TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Seamoose on December 10, 2005, 07:59:48 PM

Title: Numerous Nasties
Post by: Seamoose on December 10, 2005, 07:59:48 PM
Hi there! Despite using Spybot, AdAware, NoAdware, Xoftspy etc often I am still getting some pop ups (also screen freezes a couple of times a day but not sure if this is related). Please help!

Some of the pop-ups are:
"Sfondi desktop" - asking me to download tacky screensavers which seems to be related to...
"Startnet Di Alessandro Casini"
Also a blue pop up "warning" me that "Spyware and Adware may be damaging my computer"
And a casino/gambling ad with some ugly cartoon chick on it (but I haven't got that for a couple of days.)
Also when I use NoAdware (is this good?) it tells me about a "severe" thing called VX2/ReplaceLink which it removes but it comes back on re-boot (at some point).
Oh, and in IE (which I don't use, but sometimes relatives still do out of habit), in the history file, it keeps telling me it has visited www.winfixer.com and advnt05.com, specifically a page called 'pop-send".

Thanks for your help in advance.

Logfile of HijackThis v1.99.1
Scan saved at 11:45:47 AM, on 11/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4645/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Leadtek Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
Title: Numerous Nasties
Post by: guestolo on December 10, 2005, 09:35:31 PM
Can you do me a favor please

You're way behind on Windows updates
Can you first visit the following link
http://www.microsoft.com/windowsxp/downloads/updates/sp1/expresso.mspx

Download the installer and double click to run
Follow the prompts
Reboot when prompted, afterwards come back here and post a fresh hijackthis log
NOTE: Don't install Service Pack 2 yet, this is not recommended until after we get you clean

Additionally, let me know the following please
Have you done any fixes with Hijackthis already?
Are you controlling anything from running on startup with Msconfig or any startup control software?

As far as the spyware removal tools
I would hold onto Ad-Aware and Spybot
Make sure you have the latest versions

I would dump NoAdware and Xoftspy if you didn't pay for either
Title: Numerous Nasties
Post by: Seamoose on December 11, 2005, 07:19:29 AM
Hi Guestolo - thanks for the help. :)

First thing that happened when following your instructions was that Microsoft doesn't like my vibe:

"The product key used to install windows is invalid. Please contact MS … to obtain valid product key. U may contact Microsoft etc if u have purchased pirated Microsoft software etc etc…"

I have been getting the picture for a while that the dude who "set up" my computer for me a couple of years back installed some crud - as in pirated stuff right? I can never install the MS updates.

??? Please I have no idea - if my version of windows is illegal then I will buy the new one or whatever...

Moving on from that:

"Have you done any fixes with Hijackthis already?"

Nope. Wouldn't dare.

"Are you controlling anything from running on startup with Msconfig or any startup control software?"

Err, I did muck about with it once or twice to try and speed up boot up (gulp?) as in I unchecked this and that. (double gulp)

"As far as the spyware removal tools
I would hold onto Ad-Aware and Spybot
Make sure you have the latest versions

I would dump NoAdware and Xoftspy if you didn't pay for either"

I did pay for Xoftspy - but whatever - if it is no good I will dump it as suggested - whatever works (I just want to get on with the actual reasons I have a computer ... )

Thank you for the reply. I have not posted a new HijackThis log as it seems I have a problem with my Microsoft software??? I am not sure but I don't think I could follow the prompts.

Please advise from here.

Thank you again.
Title: Numerous Nasties
Post by: guestolo on December 11, 2005, 12:31:28 PM
Okay, I'll warn you that because your copy of Windows is illegal
and you can't apply any security patches on your machine,
you keep yourself open to infections

After saying that, we'll try the best to clean you up and keep you that way
But no guarantees, the Windows updates are important in keeping your system secure

Can you do the following please
I want to see everything on startup
Go to START>>RUN>>type in msconfig

Hit OK
Under the STARTUP tab choose Enable ALL
Under the General tab choose Normal startup
Apply it and close>>reboot the computer

Back in Windows

From my signature below please run an online virus scan at Panda's
You will have to use Internet Explorer to run this
It's safe to supply them with a legit email address
Choose to scan "Local Disks"
When the scan is done click See Report
Choose to save the report to your desktop
Copy and paste back the whole contents of this report back here

Also, Post back a fresh hijackthis log
Title: Numerous Nasties
Post by: Seamoose on December 11, 2005, 07:08:34 PM
Hi,

Yes, will have to fork out and rectify that Windows situation, but meanwhile...

I followed the startup/msconfig instructions and here is the Panda report (it pasted a bit messy but I think it still makes sense. It is mercifully short.)

Incident            Status            Location
Dialer:dialer.asl   Not desinfected   C:\WINDOWS\Downloaded Program Files\internazionale_ver10.INF

And here is the new HJT...

Logfile of HijackThis v1.99.1
Scan saved at 11:01:12 AM, on 12/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\E-Color\Common\IconMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [HijackThis startup scan] C:\unzipped\hijackthis\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4645/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Leadtek Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

Thanks again, you rule!
Title: Numerous Nasties
Post by: guestolo on December 11, 2005, 07:20:36 PM
Can you do the following
Go to START>>RUN>>type in cmd
Hit OK

At the prompt copy and paste this into the black box then hit ENTER on your keyboard

cd C:\WINDOWS\Downloaded Program Files

Now you should be at this prompt
C:\WINDOWS\Downloaded Program Files>
copy and paste the following command in bold then hit ENTER

del internazionale_ver10.INF

then type in EXIT and hit ENTER

Open Hijackthis>>Open Misc tools section>>>Open Uninstall manager
Click the SAVE LIST button
Save this list to your desktop and then copy and paste the contents back here please
Title: Numerous Nasties
Post by: Seamoose on December 11, 2005, 08:05:42 PM
Here it is:

Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Illustrator 9.0
Adobe MPEG Encoder
Adobe Photoshop 7.0
Adobe Premiere 6.5
Adobe SVG Viewer
Advanced RealMedia Export Plug-in for Premiere 6.0
AKAI professional VST Collection v1.0
ArcSoft PhotoBase
ArcSoft PhotoStudio 2000
ArcSoft PhotoStudio Suite v2.0
BoDetect 3.5
Bojo OrganOne VSTi v1.05
Caere Scan Manager 5.1
Canon iP4200
Canon PhotoRecord
Canon PIXMA iP3000
Canon ScanGear Toolbox CS 2.2
Canon Setup Utility 2.0
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
CCleaner (remove only)
Celtx (0.9.4)
ContextPlus
DirectX 9 Hotfix - KB839643
DivX 4.12 Codec
Easy-WebPrint
FlashFXP
Graphic Converter 2003
Hello (remove only)
HijackThis 1.99.1
Instant French Level 1
Ipswitch WS_FTP Home 2006
iTunes
Java 2 Runtime Environment, SE v1.4.2_01
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
Macromedia HomeSite+
Macromedia Shockwave Player
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (1.5)
MSN Add-in for Windows Messenger
MSN Messenger 6.2
MSN Toolbar
NI Absynth v1.3.4-OxYGeN
NoAds
OmniPage Pro 9.0
OptusNet Dial-up
Outlook Express Q823353
Panda ActiveScan
Pioneer RecordNow DX
Pioneer RecordNow DX Update Manager
QuickBooks EasyStart: First Business 2005/06
QuickTime
Quintessential Player
ReaConverter 4.0 Pro
RealPlayer
Reason
ReCycle 2.0
S450
Search Assistant - My Web Search
Security Task Manager 1.6e
SmartUSB56 Voice Modem
Spybot - Search & Destroy 1.3
Steinberg Cubase SX 1.02
Steinberg Nuendo
Steinberg Nuendo/Cubase Dual Dongle Emu
TC Native Essentials 2.02
USB Flash Disk Utility
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883357
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]
WinFast® Display Driver
WinFast® Display Driver
WinRAR archiver
XoftSpy

Cheers :)

Oh, BTW, as for "C:\WINDOWS\Downloaded Program Files>", it didn't really look like this, it was more like just "C:\".
I still entered the commands as you prompted - not much happened...

Sorry, think I stuffed it up, give me a minute

Whoops - mucked up the instructions the first time but did it right the second... OK I have reposted the refreshed HijackThis list in case it is different.

Title: Numerous Nasties
Post by: guestolo on December 11, 2005, 10:27:08 PM
Can you do the following please

It appears you have had Avast installed at one time and it may not have been uninstalled completely
You may want to run the uninstall utility they supply
Look HERE: http://www.avast.com/eng/avast_uninstall_util.html
Save the uninstaller to the desktop
and then double click to run
In the path to the folder copy and paste the next path in bold

C:\Program Files\Alwil Software
Then click Uninstall

You may have to reboot the computer afterwards

Back in Windows

Access your add/remove programs and remove if you can
Search Assistant - My Web Search

Also remove
Spybot - Search & Destroy 1.3
Spybot isn't malware, but we should update you to the latest version

You should be prompted to reboot again, do so
Back in Windows

Download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.

Download and Install Spybot 1.4 from
HERE: http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button
or HERE: http://www.safer-networking.org/en/download/index.html
Don't activate the Tea Timer when installing
You can do this after you are clean if you wish
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, then download all updates
After it's updated, don't run a scan yet

==Download and then Install
Ewido Security Suite: http://download.ewido.net/ewido-setup.exe

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!

RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter

In safe mode
Double-click aproposfix.exe and unzip it to the desktop.  Open the aproposfix folder on your desktop and run RunThis.bat.  Follow the prompts.

Afterwards
Start Ccleaner
click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right)

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
 
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Open Spybot 1.4
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART the computer back to Normal mode

Back in Windows, I need to see a few logs please
1. Run hijackthis again and post a fresh log
2. Post the whole report from Ewido's you saved earlier
3. Post The entire contents of the log.txt file in the aproposfix folder
Title: Numerous Nasties
Post by: Seamoose on December 12, 2005, 12:11:38 AM
Ok I have stopped to ask a question rather than muck about and destroy my computer!

Firstly, I could not remove Search Assistant - My Web Search using the add/remove programs function. By the way you framed the instruction I guess this is not surprising.

I did remove spybot 1.3 and download 1.4 as per instructions.

Same for Apropos and Ewido. Did not run them (as instructed).

My main problem/question is that when I restart and go into the startup menu by tapping F8, the computer freezes every time I choose SAFE MODE. It just sits there with the safe mode option highlighted but does not respond.

Suggestion?

Once again, many thanks.
Title: Numerous Nasties
Post by: guestolo on December 12, 2005, 12:28:17 AM
Can you do the following for now

Make sure you printed the instructions I gave you out

Physically disconnect your computer from the Internet
Close down all unnecessary programs running in the background
Open your task manager
End the process on any of these that don't need to be running
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\E-Color\Common\IconMgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\slserv.exe

C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE

Then go ahead and try running the instructions I gave you previously
Let's see if we can kill some things in Normal mode with minimum running

Make sure that after you run Spybot you Reboot the computer
Title: Numerous Nasties
Post by: Seamoose on December 12, 2005, 02:43:07 AM
Cool: all done - Ewido sure found a whole load of crud!

Logfile of HijackThis v1.99.1
Scan saved at 6:36:10 PM, on 12/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [HijackThis startup scan] C:\unzipped\hijackthis\HijackThis.exe /startupscan
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4645/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Leadtek Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

Here's Ewido:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         6:00:13 PM, 12/12/2005
 + Report-Checksum:      2DDFC678

 + Scan result:

   HKLM\SOFTWARE\Classes\TypeLib\{B000D07B-6877-4D37-B6B2-BB800504ADE1} -> Dialer.Generic : Cleaned with backup
   :mozilla.8:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.9:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.10:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.11:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.12:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.13:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.14:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.15:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
   :mozilla.17:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.18:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.19:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
   :mozilla.20:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
   :mozilla.25:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.33:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
   :mozilla.48:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.49:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.53:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.54:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.55:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.56:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.57:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.58:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
   :mozilla.73:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.81:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.82:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.83:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.84:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
   :mozilla.85:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Estat : Cleaned with backup
   :mozilla.94:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.95:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.115:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
   :mozilla.124:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
   :mozilla.125:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
   :mozilla.127:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Comclick : Cleaned with backup
   :mozilla.128:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Comclick : Cleaned with backup
   :mozilla.130:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
   :mozilla.134:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.135:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
   :mozilla.136:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.137:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
   :mozilla.151:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.152:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.153:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.154:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.155:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.156:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.157:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.158:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.159:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.160:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.161:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.167:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
   :mozilla.180:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.181:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
   :mozilla.220:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
   :mozilla.221:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
   :mozilla.222:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\choq3esr.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
   :mozilla.16:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
   :mozilla.31:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.32:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.33:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.34:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
   :mozilla.35:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
   :mozilla.36:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
   :mozilla.37:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
   :mozilla.38:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
   :mozilla.56:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
   :mozilla.68:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.69:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
   :mozilla.82:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
   :mozilla.84:C:\Documents and Settings\lt\Application Data\Mozilla\Firefox\Profiles\zti7cp45.Default User\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@2o7[1].txt.bak -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@2o7[2].txt.bak -> Spyware.Cookie.2o7 : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Addynamix : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@advertising[1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@advertising[2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@atdmt[1].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@atdmt[2].txt.bak -> Spyware.Cookie.Atdmt : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@bfast[1].txt.bak -> Spyware.Cookie.Bfast : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@bfast[2].txt.bak -> Spyware.Cookie.Bfast : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@bluestreak[1].txt.bak -> Spyware.Cookie.Bluestreak : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@bluestreak[2].txt.bak -> Spyware.Cookie.Bluestreak : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@casalemedia[1].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@casalemedia[2].txt.bak -> Spyware.Cookie.Casalemedia : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@centrport[1].txt.bak -> Spyware.Cookie.Centrport : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@commission-junction[1].txt.bak -> Spyware.Cookie.Commission-junction : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@commission-junction[2].txt.bak -> Spyware.Cookie.Commission-junction : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitslink : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitslink : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@doubleclick[1].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@doubleclick[2].txt.bak -> Spyware.Cookie.Doubleclick : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@fastclick[1].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@fastclick[2].txt.bak -> Spyware.Cookie.Fastclick : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@gator[1].txt.bak -> Spyware.Cookie.Gator : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@hitbox[1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@hitbox[2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@linksynergy[2].txt.bak -> Spyware.Cookie.Linksynergy : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@mediaplex[1].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@mediaplex[2].txt.bak -> Spyware.Cookie.Mediaplex : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@paycounter[1].txt.bak -> Spyware.Cookie.Paycounter : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@paycounter[2].txt.bak -> Spyware.Cookie.Paycounter : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Hitbox : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@qksrv[1].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@qksrv[2].txt.bak -> Spyware.Cookie.Qksrv : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@questionmarket[1].txt.bak -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@questionmarket[2].txt.bak -> Spyware.Cookie.Questionmarket : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@revenue[2].txt.bak -> Spyware.Cookie.Revenue : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.bak -> Spyware.Cookie.Advertising : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@sexlist[2].txt.bak -> Spyware.Cookie.Sexlist : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@targetnet[1].txt.bak -> Spyware.Cookie.Targetnet : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@valueclick[1].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@valueclick[2].txt.bak -> Spyware.Cookie.Valueclick : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@weborama[1].txt.bak -> Spyware.Cookie.Weborama : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@weborama[2].txt.bak -> Spyware.Cookie.Weborama : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@xxxtoolbar[1].txt.bak -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\lt@xxxtoolbar[2].txt.bak -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
   C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.bak -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End

and finally Apropos:

Log of AproposFix v1
 
************
 
Running from directory:  
C:\Documents and Settings\lt\Desktop\aproposfix
 
************
 
Registry entries found:
 
 
************
 
No service found!
 
Removing hidden folder:
No folder found!
 
Deleting files:
 
 
Backing up files:
Done!
 
Removing registry entries:
 
REGEDIT4
 
 
Done!
 
Finished!

Cool! What now?
Title: Numerous Nasties
Post by: guestolo on December 12, 2005, 08:13:55 PM
Can you delete this folder if found
 C:\Program Files\Enigma Software Group <-this folder

If you don't have any firewall
Make sure you have enabled XP's firewall immediately
http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx

You don't need hijackthis set to run at startup
Up to you to have this feature enabled

Open Hijackthis>>Open Misc tools section>>Click on MAIN button
Uncheck Run Hijackthis scan at startup

Make sure the Messenger service is disabled
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Messenger

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
You can do the same for Alerter as well

What are you running for Anti-Virus software?
Do you need a free solution?
It's not safe being without an Active AV in the background

For added protections
You should install this free tool
SpywareBlaster 3.4 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection...."

Afterwards, I want to try and remove a couple entries in your log
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm


The next ones are not needed on startup, safe to fix also
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


If you don't make use of the Microsoft Office Shortcut Bar outside an office program
It's safe to disable this next one too, Office works fine without it
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Come back here and let me know how things are running
We should still get an AV installed and run if you require one
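As an added example (not the forum helper's own tool, and not HijackThis code): a small Python triage script for the HijackThis v1.99.1 log format used throughout this thread. It parses the R0/R1, O2/O3, O4, O16 and O23 entry layouts seen in the logs above and flags the items a helper looks at first (services whose binary is missing, services with no publisher string, unnamed ActiveX downloads, DPF entries pointing at an .exe, and IE page settings reset to a bare local path). The sample entries are copied from the logs posted in this thread; the flag rules are this example's own heuristics, not HijackThis's verdicts.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass
class Entry:
    code: str                 # HijackThis section prefix, e.g. "O16"
    raw: str                  # the original log line
    name: str = ""            # friendly name, Run value name, IE setting or service name
    clsid: str = ""           # CLSID for O2/O3/O16 entries
    target: str = ""          # file path, URL or registry value
    owner: str = ""           # publisher string for O23 services
    flags: list = field(default_factory=list)


# One regex per entry layout seen in the logs above.
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
R_RE = re.compile(r"^HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\Main,(.*?) = (.*)$")
BHO_RE = re.compile(r"^(?:BHO|Toolbar): (.*?) - (\{[0-9A-F-]+\}) - (.*)$", re.I)
O4_RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$")
O4_GS_RE = re.compile(r"^Global Startup: (.*?) = (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-F-]+\})(?: \((.*?)\))? - (\S+)", re.I)
O23_RE = re.compile(r"^Service: (.+?) - (.*?) - (.+)$")


def parse_line(line: str):
    """Turn one HijackThis line into an Entry, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.groups()
    e = Entry(code=code, raw=line.strip())
    if code.startswith("R") and (m2 := R_RE.match(body)):
        e.name, e.target = m2.groups()
    elif code in ("O2", "O3") and (m2 := BHO_RE.match(body)):
        e.name, e.clsid, e.target = m2.groups()
    elif code == "O4" and (m2 := O4_RUN_RE.match(body) or O4_GS_RE.match(body)):
        e.name, e.target = m2.groups()
    elif code == "O16" and (m2 := O16_RE.match(body)):
        e.clsid, e.name, e.target = m2.group(1), m2.group(2) or "", m2.group(3)
    elif code == "O23" and (m2 := O23_RE.match(body)):
        e.name, e.owner, e.target = m2.group(1), m2.group(2).strip(), m2.group(3)
    return e


def triage(e: Entry) -> list:
    """Heuristic flags (this example's own rules, not HijackThis's verdicts)."""
    flags = []
    if e.code == "O23":
        if e.target.endswith("(file missing)"):
            flags.append("orphaned service: registered binary no longer exists")
        if e.owner in ("", "Unknown owner"):
            flags.append("service has no publisher string; verify the binary by hand")
    elif e.code == "O16":
        host = urlparse(e.target).hostname or "?"
        if not e.name:
            flags.append(f"ActiveX control downloaded from {host} has no friendly name")
        if e.target.lower().endswith(".exe"):
            flags.append(f"DPF entry points at an executable on {host}, not a .cab")
    elif e.code.startswith("R") and e.target.startswith("\\"):
        flags.append("IE page setting is a bare local path; safe to reset")
    return flags


def parse_log(text: str) -> list:
    """Parse a whole log and attach triage flags to every entry."""
    entries = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            e.flags = triage(e)
            entries.append(e)
    return entries


def flagged_entries(text: str) -> dict:
    """Map each flagged entry's name to its flags, for a quick review list."""
    return {e.name: e.flags for e in parse_log(text) if e.flags}


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        marker = "!!" if e.flags else "  "
        print(f"{marker} {e.code:<4}{e.name or e.clsid:<45} {e.target}")
        for f in e.flags:
            print(f"        -> {f}")
```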
Title: Numerous Nasties
Post by: Seamoose on December 13, 2005, 01:40:31 AM
Couldn't find
C:\Program Files\Enigma Software Group

I don't think I have a firewall - and Microsoft would not let me download one. Same problem. I understand the recommendation here would be to get a legit version of XP and so I shall - but not this week! A bit expensive!

Stopped and disabled the Messenger and Alerter.

As for AV - I have the recommended spyware detectors/killers - but I get the idea you are talking about something that runs in the background stopping them in the first place???

I added the Spywareblaster as recommended - is this what you mean by an AV - or do I need something additional?


Did the Hijack this fixes and rebooted with no worries.

As for how the computer is running now - I had one screen freeze since but is this malware related? (it always happened since I got the PC - once or twice a day.)

Also I had one of the pop-ups reappear - the "Sfondi desktop" - asking me to download tacky screensavers which seems to be related to "Startnet Di Alessandro Casini" (one of those "do you want to ..." things with a yes /no click - like you get when downloading software) which pops up over the "Sfondi" one.

Anyway - have I missed anything? And thanks very much so far. I wasn't sure if you wanted another Hijack this log so what the hey... here 'tis

Logfile of HijackThis v1.99.1
Scan saved at 5:40:00 PM, on 13/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\E-Color\Common\IconMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.[Email Removed].msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134441134249
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4645/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Leadtek Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
Title: Numerous Nasties
Post by: guestolo on December 13, 2005, 01:55:44 AM
I didn't ask you to install a firewall yet
I asked you to make sure the one built into XP is enabled
This link will explain how to make sure it's running
http://www.microsoft.com/windowsxp/using/networking/learnmore/icf.mspx

SpywareBlaster isn't the same thing as an Active AV
It's a tool that sets killbits in the registry to help prevent malware from being installed

Let's get an Anti-Virus software on your computer
Install either one of these 2 AVs
ONLY install ONE, more than one can cause conflicts
Both have a free edition

AVG 7 by Grisoft: http://free.grisoft.com/doc/2/lng/us/tpl/v5

Avast Home Edition by ALWIL: http://www.avast.com/eng/down_home.html

After either is installed, make sure it is updated and run a full system scan
Let it fix whatever it finds

When it's done, reboot the computer

Come back here and post one last hijackthis log
Let me know how things are running after that




After you have done the above
Additionally, I'm curious, are you now able to get into safe mode?
Make sure you give it enough time to load
Title: Numerous Nasties
Post by: Seamoose on December 13, 2005, 07:00:28 AM
OK the XP firewall wasn't enabled (sorry got the wrong end of the stick there before) but now it is. Goes to show - I actually assumed the thing was running the whole time I've had this computer (Doh!)

I installed AVG 7 and ran it ok (the computer wigged out and restarted itself once but then the scan went ok the second time) Nothing found.

Also I got the blue pop up again (as described in the first post) "warning" of possible spyware.

Now I go try Safe Mode.

(Insert Gadzillions of appreciative remarks here:) )

Logfile of HijackThis v1.99.1
Scan saved at 10:53:59 PM, on 13/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.[Email Removed].msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134441134249
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4645/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Leadtek Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
Title: Numerous Nasties
Post by: Seamoose on December 13, 2005, 07:15:44 AM
Yep no worries with the Safe mode this time.

What next? Let's kill those nasty pop-ups!

Oh - also I have a pop up killer called No-Ads running - recommended???

Will check in again tomorrow. Thank you.
Title: Numerous Nasties
Post by: guestolo on December 13, 2005, 10:09:54 AM
Just on my way to work, can you do the following please in the meantime
Can you check for updates with AVG, in case there are any

I may repeat myself, but
Download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.

Download and save WinPFind.zip: http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet

Reboot into Safe mode

Once in safe mode
Double-click aproposfix.exe and unzip it to the desktop.  Open the aproposfix folder on your desktop and run RunThis.bat.  Follow the prompts.

Run another full scan with AVG

Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after

Reboot back to Normal mode

Post the results of the WinPFind.txt located in the WinPFind folder
Post The entire contents of the log.txt file in the aproposfix folder
Title: Numerous Nasties
Post by: Seamoose on December 13, 2005, 06:53:32 PM
All done:

Updated AVG found no virus (but, when run in safe mode it did say that for both the Partition Table and the Boot Sector of disc C: that there was a "reading error." I don't know if this is relevant or not.)

Here is the (very long) WinPFind.txt

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP    Current Build:     Current Build Number: 2600
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX!                 27/01/2005 2:09:50 PM       4918270    C:\Program Files\Firefox Setup 1.0.exe

Checking %WinDir% folder...
PECompact2           27/09/2005 12:38:48 PM      15914303   C:\WINDOWS\LPT$VPN.857
qoologic             27/09/2005 12:38:48 PM      15914303   C:\WINDOWS\LPT$VPN.857
SAHAgent             27/09/2005 12:38:48 PM      15914303   C:\WINDOWS\LPT$VPN.857
UPX!                 13/12/2004 12:43:22 PM      18432      C:\WINDOWS\ss3unstl.exe
UPX!                 27/09/2005 12:38:50 PM      170053     C:\WINDOWS\tsc.exe
UPX!                 2/12/2003 5:00:10 AM        45056      C:\WINDOWS\Unwash5.exe
PECompact2           27/09/2005 12:38:48 PM      15914303   C:\WINDOWS\VPTNFILE.857
qoologic             27/09/2005 12:38:48 PM      15914303   C:\WINDOWS\VPTNFILE.857
SAHAgent             27/09/2005 12:38:48 PM      15914303   C:\WINDOWS\VPTNFILE.857
UPX!                 27/09/2005 12:38:50 PM      1044560    C:\WINDOWS\vsapi32.dll
aspack               27/09/2005 12:38:50 PM      1044560    C:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX!                 9/07/2005 8:03:06 PM        433152     C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2                 23/08/2001 11:00:00 PM      41397      C:\WINDOWS\SYSTEM32\dfrg.msc
UPX!                 25/11/2001 6:31:48 AM       65536      C:\WINDOWS\SYSTEM32\DVDAudio.ax
UPX!                 25/11/2001 6:28:14 AM       86528      C:\WINDOWS\SYSTEM32\DVDVideo.ax
PTech                4/11/2005 4:27:24 PM        534280     C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2           8/09/2005 10:36:32 PM       1997664    C:\WINDOWS\SYSTEM32\MRT.exe
aspack               8/09/2005 10:36:32 PM       1997664    C:\WINDOWS\SYSTEM32\MRT.exe
PTech                21/06/2005 2:21:12 PM       382216     C:\WINDOWS\SYSTEM32\OVAControl.DLL
Umonitor             12/02/2002 7:14:12 PM       630784     C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync              23/08/2001 11:00:00 PM      1309184    C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX!                 13/12/2005 9:44:10 PM       749600     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG!                 13/12/2005 9:44:10 PM       749600     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2                 13/12/2005 9:44:10 PM       749600     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack               13/12/2005 9:44:10 PM       749600     C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech                7/04/2002 9:52:54 PM        1804560    C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
                     14/12/2005 9:02:06 AM     S 2048       C:\WINDOWS\bootstat.dat
                     14/12/2005 8:56:32 AM    H  24         C:\WINDOWS\p5cwc
                     8/12/2005 7:38:38 PM     H  0          C:\WINDOWS\LastGood\INF\oem29.inf
                     8/12/2005 7:38:38 PM     H  0          C:\WINDOWS\LastGood\INF\oem29.PNF
                     14/12/2005 8:59:22 AM    H  8192       C:\WINDOWS\system32\config\default.LOG
                     14/12/2005 9:02:20 AM    H  1024       C:\WINDOWS\system32\config\SAM.LOG
                     14/12/2005 9:02:10 AM    H  16384      C:\WINDOWS\system32\config\SECURITY.LOG
                     14/12/2005 10:19:38 AM   H  176128     C:\WINDOWS\system32\config\software.LOG
                     14/12/2005 9:03:34 AM    H  1032192    C:\WINDOWS\system32\config\system.LOG
                     12/12/2005 2:44:36 PM    H  1024       C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
                     14/12/2005 8:57:28 AM    H  6          C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation          23/08/2001 11:00:00 PM      66048      C:\WINDOWS\SYSTEM32\access.cpl
Avance Logic, Inc.             21/03/2002 2:41:28 PM       544768     C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation          23/08/2001 11:00:00 PM      558592     C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      130048     C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      150016     C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      294912     C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      119808     C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation          29/08/2002 3:41:00 AM       208896     C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems               19/08/2003 6:23:34 PM       61547      C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      187904     C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      559616     C:\WINDOWS\SYSTEM32\mmsys.cpl
Kristal Studio                 3/03/2001 1:39:28 PM        121856     C:\WINDOWS\SYSTEM32\Mp3cnfg.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      35840      C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      256000     C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA® Corporation            19/01/2002 1:33:26 AM       36864      C:\WINDOWS\SYSTEM32\NVACpl.cpl
NVIDIA Corporation             9/03/2002 11:53:00 AM       106496     C:\WINDOWS\SYSTEM32\nvTUICpl.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      36864      C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      36864      C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      109056     C:\WINDOWS\SYSTEM32\powercfg.cpl
                               4/05/2000 10:57:38 PM       303104     C:\WINDOWS\SYSTEM32\scmgrcpl50.cpl
SmartLink                      26/03/2002 5:23:56 PM       339968     C:\WINDOWS\SYSTEM32\slcpappl.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      270848     C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      28160      C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      90112      C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation          26/05/2005 5:16:30 AM       174360     C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      66048      C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      558592     C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      130048     C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      150016     C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      294912     C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      119808     C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation          29/08/2002 3:41:00 AM       208896     C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      187904     C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      559616     C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      35840      C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      256000     C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      36864      C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      36864      C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      109056     C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      147456     C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      270848     C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      28160      C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation          23/08/2001 11:00:00 PM      90112      C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
NVIDIA Corporation             9/03/2002 11:53:00 AM       106496     C:\WINDOWS\SYSTEM32\WinFast\Graphics\nvTUICpl.cpl
NVIDIA Corporation             2/04/2003 4:40:00 PM        139264     C:\WINDOWS\SYSTEM32\WinFast\WHQL\Graphics\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
                     26/06/2003 4:00:30 PM       986        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
                     23/04/2003 5:00:16 PM    HS 84         C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
                     23/01/2002 11:35:12 PM      771        C:\Documents and Settings\All Users\Start Menu\Programs\Startup\E-Color.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
                     24/04/2003 2:46:04 AM    HS 62         C:\Documents and Settings\All Users\Application Data\desktop.ini
                     8/12/2005 8:38:16 PM        6918       C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
                     23/04/2003 5:00:16 PM    HS 84         C:\Documents and Settings\lt\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
                     24/04/2003 2:46:02 AM    HS 62         C:\Documents and Settings\lt\Application Data\desktop.ini
                     20/09/2005 10:46:52 PM      20136      C:\Documents and Settings\lt\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
   StumbleUpon.com 1.822    =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
   {09799AFB-AD67-11d1-ABCD-00C04FC30936}    = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WS_FTP
   {797F3885-5429-11D4-8823-0050DA59922B}    = C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
   Start Menu Pin    = %SystemRoot%\system32\shell32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
   {9F97547E-4609-42C5-AE0C-81C61FFAEBC3}    = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WinZip\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WS_FTP
   {797F3885-5429-11D4-8823-0050DA59922B}    = C:\Program Files\Ipswitch\WS_FTP Home\wsftpsi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
   {A470F8CF-A1E8-4f65-8335-227475AA5C46}    = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
   {750fdf0e-2a26-11d1-a3ea-080036587f03}    = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
   {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}    = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
   {B41DB860-8EE4-11D2-9906-E49FADC173CA}    = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
   {E0D79304-84BE-11CE-9641-444553540000}    = C:\PROGRA~1\WinZip\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\shell32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D44BBB61-E17F-4AE6-A502-8D7E0B29E616}
   SU Toolbar Helper = C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E5A1691B-D188-4419-AD02-90002030B8EE}
   FlashFXP Helper for Internet Explorer = C:\PROGRA~1\FlashFXP\IEFlash.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
   &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
   {22D003CE-6952-46C5-80B9-D19B479620AB}    = Stumble&Upon   : C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
   {8E718888-423F-11D2-876E-00A0C9082467}    = &Radio   : C:\WINDOWS\System32\msdxm.ocx
   {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}    = MSN Toolbar   : C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
   {327C2873-E90D-4c37-AA9D-10AC9BABA46C}    = Easy-WebPrint   : C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
   MenuText    = Sun Java Console   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B13B4423-2647-4cfc-A4B3-C7D56CB83487}
   ButtonText    = Share in Hello   :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
   ButtonText    = Messenger   : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
   Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
   Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
    =
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
   File Search Explorer Band = %SystemRoot%\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
   Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
   History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
   Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
   {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address   : %SystemRoot%\System32\browseui.dll
   {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links   : %SystemRoot%\system32\shell32.dll
   {EF99BD32-C1FB-11D2-892F-0090271D4F88} =    :
   {22D003CE-6952-46C5-80B9-D19B479620AB} = Stumble&Upon   : C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
   {4D5C8C2A-D075-11D0-B416-00C04FB90376} = Microsoft CommBand   : %SystemRoot%\System32\browseui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   StorageGuard   "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
   Prolific_PLUtil   C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
   PLFFAP   C:\WINDOWS\System32\HotfixQ0306270.exe
   Easy-PrintToolBox   C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
   nwiz   nwiz.exe /install
   NvCplDaemon   RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
   NeroCheck   C:\WINDOWS\System32\NeroCheck.exe
   iTunesHelper   "C:\Program Files\iTunes\iTunesHelper.exe"
   Desktop Service Centre   C:\Program Files\OptusNet Dial-up Internet\DSC.exe
   AVG7_CC   C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
   KernelFaultCheck   %systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
   IMAIL   Installed = 1
   MAPI   Installed = 1
   MSFS   Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
   Register Homesite+.exe   "C:\Program Files\Macromedia\HomeSite+\Homesite+.exe" /REGSERVER

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   CTFMON.EXE   C:\WINDOWS\System32\ctfmon.exe
   NoAds   "C:\Program Files\NoAds\NoAds.exe"
   NvMediaCenter   RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
   system.ini   0
   win.ini   0
   bootini   0
   services   0
   startup   0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
   {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
   {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
   {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
   dontdisplaylastusername   0
   legalnoticecaption   
   legalnoticetext   
   shutdownwithoutlogon   1
   undockwithoutlogon   1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   NoDriveTypeAutoRun   ÿ

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   PostBootReminder                  {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\shell32.dll
   CDBurn                            {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\shell32.dll
   WebCheck                          {E6FB5E20-DE35-11CF-9C87-00AA005127ED} =
   SysTray                           {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   UserInit   = C:\WINDOWS\system32\userinit.exe,
   Shell      = Explorer.exe
   System      =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
   Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   AppInit_DLLs   


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1   - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 14/12/2005 10:29:05 AM

And here is the Apropos log.txt

Log of AproposFix v1
 
************
 
Running from directory:  
C:\Documents and Settings\lt\Desktop\aproposfix
 
************
 
Registry entries found:
 
[HKEY_LOCAL_MACHINE\Software\C5TP7AF3flp9]
@="\\l5Go5SVWWVWWXW\\7CmPHKVWWVlYW1rwmx1\\W\\TNO9HcbW8MDQ9MNWHNKJN8Q8XNTN"
"Device"="\\\\.\\SchDump"
"DriverPath"="C:\\WINDOWS\\System32\\drivers\\msposdvd.sys"
"DriverName"="SCalFax"
"HideUninstallerName"="C:\\Program Files\\Lave emu\\dmi4dmod.exe"
"UninstallerPath"="C:\\WINDOWS\\System32\\pinipbrd.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{D12349B6-D58A-42ED-8E89-9DC68EAB6CB3}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\System32\\fec50_32.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xea8b41a-6a96-36df-38ce-e84cead3a5ca}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Lave emu\\cfmgntfs.exe"
 
************
 
Removing hidden service:
Service SCalFax removed.
 
Removing hidden folder:
 
Deleting files:
 
Deletion of file C:\WINDOWS\System32\drivers\msposdvd.sys succeeded!
Deletion of file C:\WINDOWS\System32\ciodsdmo.exe succeeded!
Deletion of file C:\WINDOWS\System32\fec50_32.dll succeeded!
Deletion of file C:\WINDOWS\System32\pinipbrd.exe succeeded!
 
Backing up files:
Done!
 
Removing registry entries:
 
REGEDIT4
 
[-HKEY_CURRENT_USER\Software\C5TP7AF3flp9]
[-HKEY_LOCAL_MACHINE\Software\C5TP7AF3flp9]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D12349B6-D58A-42ED-8E89-9DC68EAB6CB3}]
 
Done!
 
Finished!

Thanks again - hope work was not too bad, really appreciate your help.
Title: Numerous Nasties
Post by: guestolo on December 14, 2005, 07:44:13 PM
Sorry for the delay

Can you do one last thing please
Open Hijackthis>>Open Misc tools section>>Open Delete File on Reboot
In the Filename field, copy and paste the following path in bold below and then hit the OPEN button

C:\WINDOWS\ss3unstl.exe

HijackThis should prompt that the file will be deleted and ask to reboot now
DON'T reboot yet
Instead, also enter this path to the Delete file on Reboot in hijackthis

C:\WINDOWS\p5cwc

This time allow the computer to reboot,

Back in Windows, post one last hijackthis log and let me know how things are running
Any more popups?

Could you also do the following please
I just want to check out one file
Can you go to this site
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Give this site time to load if busy

Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\SYSTEM32\scmgrcpl50.cpl <-this file

Right click on it  and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scans back here please
Title: Numerous Nasties
Post by: Seamoose on December 15, 2005, 12:14:25 AM
Hi,

Cool - just got back home, have worked through the instructions up to the running of HijackThis - will now go and do the Jotti's Online Malware scan and get back to ya. No need to apologize for the (very short) delay (I wasn't online anyway) - you are a saint.

Will need a couple of hours to know about the pop ups as they only happen once or twice a day and (seemingly) very randomly (little buggers).

(gosh - I'm liking my brackets today what?) (be back soon with the rest!)

Logfile of HijackThis v1.99.1
Scan saved at 4:08:12 PM, on 15/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\E-Color\Common\IconMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134441134249 (http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134441134249)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab)
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...645/mcfscan.cab (http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4645/mcfscan.cab)
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_1_5_0.cab (http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Leadtek Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
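The log above is read by hand in this thread, one line at a time. As an added example (not code from the thread, from HijackThis or from any tool named here), the Python below models the O2/O3/O4/O16/O23 line formats that appear in that log and turns a handful of its lines (copied in as a constructed sample) into structured records plus review prompts: a service whose binary is missing, a service with no vendor string, a nameless BHO, a component loaded from Downloaded Program Files, and an ActiveX download entry with no description or one that fetches an .exe. The prompts are not verdicts; every item they raise here is either a known product (Spybot's SDHelper, StumbleUpon) or an uninstall leftover, and each still needs the same look-it-up step the thread applies to scmgrcpl50.cpl.

```python
"""HijackThis log triage helper (added example; not HijackThis code and not from the thread).
Emits review prompts for a few line types; a prompt means "verify this", not "this is malware"."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    kind: str                   # HijackThis section prefix, e.g. "O2", "O23"
    name: str                   # display name, Run value name or service name
    target: str                 # file path, command line or download URL
    clsid: Optional[str] = None
    vendor: str = ""            # O23 only: company string HijackThis read from the binary
    raw: str = ""


_HEAD = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
_BHO_TB = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")
_RUN = re.compile(r"^(?P<key>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<target>.*)$")
_DPF = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<target>.*)$")
_SVC = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<target>.*)$")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line into an Entry; returns None for line types not modelled here."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("O2", "O3"):
        b = _BHO_TB.match(body)
        return Entry(kind, b["name"], b["target"], b["clsid"], raw=line) if b else None
    if kind == "O4":
        r = _RUN.match(body)
        if not r:
            return None
        name, target = r["name"], r["target"]
        if name is None and " = " in target:          # Startup-folder shortcuts: "X.lnk = path"
            name, target = target.split(" = ", 1)
        return Entry(kind, name or r["key"], target, raw=line)
    if kind == "O16":
        d = _DPF.match(body)
        return Entry(kind, d["name"] or "", d["target"], d["clsid"], raw=line) if d else None
    if kind == "O23":
        s = _SVC.match(body)
        return Entry(kind, s["name"], s["target"], vendor=s["vendor"].strip(), raw=line) if s else None
    return None


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (kind, name, reason) for entries worth a second look."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if e.kind == "O23" and e.target.endswith("(file missing)"):
            reasons.append("service still registered but its binary is gone (orphaned registration)")
        elif e.kind == "O23" and not e.vendor:
            reasons.append("service binary carries no company/vendor string; confirm its publisher")
        if e.kind == "O2" and e.name == "(no name)":
            reasons.append("nameless BHO; identify it by CLSID and DLL path")
        if "\\downlo~1\\" in e.target.lower():
            reasons.append("loaded from Downloaded Program Files (installed through the browser)")
        if e.kind == "O16":
            if not e.name:
                reasons.append("ActiveX download entry with no class description")
            if e.target.lower().endswith(".exe"):
                reasons.append("ActiveX download points at an .exe rather than a .cab package")
        findings.extend((e.kind, e.name, r) for r in reasons)
    return findings


# Constructed sample: seven lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL",
    r"O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe",
    r"O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe",
    r"O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe",
    r"O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)",
    r"O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe",
]

if __name__ == "__main__":
    for kind, name, reason in triage(SAMPLE_LOG):
        print(f"{kind:<4} {name:<40} {reason}")
```

Feed it a whole saved log with `triage(open("hijackthis.log").readlines())`; the O4 PLFFAP and E-Color lines parse cleanly but raise nothing, which is the point: the parser separates "unusual-looking" from "worth checking".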
Title: Numerous Nasties
Post by: Seamoose on December 15, 2005, 08:12:50 PM
Hi - sorry life (well a party actually!) got in the way of the great Malware hunt but I'm back complete with hangover and have just done the Jotti thing...

Here is a cut n paste of the results:

Service load:  0%        100%  
 
File:  scmgrcpl50.cpl  
Status:  OK  
MD5  eeac213ab63aa86d0c46893199735e72  
Packers detected:  -
Scanner results  
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
Fortinet  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
UNA  Found nothing
VBA32  Found nothing

Also at the bottom of the page, after the disclaimers, there was the following - I found it hard to tell if it refers to my computer or what:

Last file scanned at least one scanner reported something about: a8o1v.exe, detected by:

Scanner  Malware name  
AntiVir  X  
ArcaVir  Trojan.Kolweb.G  
Avast  X  
AVG Antivirus  Generic.DUM  
BitDefender  X  
ClamAV  X  
Dr.Web  Trojan.Click.767  
F-Prot Antivirus  X  
Fortinet  X  
Kaspersky Anti-Virus  Trojan.Win32.Kolweb.g  
NOD32  Win32/Kolweb.G  
Norman Virus Control  W32/Kolweb.G  
UNA  X  
VBA32  Trojan.Win32.Kolweb.g  

Thanks again!
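The paste above holds two different tables: the result for the submitted scmgrcpl50.cpl (Status OK, nothing found by any of the 14 engines) and, below the disclaimers, the site's banner for the last file that any engine flagged, which carries a different file name (a8o1v.exe). As an added example (not code from the thread or from Jotti), the Python below parses both tables, constructed here from the pasted text, and reduces each to a detection ratio and a consensus family name, so that "7 of 14, five of them agreeing on Kolweb" and "0 of 14" can be read at a glance rather than row by row.

```python
"""Reading a multi-engine scan table (added example; not from the thread or from Jotti)."""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Verdict strings that mean "clean" in the table format pasted above.
CLEAN_VERDICTS = {"x", "found nothing", "-", ""}
# Vendor-prefix tokens that carry no family information.
NOISE_TOKENS = {"trojan", "win32", "w32"}

SCANNERS = ["AntiVir", "ArcaVir", "Avast", "AVG Antivirus", "BitDefender", "ClamAV", "Dr.Web",
            "F-Prot Antivirus", "Fortinet", "Kaspersky Anti-Virus", "NOD32",
            "Norman Virus Control", "UNA", "VBA32"]

# Constructed from the first table above: every engine reported "Found nothing".
SCMGRCPL50_TABLE = "Scanner  Malware name\n" + "\n".join(f"{s}  Found nothing" for s in SCANNERS)

# Constructed from the second table above (scanner and verdict separated by two spaces).
A8O1V_TABLE = """\
Scanner  Malware name
AntiVir  X
ArcaVir  Trojan.Kolweb.G
Avast  X
AVG Antivirus  Generic.DUM
BitDefender  X
ClamAV  X
Dr.Web  Trojan.Click.767
F-Prot Antivirus  X
Fortinet  X
Kaspersky Anti-Virus  Trojan.Win32.Kolweb.g
NOD32  Win32/Kolweb.G
Norman Virus Control  W32/Kolweb.G
UNA  X
VBA32  Trojan.Win32.Kolweb.g
"""


def parse_scanner_table(text: str) -> Dict[str, Optional[str]]:
    """Map scanner name -> malware name, or None when that engine reported nothing."""
    verdicts: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 2 or parts[0].lower() == "scanner":   # skip header and stray rows
            continue
        scanner, verdict = parts
        verdicts[scanner] = None if verdict.lower() in CLEAN_VERDICTS else verdict
    return verdicts


def family(name: str) -> str:
    """Reduce a vendor-specific name such as 'Trojan.Win32.Kolweb.g' or 'W32/Kolweb.G' to 'kolweb.g'."""
    tokens = [t for t in re.split(r"[./]", name.lower()) if t and t not in NOISE_TOKENS]
    return ".".join(tokens)


def consensus(verdicts: Dict[str, Optional[str]]) -> Tuple[int, int, Optional[str]]:
    """(engines that flagged, engines total, most common family name or None)."""
    hits = [v for v in verdicts.values() if v]
    if not hits:
        return 0, len(verdicts), None
    top = Counter(family(v) for v in hits).most_common(1)[0][0]
    return len(hits), len(verdicts), top


if __name__ == "__main__":
    for label, table in (("scmgrcpl50.cpl", SCMGRCPL50_TABLE), ("a8o1v.exe", A8O1V_TABLE)):
        flagged, total, fam = consensus(parse_scanner_table(table))
        print(f"{label}: {flagged}/{total} engines, consensus family: {fam}")
```

The family normalisation is deliberately crude (it only strips platform and type prefixes); its job is to show whether engines agree on a name, which says more than the raw count, since one generic detection among fourteen engines is a weaker signal than five engines naming the same family.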
Title: Numerous Nasties
Post by: guestolo on December 15, 2005, 08:46:49 PM
Can you navigate to this file
C:\WINDOWS\SYSTEM32\scmgrcpl50.cpl

Right click on it and left click properties
If there is a Version tab, open it
Do you know what it's related to?

I take it there's no more popups?
Title: Numerous Nasties
Post by: Seamoose on December 15, 2005, 10:43:45 PM
The file in question seems to have something to do with - in fact directly opens - a "caere scan manager", which I presume must have something to do with our scanner, which I personally have never used (my other half would have more of an idea about it) - but it seems innocuous?

So far today have not had any pop up action. Haven't used the computer much though and it usually happens quite randomly, sometimes hours after booting up so *fingers crossed* eh?

Anything else I should do you think?

Would it be possible for you to advise me what I should regularly do - what software I should run, etc to avoid this from happening again? I am a little confused as to which programs to keep and use.

Thanks again.
Title: Numerous Nasties
Post by: guestolo on December 15, 2005, 11:04:38 PM
For final cleanup

If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Make sure you reenable system restore feature

What to keep
I would opt to keep the following
Spybot and AdAware
Check for updates every couple of weeks and run scans when there is an update
Additionally in Spybot, click on the Immunize button>>OK>>Click Immunize at the top green cross
Do this after every update

Ewido is optional, I would keep it however, in about a week it will turn into a limited version
But it's still a great scanner

Definitely hold onto AVG, keep it updated
Definitely hold onto SpywareBlaster and check for updates every couple of weeks

You can delete Aproposfix and WPFind
Additionally, hold onto hijackthis for awhile, after a couple weeks if everything is still running fine
Go into your add/remove programs and remove Hijackthis
and then delete the whole folder where hijackthis is located
C:\HJT <-this folder
Title: Numerous Nasties
Post by: Seamoose on December 16, 2005, 12:30:52 AM
Great

Thanks again for your help.

I haven't had any pop ups so far today so all is looking good, also I don't seem to be getting weird dodgy addresses showing up in the IE history files anymore.

I have a couple more quick questions. I am happy to get rid of NoAdware if you think it is no good - but it seems to 'catch' a lot every day - mostly 'tracking cookies'. Why is this, and is this not a threat?

Also, NoAdware still picks up something called VX2/LinkReplacer which it labels as 'severe' and about which it states 'VX2 is a variant of the netpal/transponder spyware that is responsible for browser hijacking and pop-up ads.'

Do you have any comments about this?

Thanks again, hopefully we shall be done very soon now. You deserve a medal!
Title: Numerous Nasties
Post by: guestolo on December 17, 2005, 04:49:17 AM
Sorry, I'm not a big believer in NoAdware, let me know where it is finding the traces
Show me a log!
Then we can go from there

Take a look at this link
Although they're not on the bogus list any more
Interesting reading about them
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Still, if you have a log to show me from them, let me see it please
Title: Numerous Nasties
Post by: Seamoose on December 17, 2005, 07:51:52 PM
Actually after reading the comments about NoAdware at Spyware Warrior it would seem that the version I have installed (Version 2 - newer versions cost actual money to activate) WAS actually on the shonky list so I guess the results can safely be ignored and the software uninstalled. This is the log file and I must say it looks laughable as it doesn't even name the nasties it claimed to have found and killed, including the VX2/LinkReplacer which I am starting to believe was made up entirely by the NoAdware people as I can't find that exact variant of VX2 anywhere (except for a couple of dodgy looking commercial sites) on the web, i.e. lots of VX2 variants, none of which seem to be called LinkReplacer.

[TYPE:COOKIE]

[ACTION:DELETED]

[VALUE:itc]

[TYPE:COOKIE]

[ACTION:DELETED]

[VALUE:com]

[TYPE:COOKIE]

[ACTION:DELETED]

[VALUE:statcounter]

[TYPE:COOKIE]

[ACTION:DELETED]

[VALUE:server.iad.liveperson]

[TYPE:COOKIE]

[ACTION:DELETED]

[VALUE:0]

I guess if this is no problem then we are done?

I don't seem to get any pop-ups anymore YAY! So I must thank you again - you rock Guestolo!
Title: Numerous Nasties
Post by: guestolo on December 17, 2005, 10:19:56 PM
It appears to be finding cookies, that's about it
Nothing major, just keep SpywareBlaster updated
There was a recent update on the 13th, day after you installed it

Open SpywareBlaster>>Click on the Update button
Allow to update, once loaded click the "Enable protection on all unprotected items"

I forgot about an entry in your hijackthis log
You appear to have had a program installed
Possibly by the name of "PurgeIE"

You may have uninstalled it or it may be corrupt
If this is true

Do a "System scan only" with Hijackthis and put a check next to these entries:

O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer

Back in Windows
Go to START>>RUN>>In the open field copy and paste the below command in bold then hit OK

sc delete PurgeIEservice

Can you post one last Hijackthis log please, if it's clean I'll lock this topic and let you have a good Xmas
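As an added example (not HijackThis's code and not part of the original post): a small Python triage script for the O23 service lines of a HijackThis log. It flags a service whose binary is reported "(file missing)", as with the PurgeIE entry above, and a service with no recognised owner, and emits the same "sc delete" command the post uses for the orphaned one. The sample log lines are constructed from O23 entries quoted in this thread.

```python
"""Triage O23 (service) lines from a HijackThis v1.99 log.

Added example for this thread, not HijackThis's own code. A service whose
binary is "(file missing)" is an orphaned registration (the PurgeIE case);
a service with no recognised owner is worth verifying before trusting it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# O23 - Service: <display name>[ (<service name>)] - <owner> - <path>[ (file missing)]
# HijackThis omits the bracketed service name when it equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.*?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Service:
    display: str
    name: str      # registry service name, used by "sc delete <name>"
    owner: str     # file-version company name, "" when HJT found none
    path: str
    missing: bool  # True when HJT reported "(file missing)"


def parse_o23(line: str) -> Optional[Service]:
    """Return the Service described by one O23 line, or None for other lines."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name") or m.group("display")
    return Service(m.group("display"), name, m.group("owner").strip(),
                   m.group("path"), m.group("missing") is not None)


def triage(log_text: str) -> List[Tuple[Service, str]]:
    """Return (service, reason) pairs for O23 entries that deserve a look."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        if svc.missing:
            findings.append((svc, f"binary missing, orphaned registration; "
                                  f"remove with: sc delete {svc.name}"))
        elif not svc.owner or svc.owner == "Unknown owner":
            findings.append((svc, "no recognised owner; confirm the binary's "
                                  "publisher before trusting it"))
    return findings


# Constructed sample built from O23 lines quoted in this thread.
SAMPLE_LOG = r"""
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Unknown owner - C:\Program Files\PurgeIE\PurgeIE_Service.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
"""

if __name__ == "__main__":
    for svc, reason in triage(SAMPLE_LOG):
        print(f"{svc.name}: {reason}")
```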
Title: Numerous Nasties
Post by: Seamoose on December 17, 2005, 11:19:27 PM
Good-o, here's the...

Logfile of HijackThis v1.99.1
Scan saved at 3:14:46 PM, on 18/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
C:\WINDOWS\System32\HotfixQ0306270.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\OptusNet Dial-up Internet\DSC.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\E-Color\Common\IconMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEDEAT/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SU Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\msgr.en-us.en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\System32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet Dial-up Internet\DSC.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134441134249
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {B495C654-5860-45D4-8EAA-5663B9393F33} (OVA Class) - http://go.microsoft.com/fwlink/?linkid=49480
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4645/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Leadtek Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe


I just did a CCleaner registry issue fix and it gave me a few of these:

The COM component AVG.AvgAmInternalPluginConfigGui references an invalid CLSID. These are often left behind after uninstalling software.

or very similar. As I have only just installed AVG would these be best ignored or should I blast 'em?

Thanks again :)
Title: Numerous Nasties
Post by: guestolo on December 17, 2005, 11:29:55 PM
My best bet is to ignore it, I haven't actually used CCleaner
But seeing as you just installed AVG, that entry looks legit

Your log looks good
Optionally,
You don't need this running on startup
realsched.exe
Quote
To disable tkbell.exe in the new version (1) Start RealOne Player (2) Tools - Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK

Additionally, with all other windows closed
run a scan only with hijackthis and fix these entries

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


Reboot afterwards

I'll lock this topic if you have no other problems
Let me know please

You are on dialup aren't you, or are you on DSL?
The firewall supplied with XP without the latest service pack is not that great
If you would like a better free firewall, let me know please
Title: Numerous Nasties
Post by: Seamoose on December 18, 2005, 12:26:58 AM
DSL I believe, broadband anyway.

Yeah if the firewall I have is no good then I would definitely like a better one, are there free options?

Cheers B)
Title: Numerous Nasties
Post by: guestolo on December 18, 2005, 12:43:13 AM
Yup, there's definitely free options
I use Sygate's, but unfortunately Symantec's bought it out
So it won't have any online support or updates
You can still install it I believe, I haven't uninstalled my version yet

Many other users use ZoneAlarm
Heard it may be somewhat of a resource hog however
But it's a good one

Another free version that went bye bye was Kerio's
It was very good and recommended
The great thing is that Sunbelt has come to the rescue and will be supporting it again
I'm going to add it back to the links soon
Take a look at this link
http://www.kerio.com/kpf_download.html

Or you may want to try Outpost

Here's a link to the others
http://www.thetechguide.com/forum/index.php?showtopic=15894


I'm going to leave the decision to you, all have a free version
I would opt to try Kerio Personal Firewall
I may remove Sygate's and try it myself soon
But if you do install it can you let me know what you think please
I'll leave this topic open until you post back

No matter what you decide on, once you have your Firewall installed and ready to go
Please disable the Windows XP firewall
You don't want more than one software firewall running on your computer
Just like an AV, more than one firewall can cause conflicts and decrease performance