Tech Support Forum - Resolved HJT Threads

Tech Support Forum - Resolved HJT Threads http://www.techsupportforum.com Resolved spyware and popup issues. en Fri, 20 Nov 2009 22:38:37 GMT vBulletin 60 http://www.techsupportforum.com/cwd/images/misc/rss.jpg Tech Support Forum - Resolved HJT Threads http://www.techsupportforum.com Unkown Virus - Disabled Most Programs http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/433271-unkown-virus-disabled-most-programs.html Thu, 19 Nov 2009 10:32:37 GMT Hi, This is the first thread I have ever had to post regarding a virus but not the first virus I have ever encountered. I require much needed assistance on this one as I have hit a big stumbling block...... .....This virus will not enable me to connect to the internet, enable system restore... Hi,

This is the first thread I have ever had to post regarding a virus but not the first virus I have ever encountered. I require much needed assistance on this one as I have hit a big stumbling block......

.....This virus will not enable me to connect to the internet, enable system restore (cannot protect computer, please restart), run any anti-virus scan or firewall, load new programs such as Malwarebytes Anti-malware, allow me to copy/paste/drag or delete files and will not launch other programs. I think this virus has sunk its teeth too far into my computer for it to be saved :sigh:

I am currently runing Windows XP SP3 operating system and first encountered this problem 2 days ago. It was working fine the previous night and before shutting my computer down I had newly installed Firefox, updated Java and downloaded several windows updates.

I had attempted to follow the 8-Step Virus/Spyware/Malware Preliminary Removal Instructions but was unable to get past Step 4 due to Malware Bytes not able to launch and run a check (It keeps saying one of the file might be out of date) I have the same problem with other programes where it appears certain files are corrupt.

I would like to try and clear my computer before having to contemplate re-booting as i have files on there i can not afford to lose, so any help on this matter would be much appreciated!

Many Thanks,

Andrew. ]]> Resolved HJT Threads R.u.k.k.y http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/433271-unkown-virus-disabled-most-programs.html Virus changed my background/keeps giving me warnings. http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432490-virus-changed-my-background-keeps-giving-me-warnings.html Tue, 17 Nov 2009 00:24:08 GMT I was just online and a red circle with a white X appeared on my task bar, and my desktop background has been changed to a message saying

"YOUR SYSTEM IS INFECTED. System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use computer before all spyware removed."

in the display, where you change the desktop, it won't let me and has a file called "critical_warning" at the bottom.

I'm also getting a pop up warning every so often now.

I have no idea what to do and I would greatly appreciate anyone's help. ]]> Resolved HJT Threads cory148 http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432490-virus-changed-my-background-keeps-giving-me-warnings.html computer restarts itself, recovered from serious error message on reboot http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432487-computer-restarts-itself-recovered-serious-error-message-reboot.html Tue, 17 Nov 2009 00:09:49 GMT i hope i'm not out of line starting this thread. my computer several times a day now is turning itself off and when it comes back on it i have a 'your system has recovered from a serious error' message waiting for me. i saw in another thread i should run hijack this and copy the saved log file in a new thread, i hope someone reads this and can help. here is my log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02, on 2009-11-16
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\Motive\McciCMService.exe
H:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
H:\WINDOWS\system32\HPZipm12.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Systweak\Advanced System Protector\ASP.exe
H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
K:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - H:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - H:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - H:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "J:\funky crap\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Advanced System Protector] "H:\Program Files\Systweak\Advanced System Protector\ASP.exe" /autorun
O4 - HKCU\..\Run: [Startup Manager] "H:\Program Files\Advanced System Optimizer\startUp manager.exe"
O4 - HKCU\..\Run: [swg] "H:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - J:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb...LStreaming.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://asp.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1173226711865
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - H:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - H:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - H:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - H:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Software Updater (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - H:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - H:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - H:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - H:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - H:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - H:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PPCtlPriv - CA, Inc. - H:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - H:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - H:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 9041 bytes

thank you for your time. ]]> Resolved HJT Threads kurtschwochow http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432487-computer-restarts-itself-recovered-serious-error-message-reboot.html CID popup virus http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432455-cid-popup-virus.html Mon, 16 Nov 2009 22:21:20 GMT Hello, i have the CID popup virus on my PC. everytime i open IE loads of popups popup on my screen. also my pc is now very slow any help would be very appreciated Cherie Hello, i have the CID popup virus on my PC. everytime i open IE loads of popups popup on my screen. also my pc is now very slow

any help would be very appreciated

Cherie ]]> Resolved HJT Threads james_b http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432455-cid-popup-virus.html Security Tools Virus - Help Needed http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432430-security-tools-virus-help-needed.html Mon, 16 Nov 2009 21:30:43 GMT Hey there TechSupportForum, I need your help. Last month I got the Security Tools virus and successfully removed it with the help of a friend, but I just turned on my laptop to find it has returned. I run Windows XP on a Dell Inspiron 1501 laptop.

Here's my HijackThis! Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:21:01, on 16/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\30989332\30989332.exe
C:\WINDOWS\Temp\_ex-08.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie/ig/dell?hl=en&c...ie&ibd=0070616
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.ie/hws/sb/dell-row...tml?channel=ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.ie/hws/sb/dell-row...tml?channel=ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/ig/dell?hl=en&c...ie&ibd=0070616
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/de...=ie&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/de...=ie&l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.ie/hws/sb/dell-row...tml?channel=ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.ie/ig/dell?hl=en&c...ie&ibd=0070616
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Internet Explorer Plugin - {AAE725F3-298B-4FEF-82EE-FAF909639409} - swrwwfo6.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [30989332] C:\DOCUME~1\ALLUSE~1\APPLIC~1\30989332\30989332.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: lyesys32.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10358 bytes

As I said, I've been through this before. I think the parts I need to remove are:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [30989332] C:\DOCUME~1\ALLUSE~1\APPLIC~1\30989332\30989332.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe

Though I may be missing something, and I don't know what steps to take after I have Fixed them on HijackThis!...

Thanks for your help!
Mark. ]]> Resolved HJT Threads leechy10 http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432430-security-tools-virus-help-needed.html csrss.exe virus http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432344-csrss-exe-virus.html Mon, 16 Nov 2009 17:28:12 GMT Hi all,
I think I got a virus infecting my laptop.
I discover it when trying to install the new MSN.
When I run the application for MSN it says that the program "csrss.exe" conflicts with the installation and I can't close it.
I runned a HJ scan, but I am not able to interpret the log.

Hope you can help me solving this problem!
thank you very much! ]]> Resolved HJT Threads fabrizia http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432344-csrss-exe-virus.html About:blank http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432326-about-blank.html Mon, 16 Nov 2009 16:19:21 GMT How do I remove about_:Blank from my computer. I went online and a lot of anti-spyware companies talk about it, but they are all trying to sell me something. Which one works with this particular hijacker? How do I remove About:Blank from my computer. I went online and a lot of anti-spyware companies talk about it, but they are all trying to sell me something. Which one works with this particular hijacker? ]]> Resolved HJT Threads tutufay http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432326-about-blank.html Acer got aced http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432299-acer-got-aced.html Mon, 16 Nov 2009 14:51:00 GMT My father has this acer lappy, and it has some malware issues any help would be much apreciated. Thanks. --S DDS: DDS (Ver_09-10-26.01) - FAT32x86 Run by dbeckett at 9:22:25.72 on Mon 11/16/2009 Internet Explorer: 6.0.2900.5512 My father has this acer lappy, and it has some malware issues any help would be much apreciated. Thanks.

--S

DDS:

DDS (Ver_09-10-26.01) - FAT32x86
Run by dbeckett at 9:22:25.72 on Mon 11/16/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.91 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
SVCHOST.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SysAid\IliAS.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\dbeckett.BHC\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://global.acer.com
mDefault_Page_URL = hxxp://global.acer.com
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: c:\windows\system32\n9kpnsm23.dll: {a249bc15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\n9kpnsm23.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [reader_s] c:\documents and settings\dbeckett.bhc\reader_s.exe
uRun: [asg984jgkfmgasi8ug98jgkfgfb] c:\docume~1\dbeckett.bhc\locals~1\temp\win16.exe
mRun: [LaunchApp] Alaunch
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [EPM-DM] c:\acer\epm\epm-dm.exe
mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot
mRun: [LManager] c:\program files\launch manager\QtZgAcer.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167339748538
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167339819510
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\n9kpnsm23.dll: {a249bc15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\n9kpnsm23.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dbeckett.bhc\applic~1\mozilla\firefox\profiles\npqqf0uq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.becketthvac.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-30 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R1 SMBHC;Microsoft SM Bus Host Controller Driver;c:\windows\system32\drivers\smbhc.sys [2004-8-30 6784]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-30 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-30 297752]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-12-27 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-12-27 78208]
R3 SMBBATT;Microsoft Smart Battery Driver;c:\windows\system32\drivers\smbbatt.sys [2004-8-30 16000]

=============== Created Last 30 ================

2009-10-24 13:37:27 38 ----a-w- C:\10.tmp
2009-10-24 13:37:25 15000 ----a-w- c:\windows\system32\n9kpnsm23.dll
2009-10-24 13:37:23 0 d-sh--w- c:\windows\system32\wsnpoem

==================== Find3M ====================

2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-19 23:53:44 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-09 20:13:50 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-09-25 06:37:12 667136 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 06:37:12 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 06:37:12 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 06:37:10 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 06:37:10 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2009-09-25 06:37:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-21 16:28:10 6358383 ----a-w- C:\vu360setup.exe
2009-09-11 15:18:40 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 15:18:40 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 22:03:36 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 13:28:36 21657 ----a-w- c:\windows\syssvc.exe
2009-08-26 09:00:22 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 09:00:22 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-19 13:43:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 9:23:19.40 ===============

Attached Files

Attach.zip (3.4 KB)

]]> Resolved HJT Threads Stingray1969vet http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432299-acer-got-aced.html Google redirected, popups, and gmer error http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432139-google-redirected-popups-gmer-error.html Sun, 15 Nov 2009 23:18:49 GMT Hi. I have Windows XP, SP 3. I do not have an XP boot disc.

Many of my google results will redirect to incorrect sites and I get a lot of random pop-ups that are clearly not from the site I am on. I've run scans with Avira, AVG, Spybot S&D, AdAware, and Malware bytes. Malware bytes always finds 2 infections in the registry data items but the problem continues.

Also, I ran the DDS program fine, but when I run gmer, I get a blue screen of death about a minute into the scan. The last time I tried, it said there was an error with pfn_list_corrupt. I'm not sure if these are related issues.

If it helps, as I was typing this message I got a pop-up. The address was:

hxxp://media2.tmlatn.com/images/prep_ctr.php?imgfile=5342_566078_7544051.html&partnerId=113232&appId=320&subId=320&advertiserId=566078&keywordId=39060784&type=10&uuid=d6b4263521b24d85939ed0cf51bc267d&keyword=ron&matchedBy=R&ct=cpv&wid=-1&size=720x300&lid=7544051&cid=222374&cc=us&rc=ma&mc=506&dc=0&vt=1258326679769&rurl=http%3A%2F%2Fjavascript&refUrl=pixel.fetchback.com

I've attached a zipped attach.txt, but no ARK.txt because of the above mentioned error.

Here is my DDS report:

DDS (Ver_09-10-26.01) - NTFSx86
Run by kerenh at 17:20:08.95 on Sun 11/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1307 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe
C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\kerenh\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {4e27f41b-516d-4768-ae61-b2339fd0d6e9} - fasajejo.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [suScheduler] c:\program files\thinkvantage\systemupdate\UCLauncher.exe /SCHEDULER
mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [cssauth] "c:\program files\ibm thinkvantage\client security solution\cssauth.exe" silent
mRun: [PDService.exe] "c:\program files\ibm thinkvantage\safeguard privatedisk\pdservice.exe"
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mam.exe" /runcleanupscript
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1239809280687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: ACNotify - ACNotify.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: psfus - psqlpwd.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
AppInit_DLLs: E~1\GOEC62~1.DLL tezafovi.dll zehubedu.dll c:\progra~1\google\google~1\GOEC62~1.DLL fasajejo.dll hetamate.dll safevayi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = etamate.dll nazomafo.dll mavozelo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kerenh\applic~1\mozilla\firefox\profiles\4i0qh8pv.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-12 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-19 130936]
R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2009-4-14 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2009-4-14 11520]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-14 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-14 360584]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2009-4-14 6016]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2009-4-14 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2009-4-14 4442]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-27 108289]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-14 285392]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2005-12-21 12544]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-11-15 46142]
R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-12-21 3968]
R2 smihlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-12-8 3328]
S1 24928e65;24928e65;c:\windows\system32\drivers\24928e65.sys [2009-5-24 0]
S2 EvtEngsrservice;Intel(R) PROSet/Wireless Event Log EvtEngsrservice;c:\windows\system32\1031f.exe srv --> c:\windows\system32\1031f.exe srv [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-19 348752]

=============== Created Last 30 ================

2009-11-15 00:06:35 0 d-s---w- C:\Combo-Fix
2009-11-14 23:38:45 0 d--h--w- C:\$AVG
2009-11-14 23:38:26 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-14 23:38:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-14 23:38:21 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-14 23:38:13 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-14 23:37:48 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-11-13 02:26:48 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-13 01:11:10 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-13 01:10:35 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-13 01:08:52 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-13 01:08:31 0 d-----w- c:\program files\Lavasoft
2009-11-10 01:56:29 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-10 01:56:29 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-11-05 18:55:12 16384 ----a-w- c:\windows\system32\FileOps.exe
2009-11-05 18:55:11 0 d-----w- c:\windows\system32\Adobe
2009-11-05 18:35:39 0 d-----w- c:\windows\Adobe Illustrator CS
2009-11-05 18:33:51 0 d-----w- c:\windows\Cache
2009-10-25 22:18:03 0 d-----w- c:\program files\AVG
2009-10-20 00:47:50 0 d-----w- c:\windows\IBM
2009-10-19 19:16:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-10-19 19:16:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-19 19:08:01 38224 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 19:07:58 19160 ------w- c:\windows\system32\drivers\mbam.sys
2009-10-18 23:11:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 18:57:12 12160 ------w- c:\windows\system32\drivers\mouhid.sys
2009-10-18 18:57:12 12160 ------w- c:\windows\system32\dllcache\mouhid.sys
2009-10-18 18:56:49 10368 ------w- c:\windows\system32\drivers\hidusb.sys
2009-10-18 18:56:49 10368 ------w- c:\windows\system32\dllcache\hidusb.sys

==================== Find3M ====================

2009-11-15 15:09:21 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

============= FINISH: 17:22:28.26 ===============

Attached Files

Attach.zip (4.5 KB)

]]> Resolved HJT Threads zujwa http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432139-google-redirected-popups-gmer-error.html PC has been comprimised http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432123-pc-has-been-comprimised.html Sun, 15 Nov 2009 21:56:26 GMT Hi there first Id like to thank you for doing this on a voluntary basis 2 days ago my computer was comprimised, I found out about it, since I was about to play World of Warcraft and when I tried logging in, it was asking me for an authenticator code, something I did not associate it with... Hi there

first Id like to thank you for doing this on a voluntary basis

2 days ago my computer was comprimised, I found out about it, since I was about to play World of Warcraft and when I tried logging in, it was asking me for an authenticator code, something I did not associate it with myself. So I got hold of blizzard support and told them about it, and they gave me a link containing information for cleaning my pc.

The things I went through after I got comprimised is this:

-Downloaded ATF cleaner and ran it
-Downloaded Adaware and ran it
-Downloaded Spybot search and destroy and ran it two times, one after installation and one after I rebooted my pc.
-Downloaded MalwareBytes' Anti-Malware and ran a complete scan
-Did a complete scan with Avast antivirus program
-Downloaded Hijackthis and now im here

The above steps was done, due do the above mentioned guide I got from Blizzard.

I got the log from Hijackthis , so im gonna post it here, and if someone would be so kind as to help me out, I would be very very glad

My Hijack log looks like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:44:18, on 15-11-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Programmer\Windows Defender\MSASCui.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\Pd71HiFiPan.Exe
C:\Programmer\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Windows Live\Messenger\msnmsgr.exe
C:\Programmer\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Curse\CurseClient.exe
C:\Programmer\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
C:\Programmer\Java\jre6\bin\jucheck.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programmer\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmer\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmer\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programmer\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programmer\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Windows Defender] "C:\Programmer\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmer\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Pd71HiFiPan] Pd71HiFiPan.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Programmer\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programmer\Fælles filer\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [CurseClient] C:\Programmer\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programmer\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Programmer\Hawking\Common\RaUI.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programmer\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programmer\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra button: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino $$$ - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - http://www.intercasino.com (file missing) (HKCU)
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite....x/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.4.8.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-secure.com/enu/home...fshc/fscax.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk...dccsp-0506.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/a.../e-Safekey.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Control) - https://plugins.valueactive.eu/flashax/iefax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmer\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Programmer\Bonjour\mDNSResponder.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmer\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programmer\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Marvell Yukon Service (yksvc) - Unknown owner - RUNDLL32.EXE (file missing)
--
End of file - 11046 bytes

Thanks in advance guys :) ]]> Resolved HJT Threads Cedrihar http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432123-pc-has-been-comprimised.html Task manager and search on start menu disabled http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432065-task-manager-search-start-menu-disabled.html Sun, 15 Nov 2009 18:18:28 GMT The task manager on my computer has been disabled and the Search facility has disappeared from my Start Menu. I think this is linked with a virus my computer picked up a few months ago - generic atr. The virus infected my McAfee antivirus program at the time. The generic atr seems to often come... The task manager on my computer has been disabled and the Search facility has disappeared from my Start Menu. I think this is linked with a virus my computer picked up a few months ago - generic atr. The virus infected my McAfee antivirus program at the time. The generic atr seems to often come back onto my computer. Once I had a Win32 virus aswell. I am using Windows XP Pro.

Is there a program to restore my ability to search as well as use the task manager? ]]> Resolved HJT Threads 3920ghpp http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/432065-task-manager-search-start-menu-disabled.html Google Redirect Please help! http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/431974-google-redirect-please-help.html Sun, 15 Nov 2009 12:49:52 GMT Hi I have been infected with something and everytime I click on a link in Google it redirects me to other sites. Can someone please help me? Thanks Hi

I have been infected with something and everytime I click on a link in Google it redirects me to other sites. Can someone please help me?

Thanks ]]> Resolved HJT Threads qasimuk http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/431974-google-redirect-please-help.html Please Help 34 viruses http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/431923-please-help-34-viruses.html Sun, 15 Nov 2009 05:25:55 GMT My windows vista has 34 viruses, or at least what my antivirus system pro says. My computer reads that my firewall and antivirus are out of date. Looked everywhere online how to get rid of them, random pop ups, windows security alert, win32/nuqel.e ???, spyware alert, won't let me execute any programs. I've tried to download anti virus programs to get rid of them but either a message pops up saying won't execute because infected or i have to activate the program and i don't have 50 dollars. Is there any way to fix this problem free and safe. Please help me, it would be very appreciated. ]]> Resolved HJT Threads viruses suck http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/431923-please-help-34-viruses.html Virus/Trojan/Malware Issue, Please help! http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/431858-virus-trojan-malware-issue-please-help.html Sat, 14 Nov 2009 23:35:15 GMT Hi all, I am a complete novice when it comes to computers etc so please take this into account when replying. I am having problems on my PC with windows XP installed. At start up and from then onwards, I keep gettin messages from some bogus program that is mimicin windows security alerts... Hi all, I am a complete novice when it comes to computers etc so please take this into account when replying.

I am having problems on my PC with windows XP installed. At start up and from then onwards, I keep gettin messages from some bogus program that is mimicin windows security alerts mentioning things such as:

1)
To help protect your computer, Windows Firewall has blocked some features of this program.

Name: Email-Worm.Win32.NetSky.q
Risk: High Risk
Description: This worm spreads via the internet as an attachment to infected messages. It is also able to propagate via P2P networks and accessible http and ftp directories. The worm's main component is a PE EXE files of approximately 29KB. The worm is packed using FSG; the unpacked file is approximately 40KB in size.

Name: Trojan.Win32.Agent.dcc
Risk: High Risk
Description: This Trojan has a malicious payload. It is a Windows PE EXE file. It is 20480 bytes in size.

Name: Virus.Win32.Gpcode.ak
Risk: High Risk
Description: This malicious program encrypts files on the victim machine. It is Windows PE EXE file 8030, bytes in size.

Name: Virus.Win32.Hala.a
Risk: Middle Risk
Description: This malicious program infects executable files on the victim machine. It is a Windows DLL file. This malicious file is 20480 bytes in size. It is not packed in any way. It is written in Visual C++

The buttons below this i.e "Keep Blocking" and "Unblock" buttons are faded out on all of these so called security center alert windows. There is an "Enable Protection" button which can be clicked on.

2) The yellow speach bubbles from the taskbar:

System Alert Virus.Win32.Gpcode.ak
Defenseless OS: Windows2000/XP/Vista
Description Spyware: Blocks access to computer. Attacks porn site visitors.
Protection: Click the balloon to install antivirus software.
I have not knowingly install any additional antivirus software.

System Alert Virus Chin09.win
Defenseless OS : Windows2000/XP/Vista
Description Spyware: Try to damage your documents and bust file system

"Danger!
There are some serious security threats detected on your computer. Please remove them ASAP"

In addition to more messages in the yellow speach bubbles which im too tired to type!!

3) There is also a small window that keeps popping up ever so often offering me a download to a free scanner for AntiMalware.

I have McAfee Antivirus which works with my internet and I tried downloadin AVG antivirus on anuther system and installing it to act upon and remove these threats - unfortunately neither has done much.

Please could someone help me :( I really need to use my PC and the internet!!
Thank-you very much in advance for any assistance, it is greatly appreciated :D. Also I apologise for any spelling mistakes etc as I am extremely tired and have been trying to resolve this issue for hours!

J ]]> Resolved HJT Threads jas4u2nv http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/431858-virus-trojan-malware-issue-please-help.html AhnRpta.exe and lcw.exe http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/431845-ahnrpta-exe-lcw-exe.html Sat, 14 Nov 2009 23:03:36 GMT Hi,

I have a couple of malwares screwing my hdds.
Kaspersky detected AhnRpta.exe but I couldn't manage to get rid of it.
Recently I've downloaded Ad-aware and did a full scan which found lcw.exe (and more others) on both C and D drives, then quarantined the files. I'm not sure if quarantining helps any. I want to remove them completely.

Also I have this lcw.exe on an external drive as well. I was trying to back-up data and it probably spread over external too. Yet I couldn't do a scan on external cause whenever I try to do so, it loses connection with the pc.

I'm using Windows XP SP2.

What do I need to do? Please help.

I can provide more information about the system, or maybe scan logs. Just tell me what you need to know to help me.

Thanks in advance! ]]> Resolved HJT Threads kucukkurbaa http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/431845-ahnrpta-exe-lcw-exe.html