGRA~2\Symantec
2008-06-03 11:35 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 11:56 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-26 11:54 --------- d-----w C:\PROGRA~2\Spybot - Search & Destroy
2008-05-19 10:29 5,642 --sha-w C:\Windows\System32\KGyGaAvL.sys
2008-05-18 20:36 --------- d-----w C:\Program Files\THQ
2008-05-18 20:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-14 14:52 --------- d-----w C:\Users\Garry\AppData\Roaming\Corel
2008-05-14 14:43 --------- d-----w C:\Program Files\Common Files\Corel
2008-05-14 14:41 --------- d-----w C:\Program Files\Corel
2008-05-14 10:43 --------- d-----w C:\Program Files\Windows Mail
2008-05-13 13:52 --------- d-----w C:\Program Files\Yamp 2.3
2008-04-29 22:46 691,545 ----a-w C:\Windows\unins000.exe
2008-04-15 12:07 --------- d-----w C:\PROGRA~2\EPSON
2008-04-15 11:43 --------- d-----w C:\Program Files\epson
2008-04-04 13:26 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-04 13:26 32 ----a-w C:\PROGRA~2\ezsid.dat
2008-03-13 18:53 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-03-08 04:30 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:30 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:30 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:30 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 04:30 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-03-08 00:37 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-03-08 00:22 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-10-13 17:54 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-06-04_16.18.20.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 15:07:27 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-06-06 08:36:40 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-06-04 15:09:18 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-06 08:35:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-06-06 08:35:44 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-06-04 15:17:29 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-06 08:35:44 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-06-06 08:35:44 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-06-04 10:41:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-05 14:32:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-04 10:41:11 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-05 14:32:17 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-04 10:41:11 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-05 14:32:17 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-04 15:14:01 108,526 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-06-06 08:40:55 107,332 ----a-w C:\Windows\System32\perfc009.dat
- 2008-06-04 15:14:01 623,342 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-06-06 08:40:55 621,746 ----a-w C:\Windows\System32\perfh009.dat
- 2008-06-04 15:09:59 14,108 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3213793974-2534403334-2120894616-1000_UserData.bin
+ 2008-06-05 18:23:45 14,188 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3213793974-2534403334-2120894616-1000_UserData.bin
- 2008-06-04 15:09:59 66,976 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-06-05 18:23:45 67,190 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-06-04 15:09:59 60,752 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-05 18:23:44 60,940 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:35 125440]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 16:35 202024]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2007-12-14 20:31 1637312]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-06 18:37 21898024]
"EPSON Stylus DX4400 Series"="C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-01-25 07:00 179200]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 19:57 3784704 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 20:00 815104]
"Acer Tour"="" []
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-20 21:50 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-20 21:50 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-20 21:50 81920]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-03 02:58 464168]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [2006-12-21 01:02 659456]
"eRecoveryService"="" []
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 21:48 57344]
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-01-14 19:38 151552]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 03:31 36352]
"AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [1999-04-12 01:00 203264]
"Creative Launcher"="C:\Program Files\Creative\Launcher\CTLauncher.exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 10:51 1836328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"pdfSaver3"="" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-19 08:53 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 16:27 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Corel Photo Downloader"="C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-08-28 12:00 531272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="" []
"GrpConv"="grpconv -o" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 18:04 219136]

C:\Users\Garry\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\Users\Garry\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-24 18:00 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C1990356-814B-4F86-B2DC-14464FAD9AE5}"= UDP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{2B755953-EFE3-41CF-9C65-416CBCFDC842}"= TCP:C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{DF10B9AE-A742-4E36-AD58-DC079F98D0C9}"= C:\Program Files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

S3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 10:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74eb9dd2-e5f6-11dc-9a85-0016d354dfda}]
\shell\AutoRun\command - F:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 09:46:09
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-06 9:46:59
ComboFix-quarantined-files.txt 2008-06-06 08:46:51
ComboFix2.txt 2008-06-05 14:04:06
ComboFix3.txt 2008-06-05 12:53:42
ComboFix4.txt 2008-06-04 15:18:58

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

171 --- E O F --- 2008-05-30 02:02:47
DJGarry

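The "Reg Loading Points" block of the ComboFix report above is where a helper looks for autostart and policy changes. The Python script below is an added example, not part of this thread and not a ComboFix component: it parses a block in that REGEDIT4-style layout and lists the entries a helper would review, namely Security Center notification and monitoring switches set to 1 (these silence Windows' own firewall, antivirus and update warnings and are commonly set by a third-party suite, so they are worth a look once that suite has been uninstalled), a non-empty AppInit_DLLs value, a removable-drive AutoRun command under mountpoints2, and Run values that point to nothing. The sample block is constructed from the shapes of lines in the report, and the finding labels are the example's own.

```python
"""Review a ComboFix 'Reg Loading Points' block (added example; not a ComboFix tool)."""
import re

# Constructed sample in the shape of the report's Reg Loading Points section.
SAMPLE_REG_POINTS = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{74eb9dd2-e5f6-11dc-9a85-0016d354dfda}]
\shell\AutoRun\command - F:\setupSNK.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-10 04:01 1232896]
"Acer Tour"="" []
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')    # "name"=value


def parse_reg_points(text):
    """Return {key: [(name, value), ...]}.  Lines under a key that are not
    "name"=value pairs (e.g. the mountpoints2 AutoRun command) get name None."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        keys[current].append((m.group(1), m.group(2)) if m else (None, line))
    return keys


def dword(value):
    """Decode a REGEDIT4 'dword:XXXXXXXX' value; None if it is not one."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", value)
    return int(m.group(1), 16) if m else None


def review_reg_points(text):
    """Return a list of (label, key, detail) tuples for entries worth a helper's look.
    The labels are this example's own, not ComboFix vocabulary."""
    findings = []
    for key, values in parse_reg_points(text).items():
        lk = key.lower()
        for name, value in values:
            if ("security center" in lk and name
                    and (name.endswith("DisableNotify") or name == "DisableMonitoring")
                    and dword(value) == 1):
                findings.append(("security-center-silenced", key, name))
            elif "mountpoints2" in lk and name is None and "autorun" in value.lower():
                findings.append(("removable-media-autorun", key, value))
            elif name == "AppInit_DLLs" and value.strip():
                findings.append(("appinit-dll", key, value.strip()))
            elif lk.endswith("\\run") and value.startswith('""'):
                findings.append(("orphaned-run-entry", key, name))
    return findings


if __name__ == "__main__":
    for label, key, detail in review_reg_points(SAMPLE_REG_POINTS):
        print(f"{label:26} {key}\n{'':26} {detail}")
```

On the sample the script reports four silenced Security Center switches, the AppInit_DLLs entry, the AutoRun command on the removable drive and the empty "Acer Tour" Run value; each is a prompt to check provenance, not a verdict, which is the same stance the helper takes with the ComboFix output.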
Re: New Hijackthis log for your help please

Unread postby chryssi2001 » June 6th, 2008, 3:00 pm

Hello DJGarry,

The problems you described are not related to the infections you had on your pc.

See the forums below for general troubleshooting of computers, and post there for help after we finish here.

http://forums.whatthetech.com/forums.html
http://www.techguy.org/
http://www.bleepingcomputer.com/forums/

You can post a link to this thread, so they will see what we've done to clean your pc.
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 6 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u6-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
----------------------------------------------
I can't see any firewall in your HijackThis log, so I assume you use Windows Firewall.

FIREWALL
Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient, but it only controls one direction of traffic (inbound). Simply using a firewall in its default configuration can lower your risk greatly. It's preferable to install one of the suggested firewalls.
Vista users must check compatibility with Vista before installation.

FREE FIREWALLS
Tutorial about Firewalls can be found here
----------------------------------------------
Post back:
A new HijackThis log.
chryssi2001

Re: New Hijackthis log for your help please

Unread postby DJGarry » June 6th, 2008, 3:12 pm

Ok, I'll look at the sites you mentioned later. I'm off out in a bit... Friday night and all that... but will sort those and Java out then.

As for the firewall, I never usually run with just Windows Firewall. Norton (that I uninstalled) had a firewall with it that I was using. I've always used ZoneAlarm on all my other PCs and only kept Norton on here for the firewall really.
I'm going to uninstall AVG7 and upgrade to AVG8, install ZoneAlarm and sort out Java too (tomorrow, as I'll probably have had too many beers to get it right later tonight).

Next post will have a new HijackThis log.

Cheers, Garry
DJGarry

Re: New Hijackthis log for your help please

Unread postby DJGarry » June 6th, 2008, 3:13 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11, on 2008-06-06
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Garry\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wermgr.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 2027 bytes
DJGarry

Re: New Hijackthis log for your help please

Unread postby chryssi2001 » June 7th, 2008, 1:00 am

Hi DJGarry,

The HijackThis log you posted is not complete.
Did you close HijackThis before it finished?
See the other HijackThis log you posted and you will see what I mean. The one you posted has only processes and O23 lines.
All the rest of the lines are missing.
----------------------------------------------
It seems that Symantec is still on your pc, and even though I tried to remove it, it's still there. It still shows in 2 locations:

C:\ProgramData\Symantec . . . . failed to delete
C:\PROGRA~2\Symantec << as I don't have a Vista pc, the part PROGRA~2 might be PROGRAM FILES or PROGRAMS AND FEATURES.

Are there more users than 1 on this pc? If yes Symantec might be installed in the 2nd user account.

REMOVE PROGRAMS-VISTA
  • Go to start > control panel > programs and features.
  • Right click on each instance of:

    Symantec
  • Click Uninstall & then follow the prompts to remove it.

In addition to that, please click HERE and follow the instructions to download and run the Norton removal tool for your own version.

Also make a search for "Symantec" using Start > Run > Search for Files and Folders and remove any remnants.
----------------------------------------------
Post back a proper HijackThis log, after you update java, and let me know if you found Symantec and removed it.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
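The helper's point above, that a HijackThis log with only a "Running processes" block and O23 service lines is truncated, can be checked mechanically. The following is an added example (not code from the thread or from HijackThis itself): it parses the log layout shown in this thread into header fields, running processes and typed entries, then applies the same "only O23 lines present" rule as a heuristic. The two sample logs are constructed for the example, and the completeness rule is the helper's criterion as I interpreted it, not a HijackThis feature.

```python
"""Parse a HijackThis v2 log into header, running processes and typed entries,
then apply the completeness heuristic a forum helper applies by eye."""
import re
from collections import Counter

# One entry line: a type code (R0-R3, F0-F3, N1-N4, O1-O24) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Constructed sample logs (same layout as the thread's logs; every entry is made up).
COMPLETE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37, on 2008-06-08
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Example\example.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
O23 - Service: Example Service - Example Ltd - C:\Program Files\Example\svc.exe

--
End of file - 512 bytes
"""

# Constructed truncated log: header, processes and O23 lines only, as in the post above.
TRUNCATED_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:11, on 2008-06-06
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE

O23 - Service: Example Service - Example Ltd - C:\Program Files\Example\svc.exe

--
End of file - 300 bytes
"""


def parse_hjt_log(text):
    """Split a HijackThis log into header dict, process list, (type, body) entries and EOF flag."""
    header, processes, entries = {}, [], []
    end_of_file = False
    section = "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if section == "header":
            if line == "Running processes:":
                section = "processes"
            elif line.startswith("Logfile of "):
                header["tool"] = line[len("Logfile of "):]
            elif line.startswith("Scan saved at "):
                header["scan"] = line[len("Scan saved at "):]
            else:
                key, sep, val = line.partition(": ")
                if sep:  # blank lines have no separator and are skipped
                    header[key] = val
            continue
        if section == "processes":
            if line == "":  # the process block ends at the first blank line
                section = "entries"
            else:
                processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("type"), match.group("body")))
        elif line.startswith("End of file"):
            end_of_file = True
    return {"header": header, "processes": processes,
            "entries": entries, "end_of_file": end_of_file}


def entry_counts(parsed):
    """Number of entries per HijackThis type code, e.g. Counter({'O4': 27, 'O23': 15})."""
    return Counter(entry_type for entry_type, _ in parsed["entries"])


def check_completeness(parsed):
    """Heuristic (mine, not HijackThis's): flag logs that look cut off before the entry sections."""
    problems = []
    if not parsed["processes"]:
        problems.append("no running-processes section")
    if not parsed["end_of_file"]:
        problems.append("no 'End of file' marker")
    if all(entry_type == "O23" for entry_type in entry_counts(parsed)):
        problems.append("only O23 service entries present; R/O2/O3/O4 sections are missing")
    return problems


if __name__ == "__main__":
    for label, log in (("complete", COMPLETE_LOG), ("truncated", TRUNCATED_LOG)):
        parsed = parse_hjt_log(log)
        print(label, dict(entry_counts(parsed)), check_completeness(parsed) or "looks complete")
```

Note that the truncated sample still carries an "End of file" marker, exactly like the log posted in this thread, so the marker alone is not enough to judge completeness; the absence of every entry type other than O23 is what gives it away.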

Re: New Hijackthis log for your help please

Unread postby DJGarry » June 8th, 2008, 8:44 am

Hi.

Don't know why the hijack log was incomplete. New one in a minute.......

I did use the removal tool from Symantec to get rid of it before. What was left was just a couple of file folders from the Program Files directory. Don't know why it missed them. I deleted them anyway. No sign of anything else on the laptop... did a scan and it seemed clear now.

There is only one user on this pc.



AVG now on v8, Java on v6 u6, pc seems much better now. No more popups, freezing and restarting. Just the occasional boot hang but, as you said, that's not related and I'll get to work on that shortly.

And now.... a hijackthis log to follow.........


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37, on 2008-06-08
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Users\Garry\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\Windows\TEMP\E_S9CFA.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Fac ... oader3.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: eNetHook.dll,avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9096 bytes
DJGarry
Regular Member
 
Posts: 55
Joined: May 30th, 2008, 11:05 am
Location: UK

Re: New Hijackthis log for your help please

Unread postby chryssi2001 » June 8th, 2008, 11:32 am

Hello DJGarry,

Everything looks good :) . You are free from malware :cheers: .

Still can't see Zone Alarm though. ;)
If you installed AVG8 free you will need to install an independent firewall.
----------------------------------------------
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
----------------------------------------------
Congratulations you are clean! :)
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Here are some free programs I recommend that could help you improve your computer's security.
(Vista users must ensure that any programs are Vista compatible BEFORE installing)

Spybot Search and Destroy 1.5.2
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here on how to prevent malware.

Happy safe surfing!
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
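The hosts-file mechanism described in the post above (ad and tracking hosts mapped to 127.0.0.1 so the connection never leaves the machine) is small enough to show end to end. What follows is an added example, not code from the thread or from the MVPS project: it parses a constructed hosts file in the same format, answers lookups the way the resolver's hosts lookup does (first match wins, unmatched names fall through to DNS), and also lists entries that point at something other than a loopback or sinkhole address, since a hosts file is a place defenders audit as well as a blocklist. The sample entries, the hostnames and the 203.0.113.5 address are all constructed for the example; 0.0.0.0 is included as a sinkhole address because blocklists commonly use it alongside 127.0.0.1.

```python
"""Parse a hosts file in the MVPS style, resolve names through it, and audit it."""
import ipaddress

# Constructed sample in hosts-file syntax: "<address> <hostname> [<hostname>...]  # comment".
SAMPLE_HOSTS = """# constructed sample, not the real MVPS list
127.0.0.1 localhost
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org  # trailing comments are ignored
0.0.0.0 banners.example.com pixel.example.com
# constructed entry of the kind an audit should surface: a name sent to a real address
203.0.113.5 updates.example-vendor.example
"""

# Addresses that mean "blocked": the connection stays on the local machine or goes nowhere.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a list of (address, hostname) pairs in file order, skipping comments and bad lines."""
    mapping = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)  # reject lines whose first field is not an IP
        except ValueError:
            continue
        for name in names:
            mapping.append((address, name.lower()))  # hostnames are case-insensitive
    return mapping


def resolve(mapping, hostname):
    """Mimic the hosts lookup: first matching entry wins; None means 'fall through to DNS'."""
    hostname = hostname.lower()
    for address, name in mapping:
        if name == hostname:
            return address
    return None


def unexpected_redirects(mapping):
    """Entries that do not sinkhole traffic but send it to a real address (worth a manual look)."""
    return [(address, name) for address, name in mapping
            if address not in SINKHOLE_ADDRESSES]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "www.example.com"):
        print(name, "->", resolve(hosts, name) or "not in hosts file, DNS is consulted")
    print("entries pointing at real addresses:", unexpected_redirects(hosts))
```

Because the hosts file is consulted before DNS, a blocked name never generates a query at all; the same precedence is why an entry that maps a legitimate name to a foreign address silently overrides DNS, which is what the audit function is for.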

Re: New Hijackthis log for your help please

Unread postby Elrond » June 10th, 2008, 9:27 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem