http://www.theguardservices.com/ Has taken over my IE.

esafarloo · 04-18-2006, 07:18 AM

Hello there, Please can one of you experts please assist me in removing many unwanted spyware and malware which is on my current computer system.

Yesturday i was happily surfing using IE then Ie and my computer started lagging and crashed for a while and i should have been wise and switched my computer off quickly because i suspected it was insalling some lovely spyware/malware on my computer.

any how, reading all the lovely clear instructions you guys written i followed them and got rid of most of it however when opening IE it opens About blank i think then goes to this website as my homepage http://www.theguardservices.com/. I try to go on IE properties and reverse this but its not having it.

Here is my Hijack this log file:

Logfile of HijackThis v1.99.1
Scan saved at 14:02:08, on 18/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp6C72.tmp
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe

Here is the log file <result.txt> after using HijackThis Analyzer

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 12/17/04
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 14:02:08, on 18/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\HijackThis.exe

O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp6C72.tmp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe

End of HijackThis Analyzer Log.
===========================================================================================================================

Thank you very much for your time

Vikesrock8411 · 04-18-2006, 01:54 PM

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads(make sure to save these in a permanent location)
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Ewido Anti-Malware

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Cleanup! (Alternate Link)- Install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot back into Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Uncheck the following :

Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program.If prompted to reboot, click No.

Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

"Security Info"
"Warning Message"
"Security Desktop"
"Warning Homepage"
"Desktop Uninstall"

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC.

Reboot your system in Normal Mode.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually.

At the end of the scan click on see report. Then click Save report

Please post that log in your next reply.

In your next post please include:

Rapport.txt
Ewido Log
Panda Activescan Log
A new Hijackthis! Log

esafarloo · 04-20-2006, 02:07 PM

Sup, thanks man, very kind, really appreciate it, thanks for your time!, i think its done the trick, IE goes to Msn.com as its homepage as it should now.

I was a bit sleepy when i did the fixture, a newb mistake there lol and i accidentally did the:

"Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection."

Twice and accidentally overwrote the original log produced, yes i know, im a idiot. The original log had i think a few directories in the systems 32 folder, if i remember correctly, not too sure, i dont know if that was good or bad.

Anyways, as requested:

SmitFraudFix v2.33b

Scan done at 15:07:17.85, 20/04/2006
Run from C:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 16:23:29, 20/04/2006
+ Report-Checksum: DB25FE24

+ Scan result:

HKLM\SOFTWARE\Microsoft\VisualStudio\Analyzer\Events\{6C736D71-BCBF-11D0-8A23-00AA00B58E10} -> Adware.CoolWebSearch : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Babgen Safarloo\Application Data\Mozilla\Firefox\Profiles\2nbp0huv.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup

::Report End

PANDA ACTIVESCAN

Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\RICHED20.dll
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Emil Safarloo\Favorites\Antivirus Test Online.url
Adware:adware/spywarequake Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Emil Safarloo\Cookies\emil safarloo@ad.yieldmanager[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.xmts.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Date Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.date.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.winfixer.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[stats1.reliablestats.com/]
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.com.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.webpower.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[sel.as-eu.falkag.net/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[www.myaffiliateprogram.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\Cache\633285D9d01[Process.exe]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Emil Safarloo\Application Data\Mozilla\Firefox\Profiles\t4sdw85n.default\cookies.txt[]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Emil Safarloo\Cookies\emil safarloo@ad.yieldmanager[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Emil Safarloo\Desktop\SmitfraudFix.zip[Process.exe]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Emil Safarloo\My Documents\Downloads from Aol and other internet\Smiley Central\Beta\SmileyCentralBetaSetup1.1.1.12-1.exe
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\Documents and Settings\Emil Safarloo\My Documents\EMIL\susetup.exe[SERVUDAEMON.EXE]
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\Documents and Settings\Emil Safarloo\My Documents\EMIL\susetup.exe[SERVUTRAY.EXE]
Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\Documents and Settings\Emil Safarloo\My Documents\EMIL\susetup.exe[SERVUPERFCOUNT.DLL]
Potentially unwanted tool:Application/ServUBased.N Not disinfected C:\Documents and Settings\Emil Safarloo\My Documents\EMIL\susetup.exe[SERVUADMIN.EXE]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Emil Safarloo\My Documents\Random Stuff not yet backed up - May require movin files about!\Program Files\MSN Messenger\riched20.dll
Hacktool:HackTool/EvID Not disinfected C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe
Virus:Trj/Nsis.B Disinfected C:\Program Files\Common Files\Synacast\SynaLive\uninst.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Logfile of HijackThis v1.99.1
Scan saved at 20:47:00, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe

<b> I used HijackThis Analyzer as well</b> (incase it helps you!)

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 12/17/04
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 20:47:00, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe

End of HijackThis Analyzer Log.
===========================================================================================================================

thanks, i think that’s everything, lol.

O btw, <b>Yesterday i realised i was paying 50p a month to my ISP (Tesco broadband UK) for this security package witch they had send me but i hadn’t installed/used it before so i decided to install it yesterday, i was asked to reboot my computer so i did however, when Xp loaded and came to the blue login screen, the computer automatically rebooted, not allowing me to log into XP, it did this 4 times and on the 5th time, i went into safe mode and uninstalled the security software that tesco (my isp) had sent me and it did the trick, i was able to login into windows, i was really worried, so happy i managed to fix the problem though.</b>

Thanks again friend

greyknight17 · 04-20-2006, 02:15 PM

Go into Firefox->Tools->Clear Private Data.

Delete these:

C:\Documents and Settings\Emil Safarloo\Favorites\Antivirus Test Online.url
C:\Documents and Settings\Emil Safarloo\My Documents\Downloads from Aol and other internet\Smiley Central\Beta\SmileyCentralBetaSetup1.1.1.12-1.exe

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go. Post back one more time so we will close this thread.

esafarloo · 04-20-2006, 02:34 PM

Hello, Very ironic, I hadn’t been on your site for like a year greyknight17 and I was just surfing it and I came to this tab again on firefox and saw your reply (gmail notifier doesn’t seem to be off the mark today lol). Thanks man for looking to my problem, I have done exactly what you have asked.

Logfile of HijackThis v1.99.1
Scan saved at 21:28:04, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe

I also used HijackThis Analyzer

===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 12/17/04
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 21:28:04, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\PicoZip\PicoZipTray.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe

End of HijackThis Analyzer Log.
===========================================================================================================================

Am I all good now? Thanks m8y, I think I will be donating some money to this web site, 100% earned, this web site really does rock and I wish there was more kind people like yourselves in this world, I honesly do appreciate it, good stuff  Many thanks!

Vikesrock8411 · 04-20-2006, 02:49 PM

That log is clean, you are all set to go.

esafarloo · 04-20-2006, 02:55 PM

Quote:

Originally Posted by Vikesrock8411

That log is clean, you are all set to go.

Woohoo!! Great news guyz, thanks a lot,

04-18-2006, 07:18 AM	#1 (permalink)
esafarloo Registered User Join Date: Dec 2004 Location: Manchester Posts: 9 OS: Xp	http://www.theguardservices.com/ Has taken over my IE. Hello there, Please can one of you experts please assist me in removing many unwanted spyware and malware which is on my current computer system. Yesturday i was happily surfing using IE then Ie and my computer started lagging and crashed for a while and i should have been wise and switched my computer off quickly because i suspected it was insalling some lovely spyware/malware on my computer. any how, reading all the lovely clear instructions you guys written i followed them and got rid of most of it however when opening IE it opens About blank i think then goes to this website as my homepage http://www.theguardservices.com/. I try to go on IE properties and reverse this but its not having it. Here is my Hijack this log file: Logfile of HijackThis v1.99.1 Scan saved at 14:02:08, on 18/04/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\mysql\bin\mysqld-nt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Google\Gmail Notifier\gnotify.exe C:\WINDOWS\VM303_STI.EXE C:\Program Files\Winamp\winampa.exe C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\PicoZip\PicoZipTray.exe C:\Program Files\Spyware Doctor\spydoctor.exe C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\HijackThis.exe O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp6C72.tmp O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH) O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe Here is the log file <result.txt> after using HijackThis Analyzer =========================================================================================================================== Log was analyzed using HijackThis Analyzer - Updated on 12/17/04 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 14:02:08, on 18/04/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\WINDOWS\VM303_STI.EXE C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe C:\Program Files\PicoZip\PicoZipTray.exe C:\Program Files\Spyware Doctor\spydoctor.exe C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe C:\HijackThis.exe O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hp6C72.tmp O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe End of HijackThis Analyzer Log. =========================================================================================================================== Thank you very much for your time Last edited by esafarloo; 04-18-2006 at 07:27 AM.

04-18-2006, 01:54 PM	#2 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Downloads(make sure to save these in a permanent location) Please download SmitfraudFix (by S!Ri) Extract the content (a folder named SmitfraudFix) to your Desktop. Ewido Anti-Malware Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Cleanup! (Alternate Link)- Install it. You will use this later. NOTE Cleanup deletes EVERYTHING out of temporary folders and does not make backups. Next, please reboot your computer in Safe Mode by doing the following : Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; Instead of Windows loading as normal, a menu with options should appear; Select the first option, to run Windows in Safe Mode, then press "Enter". Choose your usual account. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot back into Safe Mode. The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply. Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: Click Options Move the slider button down to Custom CleanUp! Check the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Uncheck the following : Scan local drives for temporary files Click OK, Press the CleanUp! button to start the program.If prompted to reboot, click No. Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present: "Security Info" "Warning Message" "Security Desktop" "Warning Homepage" "Desktop Uninstall" Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK. Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC. Reboot your system in Normal Mode. Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually. At the end of the scan click on see report. Then click Save report Please post that log in your next reply. In your next post please include: Rapport.txt Ewido Log Panda Activescan Log A new Hijackthis! Log

04-20-2006, 02:15 PM	#4 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	Go into Firefox->Tools->Clear Private Data. Delete these: C:\Documents and Settings\Emil Safarloo\Favorites\Antivirus Test Online.url C:\Documents and Settings\Emil Safarloo\My Documents\Downloads from Aol and other internet\Smiley Central\Beta\SmileyCentralBetaSetup1.1.1.12-1.exe Your log is clean. To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided. Are there any problems now? If not, you should be set to go. Post back one more time so we will close this thread. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

04-20-2006, 02:34 PM	#5 (permalink)
esafarloo Registered User Join Date: Dec 2004 Location: Manchester Posts: 9 OS: Xp	You Guys Are Legends! (its put a smile on my face, thanks!) Hello, Very ironic, I hadn’t been on your site for like a year greyknight17 and I was just surfing it and I came to this tab again on firefox and saw your reply (gmail notifier doesn’t seem to be off the mark today lol). Thanks man for looking to my problem, I have done exactly what you have asked. Logfile of HijackThis v1.99.1 Scan saved at 21:28:04, on 20/04/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\mysql\bin\mysqld-nt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\Google\Gmail Notifier\gnotify.exe C:\WINDOWS\VM303_STI.EXE C:\Program Files\Winamp\winampa.exe C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\PicoZip\PicoZipTray.exe C:\Program Files\Spyware Doctor\spydoctor.exe C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe C:\WINDOWS\System32\svchost.exe C:\HijackThis.exe O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH) O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe I also used HijackThis Analyzer =========================================================================================================================== Log was analyzed using HijackThis Analyzer - Updated on 12/17/04 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 21:28:04, on 20/04/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\WINDOWS\VM303_STI.EXE C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe C:\Program Files\PicoZip\PicoZipTray.exe C:\Program Files\Spyware Doctor\spydoctor.exe C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe C:\HijackThis.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH) O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b O4 - HKCU\..\Run: [PicoZip] C:\Program Files\PicoZip\PicoZipTray.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - file://D:\aw_player52\awswaxf.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{9B9E3143-7CFD-4560-B341-064C6BE265B3}: NameServer = 194.168.4.100 194.168.8.100 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINDOWS\SYSTEM32\DWRCS.EXE (file missing) O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe End of HijackThis Analyzer Log. =========================================================================================================================== Am I all good now? Thanks m8y, I think I will be donating some money to this web site, 100% earned, this web site really does rock and I wish there was more kind people like yourselves in this world, I honesly do appreciate it, good stuff  Many thanks!

04-20-2006, 02:49 PM	#6 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	That log is clean, you are all set to go.