Author Topic: Play Poker (Read 1339 times)

pquinn140369 · « **on:** March 27, 2005, 06:28:50 AM »

Hi there

Any help gratefully appreciated.

I cannot free myself of internet betting pop-ups - basically it's a never ending succession of randomly appearing IE pop-ups encouraging me to play "Strip-Poker: The Hottest Click on the Net", and suchlike.

AVG lists the following as the problematic executables:

wowdbe.exe
sprmover.exe
winwiz32.exe
sethcd.exe
upncont32.exe

Attempts to heal or delete do not work.

A search does not find these files.

I've downloaded the latest version of HijackThis, the log is below.

Many thanks in advance for any help you can offer.

pat q

- - - - - - - - - - - - - - - - - - - - - - - -

Logfile of HijackThis v1.99.1
Scan saved at 12:11:14, on 27/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\AVerTV DVB-T\QuickDVB-T.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAMSUNG\RF KeyboardMouse\mmkbd.exe
C:\Program Files\Opera\opera.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\AVerTV DVB-T\AVerTVDVB-T.exe
C:\WINDOWS\System32\smbdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {23E7BA68-0DCF-7155-6F32-7F334934B8F1} - corrida.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2ABB41C7-D533-4752-8D14-FFB2F05C44AF} - C:\WINDOWS\System32\kiha.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Name - {836B20C7-C69C-427D-9768-9F68B6A7CBD1} - C:\WINDOWS\System32\mslki.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll (file missing)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\dwj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [QuickDVBT] C:\Program Files\AVerTV DVB-T\QuickDVB-T.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ARC2000] "C:\Program Files\AMC2000\ARC2000\ARC2000.exe" /sysstart
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [Kargo] ssweeper.exe
O4 - HKLM\..\Run: [jopplerg] hyandex.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [pj5nn.exe] C:\WINDOWS\System32\pj5nn.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [NukeSpan] Kargo.exe
O4 - HKCU\..\Run: [browsebar] LOPTCON.exe
O4 - HKCU\..\Run: [StatusCheck] jopplerg.exe
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/361.chm::/file.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{255957FF-6189-4228-9696-446EDEFDAFCB}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABFA85B-B623-4488-B63F-4F094F03A1D1}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D35ADFE-73F7-4D28-8C13-6DDADFAB1B1B}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C016D2B-F93C-4E71-A2C8-24E812D191B0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CBD6123-8C3E-4D64-B00E-B37FE62A00F7}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{7781A1C2-EFDD-4912-9CD7-DA5894CAE6BB}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{958D06E7-559F-436A-B28B-FB9D6881F407}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3179B1F-A955-45F6-B3FA-CCF1914C781F}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{255957FF-6189-4228-9696-446EDEFDAFCB}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {8BA826E2-D352-43C8-AF45-6CB97EFA68F5} - C:\WINDOWS\System32\kiha.dll
O18 - Filter: text/plain - {8BA826E2-D352-43C8-AF45-6CB97EFA68F5} - C:\WINDOWS\System32\kiha.dll
O18 - Filter: tœ†5�ò{FÆR - {0876EEC7-1030-4744-A593-DD9185D68BAD} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�òÏTÆR - {38E496E7-D600-446C-8F10-5889513C0FE5} - C:\WINDOWS\System32\qwsxp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Guest · « **Reply #1 on:** March 27, 2005, 05:11:29 PM »

Guest · « **Reply #2 on:** March 28, 2005, 02:48:58 PM »

*bump*

Just noticed also that the pop-ups and virus warnings only seem to occur after I have kicked Windows Explorer off.

Guest · « **Reply #3 on:** March 29, 2005, 07:45:38 AM »

bump

please someone reply!

guestolo · « **Reply #4 on:** March 29, 2005, 10:07:03 AM »

Thanks for your patience, I'm off to work, I will definitely look at your log later today when I get back

Guest · « **Reply #5 on:** March 29, 2005, 03:14:23 PM »

thanks very much, much appreciated

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #6 on:** March 29, 2005, 05:19:54 PM »

Download and save Remv3.zip
[attachment=98:attachment]

UNZIP the contents too desktop>>A new Remv3 folder will be placed on the desktop

======Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Install for now, don't run a scan yet

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

Find and delete these files or folders if found
C:\WINDOWS\System32\mslki.dll <-file
C:\WINDOWS\system32\dwj.dll
C:\WINDOWS\System32\pj5nn.exe
C:\WINDOWS\System32\kiha.dll
C:\WINDOWS\System32\qwsxp.dll
C:\WINDOWS\System32\smbdins.exe
c:\nosuch.mht

Search for these next ones and remove if found
ssweeper.exe
hyandex.exe
Kargo.exe
LOPTCON.exe
jopplerg.exe

C:\Program Files\WareOut <-folder

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\PATRIC~1\LOCALS~1\Temp\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {23E7BA68-0DCF-7155-6F32-7F334934B8F1} - corrida.dll (file missing)

O2 - BHO: (no name) - {2ABB41C7-D533-4752-8D14-FFB2F05C44AF} - C:\WINDOWS\System32\kiha.dll (file missing)

O2 - BHO: Name - {836B20C7-C69C-427D-9768-9F68B6A7CBD1} - C:\WINDOWS\System32\mslki.dll
O2 - BHO: Tubby - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll (file missing)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\dwj.dll

O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765721316} - C:\WINDOWS\System32\wer1316.dll (file missing)

O3 - Toolbar: Search Toolbar - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - C:\WINDOWS\System32\MTC.dll (file missing)
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iesp2.dll (file missing)

O4 - HKLM\..\Run: [Kargo] ssweeper.exe
O4 - HKLM\..\Run: [jopplerg] hyandex.exe

O4 - HKLM\..\RunOnce: [pj5nn.exe] C:\WINDOWS\System32\pj5nn.exe /k

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [NukeSpan] Kargo.exe
O4 - HKCU\..\Run: [browsebar] LOPTCON.exe
O4 - HKCU\..\Run: [StatusCheck] jopplerg.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/bltd/361.chm::/file.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{255957FF-6189-4228-9696-446EDEFDAFCB}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABFA85B-B623-4488-B63F-4F094F03A1D1}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D35ADFE-73F7-4D28-8C13-6DDADFAB1B1B}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C016D2B-F93C-4E71-A2C8-24E812D191B0}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CBD6123-8C3E-4D64-B00E-B37FE62A00F7}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{7781A1C2-EFDD-4912-9CD7-DA5894CAE6BB}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{958D06E7-559F-436A-B28B-FB9D6881F407}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3179B1F-A955-45F6-B3FA-CCF1914C781F}: NameServer = 69.50.176.156,195.225.176.31
O17 - HKLM\System\CS1\Services\Tcpip\..\{255957FF-6189-4228-9696-446EDEFDAFCB}: NameServer = 69.50.176.156,195.225.176.31
O18 - Filter: text/html - {8BA826E2-D352-43C8-AF45-6CB97EFA68F5} - C:\WINDOWS\System32\kiha.dll
O18 - Filter: text/plain - {8BA826E2-D352-43C8-AF45-6CB97EFA68F5} - C:\WINDOWS\System32\kiha.dll
O18 - Filter: tœ†5�ò{FÆR - {0876EEC7-1030-4744-A593-DD9185D68BAD} - C:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�òÏTÆR - {38E496E7-D600-446C-8F10-5889513C0FE5} - C:\WINDOWS\System32\qwsxp.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Again, in safe mode
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet

Instead
Open the Remv3 folder you unzipped earlier and Double click on Remv3.bat
Let it finish, it will produce a log, we'll need this later

Restart back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab==Reset home page

If you have trouble connecting to Internet after
This is important
With all browser windows closed
Access your Control Panel
If your in Category View>>Switch to Classic View
- Double-click the Network Connections icon.
- Right-click your connection >>>Probably Local Area Connection icon and select Properties.
- Highlight Internet Protocol (TCP/IP) and click the Properties button.
If you don't need to enter a DNS server address with your ISP
Be sure "Obtain DNS server address automatically' is selected. OK your way out.

Restart your computer again and come back here and post a fresh hijackthis log
Also the log produced from Remv3.bat>>C:\log.txt

Guest · « **Reply #7 on:** March 30, 2005, 11:30:10 AM »

Hi there.

Many thanks for the help. Fresh logs as requested:

HIJACKTHIS
.................

Logfile of HijackThis v1.99.1
Scan saved at 17:25:49, on 30/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\AVerTV DVB-T\QuickDVB-T.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAMSUNG\RF KeyboardMouse\mmkbd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a1surf.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\0jlgbr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [QuickDVBT] C:\Program Files\AVerTV DVB-T\QuickDVB-T.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [6gz4vbo.exe] C:\WINDOWS\System32\6gz4vbo.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [6gz4vbo.exe] C:\WINDOWS\System32\6gz4vbo.exe /k
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

REMV3
.........

Files Found.................
----------------------------------------
run_dos.dll
rdspclips.exe
sprestrst.exe
tsmsetup.exe
opensdl.exe
opensdl2.exe

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is TMZ10T-4
Volume Serial Number is 4070-D69D

Directory of C:\WINDOWS\system32

06/02/2005 00:21 19,984 hdmev.dll
1 File(s) 19,984 bytes
0 Dir(s) 147,044,958,208 bytes free
msi.dll
Finished

guestolo · « **Reply #8 on:** March 30, 2005, 05:04:32 PM »

Let's try the following

Go and delete C:\WINDOWS\system32\hdmev.dll <-this file

Next:Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as Fix.reg

Code: [Select]

REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{A78860C8-EE1A-46DF-A97F-E3E6D433E80B}]

[-HKEY_CLASSES_ROOT\software\microsoft\windows\currentversion\explorer\browser helper objects\{A78860C8-EE1A-46DF-A97F-E3E6D433E80B}]

[-HKEY_CURRENT_USER\software\adtomi]

Save this file on the desktop, well need this later, don't run it yet

===Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
It may check for updates when installing but don't run a scan yet

Access your Add\Remove programs and remove if found
Adtomi

Additionally,
If you see a Red yahoo stock task bar icon
RightClick on it
choose remove-while being online!
A web page from Adtomi should appear
"-uninstall was succesful!"

--Restart computer into safe mode

Find and delete these files if found
C:\WINDOWS\System32\6gz4vbo.exe <-file
C:\WINDOWS\system32\0jlgbr.dll <-file

Stay in safe mode
Double click on Fix.reg and allow to merge to the registry

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

If either of the next 2 are not preferred, fix them also
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.a1surf.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tiny.com

Carry on
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\0jlgbr.dll

O4 - HKLM\..\RunOnce: [6gz4vbo.exe] C:\WINDOWS\System32\6gz4vbo.exe /k

O4 - HKCU\..\RunOnce: [6gz4vbo.exe] C:\WINDOWS\System32\6gz4vbo.exe /k

O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Remv3.bat again in safe mode

Open Ad-Aware
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Restart back to Normal mode

Post back a fresh Hijackthis log afterwards and the log from Remv3.bat

Guest_pquinn140369_* · « **Reply #9 on:** April 06, 2005, 04:59:44 PM »

Hi

Sorry for the delay in replying. Thanks for your help so far.

Here are the logs as requested:

Hijackthis
-----------

Logfile of HijackThis v1.99.1
Scan saved at 22:52:45, on 06/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [QuickDVBT] C:\Program Files\AVerTV DVB-T\QuickDVB-T.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Remv3
--------

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C is TMZ10T-4
Volume Serial Number is 4070-D69D

Directory of C:\WINDOWS\system32

msi.dll
Finished

guestolo · « **Reply #10 on:** April 06, 2005, 07:22:51 PM »

How is everything running? Looks ok

But can you repost a new hijackthis log from a scan in Normal mode, you appeared to post the log from safe mode, thanks

Guest · « **Reply #11 on:** April 18, 2005, 04:09:20 PM »

Hi There

As requested, HijackThis log in normal mode.

Sorry for the delay again, work keeps me away from home a lot. Many thanks once more for all the help to date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Logfile of HijackThis v1.99.1
Scan saved at 22:05:08, on 18/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\AVerTV DVB-T\QuickDVB-T.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAMSUNG\RF KeyboardMouse\mmkbd.exe
C:\Program Files\SmartM\BlueOpal\Utilities\ObexDefaultServer.exe
C:\Program Files\SmartM\BlueOpal\Utilities\ObexDefaultServer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Opera\opera.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [QuickDVBT] C:\Program Files\AVerTV DVB-T\QuickDVB-T.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [BlueTray] C:\Program Files\SmartM\BlueOpal\Utilities\BlueTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

pquinn140369 · « **Reply #12 on:** April 23, 2005, 09:59:57 AM »

guestolo · « **Reply #13 on:** April 23, 2005, 02:21:33 PM »

Looks good

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Because some time past since your last hijackthis log
After doing the above can I see one more hijackthis log and ensure it still looks clean

TheTechGuide Forum

News:

Author Topic: Play Poker (Read 1339 times)

pquinn140369

Play Poker

Guest

Play Poker

Guest

Play Poker

Guest

Play Poker

guestolo

Play Poker

Guest

Play Poker

guestolo

Play Poker

Guest

Play Poker

guestolo

Play Poker

Guest_pquinn140369_*

Play Poker

guestolo

Play Poker

Guest

Play Poker

pquinn140369

Play Poker

guestolo

Play Poker