Jump to content
Sign in to follow this  
gary

Trojan Advice

Recommended Posts

Hi all.

Put this in wrong forum, hope someone can help while I've still got hair left :pullhair:

Go easy with me I'm not that advanced !!!! :geezer:

 

I have unfortunatly been infected with a couple of trojans. One was trojanspy:\win32/VBStat.E. The other appears to have been Trojan Juan or Vundo !!! Even though at the time I was running Windows One Care ( I have now deleted and gone back to AVG). I have run various spyware programs and they have found various malware etc. But none have got rid of it. Ad aware seems to have got rid of the trojans but I still get rogue web pages opening up whilst I'm on line and Ad aware seems to always pick up 10 critical objects and removes them. I now have windows defender running permenantly and a spyware program called Counterspy running but still rogue sites load up. AVG dosnt detect any threats. I've load Hijack This and attached log file as people seem to do. Am I missing a trick somewhere?????

I hope someone can help. I also appear to have lost my Windows firewall so I've got zonealarm on at moment!

Thanks hopefully Gary

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 7:05:42 PM, on 15/04/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\GtDetectSc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=0

O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"

O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKCU\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk846LDAU

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gazaroogaryyoungman.spaces.live.com...ad/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174984518416

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159359276984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{32345A5B-5197-4FAA-BD68-3A241230F360}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{326C13FD-7C1A-4855-9113-F8DA51F5F93B}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{53D0FB29-9332-4F6B-A28C-9B7BA03554CC}: Domain = qld.bigpond.net.au

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Share this post


Link to post
Share on other sites

Hi and welcome

 

 

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

 

Open Windows Defender.

Click on Tools, General Settings.

Scroll down and uncheck Turn on real-time protection (recommended).

After you uncheck this, click on the Save button and close Windows Defender.

 

After all of the fixes are complete it is very important that you enable Real-time Protection again

 

 

Please disable CounterSpy, as it may hinder in fixing of some HijackThis entries. You can re-enable it after you're clean.

To disable CounterSpy:

  • Right Click on the CounterSpy Icon located in your system tray.
  • With your mouse, hover over Active Protection Status (This should be enabled)
  • A menu will slide out, then right click on Disable Active Protection
Once your log is clean please re-enable CounterSpy

 

 

 

Go to your Add/Remove programs list in the Control panel, Look for and uninstall these Programs

 

MySearch....

MyTotalSearch

MyWay

MyWay Search Assistant

MyWay Speed Bar

MyWebSearch

MyWebSearch Bar

Outlook Tools by Hotbar

Search Assistant – MySearch

Search Assistant – MyWebSearch

SpywareBot <--is a so called antispywarescanner with a bad reputation, present on this blacklist: I recommend you uninstall it.

http://www.spywarewarrior.com/rogue_anti-s...re.htm#products

Anything you don't recognize or ask me.

 

 

Using windows explorer search for and delete these files/folders in bold

C:\Program Files\SpywareBot <--folder

C:\PROGRAM FILES\MYWEBS~1\bar\2.bin\m3SrchMn.exe <--file

===================================================

 

 

We need to rename HJT to something else, the infection is hiding.

 

Right click on HJT and select rename....rename it to gary.exe or Juliet.exe or ABC123.exe anything will work.

 

 

 

Please download VundoFix.exe

to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above

instructions starting from "Click the Scan for Vundo button." when

VundoFix appears at reboot.

 

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE)6u1 1.6.0_01-b06 (Vista Compatible Java)
  • Scroll to Java Runtime Environment (JRE) 6u1 and click on the download button
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

    Go to Start > Control Panel double-click on the Software icon > add/remove programs.

    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have this icon next to it: Posted Image

    Select it and click Remove.

  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

 

In your next reply I need:

C:\vundofix.txt

New HJT log

Comments on how things are running now

Share this post


Link to post
Share on other sites

Hi Juiet, I bet everyone says this but your an Angel.

Have done all you asked. The programs you asked me to uninstall were not there in list. SpywareBot was. I,ve deleted all that it will let me delete but one will not delete. There's also a mention of SpywareBot in my security center when I open that up. If you click on it, it says open but when you try it opens a list of programs to open it with so I've left it for now. Maybe needs looking for in registry !!!??? Windows firewall is still nowhere to be seen !? I've installed the latest Java update as requested. Here are the two logs you asked for. Once again thanks for time and help. You people need rewarding. Everything is stable at the moment.

Cheers Gary

 

Logfile of HijackThis v1.99.1

Scan saved at 3:45:53 PM, on 16/04/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\GtDetectSc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Garythis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\hycfhiok.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {87CE5283-63F0-4752-A8EB-9825826A4EF1} - C:\WINDOWS\system32\sstqn.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: (no name) - {D15EFFBE-61EE-480B-9507-25264732DE0F} - C:\WINDOWS\system32\urqnmlk.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=0

O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"

O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKCU\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk846LDAU

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gazaroogaryyoungman.spaces.live.com...ad/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174984518416

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159359276984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{32345A5B-5197-4FAA-BD68-3A241230F360}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{326C13FD-7C1A-4855-9113-F8DA51F5F93B}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{53D0FB29-9332-4F6B-A28C-9B7BA03554CC}: Domain = qld.bigpond.net.au

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll (file missing)

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

 

VundoFix V6.3.19

 

Checking Java version...

 

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.9

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.10

 

Java version is 1.5.0.11

 

Scan started at 3:25:44 PM 16/04/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\byxutrq.dll

C:\WINDOWS\system32\hycfhiok.dll

C:\WINDOWS\system32\iiffcdc.dll

C:\WINDOWS\system32\kacrtwai.dll

C:\WINDOWS\system32\nnnlklk.dll

C:\WINDOWS\system32\nqtss.bak1

C:\WINDOWS\system32\nqtss.bak2

C:\WINDOWS\system32\nqtss.ini

C:\WINDOWS\system32\rnearljj.dll

C:\WINDOWS\system32\sstqn.dll

C:\WINDOWS\system32\udrmkxho.dll

C:\WINDOWS\system32\urqnmlk.dll

C:\WINDOWS\system32\vtutsrp.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\byxutrq.dll

C:\WINDOWS\system32\byxutrq.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\hycfhiok.dll

C:\WINDOWS\system32\hycfhiok.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\iiffcdc.dll

C:\WINDOWS\system32\iiffcdc.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\kacrtwai.dll

C:\WINDOWS\system32\kacrtwai.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nnnlklk.dll

C:\WINDOWS\system32\nnnlklk.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nqtss.bak1

C:\WINDOWS\system32\nqtss.bak1 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nqtss.bak2

C:\WINDOWS\system32\nqtss.bak2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nqtss.ini

C:\WINDOWS\system32\nqtss.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rnearljj.dll

C:\WINDOWS\system32\rnearljj.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\sstqn.dll

C:\WINDOWS\system32\sstqn.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\udrmkxho.dll

C:\WINDOWS\system32\udrmkxho.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\urqnmlk.dll

C:\WINDOWS\system32\urqnmlk.dll Could not be deleted.

 

Attempting to delete C:\WINDOWS\system32\vtutsrp.dll

C:\WINDOWS\system32\vtutsrp.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\urqnmlk.dll

C:\WINDOWS\system32\urqnmlk.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

Edited by gary

Share this post


Link to post
Share on other sites

Welcome back

 

I'm not familiar with this program PC Tools AntiVirus?

 

Was this a trial offer?,,,or is Counter Spy connected to this?

Reason being you have Grisoft\AVG7 installed, and if your running two Antivirus programs your actually decreasing your protection.

Let me know.

 

 

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

 

Open Windows Defender.

Click on Tools, General Settings.

Scroll down and uncheck Turn on real-time protection (recommended).

After you uncheck this, click on the Save button and close Windows Defender.

 

After all of the fixes are complete it is very important that you enable Real-time Protection again

 

 

Please disable CounterSpy, as it may hinder in fixing of some HijackThis entries. You can re-enable it after you're clean.

To disable CounterSpy:

Right Click on the CounterSpy Icon located in your system tray.

With your mouse, hover over Active Protection Status (This should be enabled)

A menu will slide out, then right click on Disable Active Protection

Once your log is clean please re-enable CounterSpy

 

 

You need to remove these older versions of Java from your Add/Remove programs in the control panel

 

Java version is 1.4.2.3

Java version is 1.5.0.6

Java version is 1.5.0.9

Java version is 1.5.0.10

Java version is 1.5.0.11

 

Reboot when done

 

 

 

Start the computer in Safe Mode:

-Restart your computer.

-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys

-Press Enter to boot into Safe Mode.

 

 

Open HJT and click scan only, place a check by these entries

 

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\hycfhiok.dll (file missing)

O2 - BHO: (no name) - {87CE5283-63F0-4752-A8EB-9825826A4EF1} - C:\WINDOWS\system32\sstqn.dll (file missing)

O2 - BHO: (no name) - {D15EFFBE-61EE-480B-9507-25264732DE0F} - C:\WINDOWS\system32\urqnmlk.dll (file missing)

O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=0

O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKCU\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk846LDAU

O20 - Winlogon Notify: gebcc - C:\WINDOWS\system32\gebcc.dll (file missing)

O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)

 

Close all windows and browsers except HJT and click fix checked

 

 

Configure Windows Explorer to show hidden files and folders and go after them again.(Remember to Hide files and folders once done.

 

To enable viewing of hidden files as follows:

1) Go to My Computer, and click on the "Tools" menu

2) Click "Folder options"

3) Select the "View" tab

4) Make sure "Show hidden files and folders" is selected

5) Make sure "Hide extensions for known file types" is unchecked

6) Make sure "Hide protected operating system files (recommended)" is unchecked.

 

 

Using windows explorer search for and delete these files/folders in bold

 

C:\Program Files\SpywareBot <-folder

C:\Program Files\MY Web Search Scope Monitor <-folder

 

 

Reboot back to normal mode.

 

 

Please download ATF Cleaner by Atribune and save it to your desktop.

 

 

 

Download AVG Anti-Spyware 7.5 from Here

And save that file to your desktop.

[*]Once you have downloaded AVG anti-spyware, locate the icon on the your desk top and double-click it to launch the set up program.

[*]Once the setup is complete you will need run AVG Anti-Spyware 7.5 and definition files.

[*]On the main screen select the icon "Update then select the"Update Now" link.

  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
*Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.

*Once in the Settings screen click on "Recommended Actions" and then select "Quarantine". <--VERY IMPORTANT"

*Under "Reports"

Select "Automatically generate report after every scan"

Un-Select "Only if threats were found"

 

Close AVG Anti-Spyware 7.5, Do not run a scan yet.

 

 

Reboot your computer into Safe Mode. Tap the F8 key just before Windows starts to load and select Safe Mode from the menu.

 

 

 

Double-click ATF-Cleaner.exe to run the program.

  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 

 

 

Important.. Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning proccess:

  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan"tab then click on "Complete Scan".
  • AVG will now begin the scanning process, be patient this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system, (Make sure to remember where you have saved the file, this is important.
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can can continue to use as an on-demand scanner or you may purchase a license to use the full version.

 

 

 

 

You should not rely on just the Windows XP firewall when there are firewalls that are free for personal use that are better, the Windows XP firewall only checks incoming data.

If you decide to download and install another Firewall....please disable Windows Firewall.

Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.

Sygate free firewall

ZoneAlarm free firewall

Outpost free Firewall

Comodo

Kerio Personal Firewall

Jetico Personal Firewall

 

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

For a tutorial on Firewalls and a listing of some available ones see the link below

http://www.bleepingcomputer.com/tutorials/tutorial60.html

 

 

 

 

In your next reply I need:

AVG A/S log

New HJT log

Comments on how things are running now

Share this post


Link to post
Share on other sites

Hi Juliet,

All things done as asked. PC Tools Antivirus was a trial scanner I downloaded when I was first having problems with One Care. I thought I'd deleted it all !! Counterspy is also now uninstalled or is supposed to be ! So I should have only AVG anti virus and Windows Defender running as protection. I have Ad Aware for scans when needed. Which Firewall do you recommend? I tried Zonealarm but I ended up with some wireless connection problems. Dont know if this was related to my problems though.

On the AVG front I already have it downloaded but couldnt seem to find the automatically print logs thing ? I did the scan in safe mode and it came up with Error on boot sector of disk C - reading error and C:\WINDOWS\System32\ntoskrnl.exe - Status Changed and Result Changed. Hope that helps. I had already removed all Java entries apart from last update. HJT recent log below. All seems to be running quicker than usual and the screen definition seems sharper to me, dont know if this is my tired eyes or your much appreciated help. Anyway thanks and heres last log.

Cheers Gary.

 

Logfile of HijackThis v1.99.1

Scan saved at 4:20:45 PM, on 17/04/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\GtDetectSc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Garythis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"

O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gazaroogaryyoungman.spaces.live.com...ad/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174984518416

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159359276984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{32345A5B-5197-4FAA-BD68-3A241230F360}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{326C13FD-7C1A-4855-9113-F8DA51F5F93B}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{53D0FB29-9332-4F6B-A28C-9B7BA03554CC}: Domain = qld.bigpond.net.au

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Share this post


Link to post
Share on other sites

Welcome back Gary

 

Glad the computer is doing better.

C - reading error and C:\WINDOWS\System32\ntoskrnl.exe - Status Changed and Result Changed

AVG is one of those Antivirus scanners that highlights those system files being changes, especially after you have possibly just done some Windows Updates.

On the AVG front I already have it downloaded but couldnt seem to find the automatically print logs thing

There is confusion over the scan I requested.

AVG Anti-Spyware is a different program, it carries the name AVG but it is not an Antivirus, but a spyware scanner and, compatible with most other Antivirus programs as well. It is used in conjunction with an Antivirus scan.

 

 

Please read the information I supplied for Firewall protection.

 

 

Using windows explorer search for and delete this folder in bold

C:\vundofix\backups

 

 

So let's try this again.

 

Please download ATF Cleaner by Atribune and save it to your desktop.

 

 

 

Download AVG Anti-Spyware 7.5 from Here

And save that file to your desktop.

[*]Once you have downloaded AVG anti-spyware, locate the icon on the your desk top and double-click it to launch the set up program.

[*]Once the setup is complete you will need run AVG Anti-Spyware 7.5 and definition files.

[*]On the main screen select the icon "Update then select the"Update Now" link.

  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
*Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.

*Once in the Settings screen click on "Recommended Actions" and then select "Quarantine". <--VERY IMPORTANT"

*Under "Reports"

Select "Automatically generate report after every scan"

Un-Select "Only if threats were found"

 

Close AVG Anti-Spyware 7.5, Do not run a scan yet.

 

 

Reboot your computer into Safe Mode. Tap the F8 key just before Windows starts to load and select Safe Mode from the menu.

 

 

 

Double-click ATF-Cleaner.exe to run the program.

  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 

 

 

Important.. Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning proccess:

  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan"tab then click on "Complete Scan".
  • AVG will now begin the scanning process, be patient this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system, (Make sure to remember where you have saved the file, this is important.
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can can continue to use as an on-demand scanner or you may purchase a license to use the full version.

 

 

In your next reply I need:

AVG A/S log

New HJT log

Comments on how things are running now

Share this post


Link to post
Share on other sites

Hi Juliet, back again.

Sorry bout the confusion on the AVG. Comp still running well. Had a blip on shut down yesterday. Came up with a blue screen and : An Error Has Been Detected - IRQ_NOT_LESS_OR_EQUAL. tech info stop: 0x0000000A ( 0x000000C4, 0x00000002, 0x00000001, 0x80541ACD). Dont know what this was about. Did a reset with power button and loaded up and shut down ok. Hasnt done it since ?? Explorer didnt find c:\vundofix\backups. I noticed when it scans it seems to go through all the files twice and theres a thing called pchealth on there that I havnt put on. Unless it was done by Dell when I bought comp!!! Theres no program file for it.

Anyway here are the logs required, once again your help is very much appreciated.

Cheers Gary.

 

Logfile of HijackThis v1.99.1

Scan saved at 3:49:15 PM, on 18/04/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\GtDetectSc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\ehome\ehtray.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\eHome\ehRecvr.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Garythis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"

O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: Digital Line Detect.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gazaroogaryyoungman.spaces.live.com...ad/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1174984518416

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159359276984

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay102.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15026/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{32345A5B-5197-4FAA-BD68-3A241230F360}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{326C13FD-7C1A-4855-9113-F8DA51F5F93B}: Domain = qld.bigpond.net.au

O17 - HKLM\System\CCS\Services\Tcpip\..\{53D0FB29-9332-4F6B-A28C-9B7BA03554CC}: Domain = qld.bigpond.net.au

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe

O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 3:44:03 PM 18/04/2007

 

+ Scan result:

 

 

 

C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).

 

 

::Report end

 

Thought this would be longer !!!

Share this post


Link to post
Share on other sites

Welcome back

 

Your logs are clean, good job.

 

Open HJT and click scan only, place a check by this entry

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

 

Close all windows and browsers except HJT and click fix checked

Reboot to set the registry

 

pchealth on there that I havnt put on. Unless it was done by Dell when I bought comp

Sure was but, it's not malicious.

 

I didn't detect any active process of a firewall on your system. I provided information earlier in this thread with choices of free Firewalls, please consider downloading and installing one to secure your PC.

 

Stop 0x0000000A or IRQL_NOT_LESS_OR_EQUAL messages are generally due to faulty or incompatible hardware or software.

Generally the blue screen references a file or driver which is causing the problem, Take a look in Event Viewer (right click My Computer icon > Manage > Event Viewer) and look in System and Application for error messages flagged with a yellow or red exclamation mark. Double click on the Error message to open and see if any information is provided with troubleshooting links.

 

I can supply you with a few Troubleshooting links, you can read over and check to see if they apply here.

 

Troubleshooting a Stop 0x0000000A error in Windows XP

http://www.updatexp.com/stop-messages.html

http://support.microsoft.com/default.aspx?...b;en-us;Q314063

 

I do see several items loading at startup that could be set to disabled to free up resourcces and boost performance. If you would like information as to which ones let me know.

 

We can disable AVG A/S shield to free up resources.

Disabling AVG AS Shield:

By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.

When the PC has been cleaned you can activate the shield again, if you wish.

Click the Shield icon at the top and under "Resident shield is" click active. This should now change to inactive.

 

 

Other then that your good to go.

 

 

Below I have included a number of recommendations to protect your computer in order to prevent future malware infections.

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Install and Update SpywareBlaster protects against bad ActiveX, browser hijackers, and dialers that are some of the fastest-growing threats on the Internet today.

Tutorial

 

IE-SPYAD puts over 5000 sites in your restricted zone so you will be protected when you visit innocent-looking sites that aren't actually innocent at all.

Tutorial

 

Install and Update SpyBot Search&Destroy Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

Tutorial

Run on a regular basis

 

Install and Update Ad-Aware SE Personal

You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

Tutorial

Run on a regular basis

 

Update all these programs regularly . Without regular updates you will not be protected when new malicious programs are released.

And to run them regularly as this can prevent a great deal of spyware hassle.

 

Please take the time to read this article with suggestions and information on 'Safe Computing Practices.'

So how did I get infected in the first place.

Another valueable article to read Dealing with Unwanted Spyware and Parasites

 

 

Read through the information found here, to help you prevent any possible future infections.

How to prevent Malware' by miekiemoes:

http://users.telenet.be/bluepatchy/miekiem...prevention.html

 

And if you want to improve speed/system performance after malware removal, take a look

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Share this post


Link to post
Share on other sites

Once again Juliet many thanks for your time and patience.

 

Will do final fix, and will download a firewall now.

If theres some programs I can disable all help would be gratefully recieved.

 

Thanks again my guardian angel.

 

PS Comodo firewall now installed.

Edited by gary

Share this post


Link to post
Share on other sites

Welcome back Gary

Glad all is going well and you downloaded a Firewall.

 

Here's the final step.

 

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

 

Open Windows Defender.

Click on Tools, General Settings.

Scroll down and uncheck Turn on real-time protection (recommended).

After you uncheck this, click on the Save button and close Windows Defender.

 

After all of the fixes are complete it is very important that you enable Real-time Protection again

 

 

Open HJT and click scan only, place a check by these entries

 

The following are not malware, but fixing them with HijackThis will improve your system's speed. None are necessary at startup, and may be started manually at any time. This is up to you.

 

 

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe

(This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. Dell taskbar icon allowing you to quickly change settings.)

 

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

(Related to Digital camera and can be run on demand)

 

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

(Camera Monitor from Sonix belonging to PC Camera Monitor Application, a non essential item can be disabled to free up resources)

 

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

(Not dangerous, but unnecessary. Part of the USB driver for your Fuji digital cameras - used when uninstalling the USB drivers, erasing all entries from the registry. Only required BEFORE attempting to uninstall the Fuji software or the uninstall may not work correctly.)

 

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

(This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.)

 

O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

(performance improvement program that runs while executing optimizations. Not required at startup)

 

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

(If you don't use Windows Messenger, this can be annoying. Available via Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts")

 

O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R

(This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.)

 

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

(This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.)

 

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

(This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources.)

 

O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN

(Related to PC TOOLS Antivirus software---Your log shows your also running and using Grisoft\AVG7, either disable this program or uninstall it)

 

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

(CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features.)

 

O4 - Global Startup: Bluetooth Manager.lnk = ?

(The entry is unnecessary and can be fixed.)

 

O4 - Global Startup: Digital Line Detect.lnk = ?

(The entry is an unnecessary Dell program and can be fixed.)

 

Close all windows and browsers except HJT and click fix checked

 

Reboot to set the registry

 

Using windows explorer search for and delete this folder in bold

C:\Program Files\PC Tools AntiVirus <-if also uninstalled from Add/Remove programs

 

This should do it!

Safe Surfing

Share this post


Link to post
Share on other sites

Hi Juliet,

Tried to remove the suggested links but got an error message

 

Unexpected error occurred!

Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

 

Please send a report to [email protected], mentioning what you were doing, and what version of Windows you have.

 

Tried to send to merijn but my email wont send it !!!?

 

Thanks for all your help, with a bit of luck I wont need it again !!! :rofl2::cr@sh:

Share this post


Link to post
Share on other sites

Welcome back

Appears to be a little glitch, nothing to worry about.

Safe Surfing

Share this post


Link to post
Share on other sites

Since this topic appears resolved, this thread is closed.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  

×
×
  • Create New...