
advmon32.exe at startup


  • This topic is locked
11 replies to this topic

#1 Need a friend

    Member

  • Full Member
  • 5 posts

Posted 24 May 2007 - 12:49 PM

I'm charged with helping an aged friend rescue his stricken PC.
After removing a gamut of viruses and trojans I now get two boxes at startup referring to advmon32.exe

One reads as follows:

Windows cannot find C:\windows\system32\advmon32.exe
Make sure you typed the name correctly then try again.

The second screen reads:


Could not load or run C:\windows\system32\advmon32.exe specified in the registry.
Make sure the file exists on your computer or remove the reference to it in your registry


HJT and AVG Spyware logs below.

Thanks for any help.


Note:

I've just replaced the original HJT log with a current one as I've removed a load of software and replaced Ewido with AVG Anti-spyware etc. As well as upgrading it to ie7


Also:

I actually posted this last October as a different member ID (http://forums.spywar...ndex.php/t86329) but the friend whose PC it is has since been very ill and not interested in his PC so I apologise to Nasdaq for not following through.

As I have now upgraded it to SP2 and ie7 I'm not sure if I should still implement Nasdaq's advice so I posted a completely new thread.

Below the current scans is the advice received from Nasdaq, which has not yet been done. I feel if this is still valid it would save an expert reassessing my HJT and AVG logs.

Many thanks.



Logfile of HijackThis v1.99.1
Scan saved at 20:32:41, on 24/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F3 - REG:win.ini: run=c:\windows\system32\advmon32.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {76454359-B46E-48D6-9EFF-98B66B247CC6} - C:\WINDOWS\System32\fna.dll (file missing)
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll (file missing)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Anyone\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [NGVLYNGN] c:\windows\system32\ngvlyngn.exe /install
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [CTFMON.EXE] C:\WINDOWS\ctfmon.exe .
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe
O4 - HKLM\..\Run: [bsz] c:\windows\bsz.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKCU\..\Run: [Unldr16] c:\windows\system32\unldr16.exe
O4 - HKCU\..\Run: [TonkaMonsterTrucks.exe] C:\DOCUME~1\Anyone\MYDOCU~1\TONKAM~1.EXE /r
O4 - HKCU\..\Run: [Sysdpt] c:\windows\system32\sysdpt.exe
O4 - HKCU\..\Run: [Super1Karting.exe] C:\DOCUME~1\Anyone\MYDOCU~1\SUPER1~1.EXE /r
O4 - HKCU\..\Run: [OutlawRacers.exe] C:\DOCUME~1\Anyone\MYDOCU~1\OUTLAW~1.EXE /r
O4 - HKCU\..\Run: [Operation.exe] C:\DOCUME~1\Anyone\MYDOCU~1\OPERAT~1.EXE /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DTR2.exe] C:\DOCUME~1\Anyone\MYDOCU~1\DTR2-dm.exe /r
O4 - HKCU\..\Run: [AddictionPinball.exe] C:\DOCUME~1\Anyone\MYDOCU~1\ADDICT~1.EXE /r
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm016
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.18...r_loader/UK.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1014660.exe
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmnk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:52:33 24/05/2007

+ Scan result:

C:\System Volume Information\_restore{C6D9E0D0-A330-4C15-85B5-1D13EFCAAABC}\RP39\A0025829.dll -> Dropper.Small.abd : Cleaned.
C:\Documents and Settings\Anyone\Cookies\anyone@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Anyone\Cookies\anyone@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Anyone\Cookies\anyone@counter.cnw[2].txt -> TrackingCookie.Cnw : Cleaned.
C:\Documents and Settings\Anyone\Cookies\anyone@toplist[1].txt -> TrackingCookie.Toplist : Cleaned.
C:\Documents and Settings\Anyone\Cookies\anyone@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end



THE ADVICE BELOW FROM Nasdaq IS 6 MONTHS OLD AND MAY NO LONGER BE VALID - ADVICE REQUESTED.


Hi,

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

You have BearShare running.
The bought version is clean of adware but not the free version.
The free version is adware loaded and can stealth install other programs.
If you wish to remove it then do it through add/remove programs.
Additional information
http://www.pestpatro...b/bearshare.asp

Disable Microsoft AntiSpyware:

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
Open Microsoft AntiSpyware
Click on Tools, Settings.
In the left pane, click on Real-time Protection
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.


After all of the fixes are complete it is very important that you enable Real-time Protection again. Better yet, uninstall it and replace it with Microsoft Windows Defender. Microsoft Antispyware has been updated and renamed Microsoft Windows Defender. You can download the new version from http://www.microsoft...re/default.mspx

Close all open Explorer windows and browsers
Run HijackThis
Click on the Scan button and when complete
Put a check beside all of the items listed below
Click on the "Fix Checked" button
When complete and all files removed, close the application.

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F3 - REG:win.ini: run=c:\windows\system32\advmon32.exe
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - (no file)
O2 - BHO: (no name) - {76454359-B46E-48D6-9EFF-98B66B247CC6} - C:\WINDOWS\System32\fna.dll (file missing)
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll (file missing)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Anyone\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [sp2ctr] c:\windows\system32\sp2ctr.exe /nocomm
O4 - HKLM\..\Run: [sncntr] c:\windows\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [NGVLYNGN] c:\windows\system32\ngvlyngn.exe /install
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\System32\MSZTCE.EXE
O4 - HKLM\..\Run: [MoreResults] C:\Program Files\MoreResults\MoreResults.exe
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe

O4 - HKLM\..\Run: [bsz] c:\windows\bsz.exe <- bsz.exe may be part of Bearshare. Check the properties of the file.
If not from Bearshare fix the item.

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause <- optional see my note.

O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKCU\..\Run: [Unldr16] c:\windows\system32\unldr16.exe
O4 - HKCU\..\Run: [Sysdpt] c:\windows\system32\sysdpt.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm016
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.18...r_loader/UK.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1014660.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmnk.dll

Open Windows explorer and delete these folders/files in bold if found.

Folders
C:\Program Files\MoreResults\
C:\Program Files\Internet Explorer\Iesearch.exe
C:\Program Files\CSBB\
C:\Program Files\BearShare\ <- optional see my note.

Files
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\DOCUME~1\Anyone\LOCALS~1\Temp\ <- delete all the files from this temporary folder. Not the folder.

c:\windows\system32\sp2ctr.exe
c:\windows\system32\sncntr.exe
c:\windows\system32\ngvlyngn.exe
C:\WINDOWS\System32\MSZTCE.EXE
c:\windows\system32\unldr16.exe
c:\windows\system32\sysdpt.exe
C:\WINDOWS\System32\wdmnk.dll
gesfm32.exe

Restart the computer to reset the registry.

Download the program Hoster to restore the default hosts file back onto your machine.
To do so, download the Hoster program and run it.
http://www.funkytoad...load/hoster.zip
When it opens, click on the Restore Original Hosts button and then exit Hoster.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, see if you can click the next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web CureIt.
Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

Include a fresh HijackThis log for review. Let me know what problems persist.

Edited by Need a friend, 26 May 2007 - 12:21 PM.
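The helpers in this thread read the HijackThis log by hand, flagging entries whose file is gone, the win.ini run= line behind the advmon32.exe startup error, autostarts from Temp or by bare file name, AppInit_DLLs, and O16 downloads from file:// or raw IP addresses. The script below is an added example, not code from the thread or from HijackThis, that applies those same checks to HJT 1.99-style lines; the sample lines are a constructed subset of the log posted above, and the note about win.ini being mapped into HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is the standard Windows NT IniFileMapping.

```python
"""Triage of HijackThis log lines, in the way the helpers above review them.

Added example for this thread (not HijackThis code and not from any post).
Flags: orphaned entries, registry-mapped win.ini run=/load= values, Run
entries loading from Temp/Recycle or by bare name, AppInit_DLLs, and O16
downloaded-program entries fetched from file:// or a raw IP address.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F3 - REG:win.ini: run=c:\windows\system32\advmon32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {76454359-B46E-48D6-9EFF-98B66B247CC6} - C:\WINDOWS\System32\fna.dll (file missing)
O4 - HKLM\..\Run: [TempLoader] C:\DOCUME~1\Anyone\LOCALS~1\Temp\Loader.EXE
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1014660.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmnk.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)


@dataclass
class Finding:
    kind: str     # HJT section code, e.g. "O4"
    target: str   # file, DLL or URL the entry loads
    reason: str   # why a helper would look at it
    line: str     # the original log line


def executable_of(cmd):
    """First program in a Run command line: quoted, ending in .exe, or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")
    if i >= 0:
        return cmd[:i + 4]          # unquoted path with spaces, up to the .exe
    return cmd.split(" ", 1)[0]


def extract_target(kind, body):
    """Pull the loaded path or URL out of the part of the line after 'Oxx - '."""
    if kind in ("R3", "O2", "O3", "O9", "O23"):
        parts = body.split(" - ", 2)          # desc - {CLSID}/vendor - path
        return parts[2] if len(parts) == 3 else ""
    if kind == "O16":
        return body.split(" - ", 1)[-1]       # DPF: {CLSID} (desc) - url
    if kind == "O20":
        return body.split(": ", 1)[-1]        # AppInit_DLLs: path
    if kind == "O4":
        return executable_of(body.split("] ", 1)[-1])   # [Name] command line
    if kind in ("F1", "F2", "F3"):
        m = re.search(r"(?:run|load)=(.*)$", body, re.I)
        return m.group(1).strip() if m else ""
    return ""


def assess(kind, target):
    """Reason to flag the entry, or None when nothing in the line stands out."""
    low = target.lower()
    if low.endswith("(no file)") or low.endswith("(file missing)"):
        return "orphaned entry: the registry still points at a file that is gone"
    if kind in ("F1", "F2", "F3"):
        # Windows NT maps win.ini [windows] run=/load= into
        # HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows; that value
        # is what the 'specified in the registry' startup error refers to.
        return "win.ini run=/load= value mapped into the registry; remove once the file is gone"
    if kind == "O4":
        if "\\temp\\" in low or "\\recycle" in low:
            return "autostart launched from a temporary or recycle location"
        if "\\" not in target:
            return "bare file name resolved via the search path; cannot be verified from the log"
    if kind == "O16" and (low.startswith("file://") or RAW_IP_URL.match(target)):
        return "downloaded-program reference from a local file or a raw IP address"
    if kind == "O20":
        return "AppInit_DLLs entry: loaded into every process that maps user32.dll"
    return None


def triage(log_text):
    """Return the Findings for every flagged line of an HJT log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        target = extract_target(kind, body)
        reason = assess(kind, target)
        if reason:
            findings.append(Finding(kind, target, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     -> {f.target}")
```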


#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 27 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 jedi

    Remember to keep a level head in hard times

  • Emeritus
  • 15,830 posts

Posted 27 May 2007 - 11:44 AM

Hi,

As you've made some changes it's best we start again, I think.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Next:

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#4 Need a friend

    Member

  • Full Member
  • 5 posts

Posted 27 May 2007 - 03:26 PM

Hi Jedi,

Thanks for helping.

Please see Dr Web, Combo Fix and (if any use) a new HJT report below.

I hope I was correct in disabling AVG Antispyware first.

Also, all references to games can be deleted apart from Quicksnooker as this is the only game my 80 year old friend wants. The PC is stripped back to basic software now and as I say, apart from Quicksnooker everything can go if necessary.

The diallers would have been "caught" by his son whose PC it used to be. I believe it never had ANY antivirus or firewall when online.

Thanks again.


Dr Web

Wet_Me!.exe;C:\WINDOWS;Dialer.Premium;Incurable.Moved.;
1on1.exe;C:\WINDOWS;Dialer.AsianRaw;Incurable.Moved.;
Loader.EX_;C:\Documents and Settings\Anyone\Local Settings\Temp;BackDoor.Ruler;Incurable.Moved.;
wmplayer.exe.tmp;C:\Program Files\Windows Media Player;Trojan.StartPage.177;Deleted.;
FILE0005.CHK;C:\FOUND.022;Probably BACKDOOR.Trojan;Incurable.Moved.;

Combofix

"Anyone" - 2007-05-27 20:51:37 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Anyone\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-27 to 2007-05-27 ))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-18 16:12:24 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{76454359-B46E-48D6-9EFF-98B66B247CC6}=C:\WINDOWS\System32\fna.dll []
{FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D}=C:\Program Files\Lycos\sst.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"navapp"="C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-09-04 18:21]
"nwiz"="nwiz.exe" [2002-05-24 05:42 C:\WINDOWS\system32\nwiz.exe]
"NVIDIA nForce APU1 Utilities"="NVATray.exe" [2002-06-18 07:25 C:\WINDOWS\system32\NVATray.exe]
"Microsoft Netview"="gesfm32.exe" []
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2002-09-20 15:16]
"Iesearch.exe"="C:\Program Files\Internet Explorer\Iesearch.exe" []
"CSV7P91"="C:\Program Files\CSBB\CSV7P91.exe" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-24 02:40]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 13:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unldr16"="c:\windows\system32\unldr16.exe" []
"TonkaMonsterTrucks.exe"="C:\DOCUME~1\Anyone\MYDOCU~1\TONKAM~1.exe" []
"Sysdpt"="c:\windows\system32\sysdpt.exe" []
"Super1Karting.exe"="C:\DOCUME~1\Anyone\MYDOCU~1\SUPER1~1.exe" []
"OutlawRacers.exe"="C:\DOCUME~1\Anyone\MYDOCU~1\OUTLAW~1.exe" []
"Operation.exe"="C:\DOCUME~1\Anyone\MYDOCU~1\OPERAT~1.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"DTR2.exe"="C:\DOCUME~1\Anyone\MYDOCU~1\DTR2-dm.exe" []
"AddictionPinball.exe"="C:\DOCUME~1\Anyone\MYDOCU~1\ADDICT~1.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Netview"=gesfm32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 15:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\wdmnk.dll


********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-27 20:54:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Microsoft Netview = gesfm32.exe?

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

********************************************************************

Completion time: 2007-05-27 20:56:16 - machine was rebooted
C:\ComboFix3.txt ... 2007-05-27 20:01
C:\ComboFix-quarantined-files.txt ... 2007-05-27 20:55
C:\ComboFix2.txt ... 2007-05-27 20:09

--- E O F ---





HJT


Logfile of HijackThis v1.99.1
Scan saved at 21:12:02, on 27/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {76454359-B46E-48D6-9EFF-98B66B247CC6} - C:\WINDOWS\System32\fna.dll (file missing)
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll (file missing)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKCU\..\Run: [Unldr16] c:\windows\system32\unldr16.exe
O4 - HKCU\..\Run: [TonkaMonsterTrucks.exe] C:\DOCUME~1\Anyone\MYDOCU~1\TONKAM~1.EXE /r
O4 - HKCU\..\Run: [Sysdpt] c:\windows\system32\sysdpt.exe
O4 - HKCU\..\Run: [Super1Karting.exe] C:\DOCUME~1\Anyone\MYDOCU~1\SUPER1~1.EXE /r
O4 - HKCU\..\Run: [OutlawRacers.exe] C:\DOCUME~1\Anyone\MYDOCU~1\OUTLAW~1.EXE /r
O4 - HKCU\..\Run: [Operation.exe] C:\DOCUME~1\Anyone\MYDOCU~1\OPERAT~1.EXE /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DTR2.exe] C:\DOCUME~1\Anyone\MYDOCU~1\DTR2-dm.exe /r
O4 - HKCU\..\Run: [AddictionPinball.exe] C:\DOCUME~1\Anyone\MYDOCU~1\ADDICT~1.EXE /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm016
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.18...r_loader/UK.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1014660.exe
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmnk.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#5 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 27 May 2007 - 04:11 PM

Hi again,

Please run Notepad and paste the following text into a new file, do not include the word ‘quote’:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Netview"=-
"Iesearch.exe"=-
"CSV7P91"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Unldr16"=-
"Sysdpt"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Netview"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-



Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Scan with HiJackThis and put a check in the box next to the following items;

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {30A56549-9D5B-4D34-AFA7-440A7F0538A9} - (no file)
O2 - BHO: (no name) - {76454359-B46E-48D6-9EFF-98B66B247CC6} - C:\WINDOWS\System32\fna.dll (file missing)
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll (file missing)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.ex
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKCU\..\Run: [Unldr16] c:\windows\system32\unldr16.exe
O4 - HKCU\..\Run: [TonkaMonsterTrucks.exe] C:\DOCUME~1\Anyone\MYDOCU~1\TONKAM~1.EXE /r
O4 - HKCU\..\Run: [Sysdpt] c:\windows\system32\sysdpt.exe
O4 - HKCU\..\Run: [Super1Karting.exe] C:\DOCUME~1\Anyone\MYDOCU~1\SUPER1~1.EXE /r
O4 - HKCU\..\Run: [OutlawRacers.exe] C:\DOCUME~1\Anyone\MYDOCU~1\OUTLAW~1.EXE /r
O4 - HKCU\..\Run: [Operation.exe] C:\DOCUME~1\Anyone\MYDOCU~1\OPERAT~1.EXE /r
O8 - Extra context menu item: &Search - http://bar.mywebsear...html?p=ZNxdm016
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} - http://198.143.27.18...r_loader/UK.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://205.177.28.16...oad/1014660.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmnk.dll


Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

Restart.

Next:

Please do the following:
Run a BitDefender Online scan Here and post the results.

Next:

Please download AVG Antirootkit Beta from here: http://www.majorgeek...tkit_d5249.html
  • Install it, and follow the prompts to restart your computer.
  • Run the program and select Perform in-depth search.
  • When it has finished, click Save result to file
  • Post the contents of the results in your reply.
Also,

Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
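As an added example (not code from this thread, nor from ComboFix or HijackThis), here is a short Python script that parses the "Reg Loading Points" section of a ComboFix report like the one posted above, lists the autostart values ComboFix could not pair with a file timestamp, and drafts a REGEDIT4 deletion file in the same `"name"=-` form as jedi's fix.reg. The sample report lines are constructed from entries in this thread; the `keep` list stands in for the reviewer's judgement, since an empty `[]` (NvCplDaemon, for instance) does not by itself make an entry malicious.

```python
"""Parse ComboFix's "Reg Loading Points" report and draft a REGEDIT4 fix file.

Added example for this thread, not ComboFix's or HijackThis's own code.
"""
import re
from collections import namedtuple

# Constructed sample, shaped like the ComboFix report quoted in the thread.
# ComboFix prints "[date time path]" after values it could match to a file
# on disk; an empty "[]" means it found no such file for that value.
SAMPLE_REPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"Microsoft Netview"="gesfm32.exe" []
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2003-09-04 18:21]
"Iesearch.exe"="C:\Program Files\Internet Explorer\Iesearch.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unldr16"="c:\windows\system32\unldr16.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Microsoft Netview"=gesfm32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\wdmnk.dll
"""

Entry = namedtuple("Entry", "key name value file_info")

# "name"=value, optionally followed by " [file info]" at the end of the line.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*?)(?:\s\[(?P<info>[^\]]*)\])?$')


def parse_reg_loading_points(report):
    """Return one Entry per registry value in the report, in file order."""
    entries = []
    key = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new registry key section begins
            continue
        match = VALUE_RE.match(line)
        if match and key:
            entries.append(Entry(key, match["name"],
                                 match["value"].strip('"'), match["info"]))
    return entries


def unverified_entries(entries):
    """Values ComboFix printed without a file timestamp (empty [] or none at all).

    These are review candidates, not verdicts: NvCplDaemon above is a
    legitimate rundll32 entry that also lacks a timestamp.
    """
    return [e for e in entries if not e.file_info]


def build_delete_reg(entries, keep=()):
    """Draft a REGEDIT4 file; '"name"=-' under a key deletes that value on merge.

    `keep` holds value names the reviewer has decided to leave alone.
    """
    by_key = {}
    for entry in entries:
        if entry.name in keep:
            continue
        by_key.setdefault(entry.key, []).append(entry.name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")              # regedit wants a blank line after each key
    return "\n".join(lines)


if __name__ == "__main__":
    candidates = unverified_entries(parse_reg_loading_points(SAMPLE_REPORT))
    for entry in candidates:
        print(f"{entry.key}\n    {entry.name} = {entry.value}")
    fix = build_delete_reg(candidates, keep=("NvCplDaemon",))
    # Regedit on XP expects an ANSI text file with CRLF line endings.
    with open("fix.reg", "w", encoding="cp1252", newline="\r\n") as handle:
        handle.write(fix + "\n")
```

Review the printed candidates against what you know of the machine before merging the file; the script only drafts the deletions, it does not decide them.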

#6 Need a friend

Need a friend

    Member

  • Full Member
  • 5 posts

Posted 28 May 2007 - 03:57 AM

Hi Jedi,

PC is now starting without Advmon32.exe error screens.

The following lines did not appear in my HJT scan so could not be removed as per your instructions.


O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.ex
O4 - HKLM\..\Run: [Iesearch.exe] C:\Program Files\Internet Explorer\Iesearch.exe
O4 - HKLM\..\Run: [CSV7P91] C:\Program Files\CSBB\CSV7P91.exe
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKCU\..\Run: [Unldr16] c:\windows\system32\unldr16.exe
O4 - HKCU\..\Run: [Sysdpt] c:\windows\system32\sysdpt.exe
O4 - HKCU\..\Run: [Operation.exe] C:\DOCUME~1\Anyone\MYDOCU~1\OPERAT~1.EXE /r
O20 - AppInit_DLLs: C:\WINDOWS\System32\wdmnk.dll


Do you think it's a good idea to get rid of Bearshare too or isn't that a problem?


I ran BitDefender and it found about 5 objects but crashed at the end and said Internet Explorer had to restart. The next scan didn't show any issues.

AVG Rootkit found no issues.


HJT below:

Logfile of HijackThis v1.99.1
Scan saved at 09:44:33, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DTR2.exe] C:\DOCUME~1\Anyone\MYDOCU~1\DTR2-dm.exe /r
O4 - HKCU\..\Run: [AddictionPinball.exe] C:\DOCUME~1\Anyone\MYDOCU~1\ADDICT~1.EXE /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by Need a friend, 28 May 2007 - 04:08 AM.


#7 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 28 May 2007 - 05:00 AM

Hi again,

That's looking a lot better.

Do you think it's a good idea to get rid of Bearshare too or isn't that a problem?

Potentially any file-sharing program is a problem, insofar as you never know what you're getting. Bearshare hasn't got a good reputation, so unless your friend is determined to use file-sharing, I would remove it. It should have an uninstaller listed in Control Panel > Add/Remove Programs. After you've run the uninstaller, delete this folder:
C:\Program Files\BearShare.

Looks like I missed a couple of games entries:

Scan with HiJackThis and put a check in the box next to the following items;

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [DTR2.exe] C:\DOCUME~1\Anyone\MYDOCU~1\DTR2-dm.exe /r
O4 - HKCU\..\Run: [AddictionPinball.exe] C:\DOCUME~1\Anyone\MYDOCU~1\ADDICT~1.EXE /r


Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

Restart.

Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread.

jedi


#8 Need a friend

Need a friend

    Member

  • Full Member
  • 5 posts

Posted 28 May 2007 - 08:50 AM

Hi Jedi,

Yes, loads better thanks.

Is it also worth taking out the other "file missing" entries in HJT?
Not being anywhere near brave enough I obviously left these for advice.

Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 14:47:07, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\NVATray.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by Need a friend, 28 May 2007 - 08:52 AM.


#9 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 29 May 2007 - 01:00 PM

Hi again,

Ok, your log looks clean.

Is it also worth taking out the other "file missing" entries in HJT?

They're harmless, so it's up to you; it won't hurt to remove them, or to leave them. But you need to get a firewall onto this PC. This article has a selection of free firewalls and how to install them.
http://www.pcworld.c...d,112920,00.asp

I also recommend using Firefox as a default browser, it is much less vulnerable than IE.
Get Firefox

I also recommend the following programs:

SpywareBlaster protects against bad ActiveX.
http://www.javacools...areblaster.html

SpywareGuard stops Spyware from being installed.
http://www.javacools...ywareguard.html

Also install the MVPS hosts file:
http://www.mvps.org/...p2002/hosts.htm
which blocks innocent looking sites that are not so innocent.

All three are very small free programs that you run once, and then just occasionally to check for updates.

Also see
How did I get Infected?

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking
here http://v4.windowsupdate.microsoft.com/
and following the prompts.

jedi


#10 Need a friend

Need a friend

    Member

  • Full Member
  • 5 posts

Posted 29 May 2007 - 03:38 PM

OK Jedi,

I'll leave the rest of the log as is and get ZoneAlarm on there.

Thanks for all the help, you're a star.

Hadn't heard of SpywareGuard or MVPS, although I used to run SpywareBlaster myself but seemingly wrongly thought Spybot S&D had a similar application integrated. Anyway, I'll get these three apps on his PC and mine too.

Speaking of Mozilla do you go with Thunderbird instead of OE?

Thanks so much again :D :thumbsup:

#11 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 29 May 2007 - 05:19 PM

Hi again,

seemingly wrongly thought Spybot S&D had a similar application integrated.

No, you're not wrong, I was just being lazy and using a 'one size fits all' speech there. :D

Speaking of Mozilla do you go with Thunderbird instead of OE?

I use M$ Office at work and home, so I'm kind of tied into Outlook. AVG's e-mail checker works well with it, and I use Agnitum Spam Terrier too.
http://www.agnitum.c...rrier/index.php
Having used both, I'd say Thunderbird is the better product.

Take care.

jedi


#12 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 08 June 2007 - 07:46 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
jedi




