Help getting rid of some viruses



#1 Narut.Haruno (New Member, 6 posts)
Hello. Well, I seem to be getting capped on my internet very quickly when I don't download the amount I am allowed.
I have a lot of viruses, but they are hard to remove.

I have 6 svchost.exe in my Task Manager processes list, and one of them, named Windows Management Instrumentation, is at Mem Usage 21,xxx K sometimes, but always more Mem Usage than explorer.exe.
When I try to end process it with Task Manager, it says access denied, so I use Security Task Manager to end process it, and it works, but it re-opens after some time.

When I turn my computer on and go to Task Manager, there is an update.exe opening/closing, re-opening/re-closing.
When I end process it with Task Manager, it says access denied, so I use Security Task Manager to end process it, and it works, but when I restart/shut down and turn it back on, it's back again. (Also, when trying to close this, I have to end process explorer.exe for it to stay off, but then I can re-open explorer.exe.)

I have many viruses; some are:
WIN32_TROJANDOWNLOADER_CONHOOK
PRORAT
BookedSpace
and many, many more.
Could anyone help me get rid of some/all of them?

Edited by Narut.Haruno, 21 December 2006 - 05:41 AM.



#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon, then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box, click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.
  • Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


#3 Narut.Haruno (Topic Starter, New Member, 6 posts)
WOW, that was fast.
Here's the log:


Logfile of HijackThis v1.99.1
Scan saved at 10:47:57 PM, on 21/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
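An added example, not HijackThis code and not from the posts: the log above is line-oriented and regular enough to triage by script. The block parses the "Running processes" list and the R/O entries, checks that each core Windows binary (svchost.exe included) runs from its expected directory, and reports entries whose target is "(file missing)" or "(no file)" as well as O4 autoruns that start something outside an assumed allow-list. The sample is a constructed excerpt of the posted log plus one O4 line built from the Uret Run value that ComboFix reports later in the thread; EXPECTED_DIR and AUTORUN_ALLOWED_PREFIXES are assumptions for a default C:\WINDOWS install.

```python
"""Parse a HijackThis v1.99 log and flag what a triage analyst reads first.

Added example for this thread: not HijackThis code, not from the posts.
SAMPLE_LOG is a constructed excerpt of the log posted above plus one O4 line
built from the "Uret" Run value ComboFix reports later in the thread.
EXPECTED_DIR and AUTORUN_ALLOWED_PREFIXES are assumptions (default
C:\\WINDOWS install) that an analyst tunes for the machine at hand."""
import ntpath
import re
from dataclasses import dataclass, field

# Where the core XP binaries live; a same-named process anywhere else is suspect.
EXPECTED_DIR = {name: "c:\\windows\\system32" for name in (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "alg.exe")}
EXPECTED_DIR["explorer.exe"] = "c:\\windows"
# Directories an O4 autorun command normally points into (assumed allow-list).
AUTORUN_ALLOWED_PREFIXES = ("c:\\program files\\", "c:\\windows\\system32\\")

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
"""
# Constructed line (not in the posted HijackThis log): the Run value ComboFix
# reported under HKEY_USERS, written the way HijackThis prints an O4 entry.
SAMPLE_LOG += r'O4 - HKUS\.DEFAULT\..\Run: [Uret] "C:\WINDOWS\MCROSO~1\arpa.exe" -vt yazr' + "\n"

@dataclass
class Triage:
    processes: list = field(default_factory=list)  # (path, looks_ok)
    entries: list = field(default_factory=list)    # (kind, body)
    findings: list = field(default_factory=list)   # human-readable notes

def executable_of(cmd):
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def triage(log_text):
    result, in_processes = Triage(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line ends the process list
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            directory, name = ntpath.split(line)
            expected = EXPECTED_DIR.get(name.lower())
            ok = expected is None or directory.lower() == expected
            result.processes.append((line, ok))
            if not ok:
                result.findings.append(f"process {name} runs from {directory}, expected {expected}")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        result.entries.append((kind, body))
        # Target no longer on disk: leftover of an uninstall or a removal.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            result.findings.append(f"{kind} orphaned entry: {body}")
        o4 = O4_RE.match(body) if kind == "O4" else None
        if o4:
            exe = executable_of(o4.group("cmd")).lower()
            if not exe.startswith(AUTORUN_ALLOWED_PREFIXES):
                result.findings.append(
                    f"O4 [{o4.group('name')}] in {o4.group('hive')} runs {exe} outside the allow-list")
    return result

if __name__ == "__main__":
    for note in triage(SAMPLE_LOG).findings:
        print(note)
```

The process check is the one that bears on the six svchost.exe instances: the first thing to verify is not how many there are but that every one runs from %SystemRoot%\system32, which they do in the posted log. A clean path is only a first check (it says nothing about code injected into a legitimate process), and the orphaned entries the script reports (the AVG guard service and the msnim protocol handler) are exactly the ones the log itself marks as "(file missing)".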

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

The svchost are normal; I have six running right now.

The HijackThis log looks fine, although I don't see an antivirus running. Let's take a deeper look at the computer.

Please download ComboFix and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When it's done running, it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#5 Narut.Haruno (Topic Starter, New Member, 6 posts)
Hey
Note: Once ComboFix started and I pressed Y and Enter, my desktop items disappeared, and it just showed my taskbar, ComboFix, and background.
Well, here are the results:


Administrator - 06-12-21 23:01:42.28 Service Pack 2
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\WINDOWS\MCROSO~1
C:\qoobox\purity\WINDOWS\MCROSO~1\MCROSO~1


((((((((((((((((((((((((((((((( Files Created from 2006-11-21 to 2006-12-21 ))))))))))))))))))))))))))))))))))


2006-12-21 20:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2006-12-21 19:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2006-12-20 22:51 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2006-12-20 19:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\FFSJ
2006-12-19 18:09 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2006-12-19 18:09 77,312 --a------ C:\WINDOWS\system32\msiexec.exe
2006-12-19 18:09 44,032 --a------ C:\WINDOWS\system32\msisip.dll
2006-12-19 18:09 331,264 --a------ C:\WINDOWS\system32\msihnd.dll
2006-12-19 18:09 2,804,224 --a------ C:\WINDOWS\system32\msi.dll
2006-12-19 18:08 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-19 18:08 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-12-19 18:08 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-18 17:19 <DIR> d-------- C:\Program Files\kesus
2006-12-18 17:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2006-12-18 09:04 <DIR> d-------- C:\Program Files\Telstra
2006-12-18 09:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-12-17 10:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2006-12-16 22:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2006-12-16 22:19 <DIR> d-------- C:\Documents and Settings\Administrator\.thumbnails
2006-12-16 22:10 <DIR> d-------- C:\Documents and Settings\Administrator\.gimp-2.2
2006-12-16 22:09 <DIR> d-------- C:\Program Files\GIMP-2.0
2006-12-16 22:07 <DIR> d-------- C:\Program Files\Common Files\GTK
2006-12-16 21:13 <DIR> d-------- C:\Program Files\MSN Messenger
2006-12-16 20:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-12-16 20:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2006-12-16 15:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-12-16 13:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Real
2006-12-16 13:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft
2006-12-16 00:53 <DIR> d-------- C:\Program Files\Common Files\xing shared
2006-12-09 14:21 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-12-09 14:21 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-12-09 14:21 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-12-09 14:21 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2006-12-09 14:21 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2006-12-09 14:21 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-12-09 14:21 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-12-09 14:20 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-12-09 14:20 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2006-12-09 14:20 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-12-09 14:20 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-12-09 14:20 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-12-09 14:20 345,088 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-12-09 14:20 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-12-09 14:20 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-12-09 14:20 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-12-09 14:20 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-12-09 14:20 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-12-09 14:20 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-12-09 14:20 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-12-09 14:20 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-12-07 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Desktop
2006-12-05 17:22 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2006-12-05 17:22 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-12-05 17:22 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2006-12-05 17:22 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-12-05 17:22 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-12-05 17:22 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-12-03 18:44 <DIR> d-------- C:\Program Files\themexp
2006-12-03 18:32 441 --a------ C:\bootbak.bat
2006-12-03 17:51 <DIR> d-------- C:\Program Files\Stardock
2006-12-03 03:22 699,674 --a------ C:\WINDOWS\unins000.exe
2006-12-03 03:22 <DIR> d-------- C:\WINDOWS\system32\FFSJ
2006-12-02 17:06 <DIR> d-------- C:\Downloads
2006-12-02 16:37 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-12-02 15:51 <DIR> d-------- C:\Program Files\Common Files\Thraex Software
2006-12-02 03:15 514,560 --a------ C:\WINDOWS\system32\logonui22.exe
2006-12-02 02:42 3,569,664 --a------ C:\WINDOWS\system32\kakashi.exe
2006-12-02 02:36 514,560 --a------ C:\WINDOWS\system32\logonui2.exe
2006-12-02 02:36 514,560 --a------ C:\WINDOWS\system32\logonui.exe
2006-12-02 01:40 3,734,016 --a------ C:\WINDOWS\system32\1logonui.exe
2006-12-01 08:44 <DIR> d-------- C:\Program Files\SpeedOptimizer
2006-11-27 19:20 205,312 --a------ C:\WINDOWS\system\Patchw32.dll
2006-11-27 19:04 184,320 --a------ C:\WINDOWS\system\COMDLG32.DLL
2006-11-26 21:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NFS Underground
2006-11-26 20:36 <DIR> d-------- C:\Program Files\Common Files\DirectX
2006-11-26 20:29 <DIR> d-------- C:\Program Files\EA GAMES
2006-11-26 17:48 <DIR> d-------- C:\Program Files\mslovr
2006-11-25 15:51 <DIR> d-------- C:\Program Files\UZUMAKI
2006-11-25 15:21 <DIR> d--h----- C:\Documents and Settings\All Users\Templates
2006-11-25 15:21 <DIR> d-------- C:\Program Files\Symantec
2006-11-24 20:21 <DIR> d-------- C:\Program Files\Audacity


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-21 22:47 -------- d-------- C:\Program Files\Hijackthis
2006-12-21 22:42 -------- d-------- C:\Program Files\INAC
2006-12-21 20:41 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-12-21 20:23 -------- d-------- C:\Program Files\Mozilla Firefox
2006-12-20 22:59 -------- dr------- C:\Program Files\Windows Media Player
2006-12-19 10:13 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2006-12-19 10:13 -------- d-------- C:\Program Files\BitComet
2006-12-18 09:04 -------- dr------- C:\Program Files\Common Files
2006-12-17 21:01 -------- d-------- C:\Program Files\Java
2006-12-16 12:54 -------- d-------- C:\Program Files\Online Services
2006-12-16 00:53 -------- d-------- C:\Program Files\Common Files\Real
2006-12-15 23:27 -------- dr------- C:\Program Files\Common Files\Microsoft Shared
2006-12-12 21:28 -------- d-------- C:\Program Files\Nexon
2006-12-12 18:21 -------- d-------- C:\Program Files\MAIET
2006-12-09 14:21 -------- d-------- C:\Program Files\Windows NT
2006-12-06 20:54 -------- d-------- C:\Program Files\FlashGet
2006-12-02 15:36 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-02 15:36 -------- d-------- C:\Program Files\QuickTime
2006-11-26 20:36 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-26 17:58 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-11-21 09:16 -------- d-------- C:\Program Files\Grisoft
2006-11-19 11:49 -------- d-------- C:\Program Files\DAEMON Tools
2006-11-19 10:57 -------- d-------- C:\Program Files\Security Task Manager
2006-11-18 10:10 -------- d-------- C:\Program Files\Real
2006-11-18 10:09 -------- d-------- C:\Program Files\Creative
2006-11-18 10:08 -------- d-------- C:\Program Files\Common Files\Adobe
2006-11-18 10:06 -------- d-------- C:\Program Files\Adobe
2006-11-18 10:05 -------- d-------- C:\Program Files\Yahoo!
2006-11-18 10:05 -------- d-------- C:\Program Files\InterActual
2006-11-18 10:05 -------- d-------- C:\Program Files\Easy DVD Maker
2006-11-18 10:05 -------- d-------- C:\Program Files\DVD Burning Xpress
2006-11-18 10:05 -------- d-------- C:\Program Files\DivX
2006-11-18 10:05 -------- d-------- C:\Program Files\AIM95
2006-11-18 10:04 -------- d-------- C:\Program Files\WinAVIVideoConverter
2006-11-18 10:04 -------- d-------- C:\Program Files\BearFlix
2006-11-18 10:03 -------- d-------- C:\Program Files\NO
2006-11-18 10:03 -------- d-------- C:\Program Files\FLVPlayer
2006-11-18 10:03 -------- d-------- C:\Program Files\Common Files\Java
2006-11-18 10:02 -------- d-------- C:\Program Files\gHEYIPOD
2006-11-18 10:02 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-18 10:01 -------- d-------- C:\Program Files\Nokia
2006-11-18 10:01 -------- d-------- C:\Program Files\Dachshund Software
2006-11-18 10:01 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-18 10:00 -------- d-------- C:\Program Files\WIZET
2006-11-18 10:00 -------- d-------- C:\Program Files\Seaaa
2006-11-18 10:00 -------- d-------- C:\Program Files\Internet Explorer
2006-11-18 09:58 -------- d-------- C:\Program Files\DVD Shrink
2006-11-18 09:58 -------- d-------- C:\Program Files\Analog Devices
2006-11-18 09:57 -------- d-------- C:\Program Files\iPodsdsds
2006-11-18 01:07 -------- d-------- C:\Program Files\Ahead
2006-10-27 18:53 18610 --a------ C:\WINDOWS\system32\ddes361.dll
2006-10-27 18:34 18610 --a------ C:\WINDOWS\system32\kbdrdu.dll
2006-10-27 18:28 25600 --a------ C:\WINDOWS\system32\NeroCheck.exe
2006-10-27 18:28 25600 --a------ C:\WINDOWS\system32\igfxtray.exe
2006-10-24 15:10 3082 --a------ C:\WINDOWS\system32\affv9869p2now.sys
2006-10-23 20:42 397312 --a------ C:\WINDOWS\NGLFunc.dll
2006-10-21 00:58 -------- d-------- C:\Program Files\BearShare Applications
2006-10-19 12:04 823296 --a------ C:\WINDOWS\nmconew.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BigPondCable"="\"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r"
"WMC_AutoUpdate"=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,3e,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Uret"="\"C:\\WINDOWS\\MCROSO~1\\arpa.exe\" -vt yazr"
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Uret"="\"C:\\WINDOWS\\MCROSO~1\\arpa.exe\" -vt yazr"
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\LimeWire On Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LIMEWI~1\\LimeWire.exe -startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigPondCable]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bpcable"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DAP"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1154745383\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\igfxtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IPHSend"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxHome]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SAGUI"
"hkey"="HKLM"
"command"="C:\\Program Files\\Prevx Home2\\SAGUI.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="smax4pnp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Zone Labs\\ZoneAlarmPa\\zlclient.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ewido anti-spyware 4.0 guard"=dword:00000002
"AVGEMS"=dword:00000002
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"MDM"=dword:00000002
"SVCHOST"=dword:00000002
"NBService"=dword:00000003
"iPodService"=dword:00000003
"Adobe LM Service"=dword:00000003

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

Completion time: 06-12-21 23:05:29.67
C:\ComboFix.txt ... 06-12-21 23:05
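An added example, not ComboFix's code and not from the posts. Two things in the ComboFix log above are worth correlating by script: the folders it quarantined under C:\qoobox\purity, and the Run values it lists under Reg Loading Points, in particular the Uret value in HKEY_USERS\.default and HKEY_USERS\S-1-5-18 that still points at C:\WINDOWS\MCROSO~1\arpa.exe. Those two hives are the LocalSystem profile rather than an interactive user's, so a Run value there is unusual apart from the default ctfmon.exe entry. The block also parses the Svchost group list from the same log, which is why several svchost.exe instances are normal: every service group with a running service gets its own svchost.exe. The sample is a constructed excerpt of the posted log; the mapping of quarantine paths back to C:\ and the ctfmon-only allow-list are assumptions.

```python
"""Correlate ComboFix's Reg Loading Points with the folders it quarantined and
list which services each svchost.exe group hosts.

Added example for this thread: not ComboFix code, not from the posts.
SAMPLE_REPORT is a constructed excerpt of the log posted above. Assumptions:
the quarantine under C:\\qoobox\\purity\\ mirrors the original tree, and
ctfmon.exe is the only Run value expected in HKEY_USERS\\.default and
HKEY_USERS\\S-1-5-18 (the LocalSystem profile, not an interactive user's)."""
import ntpath
import re
from dataclasses import dataclass, field

QUARANTINE_PREFIX = "c:\\qoobox\\purity\\"
LOCALSYSTEM_HIVES = ("hkey_users\\.default", "hkey_users\\s-1-5-18")
LOCALSYSTEM_ALLOWED = {"ctfmon.exe"}     # assumption; tune per machine

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<val>.*)$')
SVCHOST_RE = re.compile(r"^(?P<group>\S+) REG_MULTI_SZ (?P<list>\S*)$")

SAMPLE_REPORT = r"""
Folders Quarantined:
C:\qoobox\purity\WINDOWS\MCROSO~1
C:\qoobox\purity\WINDOWS\MCROSO~1\MCROSO~1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BigPondCable"="\"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe\" /r"
"WMC_AutoUpdate"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Uret"="\"C:\\WINDOWS\\MCROSO~1\\arpa.exe\" -vt yazr"
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Uret"="\"C:\\WINDOWS\\MCROSO~1\\arpa.exe\" -vt yazr"
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
"""

@dataclass
class Analysis:
    quarantined: list = field(default_factory=list)   # paths mapped back under C:\
    run_values: list = field(default_factory=list)    # (key, name, command)
    svchost_groups: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)      # (key, name, exe, reasons)

def reg_string(val):
    """Decode a .reg-style "..." value; None for dword:/hex:/other types."""
    if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
        return re.sub(r"\\(.)", r"\1", val[1:-1])
    return None

def executable_of(cmd):
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def under(path, folder):
    p, f = path.lower(), folder.lower()
    return p == f or p.startswith(f + "\\")

def analyse(report):
    a, key = Analysis(), ""
    lines = [l.strip() for l in report.splitlines()]
    a.quarantined = ["C:\\" + l[len(QUARANTINE_PREFIX):] for l in lines
                     if l.lower().startswith(QUARANTINE_PREFIX)]
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = SVCHOST_RE.match(line)
        if m and key.lower().endswith("\\svchost"):
            a.svchost_groups[m.group("group")] = [s for s in m.group("list").split("\\0") if s]
            continue
        m = VALUE_RE.match(line)
        if not (m and key.lower().endswith("\\run")):
            continue
        cmd = reg_string(m.group("val"))
        if not cmd:                       # empty or non-string value
            continue
        name, exe = m.group("name"), executable_of(cmd)
        a.run_values.append((key, name, cmd))
        reasons = []
        if any(under(ntpath.dirname(exe), q) for q in a.quarantined):
            reasons.append("target folder was quarantined by ComboFix")
        if key.lower().startswith(LOCALSYSTEM_HIVES) and ntpath.basename(exe).lower() not in LOCALSYSTEM_ALLOWED:
            reasons.append("autorun in the LocalSystem (.default / S-1-5-18) profile")
        if reasons:
            a.findings.append((key, name, exe, reasons))
    return a

if __name__ == "__main__":
    result = analyse(SAMPLE_REPORT)
    for key, name, exe, reasons in result.findings:
        print(f"{key}\n  {name} -> {exe}: {'; '.join(reasons)}")
    for group, services in result.svchost_groups.items():
        print(f"svchost group {group}: {', '.join(services)}")
```

On the sample the script reports the two Uret values with both reasons and leaves ctfmon.exe and the HKLM/HKCU entries alone. It only identifies left-over autoruns; it removes nothing, and the thread's own procedure (post the logs and let the helper decide what to fix) still applies.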

#6 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi Narut.Haruno

Is there another account on this computer? I don't see much wrong other than a few registry entries we can correct. What is telling you that you have all these viruses, and is there a report available that you can post?

#7 Narut.Haruno (Topic Starter, New Member, 6 posts)
I have an account called All Users, but so does everyone else.
Well, there is another account called Blake Thomas, and when I was on it, I tried to go on admin, but it said access denied. But one day I was on Blake Thomas, I restarted, and then I was on Administrator, and I tried to go back on Blake Thomas, and now that is access denied.


And for the results containing the viruses posted in my first post: I scanned them today with Ad-Aware SE Personal. Also, I downloaded this anti-virus called Spyware Nuker XT or something; Ad-Aware SE Personal says it's a virus. What do you think?

#8 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hi

Unfortunately Spyware Doctor won't save a report. Don't get Spyware Nuker.

I'm going to edit your last post to get rid of the pictures, just to clean our thread up a bit and save us some scrolling, not because I didn't appreciate them.

Try this for me; it takes an hour but is very good.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site, click the Scan your PC button
  • A new window will open... click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click Send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component, allow it
  • It will start downloading the files it requires for the scan (Note: it may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report, and save it to a convenient location. Post the contents of the ActiveScan report along with a new HijackThis log.


#9 Narut.Haruno (Topic Starter, New Member, 6 posts)
Oh, well, I checked in User Accounts and there isn't a Blake Thomas, only admin and guest.
Delete this pic once looked.
Also, I don't have iexplorer installed, and I can't download from microsoft.com because mine isn't genuine, so where should I go? Because Firefox can't be used at http://www.pandasoft.../activescan.htm
Well, this is my disk, but I've let my friends use the CD key, so can I delete them off and make me genuine again?

Edited by Narut.Haruno, 21 December 2006 - 08:00 AM.
