We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
We're aware that some users are experiencing technical issues which the team are working to resolve. See the Community Noticeboard for more info. Thank you for your patience.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Hijack this - help please
Options
RedBern
Posts: 1,237 Forumite
in Techie Stuff
Hi, trying to help a friend clean up her laptop - whichever site she went on via IE would link to 'hot dates xxx' etc!... so I've followed the links on cleaning up, removing viruses etc. The last scan I did said 2 infected files which couldn't be removed. I've now done - hijack this.... see below.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:08:21, on 22/08/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by BT Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 212.95.49.214 www.google.com
O1 - Hosts: 212.95.49.214 www.google.de
O1 - Hosts: 212.95.49.214 www.google.fr
O1 - Hosts: 212.95.49.214 www.google.co.uk
O1 - Hosts: 212.95.49.214 www.google.com.br
O1 - Hosts: 212.95.49.214 www.google.it
O1 - Hosts: 212.95.49.214 www.google.es
O1 - Hosts: 212.95.49.214 www.google.co.jp
O1 - Hosts: 212.95.49.214 www.google.com.mx
O1 - Hosts: 212.95.49.214 www.google.ca
O1 - Hosts: 212.95.49.214 www.google.com.au
O1 - Hosts: 212.95.49.214 www.google.nl
O1 - Hosts: 212.95.49.214 www.google.co.za
O1 - Hosts: 212.95.49.214 www.google.be
O1 - Hosts: 212.95.49.214 www.google.gr
O1 - Hosts: 212.95.49.214 www.google.at
O1 - Hosts: 212.95.49.214 www.google.se
O1 - Hosts: 212.95.49.214 www.google.ch
O1 - Hosts: 212.95.49.214 www.google.pt
O1 - Hosts: 212.95.49.214 www.google.dk
O1 - Hosts: 212.95.49.214 www.google.fi
O1 - Hosts: 212.95.49.214 www.google.ie
O1 - Hosts: 212.95.49.214 www.google.no
O1 - Hosts: 212.95.49.214 search.yahoo.com
O1 - Hosts: 212.95.49.214 us.search.yahoo.com
O1 - Hosts: 212.95.49.214 uk.search.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: update.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/uon/support/plugins/ebraryRdr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 10878 bytes
Where do I go from here. Thanks in advance..
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:08:21, on 22/08/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by BT Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 212.95.49.214 www.google.com
O1 - Hosts: 212.95.49.214 www.google.de
O1 - Hosts: 212.95.49.214 www.google.fr
O1 - Hosts: 212.95.49.214 www.google.co.uk
O1 - Hosts: 212.95.49.214 www.google.com.br
O1 - Hosts: 212.95.49.214 www.google.it
O1 - Hosts: 212.95.49.214 www.google.es
O1 - Hosts: 212.95.49.214 www.google.co.jp
O1 - Hosts: 212.95.49.214 www.google.com.mx
O1 - Hosts: 212.95.49.214 www.google.ca
O1 - Hosts: 212.95.49.214 www.google.com.au
O1 - Hosts: 212.95.49.214 www.google.nl
O1 - Hosts: 212.95.49.214 www.google.co.za
O1 - Hosts: 212.95.49.214 www.google.be
O1 - Hosts: 212.95.49.214 www.google.gr
O1 - Hosts: 212.95.49.214 www.google.at
O1 - Hosts: 212.95.49.214 www.google.se
O1 - Hosts: 212.95.49.214 www.google.ch
O1 - Hosts: 212.95.49.214 www.google.pt
O1 - Hosts: 212.95.49.214 www.google.dk
O1 - Hosts: 212.95.49.214 www.google.fi
O1 - Hosts: 212.95.49.214 www.google.ie
O1 - Hosts: 212.95.49.214 www.google.no
O1 - Hosts: 212.95.49.214 search.yahoo.com
O1 - Hosts: 212.95.49.214 us.search.yahoo.com
O1 - Hosts: 212.95.49.214 uk.search.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: BT Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\AccelerometerSt.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ConnectionCenter] "C:\Program Files\Citrix\ICA Client\concentr.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [eyeBeam SIP Client] "C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\aro.exe -rem
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: update.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/uon/support/plugins/ebraryRdr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
--
End of file - 10878 bytes
Where do I go from here. Thanks in advance..
Bern :j
0
Comments
-
Show us the Malwarebytes AntiMalware log.
Reset the HOSTS file or better still replace it.
You could also run a clean install and immediately update to SP3.0 -
I had a similar problem with my dad's PC. I used Spybot Search & Destroy. You can download it for free. Just search on Google. Hope this helps.0
-
follow donnies advice first about resetting the hosts file
what other software did you run to remove it ??
if you ran malwarebytes can you post that log file pleaseEx forum ambassador
Long term forum member0 -
thanks guys.
I've reset the hosts files as directed - and run Malware again - and it is showing all clear.
However, I can't connect to the internet now (I'm on my pc!) - the laptop can't find any networks at all .... I've tried plugging it into the hub to get it connected and that isn't working.....
So, I think the virus is clear - only need to get back onto 'net and put avira or similar on. Any suggestions?Bern :j0 -
try this
http://windowsxp.mvps.org/winsock.htm
Most of the Internet connectivity problems arise out of corrupt Winsock settings. Windows sockets settings may get corrupted due to the installation of a networking software, or perhaps due to Malware infestation. You will be able connect to the Internet, but the packets won't transfer back and forth. And errors such as Page cannot be displayed may occur when using Internet Explorer. This article lists the methods (with links to third-party websites) to reset/repair the Winsock configuration to defaults.
Tools- WinSock XP Fix - Tool which fixes XP internet connectivity
- Tutorials for Winsock XP Fix [Tutorial 1] [Tutorial 2]
can we see the malwarebytes log file that found things (will be on the Logs tab when you start it up )Ex forum ambassador
Long term forum member0 -
successfully connected again! Thanks
original log:
Malwarebytes' Anti-Malware 1.46
https://www.malwarebytes.org
Database version: 4457
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
21/08/2010 19:07:17
mbam-log-2010-08-21 (19-07-17).txt
Scan type: Full scan (C:\|E:\|)
Objects scanned: 202583
Time elapsed: 36 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 22
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 2
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\asert32.dll (Password.Stealer) -> Delete on reboot.
C:\Program Files\Common Files\System\sys_vd4.dat (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{17799d21-d1c8-434d-87f0-b61058497b38} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b448d946-3623-42ab-ba32-c08651e36980} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b448d946-3623-42ab-ba32-c08651e36980} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b448d946-3623-42ab-ba32-c08651e36980} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{17799d21-d1c8-434d-87f0-b61058497b38} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{17799d21-d1c8-434d-87f0-b61058497b38} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17799d21-d1c8-434d-87f0-b61058497b38} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe "C:\Program Files\Common Files\System\svchost.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\asert32.dll (Password.Stealer) -> Delete on reboot.
C:\Program Files\Common Files\System\sys_vd4.dat (Trojan.Agent) -> Delete on reboot.
C:\Program Files\AntiVirus Plus\AntiVirus Plus.70342.exe (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP195\A0028595.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\Andy Peters\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idm.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Delete on reboot.
C:\Documents and Settings\Andy Peters\Local Settings\Temp\pdfupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.Bern :j0 -
looking at what it found I would also run this
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
then post that log fileEx forum ambassador
Long term forum member0 -
ComboFix 10-08-21.06 - 22/08/2010 13:16:46.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.470 [GMT 1:00]
Running from: c:\documents and settings\Andy Peters\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\\autorun.inf
c:\windows\MailSwitch.ocx
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.
2010-08-22 11:57 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-08-22 11:57 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-08-22 11:57 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-08-22 11:57 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-08-22 11:57 . 2010-08-22 11:57
d
w- c:\program files\Avira
2010-08-22 11:57 . 2010-08-22 11:57
d
w- c:\documents and settings\All Users\Application Data\Avira
2010-08-22 09:47 . 2010-08-22 11:33 114688 ----a-w- c:\windows\system32\chg.exe
2010-08-22 09:24 . 2010-08-22 09:24 0 ----a-w- c:\windows\nsreg.dat
2010-08-22 09:24 . 2010-08-22 09:24
d
w- c:\documents and settings\Andy Peters\Local Settings\Application Data\Mozilla
2010-08-22 09:07 . 2010-08-22 09:07 388096 ----a-r- c:\documents and settings\Andy Peters\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-22 09:07 . 2010-08-22 09:07
d
w- c:\program files\Trend Micro
2010-08-21 19:30 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-08-21 19:30 . 2010-08-21 19:30
d
w- c:\program files\Panda Security
2010-08-21 19:08 . 2010-08-21 19:08
d
w- c:\program files\Defraggler
2010-08-21 18:59 . 2010-08-21 18:59
d
w- c:\documents and settings\Andy Peters\Application Data\Sammsoft
2010-08-21 18:59 . 2010-08-21 18:59
d
w- c:\program files\Advanced Registry Optimizer
2010-08-21 18:42 . 2010-08-21 18:42
d
w- c:\program files\CCleaner
2010-08-21 17:23 . 2010-08-21 17:23
d
w- c:\documents and settings\Andy Peters\Application Data\Malwarebytes
2010-08-21 17:22 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-21 17:22 . 2010-08-21 17:23
d
w- c:\program files\Malwarebytes' Anti-Malware
2010-08-21 17:22 . 2010-08-21 17:22
d
w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-21 17:22 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-05 23:29 . 2010-08-05 23:29
d-sh--w- c:\documents and settings\Andy Peters\IECompatCache
2010-08-05 23:28 . 2010-08-05 23:28
d-sh--w- c:\documents and settings\Andy Peters\PrivacIE
2010-08-05 23:27 . 2010-08-05 23:27
d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-08-05 23:27 . 2010-08-05 23:27
d-sh--w- c:\documents and settings\Andy Peters\IETldCache
2010-08-05 23:25 . 2010-08-05 23:25
d
w- c:\windows\ie8updates
2010-08-05 23:23 . 2010-08-05 23:23
dc-h--w- c:\windows\ie8
2010-08-05 23:23 . 2010-08-05 23:25
d--h--w- c:\windows\msdownld.tmp
2010-08-05 23:20 . 2010-05-06 10:41 12800
w- c:\windows\system32\dllcache\xpshims.dll
2010-08-05 23:20 . 2010-05-06 10:41 599040
w- c:\windows\system32\dllcache\msfeeds.dll
2010-08-05 23:20 . 2010-05-06 10:41 55296
w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-08-05 23:20 . 2010-05-06 10:41 247808
w- c:\windows\system32\dllcache\ieproxy.dll
2010-08-05 23:20 . 2010-05-06 10:41 743424
w- c:\windows\system32\dllcache\iedvtool.dll
2010-08-05 23:20 . 2010-05-06 10:41 1985536
w- c:\windows\system32\dllcache\iertutil.dll
2010-08-05 23:20 . 2010-05-06 10:41 11076096
w- c:\windows\system32\dllcache\ieframe.dll
2010-08-05 23:20 . 2010-04-16 11:43 41984
w- c:\windows\system32\dllcache\iecompat.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 17:20 . 2010-01-03 21:00 9061852 ----a-w- c:\windows\system32\lk.dat
2010-08-05 23:29 . 2007-03-21 19:40
d
w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-08-05 23:24 . 2007-03-21 18:57
d
w- c:\documents and settings\All Users\Application Data\yahoo!
2010-08-05 23:24 . 2007-03-21 18:56
d
w- c:\program files\Yahoo!
2010-06-14 14:30 . 2004-08-04 08:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\ypager.exe" [2005-08-31 2478080]
"AROReminder"="c:\program files\Advanced Registry Optimizer\aro.exe" [2009-10-22 2132480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2005-12-29 543232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-12 103768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-2-27 581693]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk
backup=c:\windows\pss\AntiVirus Plus.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^update.exe]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\update.exe
backup=c:\windows\pss\update.exeCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Andy Peters^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
path=c:\documents and settings\Andy Peters\Start Menu\Programs\Startup\AntiVirus Plus.lnk
backup=c:\windows\pss\AntiVirus Plus.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Andy Peters^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=c:\documents and settings\Andy Peters\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=c:\windows\pss\TrueAssistant.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\3 Mobile Broadband\\3Connect\\Wilog.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [21/08/2010 20:30 28552]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [08/09/2009 19:13 65584]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22/08/2010 12:57 135336]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [20/09/2006 08:24 87936]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/06/2005 14:26 35968]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [24/10/2009 09:32 102656]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ANTIVIRSCHEDULERSERVICE
*NewlyCreated* - ANTIVIRSERVICE
*NewlyCreated* - AVGIO
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - AVIPBB
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
2010-06-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
Supplementary Scan
.
uStart Page = hxxp://bt.yahoo.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gov.uk\cra.monmouthshire
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Andy Peters\Application Data\Mozilla\Firefox\Profiles\i9lgvocl.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Andy Peters\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.2\Plugins\npybrowserplus_2.9.2.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-eyeBeam SIP Client - c:\program files\BT Broadband Talk Softphone\BTSoftphone.exe
MSConfigStartUp-AntiVirus Plus - c:\program files\AntiVirus Plus\AntiVirus Plus.70342.exe
AddRemove-BT Home Hub - c:\program files\BT Home Hub\Uninstall.exe
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????Z??????(?@???????@
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
Completion time: 2010-08-22 13:21:04
ComboFix-quarantined-files.txt 2010-08-22 12:21
Pre-Run: 50,915,733,504 bytes free
Post-Run: 50,962,841,600 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 4DD38691DE45B049EFF8EBC56251ABC9Bern :j0 -
wait for AlienRik to take a readEx forum ambassador
Long term forum member0 -
is it that bad?:eek:Bern :j0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351K Banking & Borrowing
- 253.1K Reduce Debt & Boost Income
- 453.6K Spending & Discounts
- 244K Work, Benefits & Business
- 598.8K Mortgages, Homes & Bills
- 176.9K Life & Family
- 257.3K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.1K Discuss & Feedback
- 37.6K Read-Only Boards