• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
iamthechief

Massive Problems - MERGED 2

48 posts in this topic

I left my computer for about an hour or two and came back and had programs downloaded on it...

 

WhenUSearch

ClockSync

e2g

 

...among others. I've deleted most of (I hope) these things. I do have a few problems still.

 

1)I still get pop-ups when I load up IE

2)I can't remove e2g Plugin from my add/delete Programs

3)I can't delete the folder "Clear Search" (I'm pretty sure that's one that was added), and maybe another folder "AutoUpdate"

 

I have run Spyware Search & Destroy. I've also just run Hijack This and deleted a few more things, but the problems mentioned above remain. Here is my log:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:18:54 PM, on 5/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\documents and settings\matthew\local settings\temp\Obdo.exe

C:\WINDOWS\System32\IEHost.exe

C:\WINDOWS\System32\licmgr.exe

C:\Program Files\AutoUpdate\AutoUpdate.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Documents and Settings\Matthew\Application Data\urpo.exe

C:\WINDOWS\System32\wnststr.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Program Files\Common Files\Dpi\dpi.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\rpcss.exe

C:\Program Files\Computer Virus Programs\HijackThis.exe

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [s3nO39W] licmgr.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [rpcss] C:\WINDOWS\System32\rpcss.exe

O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Matthew\Application Data\urpo.exe

O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnststr.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: MoneySide (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8089.7588773148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Thanks for any help...

Share this post


Link to post
Share on other sites

C:\WINDOWS\SYSTEM32\DLLCACHE\ should have a copy of notepad.exe

Copy it into C:\WINDOWS and C:\WINDOWS\SYSTEM32

If not, I can email you a copy off my system which is Windows XP Pro SP1.

 

Lets start off by opening task manager.

 

Goto the Processes tab and [End Process] on these programs:

AutoUpdate.exe

IEHost.exe

dpi.exe

licmgr.exe

urpo.exe

wnststr.exe

 

I just want to be sure they can't put back their registry keys

 

I hope you haven't added any ignore entries into hijackthis, unless you're absolutely 100% confident beyond ABSOLUTELY ANY doubt, remove them from the ignore list. There's lots of cases where the spyware/hijacker makers have changed one letter of a legit program and made it look real. Or use the same name, but from a different directory.

 

Check these lines in hijackthis and [Fix], after you fix, reboot immediately into safe mode(see my instructions furthur down on what to do in safe mode, and how to get there)

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [s3nO39W] licmgr.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\Matthew\Application Data\urpo.exe

O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\System32\wnststr.exe

 

 

 

In Internet Explorer, right click on links and any other place, do you know what 'MoneySide' is? It should appear in your right-click list. If you don't have any idea what it is or you know its crapware, check this too:

O9 - Extra button: MoneySide (HKLM)

 

 

Reboot in safe mode, find and delete these files. Some files may mimic legitmate files critical to your computer properly starting. Only delete those in the folder I specify:

C:\WINDOWS\System32\wnststr.exe

C:\Documents and Settings\Matthew\Application Data\urpo.exe

C:\Program Files\Common Files\Dpi\dpi.exe

C:\Program Files\AutoUpdate\ <-- FOLDER / DIRECTORY

licmgr.exe (in C:\WINDOWS or C:\WINDOWS\SYSTEM32\)

C:\WINDOWS\System32\dp-him.exe

C:\WINDOWS\System32\IEHost.exe

 

 

To unhide hidden files:

1. open a random folder

2. Tools > Folder Options...

3. Tab marked "View"

4. In the list at the bottom of the window:

4a. Select Show hidden files and folders

4b. Uncheck Hide extensions for known file types

4c. Uncheck Hide protected operating system files (Recommended)

 

The above will offer you a full view of your system's files.

 

 

Reboot back to normal mode, reply to this topic with a new hijackthis log so we can check cleanliness.

Edited by Kevin_b_er

Share this post


Link to post
Share on other sites

I just posted that link and "Windows" is a link...it's warped to some Casino site courtesy of adserve...just an FYI in case it helps.

Share this post


Link to post
Share on other sites

I just deleted those in HiJackThis and immediately after closing it another ad popped up...here is what the address was:

 

C:\Documents and Settings\Matthew\Local Settings\Temp\~DlfnTmp2\index.html

 

I'm going to re-boot in safe mode and delete those you've stated.

Share this post


Link to post
Share on other sites

Just had a pop-up before posting this. Deleted everything you mentioned above.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:00:59 PM, on 5/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\rpcss.exe

C:\Program Files\Computer Virus Programs\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [rpcss] C:\WINDOWS\System32\rpcss.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8089.7588773148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Anything next?

Share this post


Link to post
Share on other sites

Now I can't open anything with Windows Media Player. I was able to fix the notepad.exe. How do I fix this one? Anything else I should expect?

Share this post


Link to post
Share on other sites

Just sitting here and my computer had a few more pop-ups. One didn't have an address. The other had this address, which I had earlier:

 

C:\Documents and Settings\Matthew\Local Settings\Temp\~DlfnTmp1\index.html

 

Should I go and delete this?

Share this post


Link to post
Share on other sites

Download CWShredder from here:

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

 

Run it with IE closed.

 

Use the [Fix ->] button as opposed to the [scan] button.

 

 

 

Edit:

This may take abit, you may have partially removed other infections which will now take abit of time to root out...

Edited by Kevin_b_er

Share this post


Link to post
Share on other sites

I just ran CWShredder and it RESTORED an Internet Explorer item, but I just ran a search for ~DlfnTmp and it still found both folders.

Share this post


Link to post
Share on other sites

Ok, the ~DlfnTmp2 is no good, as something else is causing it to be opened. We have to get to the source of it.

 

Hijackthis has a startuplist function, its in Config > Misc Tools

Check "List also minor sections" and "List empty sections" then click Generate StartupList Log. Post the log too. (After you've run CWShredder and rebooted)

Share this post


Link to post
Share on other sites

Just got another...

 

C:\Documents and Settings\Matthew\Local Settings\Temp\~DlfnTmp3\index.html

 

I'm going to reboot and post the log.

Share this post


Link to post
Share on other sites

Here's the log:

 

StartupList report, 5/22/2004, 11:41:41 AM

StartupList version: 1.52

Started from : C:\Program Files\Computer Virus Programs\HijackThis.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\rpcss.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Computer Virus Programs\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\Matthew\Start Menu\Programs\Startup]

*No files*

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Microsoft Works Calendar Reminders.lnk = ?

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

AdaptecDirectCD = C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe

Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe"

AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

AS00_Gear511 = C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

mmtask = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

Pcsv = C:\WINDOWS\system32\pcs\pcsvc.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

H/PC Connection Agent = "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

rpcss = C:\WINDOWS\System32\rpcss.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

[OptionalComponents]

*No values found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\scrfile\shell\open\command

 

(Default) = "%1" /S

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

 

[>{26923b43-4d38-484f-9b9e-de460746276c}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *

StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

 

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

 

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]

StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\system32\ie4uinit.exe

 

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *

StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINDOWS\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registry Editor'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

*No BHO's found*

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

*No jobs found*

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[Microsoft XML Parser for Java]

CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab

OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

 

[{00000161-0000-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/msaudio.cab

 

[{00000162-9980-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/wma9dmo.cab

 

[QuickTime Object]

InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx

CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[Yahoo! Audio Conferencing]

InProcServer32 = C:\WINDOWS\DOWNLO~1\yacscom.dll

CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

 

[{33363249-0000-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/i263_32.cab

 

[{33564D57-9980-0010-8000-00AA00389B71}]

CODEBASE = http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

 

[{41F17733-B041-4099-A042-B518BB6A408C}]

CODEBASE = http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

 

[AvxScanOnline Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX

CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8089.7588773148

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINDOWS\System32\mswsock.dll

NameSpace #2: C:\WINDOWS\System32\winrnr.dll

NameSpace #3: C:\WINDOWS\System32\mswsock.dll

Protocol #1: C:\WINDOWS\system32\mswsock.dll

Protocol #2: C:\WINDOWS\system32\mswsock.dll

Protocol #3: C:\WINDOWS\system32\mswsock.dll

Protocol #4: C:\WINDOWS\system32\rsvpsp.dll

Protocol #5: C:\WINDOWS\system32\rsvpsp.dll

Protocol #6: C:\WINDOWS\system32\mswsock.dll

Protocol #7: C:\WINDOWS\system32\mswsock.dll

Protocol #8: C:\WINDOWS\system32\mswsock.dll

Protocol #9: C:\WINDOWS\system32\mswsock.dll

Protocol #10: C:\WINDOWS\system32\mswsock.dll

Protocol #11: C:\WINDOWS\system32\mswsock.dll

Protocol #12: C:\WINDOWS\system32\mswsock.dll

Protocol #13: C:\WINDOWS\system32\mswsock.dll

Protocol #14: C:\WINDOWS\system32\mswsock.dll

Protocol #15: C:\WINDOWS\system32\mswsock.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)

Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)

Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)

Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)

ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)

RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)

Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)

AVG6 Kernel: \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys (autostart)

AVG6 Rezident Driver: \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys (autostart)

AVG6 Service: C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (autostart)

AWINDIS5 Protocol Driver: \??\C:\WINDOWS\System32\AWINDIS5.SYS (manual start)

Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

CD-ROM Driver: System32\Drivers\Cdromw2k.sys (system)

Indexing Service: C:\WINDOWS\System32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)

Microsoft AC Adapter Driver: System32\DRIVERS\CmBatt.sys (manual start)

Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)

COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Compaq PA-1 Personal Audio Player USB Driver: System32\Drivers\CPQDAP01.sys (manual start)

Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Disk Driver: System32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

dmio: System32\drivers\dmio.sys (disabled)

dmload: System32\drivers\dmload.sys (disabled)

Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)

DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

3Com 10/100 MiniPCI Ethernet Adapter Driver: System32\DRIVERS\EL556ND5.sys (manual start)

Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)

Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)

Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)

Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)

Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)

Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)

Imapi: system32\drivers\Imapi.sys (system)

IMAPI CD-Burning COM Service: C:\WINDOWS\System32\Imapi.exe (manual start)

IntelIde: System32\DRIVERS\intelide.sys (system)

IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: System32\DRIVERS\ipsec.sys (system)

IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)

PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)

Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)

TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

ESS Maestro Audio Driver (WDM): system32\drivers\es198xdl.sys (manual start)

Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)

Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)

WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)

Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)

Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)

Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)

Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)

Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)

NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: System32\DRIVERS\netbios.sys (system)

NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (manual start)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)

NETGEAR WG511T Wireless Adapter Service: System32\DRIVERS\wg511nd5.sys (manual start)

Net Logon: %SystemRoot%\System32\lsass.exe (manual start)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)

Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

nv: System32\DRIVERS\nv4_mini.sys (manual start)

nv4: System32\DRIVERS\nv4.sys (manual start)

NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)

IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)

Texas Instruments OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)

OMCI: \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS (system)

Parallel port driver: System32\DRIVERS\parport.sys (manual start)

PCI Bus Driver: System32\DRIVERS\pci.sys (system)

Pcmcia: System32\DRIVERS\pcmcia.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Processor Driver: System32\DRIVERS\processr.sys (system)

Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)

QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)

Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)

Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)

Direct Parallel: System32\DRIVERS\raspti.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)

Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)

Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Secdrv: System32\DRIVERS\secdrv.sys (manual start)

Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)

Serial port driver: System32\DRIVERS\serial.sys (system)

Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

System Restore Filter Driver: System32\DRIVERS\sr.sys (system)

System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Srv: System32\DRIVERS\srv.sys (manual start)

SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)

Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{E0A2A747-8B3E-440F-9F70-04C6AED9739C} (manual start)

Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)

Terminal Device Driver: System32\DRIVERS\termdd.sys (system)

Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)

Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Microcode Update Driver: System32\DRIVERS\update.sys (manual start)

Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)

Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)

Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)

VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)

Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)

Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)

Windows CE USB Serial Host Driver: System32\DRIVERS\wceusbsh.sys (manual start)

WDHAALBAMiniPCI Winmodem: System32\DRIVERS\WDHAALBA.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)

Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 31,144 bytes

Report generated in 0.251 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

Share this post


Link to post
Share on other sites

Check this too and [Fix] from hijackthis.

 

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 5:56:19 PM, on 5/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\system32\pcs\pcsvc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Kazaa Lite K++\KazaaLite.kpp

C:\Program Files\AIM95\aim.exe

C:\Program Files\Final Draft 6\Final Draft.exe

C:\WINDOWS\System32\rpcss.exe

C:\Program Files\Computer Virus Programs\HijackThis.exe

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [rpcss] C:\WINDOWS\System32\rpcss.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8089.7588773148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Sorry iamthechief, it is my fault for not properly fine toothing your log, and this entry has also been consistantly overlooked and was pointed out by a wonderful expert:

 

Check this one now, and [Fix]

O4 - HKCU\..\Run: [rpcss] C:\WINDOWS\System32\rpcss.exe

 

Then reboot and reply with a new hijackthis log.

 

I'm still watching this topic, you shouldn't need to bump it up every half hour if I can help it.

Share this post


Link to post
Share on other sites

No problem. Thanks for the help. Here's my log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:35:43 PM, on 5/22/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Computer Virus Programs\HijackThis.exe

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8089.7588773148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Stick with a single account on your computer. Using different accounts results in reinfection and other problems...

 

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKCU\..\Run: [rpcss] C:\WINDOWS\System32\rpcss.exe

 

Make sure these have both been checked and Fixed.

 

Then restart in Safe Mode safe mode log in with the SAME account, and delete these:

C:\WINDOWS\system32\pcs\ <--- FOLDER

C:\WINDOWS\System32\rpcss.exe

 

 

What problems are you still having?

 

Still with the same account, lets see a brand new hijackthis scan's logfile.

Share this post


Link to post
Share on other sites

I have a new problem. I have a file called adupdmanager, which is an XML document, listed in several folders. In my programs folder and even in the WINDOWS\system32 folder. I deleted a bunch of crap from there that was named StartUp Pop up and a few others that were to the side of the regular folders. I'm going to reboot and delete that pcs folder in safe mode and then post my log.

Share this post


Link to post
Share on other sites

Just deleted the PCS stuf in SAFE MODE.

 

BTW, I only have one account on my computer.

 

The program I deleted from my computer earlier (It's in the Recycle Bin) is called ADUpdater and ADStart Up. AVG and SpyBot S&D missed that stuff, from what I gather.

 

Lately I had been getting some pop-ups of Trojan Horse downloaded...somethinga about a virus name small something or other. Seemed similar to the other stuff I named earlier in this thread from the lyrics web site I was going to called singit.com or something similar.

 

How can I avoid these viruses from getting on my computer again?

 

Here is my new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 3:02:09 PM, on 6/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Computer Virus Programs\HijackThis.exe

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8089.7588773148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Thanks again

Share this post


Link to post
Share on other sites

Okay, I still get that virus pop-up from AVG. It says:

 

Virus

Trojan horse Downloader.Small.6.T

 

is found in file

C:\System Volume Infornation\_restore{lots of letters and numbers\blah\blah.exe

 

I've had AVG run before and remove what I think is this virus, but it keeps coming back. How can I get rid of it?

Share this post


Link to post
Share on other sites

Just found this popping up on my screen...

 

Virus

Virus Found JS/Psyme

 

is found in file

 

C:\Documents and Settings\...Temporary Internet Files\Content.IE5\blah\blah.js

 

It says to remove it by running AVG, which I did and AVG didn't find it. If I delete my Temporary Internet Files will it get rid of it?

Share this post


Link to post
Share on other sites

Okay, I get that virus pop-up from AVG. It says:

 

Virus

Trojan horse Downloader.Small.6.T

 

is found in file

C:\System Volume Infornation\_restore{lots of letters and numbers\blah\blah.exe

 

I've had AVG run before and remove what I think is this virus, but it keeps coming back. How can I get rid of it?

 

Also, I just found this popping up on my screen...

 

Virus

Virus Found JS/Psyme

 

is found in file

 

C:\Documents and Settings\...Temporary Internet Files\Content.IE5\blah\blah.js

 

It says to remove it by running AVG, which I did and AVG didn't find it. If I delete my Temporary Internet Files will it get rid of it?

 

Here is my Log:

 

Logfile of HijackThis v1.97.7

Scan saved at 1:01:09 PM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Computer Virus Programs\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8089.7588773148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Hi there!

 

First thing to do is clean out the internet cache. In IE, go to Tools->Internet Options. Click on "Delete Files...". Check the "Delete all offline content" box and click OK. This will get rid of the JS/Psyme virus.

 

The system restore has been infected and will have to purged.

 

Do Start->Control Panel->System, System restore. Tick "Turn off System Restore" and reboot. That will erase all restore points. After reboot, go back in and turn System Restore back on.

 

I'll look over your log and get back to you once I've determined what needs to be done next.

 

-- LB

Share this post


Link to post
Share on other sites

Go back into HijackThis and, with all browser windows closed, delete this item:

 

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe

 

Next, change settings to show hidden files (click here to see how to do this).

 

Next, reboot into safe mode (choose Restart in the shutdown menu and repeatedly hit F8 during reboot until you hit a menu. Choose Safe Mode from the menu).

 

Once there, delete the following file:

 

C:\WINDOWS\System32\Adstartup.exe

 

Finally, reboot and post a new log.

 

-- LB

Share this post


Link to post
Share on other sites

Hi! Thanks for the help!

 

I deleted temporary IE files. I did the system restore. I ran hijackthis and deleted the item, but then there was no file in safemode -- I assume it was gone b/c I deleted it earlier in hijackthis.

 

Here's my new log:

Logfile of HijackThis v1.97.7

Scan saved at 11:17:52 PM, on 6/24/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Computer Virus Programs\HijackThis.exe

 

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8089.7588773148

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Share this post


Link to post
Share on other sites

Looks like all the bad stuff is gone :D

 

There is one item that isn't bad, but should be removed because it's a resource hog:

 

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

 

I recommend downloading the following programs:

 

SpywareBlaster

 

IE-Spyad

 

MVPS Hosts

 

This will prevent much of the bad stuff from getting on your computer.

 

For IE-Spyad and MVPS Hosts, check either at their respective web sites or the Software Update forum here for update announcements.

 

I also recommend changing some of the IE settings as follows:

  • From the Tools menu in IE 6, choose Internet Options.
     
  • Click on the Privacy tab and click on the Advanced button.
     
  • In the box that pops up, check both the Override automatic cookie handling and Always allow session cookies boxes. Set First party cookies to "Allow" and Third party cookies to "Block". Click OK.

Go to the Security tab & click the Custom Level button.

 

The following ActiveX section settings should be changed as follows:

  • Download signed ActiveX controls: Prompt
  • Download unsigned ActiveX controls: Prompt
  • Initialize and script ActiveX controls not marked as safe: Disable

In the Microsoft VM section, set Java Permissions to "High Safety"

 

In the Miscellaneous section, set Installations of desktop items to "Prompt"

 

Click on the Advanced tab and uncheck both Install on demand items.

 

Click Apply, then OK

 

-- LB

Share this post


Link to post
Share on other sites

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0