Various Problems; HJT log (Analyzed)

nothing_more · 07-13-2005, 11:25 AM

69sexsearch opens on every startup.
540filehost opens most startups.
Just removed 'Critical Warning! Spyware....' message from desktop using Ad-Aware.
Computer just isn't quite right.

Any help much appreciated

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 18:18:34, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\svchost.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
C:\WINDOWS\NeroCheck.exe
C:\WINDOWS\nrchk.exe
C:\WINDOWS\msexploren.exe
C:\WINDOWS\gaSrve.exe
C:\WINDOWS\fw_304.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: (no name) - {453FDA5C-FE1F-4B6A-B935-1037EF424368} - C:\WINDOWS\System32\omkc.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\system32\ztoolb004.dll
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
O4 - HKLM\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe
O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\NeroCheck.exe /i
O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Communicator] C:\WINDOWS\fw_304.exe /i
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
O4 - HKCU\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: http://*.69sexsearch.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab
O21 - SSODL: systemp - {B2FEAA7D-DCD2-4D7A-9092-04EF2105DDD3} - systemp.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O21 - SSODL: System - {89E1BD04-BBBC-4E05-9064-E8537192BD0D} - vr_sys.dll (file missing)
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Thanks in advance
Matt

alba · 07-13-2005, 11:42 AM

Hi there and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

alba

nothing_more · 07-13-2005, 01:19 PM

Look forward to hearing from you
Thanks

alba · 07-13-2005, 02:01 PM

Various Problems; HJT log (Analyzed)

69sexsearch opens on every startup.
540filehost opens most startups.
Just removed 'Critical Warning! Spyware....' message from desktop using Ad-Aware.
Computer just isn't quite right.

Any help much appreciated

================================================== ==================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 18:18:34, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\svchost.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
C:\WINDOWS\NeroCheck.exe
C:\WINDOWS\nrchk.exe
C:\WINDOWS\msexploren.exe
C:\WINDOWS\gaSrve.exe
C:\WINDOWS\fw_304.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O2 - BHO: (no name) - {453FDA5C-FE1F-4B6A-B935-1037EF424368} - C:\WINDOWS\System32\omkc.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\system32\ztoolb004.dll
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
O4 - HKLM\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe
O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\NeroCheck.exe /i
O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Communicator] C:\WINDOWS\fw_304.exe /i
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
O4 - HKCU\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: http://*.69sexsearch.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OC...ClientNoMFC.cab
O21 - SSODL: systemp - {B2FEAA7D-DCD2-4D7A-9092-04EF2105DDD3} - systemp.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O21 - SSODL: System - {89E1BD04-BBBC-4E05-9064-E8537192BD0D} - vr_sys.dll (file missing)
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe

End of KRC HijackThis Analyzer Log.
================================================== ==================

Thanks in advance
Matt

Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Download CleanUp! (Alternate Link if main link don't work – and install it. You will need this later.

Download DelDomains and select Save Link As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Reboot your system in Safe Mode (By continually tapping the F8 key, until the menu appears).
Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
C:\WINDOWS\msexploren.exe
C:\WINDOWS\gaSrve.exe
C:\WINDOWS\fw_304.exe
C:\Program Files\Spyware Cleaner

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

BazookaBar
Spyware Cleaner

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O2 - BHO: (no name) - {453FDA5C-FE1F-4B6A-B935-1037EF424368} - C:\WINDOWS\System32\omkc.dll (file missing)
O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\system32\ztoolb004.dll
O4 - HKLM\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
O4 - HKLM\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe
O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\msexploren.exe /i
O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe
O4 - HKLM\..\Run: [Communicator] C:\WINDOWS\fw_304.exe /i
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe
O4 - HKCU\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\symcsvc.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: http://*.69sexsearch.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: (HKLM)
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O21 - SSODL: systemp - {B2FEAA7D-DCD2-4D7A-9092-04EF2105DDD3} - systemp.dll (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O21 - SSODL: System - {89E1BD04-BBBC-4E05-9064-E8537192BD0D} - vr_sys.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\System32\omkc.dll
C:\WINDOWS\system32\ztoolb004.dll
C:\WINDOWS\msexploren.exe /i
C:\WINDOWS\gaSrve.exe
C:\WINDOWS\fw_304.exe /i
C:\Program Files\Spyware Cleaner
C:\WINDOWS\system32\symcsvc.exe
C:\winstall.exe
c:\eied_s7.cab
c:\ex.cab
C:\WINDOWS\System32\vbsys2.dll

Do a search for the following files and delete them.
systemp.dll
vr_sys.dll

Run DelDomains.inf file, right click on it and select Install.
Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot your System in normal mode.

Run an online scan at Trend Micro or RAV Antivirus.
Please select the “autoclean” option when using Trend Micro.

Please post a fresh Hijack This log so that we can check if your system is clean.

nothing_more · 07-13-2005, 03:47 PM

Thank you so much for your time and advice.
After following your instructions, this is the new analysed log;

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 22:42:42, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\svchost.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\nrchk.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\WINDOWS\timer.exe
C:\WINDOWS\timer.exe
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\NeroCheck.exe /i
O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe

End of KRC HijackThis Analyzer Log.
====================================================================

The 69sexsearch has gone, which is excellent.
I'm concerned about the svchost.exe, as it is not in SYSTEM32.

Thanks again
Matt

nothing_more · 07-14-2005, 07:34 AM

New Problems!!

TopNetSearch is now my homepage; after resetting the homepage (to google) it always comes back!
I now have a TopNetSearch toolbar.
My desktop reguarly acquires about 20 icons for various porn, gambling and pharmacy sites.
My favourites are full of new folders for porn, gambling etc.
I reguarly get pop-ups that have no option for closing!

This all happens after a message about spyware detected. It claims to be a Microsoft message.

Any further help greatly appreciated!

**POADB** · 07-14-2005, 11:11 AM

Please provide an uptodate HJT log.

nothing_more · 07-14-2005, 11:30 AM

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 18:29:22, on 14/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\svchost.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\timer.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\WINDOWS\timer.exe
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab
O21 - SSODL: Adobe Photoshop Elements 2.0 - {24EDEFF8-175E-9025-35C3-E880097D7965} - c:\program files\adobe\photoshop elements 2\winrtwu32.dll
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Thanks,
Matt

**POADB** · 07-14-2005, 11:37 AM

This log is the same as the previous log.

Alba is working on your log. If you have subscribed to this thread you will be contacted via email when a response has been made. Please be patient during this time. Alba will be with you as soon as he can.

Thanks

alba · 07-14-2005, 12:37 PM

http://techsupportforum.com/showthread.php?t=61037

Quote:

Thank you so much for your time and advice.
After following your instructions, this is the new analysed log;

================================================== ==================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 22:42:42, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\svchost.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINDOWS\nrchk.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\WINDOWS\timer.exe
C:\WINDOWS\timer.exe
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\NeroCheck.exe /i
O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OC...ClientNoMFC.cab
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe

End of KRC HijackThis Analyzer Log.
================================================== ==================

The 69sexsearch has gone, which is excellent.
I'm concerned about the svchost.exe, as it is not in SYSTEM32.

Thanks again
Matt

Hello Matt

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Remove a Malware Service
a. Click Start>Run - type services.msc.
b. Locate the svchost.exe service and double-click on it to open the Properties dialog.
c. Click the Stop button.
d. In the Startup type dropdown select Disabled.
e. Click the Apply button and then the Ok button.
f. Close the Services window
g. Then start HiJackThis & go to Config>Misc.Tools...>Delete an NT service...
In the popup box that appears, type in svchost.exe & click the OK button.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\svchost.exe ---Make sure you delete
C:\WINDOWS\nrchk.exe
C:\WINDOWS\timer.exe
C:\WINDOWS\timer.exe

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe/i
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe/i
O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe/i
O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED

C:\WINDOWS\nrchk.exe
C:\WINDOWS\timer.exe
C:\WINDOWS\svchost.exe---Make sure you delete this file from this location

Run an online scan at Kaspersky
and post the results here.

Please post a fresh Hijack This log so that we can check if your system is clean.

nothing_more · 07-15-2005, 07:22 AM

I've attached the results from KASPERSKY.

And here's the HJT analysed log;

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 14:18:58, on 15/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab
O21 - SSODL: Adobe Photoshop Elements 2.0 - {24EDEFF8-175E-9025-35C3-E880097D7965} - c:\program files\adobe\photoshop elements 2\winrtwu32.dll

End of KRC HijackThis Analyzer Log.
====================================================================

Many thanks for your time

alba · 07-15-2005, 01:07 PM

http://techsupportforum.com/showthread.php?t=61037

Quote:

I've attached the results from KASPERSKY.

And here's the HJT analysed log;

================================================== ==================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 14:18:58, on 15/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OC...ClientNoMFC.cab
O21 - SSODL: Adobe Photoshop Elements 2.0 - {24EDEFF8-175E-9025-35C3-E880097D7965} - c:\program files\adobe\photoshop elements 2\winrtwu32.dll

End of KRC HijackThis Analyzer Log.
================================================== ==================

Many thanks for your time

Hello Matt

Here we go round two

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

==========================================================

Download KillBox.exe.

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
C:\WINDOWS\dd.exe
C:\WINDOWS\Downloaded Program Files\server.exe
C:\WINDOWS\dvpd.dll
C:\WINDOWS\fw_304.exe
C:\WINDOWS\gaSrve.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\ncat201.exe
C:\WINDOWS\prntsvra.dll
C:\WINDOWS\sp2yjohn3.exe
C:\WINDOWS\system\svchosthook.dll
C:\WINDOWS\system32\4262078.exe
C:\WINDOWS\system32\abc.exe
C:\WINDOWS\system32\abirvalg32.dll
C:\WINDOWS\system32\cssrs.exe
C:\WINDOWS\system32\dktibs.exe
C:\WINDOWS\system32\maxd1.exe
C:\WINDOWS\system32\ShellExt\a3F5rxLHuoI.EXE
C:\WINDOWS\system32\ShellExt\a62.EXE
C:\WINDOWS\system32\ShellExt\aaJMlnKx.EXE
C:\WINDOWS\system32\ShellExt\abnFYS.EXE
C:\WINDOWS\system32\ShellExt\aBp.EXE
C:\WINDOWS\system32\ShellExt\aF9APiK.EXE
C:\WINDOWS\system32\ShellExt\aKl.EXE
C:\WINDOWS\system32\ShellExt\aMuSASHjg.EXE
C:\WINDOWS\system32\ShellExt\atQyiBqwDF.EXE
C:\WINDOWS\system32\ShellExt\aX5oli.EXE
C:\WINDOWS\system32\ShellExt\ay0gin.EXE
C:\WINDOWS\system32\ShellExt\az1.EXE
C:\WINDOWS\system32\sp.dat
C:\WINDOWS\system32\sysp.dll
C:\WINDOWS\system32\systemp.dll
C:\WINDOWS\system32\vxgame1.exe
C:\WINDOWS\system32\vxgamet1.exe
C:\WINDOWS\system32\vxh8jkdq1.exe
C:\WINDOWS\system32\vxh8jkdq2.exe
C:\WINDOWS\system32\vxh8jkdq8.exe
C:\WINDOWS\system32\winldra.exe
C:\WINDOWS\yjohn7.exe
C:\Program Files\Adobe\Photoshop Elements 2\winrtwu32.dll
C:\Program Files\BitTorrent\lihxd32.dll

Start KillBox.
Go to the File menu, and choose Paste from Clipboard * this feature does not work on older versons of Killbox

Click the dropdown-arrow next to the "Full Path of File to Delete" field.
Verify that the filenames you pasted are found in there.
Select/tick the following:
* Replace on Reboot
* Use Dummy
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" * if it's not grayed out
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt.
Click "Yes" at the 'Pending Operations' prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here and run missingfilesetup.exe. Then try Killbox again.

======================================================================

Kaspersky's online scan has detected malware in Microsoft Antispyware Qurantine folder. You may clear the quarantine cache by doing so..
• Double click on the Microsoft Antispyware icon in system tray
• Go to Tools>Spyware Scan>Manage Spyware Quarantine
• Select all items listed under "Quarantine Threats" & Click "Permanently remove all checked threats"

======================================================================

Run CleanUp!.
Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

======================================================================

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
• Save it to your desktop.
• Double-click the new icon on your desktop (tmas-web-scan.exe)
• It will say "Loading TrendMicro definitions".
• Once the definitions are loaded, the program will appear to close then re-open.
• Click "Start Scan"
• After it's done scanning, click "Scan Results"
• Make sure all items found have a check next to them, then click "Clean Threats Now".
• Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

=====================================================================

we will deal with System Volume Information\_restore once your system is clean

Please post a fresh Hijack This log so that we can check if your system is clean.

nothing_more · 07-15-2005, 04:12 PM

I really cannot thank you enough for your patience, alba.

I couldn't find server.exe

Also, there were no items in the Spyware Quarantine.

Here's the latest, analysed, HJT file.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 23

45, on 15/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE
C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab
O21 - SSODL: Adobe Photoshop Elements 2.0 - {24EDEFF8-175E-9025-35C3-E880097D7965} - c:\program files\adobe\photoshop elements 2\winrtwu32.dll

End of KRC HijackThis Analyzer Log.
====================================================================

And here's the antispyware.log

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\LimeWire'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found 'http' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\HELPDIR'
Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\0'
Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}'
Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}'
Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}'
Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}'
Internet URL Shortcuts
Files and Directories
Found 'winmx353.exe' in 'C:\Documents and Settings\Peter\Desktop\Stuff'
Found 'LimeWire20.dll' in 'C:\Program Files\LimeWire'
Found '' in 'C:\Program Files\WinMX'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\Peter\Desktop\Stuff\winmx353.exe' in shortcut areas.
Checking for 'C:\Documents and Settings\Peter\Desktop\Stuff\winmx353.exe' in startup areas.
Cleaning 'C:\Documents and Settings\Peter\Desktop\Stuff\winmx353.exe'
Checking for 'C:\Program Files\WinMX' in shortcut areas.
Checking for 'C:\Program Files\WinMX' in startup areas.
Cleaning 'C:\Program Files\WinMX'
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in shortcut areas.
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in startup areas.
Cleaning 'C:\Program Files\WinMX\wpnpchannelcmds.txt'
Finished Cleaning

Thankyou
Matt

alba · 07-16-2005, 09:24 AM

Hi Matt Your log is clean.

First I would like you to flush out your system restore points.

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Next Delete any previous backUps that you have made. You can now do a fresh back up.

================================================== ======

I would to at this time advise you to remove Microsoft Antispyware. It is entirely your choice please read this thread on General Security Microsoft Antispyware “Ignores” Claria adware

Also to help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

More information and downloads are available at the following links:

Spyware Blaster
Spyware Guard
IE-Spyad

Are there any problems now? If not, Please respond to this final post so that I can mark it as resolved.

Congratulations and Good luck
Alba
_____________

nothing_more · 07-17-2005, 01:44 PM

Alba, everything seems fine now.
I honestly can't thank you enough. You're a hero!

Just one small problem; after doing all of this, the appearance of the taskbar and start menu has changed; they now look more like Classic Windows rather than XP.
I cannot rectify this even after going through all display options and taskbar/start menu options.
Any ideas?

Many, many thanks
Matt

nothing_more · 07-17-2005, 01:59 PM

All sorted, just downloaded the 'luna' theme.
Resolved.

Huge thanks, Alba

Matt

07-13-2005, 11:25 AM	#1 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	Various Problems; HJT log (Analyzed) 69sexsearch opens on every startup. 540filehost opens most startups. Just removed 'Critical Warning! Spyware....' message from desktop using Ad-Aware. Computer just isn't quite right. Any help much appreciated ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 18:18:34, on 13/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\svchost.exe C:\PROGRA~1\DATACA~1\FLashKsk.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe C:\WINDOWS\NeroCheck.exe C:\WINDOWS\nrchk.exe C:\WINDOWS\msexploren.exe C:\WINDOWS\gaSrve.exe C:\WINDOWS\fw_304.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk O2 - BHO: (no name) - {453FDA5C-FE1F-4B6A-B935-1037EF424368} - C:\WINDOWS\System32\omkc.dll (file missing) O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\system32\ztoolb004.dll O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe O4 - HKLM\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\NeroCheck.exe /i O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\msexploren.exe /i O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe O4 - HKLM\..\Run: [Communicator] C:\WINDOWS\fw_304.exe /i O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot O4 - HKCU\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe O4 - HKCU\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\symcsvc.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O15 - Trusted Zone: http://.69sexsearch.com O15 - Trusted Zone: .skoobidoo.com O15 - Trusted Zone: .slotchbar.com O15 - Trusted Zone: .windupdates.com O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O15 - Trusted Zone: .skoobidoo.com (HKLM) O15 - Trusted Zone: .slotchbar.com (HKLM) O15 - Trusted Zone: *.windupdates.com (HKLM) O15 - Trusted IP range: 67.19.178.84 O15 - Trusted IP range: (HKLM) O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab O21 - SSODL: systemp - {B2FEAA7D-DCD2-4D7A-9092-04EF2105DDD3} - systemp.dll (file missing) O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll O21 - SSODL: System - {89E1BD04-BBBC-4E05-9064-E8537192BD0D} - vr_sys.dll (file missing) O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe End of KRC HijackThis Analyzer Log. ==================================================================== Thanks in advance Matt

07-13-2005, 11:42 AM	#2 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Hi there and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p Please be patient with me during this time. We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". alba __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat

07-13-2005, 02:01 PM	#4 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Various Problems; HJT log (Analyzed) 69sexsearch opens on every startup. 540filehost opens most startups. Just removed 'Critical Warning! Spyware....' message from desktop using Ad-Aware. Computer just isn't quite right. Any help much appreciated ================================================== ================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 18:18:34, on 13/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\svchost.exe C:\PROGRA~1\DATACA~1\FLashKsk.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe C:\WINDOWS\NeroCheck.exe C:\WINDOWS\nrchk.exe C:\WINDOWS\msexploren.exe C:\WINDOWS\gaSrve.exe C:\WINDOWS\fw_304.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk O2 - BHO: (no name) - {453FDA5C-FE1F-4B6A-B935-1037EF424368} - C:\WINDOWS\System32\omkc.dll (file missing) O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\system32\ztoolb004.dll O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe O4 - HKLM\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\NeroCheck.exe /i O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\msexploren.exe /i O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe O4 - HKLM\..\Run: [Communicator] C:\WINDOWS\fw_304.exe /i O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot O4 - HKCU\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe O4 - HKCU\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\symcsvc.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O15 - Trusted Zone: http://.69sexsearch.com O15 - Trusted Zone: .skoobidoo.com O15 - Trusted Zone: .slotchbar.com O15 - Trusted Zone: .windupdates.com O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O15 - Trusted Zone: .skoobidoo.com (HKLM) O15 - Trusted Zone: .slotchbar.com (HKLM) O15 - Trusted Zone: .windupdates.com (HKLM) O15 - Trusted IP range: 67.19.178.84 O15 - Trusted IP range: (HKLM) O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1106072202191 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OC...ClientNoMFC.cab O21 - SSODL: systemp - {B2FEAA7D-DCD2-4D7A-9092-04EF2105DDD3} - systemp.dll (file missing) O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll O21 - SSODL: System - {89E1BD04-BBBC-4E05-9064-E8537192BD0D} - vr_sys.dll (file missing) O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe End of KRC HijackThis Analyzer Log. ================================================== ================== Thanks in advance Matt Hello and welcome to TSF Please print out or copy this page to Notepad* in order to assist you when carrying out the following instructions. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work – and install it. You will need this later. Download DelDomains and select Save Link As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Reboot your system in Safe Mode (By continually tapping the F8 key, until the menu appears). Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time). C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe C:\WINDOWS\msexploren.exe C:\WINDOWS\gaSrve.exe C:\WINDOWS\fw_304.exe C:\Program Files\Spyware Cleaner Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: BazookaBar Spyware Cleaner Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) O2 - BHO: (no name) - {453FDA5C-FE1F-4B6A-B935-1037EF424368} - C:\WINDOWS\System32\omkc.dll (file missing) O2 - BHO: ZToolbar Activator Class - {FFF5092F-7172-4018-827B-FA5868FB0478} - C:\WINDOWS\system32\ztoolb004.dll O4 - HKLM\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe O4 - HKLM\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe O4 - HKLM\..\Run: [SheduIer] C:\WINDOWS\msexploren.exe /i O4 - HKLM\..\Run: [gaSrve] C:\WINDOWS\gaSrve.exe O4 - HKLM\..\Run: [Communicator] C:\WINDOWS\fw_304.exe /i O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot O4 - HKCU\..\Run: [1F220CD6] C:\DOCUME~1\Peter\LOCALS~1\Temp\hibg.exe O4 - HKCU\..\Run: [514088FE] C:\DOCUME~1\Peter\LOCALS~1\Temp\mfhj.exe O4 - HKCU\..\Run: [wupd] C:\WINDOWS\system32\symcsvc.exe O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O15 - Trusted Zone: http://.69sexsearch.com O15 - Trusted Zone: .skoobidoo.com O15 - Trusted Zone: .slotchbar.com O15 - Trusted Zone: .windupdates.com O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM) O15 - Trusted Zone: .skoobidoo.com (HKLM) O15 - Trusted Zone: .slotchbar.com (HKLM) O15 - Trusted Zone: .windupdates.com (HKLM) O15 - Trusted IP range: 67.19.178.84 O15 - Trusted IP range: (HKLM) O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab O21 - SSODL: systemp - {B2FEAA7D-DCD2-4D7A-9092-04EF2105DDD3} - systemp.dll (file missing) O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll O21 - SSODL: System - {89E1BD04-BBBC-4E05-9064-E8537192BD0D} - vr_sys.dll (file missing) Please remember to close all other windows, including browsers then click Fix checked.* Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\WINDOWS\System32\omkc.dll C:\WINDOWS\system32\ztoolb004.dll C:\WINDOWS\msexploren.exe /i C:\WINDOWS\gaSrve.exe C:\WINDOWS\fw_304.exe /i C:\Program Files\Spyware Cleaner C:\WINDOWS\system32\symcsvc.exe C:\winstall.exe c:\eied_s7.cab c:\ex.cab C:\WINDOWS\System32\vbsys2.dll Do a search for the following files and delete them. systemp.dll vr_sys.dll Run DelDomains.inf file, right click on it and select Install. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot your System in normal mode. Run an online scan at Trend Micro or RAV Antivirus. Please select the “autoclean” option when using Trend Micro. Please post a fresh Hijack This log so that we can check if your system is clean. __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat Last edited by alba; 07-13-2005 at 02:30 PM.

07-14-2005, 11:11 AM	#7 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	Please provide an uptodate HJT log. __________________

07-14-2005, 11:37 AM	#9 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,481 OS: XP SP2	This log is the same as the previous log. Alba is working on your log. If you have subscribed to this thread you will be contacted via email when a response has been made. Please be patient during this time. Alba will be with you as soon as he can. Thanks __________________

07-13-2005, 01:19 PM	#3 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	Look forward to hearing from you Thanks

07-13-2005, 03:47 PM	#5 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	Thank you so much for your time and advice. After following your instructions, this is the new analysed log; ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 22:42:42, on 13/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\svchost.exe C:\PROGRA~1\DATACA~1\FLashKsk.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\WINDOWS\nrchk.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE C:\WINDOWS\timer.exe C:\WINDOWS\timer.exe C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM\..\Run: [ccApp] C:\WINDOWS\NeroCheck.exe /i O4 - HKLM\..\Run: [Nero] C:\WINDOWS\nrchk.exe /i O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe End of KRC HijackThis Analyzer Log. ==================================================================== The 69sexsearch has gone, which is excellent. I'm concerned about the svchost.exe, as it is not in SYSTEM32. Thanks again Matt

07-14-2005, 07:34 AM	#6 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	New Problems!! TopNetSearch is now my homepage; after resetting the homepage (to google) it always comes back! I now have a TopNetSearch toolbar. My desktop reguarly acquires about 20 icons for various porn, gambling and pharmacy sites. My favourites are full of new folders for porn, gambling etc. I reguarly get pop-ups that have no option for closing! This all happens after a message about spyware detected. It claims to be a Microsoft message. Any further help greatly appreciated!

07-14-2005, 11:30 AM	#8 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 18:29:22, on 14/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\svchost.exe C:\PROGRA~1\DATACA~1\FLashKsk.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\WINDOWS\timer.exe C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE C:\WINDOWS\timer.exe C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i O4 - HKLM\..\Run: [antivirus] C:\WINDOWS\timer.exe /i O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab O21 - SSODL: Adobe Photoshop Elements 2.0 - {24EDEFF8-175E-9025-35C3-E880097D7965} - c:\program files\adobe\photoshop elements 2\winrtwu32.dll O23 - Service: svchost.exe - Unknown - C:\WINDOWS\svchost.exe End of KRC HijackThis Analyzer Log. ==================================================================== Thanks, Matt

07-15-2005, 07:22 AM	#11 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	I've attached the results from KASPERSKY. And here's the HJT analysed log; ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 14:18:58, on 15/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\PROGRA~1\DATACA~1\FLashKsk.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab O21 - SSODL: Adobe Photoshop Elements 2.0 - {24EDEFF8-175E-9025-35C3-E880097D7965} - c:\program files\adobe\photoshop elements 2\winrtwu32.dll End of KRC HijackThis Analyzer Log. ==================================================================== Many thanks for your time

07-15-2005, 04:12 PM	#13 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	I really cannot thank you enough for your patience, alba. I couldn't find server.exe Also, there were no items in the Spyware Quarantine. Here's the latest, analysed, HJT file. ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.0 Scan saved at 2345, on 15/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\PROGRA~1\DATACA~1\FLashKsk.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE C:\Documents and Settings\Peter\Desktop\Stuff\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 205 ADSL Router\Adsl\dslagent.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU\..\Run: [MtdAcq] C:\Program Files\Creative\Shared Files\Media Sniffer\MtdAcq.EXE /s O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106072202191 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {E56347B0-6C2B-4C2E-939F-EE513EAC80BC} (Creative Product Registration ActiveX Control Module) - http://www.creative.com/register/OCX...lientNoMFC.cab O21 - SSODL: Adobe Photoshop Elements 2.0 - {24EDEFF8-175E-9025-35C3-E880097D7965} - c:\program files\adobe\photoshop elements 2\winrtwu32.dll End of KRC HijackThis Analyzer Log. ==================================================================== And here's the antispyware.log Started Scanning Internet Cookies Programs in Memory Windows Registry Found '' in 'SOFTWARE\LimeWire' Found '' in 'SOFTWARE\Magnet' Found '' in 'SOFTWARE\Classes\magnet' Found '' in 'SOFTWARE\Classes\magnet\shell\open\command' Found 'URL Protocol' in 'SOFTWARE\Classes\magnet' Found 'http' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2' Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\HELPDIR' Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\FLAGS' Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\0\win32' Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\0' Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0' Found '' in 'SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}' Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{F4394F24-163D-430B-B5AF-B68B56031B99}' Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{DCFAB192-4A0E-4720-8E24-70D5F0CB8C39}' Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib' Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid32' Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid' Found '' in 'SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}' Internet URL Shortcuts Files and Directories Found 'winmx353.exe' in 'C:\Documents and Settings\Peter\Desktop\Stuff' Found 'LimeWire20.dll' in 'C:\Program Files\LimeWire' Found '' in 'C:\Program Files\WinMX' Finished Scanning Started Backup Finished Backup Started Cleaning Checking for 'C:\Documents and Settings\Peter\Desktop\Stuff\winmx353.exe' in shortcut areas. Checking for 'C:\Documents and Settings\Peter\Desktop\Stuff\winmx353.exe' in startup areas. Cleaning 'C:\Documents and Settings\Peter\Desktop\Stuff\winmx353.exe' Checking for 'C:\Program Files\WinMX' in shortcut areas. Checking for 'C:\Program Files\WinMX' in startup areas. Cleaning 'C:\Program Files\WinMX' Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in shortcut areas. Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in startup areas. Cleaning 'C:\Program Files\WinMX\wpnpchannelcmds.txt' Finished Cleaning Thankyou Matt

07-16-2005, 09:24 AM	#14 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Hi Matt Your log is clean. First I would like you to flush out your system restore points. Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your System. To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. Next Delete any previous backUps that you have made. You can now do a fresh back up. ================================================== ====== I would to at this time advise you to remove Microsoft Antispyware. It is entirely your choice please read this thread on General Security Microsoft Antispyware “Ignores” Claria adware Also to help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. More information and downloads are available at the following links: Spyware Blaster Spyware Guard IE-Spyad Are there any problems now? If not, Please respond to this final post so that I can mark it as resolved. Congratulations and Good luck Alba _____________ __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat

07-17-2005, 01:44 PM	#15 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	Alba, everything seems fine now. I honestly can't thank you enough. You're a hero! Just one small problem; after doing all of this, the appearance of the taskbar and start menu has changed; they now look more like Classic Windows rather than XP. I cannot rectify this even after going through all display options and taskbar/start menu options. Any ideas? Many, many thanks Matt

07-17-2005, 01:59 PM	#16 (permalink)
nothing_more Member Join Date: Jul 2005 Location: Cumbria, UK Posts: 20 OS: XP	All sorted, just downloaded the 'luna' theme. Resolved. Huge thanks, Alba Matt