Author Topic: Spyware infection and comp is lagging  (Read 2291 times)

Offline guestolo

« Reply #20 on: January 16, 2006, 12:02:33 AM »
Can you do the following please
Make sure that the XP's Firewall is enabled in the control panel

After that is done
I want to make sure we have some backups, in case anything goes wrong
Can you do the following
Go to START>>RUN>>In the open field
type in msconfig
Click the Launch System Restore button
Click on Create a New Restore point
Name it and click Create
When that's done

Download and save to desktop
WinsockXP Fix
In case we need it

Download and UNZIP this free registry cleaner
RegSeeker 1.45
http://www.hoverdesk.net/freeware.htm
Don't run it yet

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- McAfee.com McShield

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for these next ones too
McAfee SecurityCenter Update Manager
McAfee.com VirusScan Online Realtime Engine


Open Hijackthis>>Open misc tools section>>Open "Delete an NT service"
In the open field, copy and paste the following below in bold then hit OK

MCVSRte

Hijackthis should prompt that the service was found and to reboot your computer
Don't reboot yet
Instead, do the same for the following entries

mcupdmgr.exe

McShield

After you have entered the last one, allow the computer to reboot


Open the RegSeeker Folder and double click on RegSeeker.exe
Click on "Clean the registry"  in the left menu
Hit OK
Let it finish scanning and then ensure Backup before deletion is checked

Choose "Select all"
Right click and Delete all selected
Reboot your computer again

Back in Windows, post a fresh hijackthis log, let me know how things are running then

NOTE: If, at any time, you lose Internet connection
With all other windows closed run
WinsockFix and use the Fix option and restart your computer
If it doesn't work, go back to System Restore and restore back to the last restore point you made

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Athrin

« Reply #21 on: January 16, 2006, 01:11:41 AM »
here it is, things are going good, doesn't lag anymore but skips like every so often about 2-3 seconds but other than that, i think i'm ok

Logfile of HijackThis v1.99.1
Scan saved at 1:09:40 AM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\avant.exe
C:\Documents and Settings\CYNTHIA\My Documents\HJT\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\Search.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
« Last Edit: January 16, 2006, 01:33:41 AM by Athrin »

Offline guestolo

« Reply #22 on: January 16, 2006, 01:42:12 AM »
Some final cleanup

Do a "System scan only" with Hijackthis and put a check next to these entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Let me know how things are running after that
« Last Edit: January 16, 2006, 01:55:39 AM by guestolo »



Offline Athrin

« Reply #23 on: January 16, 2006, 01:59:44 AM »
Hmm, pretty good, it has a very very low lag like 1-2 seconds every so often, might be cuz of Avant browser and what i have up, no idea, oh well, i guess i'll fix that lol, thanks for your help :D

Offline Athrin

« Reply #24 on: January 16, 2006, 12:25:08 PM »
You know, i think the problem is we may have deleted somethin to make my comp run good and smooth w/o any lag, think that might be it?

Offline guestolo

« Reply #25 on: January 16, 2006, 03:26:48 PM »
Quote
You know, i think the problem is we may have deleted somethin to make my comp run good and smooth

I don't think that's it
When I asked you to go to services.msc

What in there did you disable
I saw entries in your log related to
Microsoft SQL Server
In one of your hijackthis logs, but not in this one?

Also, I had you run Aproposfix earlier
I'm just double checking on something
I can't stress enough that this must be run in safe mode
If that's what you did, fine, but I would like you to run it again, when you posted back the log from Aproposfix
You didn't post back the whole log

Let's try this again please
Download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
This tool must be run in safe mode
Reboot into safe mode

IN SAFE MODE
Double-click aproposfix.exe and unzip it to the desktop.  Open the aproposfix folder on your desktop and run RunThis.bat.  Follow the prompts.

Reboot back to normal mode

Post back a fresh Hijackthis log
Also, Post the WHOLE log from in the aproposfix folder>>>log.txt
Don't tell me it found nothing, let me see it for myself please
Again, if it's not run in safe mode it won't work!!!!



Offline Athrin

« Reply #26 on: January 16, 2006, 04:04:23 PM »
ok here are both things

Logfile of HijackThis v1.99.1
Scan saved at 4:03:38 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\avant.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\CYNTHIA\My Documents\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\Search.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\windows\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe



Log of AproposFix v1
 
************
 
Running from directory:  
C:\Documents and Settings\CYNTHIA\Desktop\aproposfix
 
************
 
Registry entries found:
 
 
************
 
No service found!
 
Removing hidden folder:
No folder found!
 
Deleting files:
 
 
Backing up files:
Done!
 
Removing registry entries:
 
REGEDIT4
 
 
Done!
 
Finished!

Offline guestolo

« Reply #27 on: January 16, 2006, 04:06:25 PM »
Here's the name of this thread
Quote
Spyware infection and comp is lagging
Quote
I don't think that's it
When I asked you to go to services.msc

What in there did you disable
I saw entries in your log related to
Microsoft SQL Server
In one of your hijackthis logs, but not in this one?

EDIT>>Can I get you to try something else please
Download F-Secure's BlackLight from HERE and save it to your Desktop.

Locate and double click blbeta.exe to run it - you will need to accept the license agreement.

Click the Scan button to start and then Next when it has finished scanning.(this scan won't take too long)

Let BlackLight rename the malicious files if it finds any
If prompted, don't rename wbemtest.exe which is legitimate

The tool will ask if you want to reboot (restart), choose Yes.

A text file, fsbl-date/time, will be saved to your Desktop, copy and paste this into your next post.

I may be misinterpreting what you stated, are you still having problems?
« Last Edit: January 16, 2006, 04:18:58 PM by guestolo »



Offline Athrin

« Reply #28 on: January 16, 2006, 04:17:52 PM »
I only disabled the 3 things you told me to, i tried starting it and it said it cant find the path to it

Offline guestolo

« Reply #29 on: January 16, 2006, 04:19:56 PM »
Did you see my edit above?

Also, what do you mean by this?
Quote
I only disabled the 3 things you told me to, i tried starting it and it said it cant find the path to it



Offline Athrin

« Reply #30 on: January 16, 2006, 04:35:59 PM »
yup, i saw it, the 3 mcafee things you told me to disable, i only disabled those and here is the log for you, and things are running good now, it seems my comp runs smooth, lags whenever it wants to lol

01/16/06 16:22:12 [Info]: BlackLight Engine 1.0.30 initialized
01/16/06 16:22:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/16/06 16:22:19 [Note]: 7019 4
01/16/06 16:22:19 [Note]: 7005 0
01/16/06 16:22:28 [Note]: 7006 0
01/16/06 16:22:28 [Note]: 7011 1452
01/16/06 16:22:38 [Note]: FSRAW library version 1.7.1014
01/16/06 16:24:56 [Info]: Hidden file: C:\WINDOWS\system32\drivers\i386p.sys
01/16/06 16:24:56 [Note]: 10002 1
01/16/06 16:25:26 [Info]: Hidden file: C:\WINDOWS\system32\msctl32.dll
01/16/06 16:25:26 [Note]: 10002 1
01/16/06 16:27:44 [Note]: 7007 0
« Last Edit: January 16, 2006, 04:44:12 PM by Athrin »

Offline guestolo

« Reply #31 on: January 16, 2006, 05:09:32 PM »
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Still a couple bad files
Open blbeta.exe (blacklight) again.
Click Scan>>>Next

When it's done
It will show you these next entries:

C:\WINDOWS\system32\drivers\i386p.sys
C:\WINDOWS\system32\msctl32.dll


Now select each entry and click the 'rename' button.
Do this for both.
Blacklight adds the rename to those entries.
Click next and it will tell you that those files will get renamed and if you are sure. Click
Yes>>OK
Then it will ask you to reboot.
Click yes.
Your system must reboot now.

After reboot,
Back in windows
Find and delete these next files:

C:\WINDOWS\system32\drivers\i386p.sys.ren <-this file
C:\WINDOWS\system32\msctl32.dll.ren <-this file


Post one last hijackthis log and let me know how things are running again



Offline Athrin

« Reply #32 on: January 16, 2006, 05:44:49 PM »
wow, my comp is no longer lagging, runs faster, and is great! Man, thanks a lot, if i had the money, i'd donate but you know, i'm kinda uhh...Broke right now lol i'll post here now and then, thanks ^_^

Logfile of HijackThis v1.99.1
Scan saved at 5:43:35 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\avant.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\CYNTHIA\My Documents\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\Search.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\windows\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: msctl32.dll - msctl32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
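
Added example (not part of the original thread): a short Python script that diffs two HijackThis logs the way a helper compares successive posts, using excerpts from the logs in Reply #21 and Reply #32 as sample input. Entries are compared case-insensitively because the later logs in this thread report C:\windows where the first reported C:\WINDOWS; the function names are assumptions of this example.

```python
import re

# Meaning of the HijackThis section codes that appear in this thread's logs.
SECTIONS = {
    "R0": "IE start/search page",
    "R1": "IE start/search page",
    "O4": "autostart entry",
    "O8": "IE context menu item",
    "O9": "IE extra button / Tools item",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O23": "NT service",
}

# An entry line is "<code> - <details>", e.g. "O20 - Winlogon Notify: ...".
# Header lines and the running-process list do not match and are skipped.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Sample input: excerpts copied from the logs in Reply #21 and Reply #32.
LOG_REPLY_21 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
"""

LOG_REPLY_32 = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\windows\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\windows\System32\shdocvw.dll
O20 - Winlogon Notify: msctl32.dll - msctl32.dll (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
"""


def parse_entries(log_text):
    """Map a case-folded (code, details) key to the entry as written."""
    entries = {}
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue
        code, details = match.groups()
        # Windows paths and registry keys are case-insensitive, so fold case
        # for comparison but keep the original text for display.
        entries[(code, details.casefold())] = (code, details)
    return entries


def diff_logs(before, after):
    """Return (added, removed) entries between two logs, in log order."""
    old, new = parse_entries(before), parse_entries(after)
    added = [new[key] for key in new if key not in old]
    removed = [old[key] for key in old if key not in new]
    return added, removed


def orphaned(log_text):
    """Entries HijackThis marked '(file missing)': the registry reference
    is still present but the file it points to is gone."""
    return [entry for entry in parse_entries(log_text).values()
            if entry[1].endswith("(file missing)")]


def report(before, after):
    """Format the diff as '+'/'-' lines annotated with the section meaning."""
    added, removed = diff_logs(before, after)
    lines = []
    for tag, items in (("+", added), ("-", removed)):
        for code, details in items:
            meaning = SECTIONS.get(code, "unknown section")
            lines.append(f"{tag} {code} [{meaning}] {details}")
    return lines


if __name__ == "__main__":
    for line in report(LOG_REPLY_21, LOG_REPLY_32):
        print(line)
    for code, details in orphaned(LOG_REPLY_32):
        print(f"orphaned reference: {code} - {details}")
```

On these excerpts the only new entry is the O20 line, and the AOL Toolbar entry is not reported as changed even though its path differs in case.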

Offline guestolo

« Reply #33 on: January 16, 2006, 05:53:04 PM »
Do a "System scan only" with Hijackthis and put a check next to these entries:

O20 - Winlogon Notify: msctl32.dll - msctl32.dll (file missing)


After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot and then post one final hijackthis log



Offline Athrin

« Reply #34 on: January 16, 2006, 06:09:54 PM »
k here it is

Logfile of HijackThis v1.99.1
Scan saved at 6:09:09 PM, on 1/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\avant.exe
C:\Documents and Settings\CYNTHIA\My Documents\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Documents and Settings\CYNTHIA\My Documents\Avant Browser\Search.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\windows\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

Offline guestolo

« Reply #35 on: January 16, 2006, 06:25:36 PM »
Your log looks good
Can you do the following please

If everything is running better
We should clear all your restore points to ensure you don't restore any nasties that may be residing in the
restore folders
Go to START>>RUN>>In the open field
type in msconfig
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"

Apply it and OK out of there>>Reboot your computer

Back in Windows, Go back and take the check out of Turn off system restore
This will re-enable the System Restore feature and create a new restore point

For added protection
You should install this free tool
SpywareBlaster 3.5.1 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"

In addition, open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Do this after every update

You appear to be up to date on Windows updates
Just a reminder, if you are not set to Autoupdate, make a habit of visiting Windows Updates
and check for High Priority updates a couple times a month
This is important in keeping your system secure

Stay safe :D



Offline Athrin

« Reply #36 on: January 17, 2006, 12:24:04 AM »
k, done, again, thanks a lot =)

Offline guestolo

« Reply #37 on: January 17, 2006, 12:25:24 AM »
No problem, I'll lock this topic as your problems are resolved
Take care :)
