Junk [RESOLVED]


  • This topic is locked

#1
BRAV0872

BRAV0872

    Member

  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:47:09 PM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common

Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\hrea\rtel.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Gill\Desktop\FIX\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,SearchURL =

http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://www.searchman...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start

Page = http://www.searchmaniacs.net/
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,SearchURL =

http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =

http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet

Explorer\Search,CustomizeSearch =

http://www.searchmaniacs.net/
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =

http://www.searchman...net/search.html
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,CustomizeSearch =

http://www.searchmaniacs.net/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) -

{53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio -

{8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar -

{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program

Files\Juno6\Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck]

C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe

D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [yaemu.exe]

C:\WINDOWS\System32\yaemu.exe
O4 - HKLM\..\Run: [RegSvr32]

C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC]

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program

Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]

"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program

Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [Dnqi] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Yahoo! Pager]

C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Bhso] C:\Program Files\hrea\rtel.exe
O8 - Extra context menu item: Display All Images with

Full Quality - res://C:\Program

Files\Juno6\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full

Quality - res://C:\Program

Files\Juno6\qsacc\appres.dll/227
O9 - Extra button: (no name) -

{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -

C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF:

START_PAGE_URL=http://www.cyberpowersystem.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer

Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer

Zone, should be Internet Zone (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

http://software-dl.r...398119/netzip/R

dxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61}

(HouseCall Control) -

http://a840.g.akamai...001/housecall.t

rendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

(ActiveScan Installer Class) -

http://www.pandasoft...5free/asinst.ca

b
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} -

http://213.200.210.1...1/US732_150.exe
O17 -

HKLM\System\CCS\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B65

3-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O17 -

HKLM\System\CCS\Services\Tcpip\..\{44FB98C1-338A-4DDE-914

1-E44FDD0D76C6}: NameServer = 69.50.176.198,85.255.112.12
O17 -

HKLM\System\CS1\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B65

3-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O23 - Service: AOL Connectivity Service (AOL ACS) -

America Online, Inc. -

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) -

GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido

networks - C:\Program Files\ewido\security

suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service

(WANMiniportService) - America Online, Inc. -

C:\WINDOWS\wanmpsvc.exe

  • 0



#2
BRAV0872

BRAV0872

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Little Help....................

Edited by BRAV0872, 21 August 2005 - 06:21 PM.

  • 0

#3
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi

We are sorry to have missed your log due to traffic on the site.

I will help you clean your PC. In order to proceed I need the latest HJT log.

Run Hijack This. Click on Scan. Once the scan is complete, click on Save log. The log will be saved and will simultaneously open in Notepad as a text file.

Click on Format in the Notepad toolbar. Make sure that the "Wordwrap" is unchecked. If it is checked then click on it.

Now copy and paste the entire text file in your next reply.
  • 0

#4
BRAV0872

BRAV0872

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:41:26 PM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\hrea\rtel.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Gill\Desktop\FIX\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchman...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaniacs.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaniacs.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchman...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaniacs.net/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno6\Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [Dnqi] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Bhso] C:\Program Files\hrea\rtel.exe
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cyberpowersystem.com
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.1...1/US732_150.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{44FB98C1-338A-4DDE-9141-E44FDD0D76C6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I also have yahoo messenger and quicktime that I don't use anymore but can't seem to get rid of.

Thanks
  • 0

#5
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

You have a few infections and it will take a few iterations to clean up your PC.

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchman...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchman...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmaniacs.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchman...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaniacs.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchman...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchmaniacs.net/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O4 - HKCU\..\Run: [Dnqi] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Bhso] C:\Program Files\hrea\rtel.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {FFCEABDA-C04E-7F4A-E9B6-DFA72B2F49FB} - http://213.200.210.1...1/US732_150.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
C:\Program Files\hrea

Files
C:\WINDOWS\System32\yaemu.exe
C:\WINDOWS\System32\??rss.exe (make sure not to delete csrss.exe, which is a Windows system file. If you find more than one csrss.exe file, then make a note of the properties of each file, viz. file size and date created, and let me know in your next reply.)

D0CE0C16B1.dll

(Search for this file using the Windows Search function)


Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch. It will open the folder Prefetch. Delete all the files in that folder. Don't delete the folder, only the files in it !!!!!!!!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.
  • 0

#6
BRAV0872

BRAV0872

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi,


I had downloaded and run the CleanUp and Ewido Security Suite programs just prior to posting the previous Hijack This file.

Ran Hijack This.

Restarted in Safe Mode.

Ran Ewido full scan, here is the log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:09:22 PM, 8/22/2005
+ Report-Checksum: E888DE32

+ Scan result:

C:\eied_s7.cab/eied_s7_c_33.exe -> TrojanDownloader.Mediket.ar : Error during cleaning
C:\ied_s7.cab/ied_s7_c_80.exe -> TrojanDownloader.Mediket.r : Error during cleaning
C:\WINDOWS\winr.js:fbfpz -> TrojanDownloader.Agent.cd : Cleaned with backup
C:\x.cab/explorer.exe -> TrojanDownloader.Agent.ec : Error during cleaning


::Report End


Deleted hrea.

During the fix, in the case of C:\WINDOWS\System32\yaemu.exe, I did not see the file.

Did not delete csrss.exe as it was the only ??rss.exe file found.

Search for D0CE0C16B1.dll file using the Windows Search function produced no results.

Deleted 91 Prefetch files!

Logfile of HijackThis v1.99.1
Scan saved at 8:44:22 PM, on 8/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Gill\Desktop\FIX\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.juno...sessiontimedout
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno6\Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cyberpowersystem.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{44FB98C1-338A-4DDE-9141-E44FDD0D76C6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#7
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop. Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Delete the files -
C:\eied_s7.cab
C:\ied_s7.cab
C:\WINDOWS\winr.js
C:\x.cab


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the contents of the smitfiles.txt log.
  • 0

#8
BRAV0872

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Thanks again.

Downloaded smitRem.exe and saved the file to a desktop folder.

Added a shortcut to Panda ActiveScan.

Rebooted in SafeMode.

Deleted the files
eied_s7
ied_s7
winr
x

Ran smitRem tool, disk cleanup was quick.

"Security Info" not present.

Restart, full system scan with Panda ActiveScan.


Incident Status Location

Adware:adware/ncase No disinfected C:\WINDOWS\SYSTEM32\saieau.dat
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/favoriteman No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Spyware:spyware/iehelp No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ipreg32.inf
Adware:adware/elitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\OSD149F.OSD
Adware:adware/sidestep No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe02a.inf
Spyware:spyware/fstb No disinfected C:\dimitxx.chm
Adware:adware/gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Adware:adware/superspider No disinfected C:\WINDOWS\mssys.com
Dialer:dialer.xd No disinfected C:\WINDOWS\switchagreement.txt
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\GILL\FAVORITES\Forbidden Conversations.url
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Windows SyncroAd
Adware:adware/statblaster No disinfected C:\PROGRAM FILES\MEDIA\Media
Spyware:spyware/heterofind No disinfected C:\spe
Adware:adware/cws.yexe No disinfected C:\WINDOWS\inet10079
Adware:adware/mediatickets No disinfected Windows Registry
Spyware:Spyware/Fstb No disinfected C:\alexeyman.chm[htm2chm_explorer]
Dialer:Dialer.NE No disinfected C:\alexeyman.chm[d_alexeyman.exe]
Dialer:Dialer.NQ No disinfected C:\dimitxx.chm[on-line.exe]
Virus:Exploit/CodeBase.S No disinfected C:\dimitxx.chm[1.htm]
Spyware:Spyware/Fstb No disinfected C:\dimitxx.chm[htm2chm_explorer]
Virus:Trj/Downloader.ZS Disinfected C:\ied_s7m.cab
Dialer:Dialer.NG No disinfected C:\info6_s.cab
Dialer:Dialer.NG No disinfected C:\info6_s.cab[Information.exe]
Dialer:Dialer.ZE No disinfected C:\info6_s.cab[Information_s.INF]
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Virus:Trj/Multidropper.MZ Disinfected C:\WINDOWS\1b207.txt
Virus:Trj/Multidropper.MZ Disinfected C:\WINDOWS\3e8.txt
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ActiveX.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\DeskAdX.dll.tcf
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx.tcf
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.INF
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\istactivex.inf
Spyware:Spyware/ISTBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.5\istactivex.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\DeskAdX.dll.tcf
Dialer:Dialer.PK No disinfected C:\WINDOWS\Downloaded Program Files\EPlugin.inf
Spyware:Spyware/Iehelp No disinfected C:\WINDOWS\Downloaded Program Files\ipreg32.inf
Adware:Adware/PurityScan No disinfected C:\WINDOWS\Downloaded Program Files\start.INF
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\WinAdServX.dll.tcf
Virus:Trj/Bookmark.B Disinfected C:\WINDOWS\hh.htt
Adware:Adware/Startpage.CDA No disinfected C:\WINDOWS\mssys.com
Dialer:Dialer.Gen No disinfected C:\WINDOWS\switchagreement.txt
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Possible Virus. No disinfected C:\WINDOWS\temp\ASHeuristic\ProcessViewer.exe.vir




Logfile of HijackThis v1.99.1
Scan saved at 7:40:32 PM, on 8/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Gill\Desktop\FIX\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.juno...sessiontimedout
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno6\Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cyberpowersystem.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{44FB98C1-338A-4DDE-9141-E44FDD0D76C6}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




smitRem log file
version 2.3

by noahdfear

The current date is: Tue 08/23/2005
The current time is: 18:48:32.84

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

wp.bmp
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

sites.ini


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :( Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~
  • 0

#9
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,



Reboot the PC in Safe Mode.

To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shut down My Computer.
  • Now your computer is configured to show all hidden files.

Delete the following files -

C:\WINDOWS\hh.htt
C:\WINDOWS\mssys.com
C:\WINDOWS\switchagreement.txt
C:\WINDOWS\GatorHDPlugin.log-old.log
C:\WINDOWS\mssys.com
C:\WINDOWS\switchagreement.txt
C:\WINDOWS\woinstall.exe
C:\WINDOWS\inet10079
C:\WINDOWS\1b207.txt
C:\WINDOWS\3e8.txt

C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\SYSTEM32\saieau.dat
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM32\vx.tll
C:\WINDOWS\SYSTEM32\winupdt.008
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ipreg32.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\OSD149F.OSD
C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe02a.inf
C:\WINDOWS\Downloaded Program Files\AdmilliServX.dll
C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ActiveX.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\DeskAdX.dll.tcf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx.tcf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\istactivex.inf
C:\WINDOWS\Downloaded Program Files\DeskAdX.dll.tcf
C:\WINDOWS\Downloaded Program Files\EPlugin.inf
C:\WINDOWS\Downloaded Program Files\ipreg32.inf
C:\WINDOWS\Downloaded Program Files\start.INF
C:\WINDOWS\Downloaded Program Files\WinAdServX.dll.tcf

C:\DOCUMENTS AND SETTINGS\GILL\FAVORITES\Forbidden Conversations.url
C:\PROGRAM FILES\Lycos
C:\PROGRAM FILES\Windows SyncroAd
C:\PROGRAM FILES\MEDIA\Media


C:\dimitxx.chm
C:\spe
C:\alexeyman.chm
C:\dimitxx.chm
C:\ied_s7m.cab
C:\info6_s.cab


Reboot the PC in Normal Mode.

Let me know how it goes.
  • 0

#10
BRAV0872

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi, sorry, I took a little sailing vacation...


Enabled view Hidden files.

Deleted the following files-

C:\WINDOWS\mssys.com
C:\WINDOWS\switchagreement.txt
C:\WINDOWS\GatorHDPlugin.log-old.log
C:\WINDOWS\woinstall.exe
C:\WINDOWS\inet10079

C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\SYSTEM32\saieau.dat
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM32\vx.tll
C:\WINDOWS\SYSTEM32\winupdt.008

C:\DOCUMENTS AND SETTINGS\GILL\FAVORITES\Forbidden Conversations.url
C:\PROGRAM FILES\Lycos

C:\dimitxx.chm
C:\alexeyman.chm
C:\info6_s.cab



Logfile of HijackThis v1.99.1
Scan saved at 2:02:20 PM, on 8/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Documents and Settings\Gill\Desktop\FIX\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.juno...sessiontimedout
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno6\Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cyberpowersystem.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{44FB98C1-338A-4DDE-9141-E44FDD0D76C6}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.158,85.255.112.8
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#11
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

While you were sailing, your PC was fishing for trouble.


Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe

Close all windows other than Hijack This. Check the boxes next to the above items and click on Fix checked.

Delete the file - C:\WINDOWS\System32\hgqhp.exe

I would strongly urge you to do another online scan at Panda and post back the scan report.
  • 0
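The fix above depends on noticing that the 8/29/2005 log has a Run entry the 8/23/2005 log did not. As an added example (not part of the original posts and not a HijackThis feature), this Python script diffs two logs entry by entry and also reports O17 NameServer values that changed between scans; the function names and the trimmed log excerpts are constructed for the illustration.

```python
import re

# Constructed excerpts: a few lines copied from the 8/23/2005 and 8/29/2005
# HijackThis logs posted in this thread (most entries omitted for brevity).
LOG_AUG_23 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O17 - HKLM\System\CCS\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.198,85.255.112.12
"""
LOG_AUG_29 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O17 - HKLM\System\CCS\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.158,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 69.50.176.158,85.255.112.8
"""

# "O4 - ...", "R0 - ...": section code, then the entry body.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# O4 body: "<registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>.+?)\] (?P<cmd>.+)$")
# O17 body: "<interface key>: NameServer = <comma-separated addresses>"
O17_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_hjt(text):
    """Map (section code, entry identity) -> value for every log entry."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header line, running process, or blank line
        code, body = m["code"], m["body"]
        if code == "O4" and (o4 := O4_RE.match(body)):
            # Identity is key + value name, so a changed command shows as "changed".
            entries[(code, f'{o4["key"]} [{o4["name"]}]')] = o4["cmd"]
        elif code == "O17" and (o17 := O17_RE.match(body)):
            servers = tuple(s.strip() for s in o17["servers"].split(","))
            entries[(code, o17["key"])] = servers
        else:
            entries[(code, body)] = body
    return entries


def diff_logs(old_text, new_text):
    """Return entries added, removed, or changed between two scans."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k])
                          for k in new if k in old and old[k] != new[k]),
    }


if __name__ == "__main__":
    result = diff_logs(LOG_AUG_23, LOG_AUG_29)
    for code, ident in result["added"]:
        print(f"NEW      {code} {ident}")
    for code, ident in result["removed"]:
        print(f"GONE     {code} {ident}")
    for (code, ident), before, after in result["changed"]:
        print(f"CHANGED  {code} {ident}: {before} -> {after}")
```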

#12
BRAV0872

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi,

Removed hgqhp.exe.
  • 0

#13
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Do you have any issues with your PC?

In any case, please post a fresh HJT log.
  • 0

#14
BRAV0872

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Documents and Settings\Gill\Desktop\FIX\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmailb.juno...sessiontimedout
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno6\Toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\Juno6\qsacc\appres.dll/227
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.cyberpowersystem.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 195.95.218.36,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{44FB98C1-338A-4DDE-9141-E44FDD0D76C6}: NameServer = 195.95.218.36,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{448F7BC7-78D4-4FD0-B653-97591B101F08}: NameServer = 195.95.218.36,85.255.112.15
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#15
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Do you have any issues with the PC? How is the PC behaving?
  • 0
