Trojan invasion! Help!!


joyarjun
02-03-2010, 09:53 AM
Hello folks:

Right at boot up, my PC is showing around 2 dozen alarm msgs. from my anti-virus Avira Personal (free), all perfectly standardised, i.e. the same, over and over again. It says "TR/Bldr.Tracur.B.48 Trojan" has been detected. Action choices (default checked): deny access, quarantine, delete. Rename is also there, I think. Repair is greyed out. I tried all of the choices open, but the msgs. are persistent even after booting is finished. Though a provision is there asking Avira to remember the decision (and act accordingly in future), it does not remember. They keep appearing, with less frequency, once in a while during a single prolonged session.
Is it Avira Personal's false positive?
What to do, please?

MikeN.
02-03-2010, 10:03 AM
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?cdlPid=10997763
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version if one is available. There are always new updates to the definitions.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?tag=mncol

Right click on the desktop. Choose New Folder, then name it HiJackThis Folder.
Then download HiJackThis to that new folder.
Do a full system scan with HJT and save the log.
Post back here with both the MBA-M log and the HJT log.

jholland1964
02-03-2010, 10:35 AM
Is it Avira Personal's false positive? As an added bit of information, it is likely NOT a false positive. This same trojan is flagged by many other av programs of late....many given a different name by each av program but all the same thing.
TrojanDownloader:Win32/Tracur.B (http://forums.cnet.com/5208-6132_102-0.html?threadID=375734&start=60) is a trojan component installed by TrojanDownloader:Win32/Tracur.A. This trojan component downloads and executes arbitrary files.
Aliases
Win32/Nugg.worm.143360 (AhnLab)
Trojan.Tracur.A (BitDefender)
P2P-Worm.Win32.nugg.bd (Kaspersky)
Generic Downloader.x!cg (McAfee)
W32/Agent.MPDD (Norman)
W32/P2PWorm.AK.worm (Panda)
Troj/Agent-INP (Sophos)
Worm.P2P.Nugg.BV (VirusBuster)

joyarjun
02-05-2010, 11:10 AM
Hello friends:

malwarebyte has worked miracles!
I programmed it to scan all my drives, C-G, but ran out of patience since I had to use certain programmes for some work, so m-byte ran for about 60-70 per cent, when I aborted the run, intending to start again next day. However, I opted for removing the threats, about 2-3 it said could only be removed upon rebooting. I allowed that and rebooted.
This was yesterday.
Today evening (now!) I started my computer as usual. After some time I was struck that not a single virus warning msg. with that 'Tracur...something' had appeared, or appeared so far (am at the pc for around one hour!).
I checked the log created in Notepad, as was suggested. Here it is:

Malwarebytes' Anti-Malware 1.44
Database version: 3689
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

04/02/2010 22:21:31
mbam-log-2010-02-04 (22-21-31).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 56953
Time elapsed: 33 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\3D.tmp (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b4836b91720 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\cnvfat32.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\cnvfat32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\3D.tmp (Trojan.Tracur) -> Delete on reboot.
C:\Documents and Settings\welcome\My Documents\repair-pro-setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\welcome\My Documents\zipfopen.repair-pro-setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Should I run malwarebyte again and fully scan all my drives? About 30% of the job remains! And also run HJT?

Also thank you for warning me to take the virus warnings seriously, not a false positive!
I sincerely thank both of you, my friends, for that helping hand! If only nations could do this at the international level, the world could have been a far better place to live in.
Hats off to Worldstart.com

mom25kids
02-05-2010, 11:19 AM
Should I run malwarebyte again and fully scan all my drives? About 30% of the job remains! And also run HJT?

Definitely YES

jholland1964
02-05-2010, 11:51 AM
Should I run malwarebyte again and fully scan all my drives? About 30% of the job remains! And also run HJT?
100% yes. Because in all likelihood there may be more infected files. Though some were removed, I have to say joyarjun, what you did and how you ran the program is positively the wrong way to clean your system. By stopping and starting the program you did not give it a chance to fully clean the system. It only cleaned part of it. You absolutely MUST allow it to run, without stopping, 100% all the way through; this is the ONLY way to guarantee that it will find everything and in the proper order. MBA-M is set to run a specific way, in a specific order, and by stopping the scans part way through it was not allowed to do this.

Look at the elapsed time...33 minutes...you say you believe it ran 60 to 70%, well I very much doubt that it ran that far. On a small computer like mine, with its one 40GB hard drive, a Full Scan takes slightly over one hour and will scan about 180000+ objects.

A Quick Scan on my computer takes around 10 minutes, max, and scans slightly more than 90000 files. I have no idea of the size of your computer or the size of the drives on your computer, but look at what was scanned and how long...33 minutes and 56953 objects (slightly over half of what a quick scan scans on my system) and all the infections were found on "C" drive. This tells me no other drives were scanned. So believing that 60 to 70% of the scan completed is very likely wishful thinking, unless all the drives on the computer are very small and no other drive on the computer contained any infections.

Yes, you need to UPDATE MBA-M and run a Full System scan, allow it to Remove All found, and the absolute rule now with every MBA-M scan that finds something that needs to be removed is to always REBOOT. The reason for this is that some parts of an infection cannot be removed while they are running, and the way to remove them before they begin to run is to reboot and remove them before the computer gets as far as starting the infected file. That is always the rule today with this program.

So yes, update, run a full scan (no stopping it, let it run fully), remove, reboot and then run a system scan with HiJackThis (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10781312.html). Post both logs.
You also should not be using the computer for other things until the scan is run and complete.

This particular Trojan sits on the system and waits for instructions from an attacker. The trojan may be instructed to download and execute arbitrary files, redirect the web browser to a URL of the attacker's choice and, worst of all, it creates a named pipe that can allow an attacker access to steal personal data from your machine.
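The first MBA-M log posted above and jholland1964's point about rebooting can both be checked mechanically. As an added example (not from the thread or from Malwarebytes), this script parses a log in that layout, lists the items that were only scheduled for "Delete on reboot", and picks out the autostart registry locations the infection had used; the sample log is constructed after the one posted above.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log (added example).

Parses the layout the thread's logs use: a section header such as
"Files Infected:" followed by lines of the form
    <item> (<detection family>) -> [Data: <value> -> ]<action>.
and answers two questions raised in the thread: which autostart
locations the infection used, and which items were only scheduled for
removal ("Delete on reboot") and therefore still need the reboot.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)"      # path or key, then family
    r"(?: -> Data: (?P<data>.+?))?"               # registry data items only
    r" -> (?P<action>[^.]+)\.$"                   # what MBAM did about it
)
# Registry locations that load code at boot or logon; a hit here is persistence.
PERSISTENCE_MARKERS = (
    "\\winlogon\\notify\\",
    "\\windows\\appinit_dlls",
    "\\currentversion\\run",
)

# Constructed sample, modelled on the first log posted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3689

Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Data Items Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\3D.tmp (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b4836b91720 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\cnvfat32.dll -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Tracur) -> Delete on reboot.
C:\Documents and Settings\welcome\My Documents\repair-pro-setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return {section: [{item, family, data, action}, ...]} for populated sections."""
    findings = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            findings[section].append(m.groupdict())
    return dict(findings)


def pending_reboot(findings):
    """Items MBAM could not remove while loaded and deferred to the next boot."""
    deferred = {e["item"] for entries in findings.values() for e in entries
                if e["action"].lower() == "delete on reboot"}
    return sorted(deferred)


def persistence_hits(findings):
    """(registry item, payload) pairs under known autostart locations."""
    hits = []
    for section, entries in findings.items():
        if not section.startswith("Registry"):
            continue
        for e in entries:
            if any(marker in e["item"].lower() for marker in PERSISTENCE_MARKERS):
                hits.append((e["item"], e["data"]))
    return hits


def needs_reboot(findings):
    """True while the log still lists deferred deletions, i.e. cleanup is not done."""
    return bool(pending_reboot(findings))


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for item in pending_reboot(found):
        print("pending reboot:", item)
    for key, payload in persistence_hits(found):
        print("persistence:", key, "->", payload)
```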

joyarjun
02-05-2010, 02:54 PM
Hello 'Mama' and Mr.Holland:

I was paranoid enough to run a full, uninterrupted scan and--you were right! A whole bunch of invaders were detected on this second scan (of C, D and E drives). I must have messed up the statistics--the earlier scan must have covered far less than 60 p.cent, don't know why I got that impression of 60-70 p.c.! Here's malwarebyte's 2nd. full scan result:

Malwarebytes' Anti-Malware 1.44
Database version: 3689
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

06/02/2010 00:45:01
mbam-log-2010-02-06 (00-45-01).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 249765
Time elapsed: 1 hour(s), 47 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\SysWoW32\@u1859727819v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1859727819v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1859727819v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.

I did the needful; upon rebooting, that's the log I got.
Tomorrow, or rather today-- shall run HJT and let you know.

One thing more. Malwarebyte's 'quarantine' shows the list of malwares, presumably quarantined only, while its log states 'quarantined and deleted successfully'. Shall I still go ahead and hit the 'remove all' key in malwarebyte?
Thank you for your patience and advice!

jholland1964
02-05-2010, 02:59 PM
No, for now leave all in Quarantine. They cannot hurt anything in there so leave them for now. Do that HJT ASAP. Also do this:
Please Run the ESET Online Scanner (http://www.eset.com/onlinescan/)
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot.

By the way, that ESET will also take possibly an hour, cannot say for sure, but it also is a MUST!

Then run HiJackThis (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10781312.html) system scan and save the log. Post back here with the ESET log and the HiJackThis log.
Judy (not a mister...lol)

MikeN.
02-05-2010, 03:00 PM
One thing more. Malwarebyte's 'quarantine' shows the list of malwares, presumably quarantined only, while its log states '"quarantined and deleted successfully". Shall I still go ahead and hit the 'remove all' key in malwarebyte?
Thank you for your patience and advice!

Remove Selected at the end of a scan or Remove All from Quarantine? By your log you did remove all into the quarantine folder. Next cleaning steps after providing a HJT log please.

Next do this:
Please Run the ESET Online Scanner
http://www.eset.com/onlinescan/

* You will need to use Internet Explorer to complete this scan and you will need to allow an ActiveX control to be installed, or you may use Firefox if you have the IE Tab addon.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.

mom25kids
02-05-2010, 03:25 PM
Glad you ran a full Malwarebytes scan, now follow exactly what Judy and Mike tell you. Why? Because Mama said so.....lol

It will take some time & work but they won't lead you wrong in helping get that computer squeaky clean :)

joyarjun
02-07-2010, 03:08 AM
I have now generated HJT v.2.0.3 Beta log--a whole list of items but the notice on top says these are not necessarily malicious.
I have problem with copy/paste, the list is not amenable to copying!
How to overcome this particular hurdle, please?

mom25kids
02-07-2010, 05:29 AM
When you ran HJT did you select "Do a system scan and save a log file"? After HJT scans, your log file should open up in Notepad and it's very easy to copy for pasting.

Have you ran the Eset online scanner? Judy would like for you to run both the Eset scanner and HJT and post both logs for her to review.

I would not hesitate with running these and posting back asap.

MikeN.
02-07-2010, 09:31 AM
Here is another link, please download this version. You chose the beta version from the Trend Micro site. Install it and choose what Mom has already mentioned. Should be easy to copy and paste the log; if it's a bit too large, which can happen, split it into 2 posts.

http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

jholland1964
02-07-2010, 09:39 AM
I have now generated HJT v.2.0.3 Beta log--a whole list of items but the notice on top says these are not necessarily malicious.
I have problem with copy/paste, the list is not amenable to copying!
How to overcome this particular hurdle, please?

Don't use the Beta version...that means it is a TEST version. Use the current version found HERE (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10781312.html)

The notice at the top about items not necessarily being malicious is for the protection of the creator of the program, meaning, essentially, "if you remove the wrong things we are not at fault"
You are not going to remove anything with HiJackThis, it is just being used to get a picture of what may be running on the computer...that is it.

I agree with mom25kids, there is nothing difficult about copy/pasting the log. This log would be copy/pasted exactly the same way that you copy/pasted the MBA-M log, so I am not certain what you mean when you say the list is not amenable to copying.

Please run a new system scan with the current version. The longer you wait the more likely it is that your computer will become MORE infected. IF these are trojans, then their job is to bring in more infection.

Sorry Mike...stepped on you again!!!

MikeN.
02-07-2010, 09:45 AM
I changed the link in my thread so it goes to Cnet, wondered when somebody was going to post with that beta version that is also on the Trend Micro page.

joyarjun
02-07-2010, 10:09 AM
Hello Mama!
got it!
The log came out in Notepad as you indicated, only it was hiding behind the uncopiable HJT main window with (I presume) the same log. Ok, here goes the HJT log; shall follow up with ESET:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 20:06:13, on 07/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: (no name) - {0E2D55F7-DB55-46C1-9B73-444933262CC8} - (no file)
O2 - BHO: (no name) - {0E3D3DFC-DB56-4E52-A07D-0A07A7AA9165} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1F5FDA83-4379-4C6A-94AD-CC7BC688505A} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {34D02D0B-ACCC-4456-A057-8D39043F86BF} - (no file)
O2 - BHO: (no name) - {4E2826F1-53B4-4D3B-AFFB-1A710B5F5923} - (no file)
O2 - BHO: (no name) - {4E4B9E1A-2156-4B40-A925-8FD89DC1C412} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A5B8502E-06DA-4BD4-95B5-880C16AED7ED} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: (no name) - {C1213DC4-1358-40D4-B171-A7AAD5A9C927} - (no file)
O2 - BHO: (no name) - {C3853148-7D01-4DE8-9630-0C7BCD433437} - (no file)
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBttTmm - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 8628 bytes
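For anyone who wants to triage a HijackThis log like the one above without reading every line by eye, here is an added example (not from the thread, and not Trend Micro's code) that parses the O-numbered entries and pulls out the classes a helper looks at first: BHOs and toolbars whose file is gone, autoruns launched from outside the usual program roots, the DNS servers on the O17 line, and Winlogon Notify entries HJT could not resolve. The sample lines are constructed after the log's format; the `[Updater]` autorun is invented to exercise the path check and is not from the thread.

```python
"""Flag review-worthy entries in a HijackThis 2.x log (added example).

HJT prefixes every entry with a type code: O2 = browser helper object,
O3 = toolbar, O4 = autorun, O17 = DNS servers, O20 = Winlogon Notify,
O23 = service. This pulls out the classes a helper reads first: entries
whose DLL is gone, autoruns launched from outside the usual program roots,
the configured DNS servers, and Notify subkeys HJT could not resolve.
"""
import re

ENTRY_RE = re.compile(r"^(?P<type>O\d+) - (?P<body>.+)$")
# Autorun payloads are expected under these roots; anything else gets a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\", "c:\\progra~1\\")
# Executable path following the [Name] tag of an O4 entry, quoted or not.
O4_PATH_RE = re.compile(r"\]\s+\"?(?P<path>[A-Za-z]:\\[^\"]+?\.exe)", re.IGNORECASE)

# Constructed sample after the format of the log posted above. The [Updater]
# line is invented to exercise the path check; it is not from the thread.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\welcome\Application Data\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O20 - Winlogon Notify: geBttTmm - Invalid registry found
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""


def parse_hjt(text):
    """Return [(type_code, body), ...] for every O-numbered entry in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def orphaned_bhos(entries):
    """O2/O3 entries whose backing file is missing: leftovers of removed software."""
    return [body for code, body in entries
            if code in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body)]


def autoruns_outside_trusted_roots(entries):
    """O4 entries whose executable does not live under a standard program root."""
    flagged = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_PATH_RE.search(body)
        if m and not m.group("path").lower().startswith(TRUSTED_ROOTS):
            flagged.append(body)
    return flagged


def dns_servers(entries):
    """IP addresses from O17 NameServer lines, to compare with the ISP's servers."""
    ips = []
    for code, body in entries:
        if code == "O17" and "NameServer" in body:
            ips.extend(re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body))
    return ips


def broken_winlogon_notify(entries):
    """O20 Notify entries HJT could not resolve to a DLL (the key is a remnant)."""
    return [body for code, body in entries
            if code == "O20" and "Invalid registry found" in body]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for label, items in (("orphaned BHO/toolbar", orphaned_bhos(parsed)),
                         ("autorun outside program roots", autoruns_outside_trusted_roots(parsed)),
                         ("DNS server", dns_servers(parsed)),
                         ("unresolved Winlogon Notify", broken_winlogon_notify(parsed))):
        for item in items:
            print(f"{label}: {item}")
```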

MikeN.
02-07-2010, 10:12 AM
Redo it please, you need to uncheck Word Wrap in Notepad, can't read the logs this way, plus you used the Beta version. Please see above posts about downloading the other version.

mom25kids
02-07-2010, 10:50 AM
Hello Mama!
got it!
The log came out in the notepad as you indicated, only, it was hiding behind the uncopiable HJT main window

I thought that may have been the problem as the HJT window isn't copyable. Sorry I forgot to mention to have word wrap unchecked :o

joyarjun
02-07-2010, 12:12 PM
Here goes:

2ND.POSTING, HJT log without wordwrap, corrected version (not Beta!), in Notepad

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:36:06, on 07/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: (no name) - {0E2D55F7-DB55-46C1-9B73-444933262CC8} - (no file)
O2 - BHO: (no name) - {0E3D3DFC-DB56-4E52-A07D-0A07A7AA9165} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1F5FDA83-4379-4C6A-94AD-CC7BC688505A} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {34D02D0B-ACCC-4456-A057-8D39043F86BF} - (no file)
O2 - BHO: (no name) - {4E2826F1-53B4-4D3B-AFFB-1A710B5F5923} - (no file)
O2 - BHO: (no name) - {4E4B9E1A-2156-4B40-A925-8FD89DC1C412} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A5B8502E-06DA-4BD4-95B5-880C16AED7ED} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: (no name) - {C1213DC4-1358-40D4-B171-A7AAD5A9C927} - (no file)
O2 - BHO: (no name) - {C3853148-7D01-4DE8-9630-0C7BCD433437} - (no file)
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 8623 bytes

===========================================

With the third object, eset.com, I downloaded ActiveX, under Tools/Internet Options/Security/Enabled 'ActiveX Controls and Plugins', shall try to run eset scanner.

joyarjun
02-07-2010, 01:23 PM
By the way---!

sorry, MS. Holland!
Well, if I am not darned! It's of course good old Judy, my long-time virtual friend and benefactress!
The same person who triggered Judy Garland, and Elvis' and the Beatles' numbers with the same name!!
Your last name somehow sounds sombre to me, however, don't know why; it appears to be a male name to me (even though last names are no indicators of gender). Maybe some lingering memory of my teenage years when Dutch and Belgian Jesuit fathers taught me, and the Father I esp. admired came from Holland!!
See, this mix up shows perhaps that not only my pc but the little grey matter that I had has been hijacked too, worse, being influenced by remote control (LOL!)!!
Hope to get back with the rest of the logs before I am totally "fubar'd" (I chanced upon 'urbandictionary.com' and it taught me this unparliamentary 'modern' expression! It's pretty expressive though, once you know its innards (LOL)!

jholland1964
02-07-2010, 01:24 PM
No, for now leave all in Quarantine. They cannot hurt anything in there so leave them for now. Do that HJT ASAP. Also do this:
Please Run the ESET Online Scanner (http://www.eset.com/onlinescan/)
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot.

By the way, that ESET will also take possibly an hour, cannot say for sure, but it also is a MUST!

Then run HiJackThis (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10781312.html) system scan and save the log.

?????? Think you have posted the wrong thing joyarjun. Those are my instructions but nothing else.

MikeN.
02-07-2010, 01:47 PM
Rerun HJT, make sure it's the version you just used, put a check in the box next to these, then Fix Checked, bottom left corner of the program. Screen will turn white, that's expected; reboot to finish the process.

O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: (no name) - {0E2D55F7-DB55-46C1-9B73-444933262CC8} - (no file)
O2 - BHO: (no name) - {0E3D3DFC-DB56-4E52-A07D-0A07A7AA9165} - (no file)
O2 - BHO: (no name) - {1F5FDA83-4379-4C6A-94AD-CC7BC688505A} - (no file)
O2 - BHO: (no name) - {34D02D0B-ACCC-4456-A057-8D39043F86BF} - (no file)
O2 - BHO: (no name) - {4E2826F1-53B4-4D3B-AFFB-1A710B5F5923} - (no file)
O2 - BHO: (no name) - {4E4B9E1A-2156-4B40-A925-8FD89DC1C412} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {A5B8502E-06DA-4BD4-95B5-880C16AED7ED} - (no file)
O2 - BHO: (no name) - {C1213DC4-1358-40D4-B171-A7AAD5A9C927} - (no file)
O2 - BHO: (no name) - {C3853148-7D01-4DE8-9630-0C7BCD433437} - (no file)

You have a number of toolbars: MSN, Windows Live, Google. Do you use them all?
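As an added example (not code from this thread, from HijackThis or from Trend Micro), here is a small Python script that applies the rule MikeN is using by hand above: an O2 BHO line that ends in "(no file)" or "(file missing)" is a CLSID still registered in IE with no DLL behind it, so it can be ticked for "Fix checked". The script also pulls out two things a log reviewer checks next, the O20 Winlogon Notify entry and the O17 DNS servers. The "review" bucket and the Winlogon Notify heuristic (a Notify package should name a .dll; a bare directory is suspicious) are my assumptions, not anything the thread states. The sample lines are an excerpt copied from the 07/02/2010 HJT log posted earlier in the thread.

```python
"""Triage a HijackThis (HJT) log for the entry types dealt with in this thread.

Added example, not part of the thread and not HJT's own code. It mechanises the
rule MikeN applies by hand above (an O2 BHO whose DLL is '(no file)' or
'(file missing)' is a dead registry pointer and can be fixed) and adds two
checks a log reviewer makes next. The Winlogon Notify heuristic and the
'review' bucket are the example author's assumptions, not anything the thread
states. SAMPLE_LOG is an excerpt copied from the 07/02/2010 log posted above.
"""
import re
from dataclasses import dataclass

# Excerpt (subset of lines) of the HJT log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1F5FDA83-4379-4C6A-94AD-CC7BC688505A} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    section: str  # "O2", "O20", ...
    body: str     # text after "Onn - "
    raw: str      # the line as HJT printed it (what you tick in 'Fix checked')

    @property
    def clsid(self):
        m = CLSID_RE.search(self.body)
        return m.group(0) if m else None


def parse_hjt(text):
    """Keep only the 'Onn - ...' entry lines; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
    return entries


def orphaned_bhos(entries):
    """O2/O3 entries whose DLL is gone: a CLSID still registered with nothing behind it."""
    return [e for e in entries
            if e.section in ("O2", "O3")
            and ("(no file)" in e.body or "(file missing)" in e.body)]


def suspicious_winlogon_notify(entries):
    """O20 Winlogon Notify packages that do not point at a .dll.

    Assumption (not from the thread): a legitimate Notify package names a DLL;
    a bare directory such as 'C:\\WINDOWS\\' or HJT's 'Invalid registry found'
    means the value is damaged or left over and deserves a look.
    """
    out = []
    for e in entries:
        if e.section == "O20":
            target = e.body.rsplit(" - ", 1)[-1].strip()
            if not target.lower().endswith(".dll"):
                out.append(e)
    return out


def nameservers(entries):
    """DNS servers from O17 lines, for comparison against the ISP's published resolvers."""
    servers = []
    for e in entries:
        if e.section == "O17" and "NameServer" in e.body:
            servers.extend(e.body.split("=", 1)[1].split())
    return servers


def triage(entries):
    """'fix': lines safe to tick in HJT; 'review': lines needing a human decision."""
    fix = [e.raw for e in orphaned_bhos(entries)]
    review = [e.raw for e in suspicious_winlogon_notify(entries)]
    review += [e.raw for e in entries if e.section == "O17"]
    return {"fix": fix, "review": review}


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_LOG))
    for bucket, lines in result.items():
        print(bucket.upper())
        for line in lines:
            print("  " + line)
```

Run it against a saved log (`parse_hjt(open("hijackthis.log").read())`) and the "fix" bucket is exactly the list of "(no name)" lines MikeN posted; the "review" bucket holds the things the script cannot decide for you, such as whether 218.248.255.193 and 218.248.240.180 are really the ISP's resolvers.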

joyarjun
02-08-2010, 07:14 AM
Ok 'Big Mama', Mike and Ms. Holland!
here's the eset scan results log:

C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\WINDOWS\system32\Y51bppP9I4kSb.vbs VBS/Disabler.NAB trojan cleaned by deleting - quarantined
E:\STORIES\My Documents back up\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix.exe multiple threats deleted - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix.exe multiple threats deleted - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\SmitfraudFix, anti-ZLOB TROJAN\Process.exe Win32/PrcView application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\SmitfraudFix, anti-ZLOB TROJAN\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined

A final final checking with HJT again? Coming up!

joyarjun
02-08-2010, 07:38 AM
Here's the eset scan log:

C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\WINDOWS\system32\Y51bppP9I4kSb.vbs VBS/Disabler.NAB trojan cleaned by deleting - quarantined
E:\STORIES\My Documents back up\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix.exe multiple threats deleted - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix.exe multiple threats deleted - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\SmitfraudFix, anti-ZLOB TROJAN\Process.exe Win32/PrcView application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\SmitfraudFix, anti-ZLOB TROJAN\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined

Final HJT log--coming up soon in a theatre near you!!!

joyarjun
02-08-2010, 07:55 AM
Hello there, 'Big Mama', Mike ('Hammer'?!) and Ms. Holland (from Zuider Zee!)!

here's what I got:

ESET SCAN LOG:


C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
C:\WINDOWS\system32\Y51bppP9I4kSb.vbs VBS/Disabler.NAB trojan cleaned by deleting - quarantined
E:\STORIES\My Documents back up\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix.exe multiple threats deleted - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix.exe multiple threats deleted - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\INTNET,ZLOB TROJAN REMOVE,How To Remove Antivirgear (removal Instructions)_files\INTNET, ANTI-ZLOB TROJAN, SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\SmitfraudFix, anti-ZLOB TROJAN\Process.exe Win32/PrcView application cleaned by deleting - quarantined
E:\STORIES\My Documents back up\SmitfraudFix, anti-ZLOB TROJAN\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined



==================================================================
and the

FINAL HJT SCAN LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:50:58, on 08/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: (no name) - {0E2D55F7-DB55-46C1-9B73-444933262CC8} - (no file)
O2 - BHO: (no name) - {0E3D3DFC-DB56-4E52-A07D-0A07A7AA9165} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1F5FDA83-4379-4C6A-94AD-CC7BC688505A} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {34D02D0B-ACCC-4456-A057-8D39043F86BF} - (no file)
O2 - BHO: (no name) - {4E2826F1-53B4-4D3B-AFFB-1A710B5F5923} - (no file)
O2 - BHO: (no name) - {4E4B9E1A-2156-4B40-A925-8FD89DC1C412} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A5B8502E-06DA-4BD4-95B5-880C16AED7ED} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: (no name) - {C1213DC4-1358-40D4-B171-A7AAD5A9C927} - (no file)
O2 - BHO: (no name) - {C3853148-7D01-4DE8-9630-0C7BCD433437} - (no file)
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 8556 bytes

========================================================

I haven't touched any file reported in HJT since not all are suspect. Which ones should I delete or quarantine, please?

P.S. Please pardon me if there has been duplicate posting of any of my last 2 logs. I posted them one at a time but after a short interval could not locate any! Is more time taken for the postings to appear? In any case, I hope bunching the two scan logs together will solve any problem, so any duplication would be the result of inadvertent, blindly taken action!

MikeN.
02-08-2010, 08:50 AM
1st step, go back to my directions from post #22 that you skipped over, remove all those entries with HJT, reboot and do another HJT log. Want to see that they are gone. Once that is done, the next cleaning step will be posted. Unfortunately, major stuff was found in that Eset scan, you are not done cleaning.
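MikeN's "want to see that they are gone" is a before/after comparison, and it is easy to get wrong by eye in a sixty-line log. As an added example (not code from the thread or from HijackThis), the script below diffs the entry lines of two HJT logs and checks a fix list against them: every ticked line must have existed in the old log and must be absent from the new one. BEFORE and AFTER are excerpts I constructed from the 07/02/2010 and 09/02/2010 logs posted in this thread (subsets, not the full logs); FIXLIST is two of the lines MikeN told the poster to tick. Whitespace is normalised so a line that was hand-wrapped when pasted still matches.

```python
"""Confirm an HJT 'Fix checked' pass by comparing the log before and after it.

Added example, not part of the thread and not HJT's own code. MikeN asks for a
fresh log to see that the removed entries are gone; this does that comparison
mechanically: which entry lines disappeared, which are new, and which survived.
BEFORE is an excerpt of the 07/02/2010 log and AFTER an excerpt of the
09/02/2010 log posted in this thread (subsets, constructed for the example);
FIXLIST is two of the lines MikeN told the poster to tick.
"""
import re

BEFORE = r"""
O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
"""

AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
"""

# Two of the twelve lines MikeN listed for 'Fix checked'.
FIXLIST = [
    r"O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)",
    r"O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)",
]

ENTRY_RE = re.compile(r"^O\d+ - ")


def normalise(line):
    """Collapse whitespace so a hand-wrapped or re-posted line still matches."""
    return " ".join(line.split())


def hjt_entries(text):
    """The 'Onn - ...' lines of a log, normalised, in log order (header and process list dropped)."""
    return [normalise(l) for l in text.splitlines() if ENTRY_RE.match(l.strip())]


def compare_logs(before, after):
    """Entry lines removed by the fix, newly appeared, and carried over unchanged."""
    b, a = hjt_entries(before), hjt_entries(after)
    b_set, a_set = set(b), set(a)
    return {
        "removed": [l for l in b if l not in a_set],
        "added": [l for l in a if l not in b_set],
        "kept": [l for l in a if l in b_set],
    }


def verify_fix(before, after, fixlist):
    """ok only if every ticked line was in BEFORE and is gone from AFTER.

    'not_in_before' catches a mistyped fix line that could never have matched;
    'still_present' is what HJT failed to remove (or what came back on reboot).
    """
    b_set, a_set = set(hjt_entries(before)), set(hjt_entries(after))
    wanted = [normalise(l) for l in fixlist]
    still = [l for l in wanted if l in a_set]
    unknown = [l for l in wanted if l not in b_set]
    return {"ok": not still and not unknown, "still_present": still, "not_in_before": unknown}


if __name__ == "__main__":
    diff = compare_logs(BEFORE, AFTER)
    for key in ("removed", "added", "kept"):
        print(f"{key} ({len(diff[key])}):")
        for line in diff[key]:
            print("  " + line)
    print("fix verified:", verify_fix(BEFORE, AFTER, FIXLIST)["ok"])
```

On these excerpts the "removed" list holds the two "(no name)" BHOs plus the two MSN Toolbar entries, "added" holds the ESET OnlineScanner O16 control that the online scan installed, and "kept" shows the O20 Winlogon Notify line surviving the pass, which is the kind of carry-over the next cleaning step has to account for.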

joyarjun
02-09-2010, 09:22 AM
Hello there, MikeN:

here's the response to post 22 of yours, sorry for the delay, I must have overlooked 'page 2' of my thread.

This is the HJT log, devoid of the 12 'no name' entries that you asked me to remove. This is the post-removal log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:25, on 09/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7430 bytes
===========================


Apropos your query whether I use all these browser tools (BHOs?), well, not all the time but I do, sometimes.
What's next, Chef???

MikeN.
02-09-2010, 10:17 AM
Do 2 of these online scans; if one doesn't work, try another one. You need to disable your antivirus, just like for the Eset scan. Post the log after each scan, please.

http://www.windowsecurity.com/trojanscan/

http://housecall.trendmicro.com/

http://www.bitdefender.com/scanner/online/free.html?url=scan8/ie.html

jholland1964
02-09-2010, 10:34 AM
Can I ask you, when did you run Smitfraudfix? and why?

mom25kids
02-09-2010, 01:22 PM
Glad to see you're hanging onto your sense of humor, but perhaps time to get serious and down to business? Do you have a really busy schedule that prevents you from getting back onto the boards? You 1st posted on 02-03-2010, 10:53 AM and it's now the 9th. Judy and Mike are the ones that will help you get your computer woes fixed, I'm just kinda butting in so to speak, but I'd recommend following their instructions step by step and not jumping ahead. If you're bouncing between help forums that's most likely gonna make things all the more difficult. I'm following the thread in hopes of learning a thing or two. BTW, it should be "Little Mama" as I weigh less than 100lbs... lol

joyarjun
02-11-2010, 10:31 AM
Hello Ms. Holland:
I had used smitfraud long ago, for the reason I can't remember any more! Sorry! I seemed to have been quite satisfied, so did not delete it. Is it harmful???

Ok, 'Little Mama'--

sorry to have reacted late to my advisers, partly because many of the sites confuse me with their myriad promises and links and other paraphernalia, e.g., trendmicro has in effect edged me to download first a 67.3 MB a-squared software, and Registry Optimizer placed itself in between so well that I thought I was downloading a-sq. while I clicked dwnld. for the Reg.Optimizer! I discovered the error and then had to abort the latter in a hurry, then search for the right place for the behemoth a-sq.! It will take some time now to dwnld. (@10 mbps internet speed), provided I have enough memory and disk space in my c drive left. In case one of these is inadequate, then I have to rectify that situation. Thereupon when I turn on a dwnlded. a-sq., I won't be surprised if it comes up with a new set of preconditions which I need to fill before I can proceed with scan! So, in my case at least, one thing leads to another and that eats up time (apart from a normally busy schedule).

However, I have already scanned my pc with bitdefender. This a-sq. business from trendmicro is the last job I have to do at the moment, as per MikeN's instructions. Shall post both results ASAP. Incidentally, bitdefender took ages initially to plod its way through my files, much to my surprise, since on its first pages it promised a scan lasting "less than 60 seconds"! Ad gimmicks confuse me all the more!!!

Please stick with me, Mama! It's good to have the feel of mama watching your performance over your shoulder!!

mom25kids
02-11-2010, 10:52 AM
Welcome back :)

Use Mike's link and only click the gray button that says "scan my computer for trojans!" A new page will open and you will have to allow the program if you haven't already done so. On your return it will have to update itself prior to running the scan. Do the deep scan and yes, this will take a while. Come back and let us know the results. If you have any questions please ask before proceeding. Keep us posted ;)

MikeN.
02-11-2010, 11:02 AM
Hello Ms. Holland:
I had used smitfraud long ago, for the reason I can't remember any more! Sorry! I seemed to have been quite satisfied, so did not delete it. Is it harmful???

Ok, 'Little Mama'--

sorry to have reacted late to my advisers, partly because many of the sites confuse me with their myriad promises and links and other paraphernalia, e.g., trendmicro has in effect edged me to download first a 67.3 MB a-squared software, and Registry Optimizer placed itself in between so well that I thought I was downloading a-sq. while I clicked dwnld. for the Reg.Optimizer! I discovered the error and then had to abort the latter in a hurry, then search for the right place for the behemoth a-sq.! It will take some time now to dwnld. (@10 mbps internet speed), provided I have enough memory and disk space in my c drive left. In case one of these is inadequate, then I have to rectify that situation. Thereupon when I turn on a dwnlded. a-sq., I won't be surprised if it comes up with a new set of preconditions which I need to fill before I can proceed with scan! So, in my case at least, one thing leads to another and that eats up time (apart from a normally busy schedule).

However, I have already scanned my pc with bitdefender. This a-sq. business from trendmicro is the last job I have to do at the moment, as per MikeN's instructions. Shall post both results ASAP. Incidentally, bitdefender took ages initially to plod its way through my files, much to my surprise, since on its first pages it promised a scan lasting "less than 60 seconds"! Ad gimmicks confuse me all the more!!!

Please stick with me, Mama! It's good to have the feel of mama watching your performance over your shoulder!!
In the future, any time you're confused, please post asking for clarification; it will save you the time and aggravation of going in the wrong direction, plus possibly installing the wrong thing and then using it! This is another reason for using Firefox with the AdblockPlus add-on. There aren't any other crap links on the page to click on!! I have been to the start page of Bitdefender numerous times using IE and no place on the page does it say scan lasting 60 seconds or less. NO deep scan can do it that fast and be effective.

joyarjun
02-12-2010, 08:21 AM
Thank you all.

Hello MikeN--

not bitdefender but trendmicro or its referral a-squared ( I can't recall which) says that-- about 60 seconds or less (Or was it the unexpected and cleverly interposed registry optimizer???!).
I could not locate any method to save the log of bitdefender, but have taken down the summary on paper. I have the log of a-sqrd. (via trendmicro) though. Both are given below:

1. Bitdefender summary:

Files: Scanned 170775 out of 158656 [don't ask how that can be, the figures are what I saw!]

Scan time: 03.20.12

Objects: 446941

Folders: 10721

Boot sector: 0

Archives: 46621

Packed files: 32,004

Identified viruses: 8

Infected files: 22

Suspect files: 0

Warnings: 0

Disinfected files: 12

Deleted files: 16

At least 1 of the disinfected files could not be disinfected or deleted. These files are displayed in the 'Detailed Problems' tab.

N.B. All the infected/disinfected files seemed to relate to Avira Antivirus!
====================================================

2. A-squared Scan log:

a-squared Free - Version 4.5
Last update: 11/02/2010 21:51:00

Scan settings:

Scan type: Deep Scan
Objects: Memory, Traces, Cookies, C:\, D:\, E:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 12/02/2010 13:19:22

c:\documents and settings\all users\start menu\programs\the weather channel detected: Trace.Directory.Desktop Weather!A2
c:\program files\the weather channel fw detected: Trace.Directory.Desktop Weather!A2
c:\program files\imesh applications\imesh detected: Trace.Directory.iMesh!A2
c:\program files\pav detected: Trace.Directory.Personal Antivirus!A2
c:\documents and settings\welcome\application data\error fix\ detected: Trace.Directory.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix detected: Trace.Directory.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\logs detected: Trace.Directory.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results detected: Trace.Directory.ErrorFix!A2
c:\windows\tasks\error fix scan.job detected: Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results\junk.db detected: Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results\registry.db detected: Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results\update.db detected: Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results\evidence.db detected: Trace.File.ErrorFix!A2
Key: HKEY_LOCAL_MACHINE\software\Error Fix detected: Trace.Registry.ErrorFix!A2
Key: HKEY_LOCAL_MACHINE\software\Error Fix\Settings detected: Trace.Registry.ErrorFix!A2
Key: HKEY_USERS\S-1-5-21-790525478-152049171-1801674531-1003\software\Error Fix detected: Trace.Registry.ErrorFix!A2
Key: HKEY_USERS\S-1-5-21-790525478-152049171-1801674531-1003\software\Error Fix\Main detected: Trace.Registry.ErrorFix!A2
Key: HKEY_USERS\S-1-5-21-790525478-152049171-1801674531-1003\software\Error Fix\Privacy detected: Trace.Registry.ErrorFix!A2
Key: HKEY_USERS\S-1-5-21-790525478-152049171-1801674531-1003\software\Error Fix\Results detected: Trace.Registry.ErrorFix!A2
Key: HKEY_USERS\S-1-5-21-790525478-152049171-1801674531-1003\software\Error Fix\SectionToScan detected: Trace.Registry.ErrorFix!A2
Key: HKEY_USERS\S-1-5-21-790525478-152049171-1801674531-1003\software\Error Fix\ServiceSettings detected: Trace.Registry.ErrorFix!A2
c:\program files\error repair professional detected: Trace.Directory.ErrorRepairPro!A2
c:\program files\error repair professional\backups detected: Trace.Directory.ErrorRepairPro!A2
c:\program files\error repair professional\startbug detected: Trace.Directory.ErrorRepairPro!A2
c:\program files\imesh applications\imesh\install.log detected: Trace.File.iMesh!A2
Key: HKEY_USERS\S-1-5-21-790525478-152049171-1801674531-1003\software\imesh detected: Trace.Registry.IMesh!A2
C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix\Reboot.exe detected: Riskware.RiskTool.Win32.Reboot.f!A2
C:\Program Files\IronCode Software\Natwarlal\winboard.exe detected: Backdoor.Win32.SdBot!IK
D:\BudgetPlanner.exe detected: Riskware.Client-IRC.Win32.mIRC.603!A2
E:\FILES,INDIA COUNTER-TERROR\Think Progress » DNI McConnell_ I Lied To The Senate.htm detected: Trojan-Downloader.JS.Gumblar!IK
E:\STORIES\My Documents back up\FILES, SETUPS, BBC DESKTOP\BBC.zip/BBC.exe detected: Riskware.AdWare.Win32.DealHelper!IK

Scanned

Files: 205677
Traces: 664091
Cookies: 48
Processes: 36

Found

Files: 5
Traces: 26
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 12/02/2010 15:51:37
Scan time: 2:32:15

E:\STORIES\My Documents back up\FILES, SETUPS, BBC DESKTOP\BBC.zip/BBC.exe Quarantined Riskware.AdWare.Win32.DealHelper!IK
E:\FILES,INDIA COUNTER-TERROR\Think Progress » DNI McConnell_ I Lied To The Senate.htm Quarantined Trojan-Downloader.JS.Gumblar!IK
C:\Program Files\IronCode Software\Natwarlal\winboard.exe Quarantined Backdoor.Win32.SdBot!IK
C:\Documents and Settings\welcome\Start Menu\Programs\SmitfraudFix\Reboot.exe Quarantined Riskware.RiskTool.Win32.Reboot.f!A2
c:\program files\imesh applications\imesh\install.log Quarantined Trace.File.iMesh!A2
c:\program files\error repair professional Quarantined Trace.Directory.ErrorRepairPro!A2
c:\windows\tasks\error fix scan.job Quarantined Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results\junk.db Quarantined Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results\registry.db Quarantined Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results\update.db Quarantined Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\results\evidence.db Quarantined Trace.File.ErrorFix!A2
c:\documents and settings\welcome\application data\error fix\ Quarantined Trace.Directory.ErrorFix!A2
c:\program files\pav Quarantined Trace.Directory.Personal Antivirus!A2
c:\program files\imesh applications\imesh Quarantined Trace.Directory.iMesh!A2
c:\documents and settings\all users\start menu\programs\the weather channel Quarantined Trace.Directory.Desktop Weather!A2

Quarantined

Files: 4
Traces: 26
Cookies: 0

N.B. Two 'high-risk' files have been quarantined. A No. of files (e.g. 5-21-7905254-152049171-1E ) "cannot be deleted" and advice given was: consult a-sq. forum (forum:emisoft.com).

mom25kids
02-12-2010, 08:31 AM
Leave everything that's been quarantined there and wait for your next set of instructions from Mike or Judy.

MikeN.
02-12-2010, 08:48 AM
First give us an uninstall list using HJT. Directions below

Uninstall list from HiJackThis

http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?tag=mncol

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file; the desktop is easy to find and remember. When you press the Save button, Notepad will open with the contents of that file.
6. Copy/paste that file back here.

Next, cleaning directions. If you don't already have SUPERAntiSpyware installed, please do so. Update it and run a Full scan. Check the attachment below for the setting so it doesn't run at startup.

http://www.superantispyware.com/download.html

Go into Add/Remove if there is iMesh bar there, uninstall it.

joyarjun
02-12-2010, 01:00 PM
Here's the hijackthis log again, as required by MikeN:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:31:56, on 12/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.mc286.mail.yahoo.com/mc/welcome?.gx=1&.tm=1265731638&.rand=dkqpfu1midnf1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7923 bytes

========================================

There was no IMesh entry in Add/Remove.

By the way, what do I do with the byte-eating a-sq.Free 4.5 (97.99 MB) and Eset Online scanner 3 (87.51 MB)? HJT has 2 entries in Add/Remove, one is rated at 0.37 MB, there's no indication of bytes for the 2nd. HJT entry (one of these could be from an earlier dwnld.).

=========================================


I ran Superspyware and here's the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/12/2010 at 10:38 PM

Application Version : 4.33.1000

Core Rules Database Version : 4580
Trace Rules Database Version: 2392

Scan type : Complete Scan
Total Scan Time : 01:15:29

Memory items scanned : 450
Memory threats detected : 0
Registry items scanned : 5167
Registry threats detected : 53
File items scanned : 34034
File threats detected : 7

Adware.Tracking Cookie
C:\Documents and Settings\welcome\Cookies\welcome@dynamic[2].txt
C:\Documents and Settings\welcome\Cookies\welcome@mediafire[1].txt
C:\Documents and Settings\welcome\Cookies\welcome@revsci[1].txt
C:\Documents and Settings\welcome\Cookies\welcome@ad.adserver01[2].txt
C:\Documents and Settings\welcome\Cookies\welcome@adfarm1.adition[1].txt
C:\Documents and Settings\welcome\Cookies\welcome@1033012670[1].txt
C:\Documents and Settings\welcome\Cookies\welcome@media6degrees[1].txt

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Optimization
HKLM\SOFTWARE\Microsoft\MS Optimization#RID
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\bbcworld+service
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\bbcworld+service#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\bbcworld+service#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\bbcworld+service#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\google%20chrome%20download
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\google+chrome
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\google+toolbar
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\google+toolbar#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\google+toolbar#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\google+toolbar#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.google.com/support/toolbar/bin/answer.py%3Fanswer%3D75816%26hl%3Den
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.winzip.de/
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\indian+ballbust
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\indian+ballbust#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\indian+ballbust#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\indian+ballbust#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\knee+ballbust
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\knee+ballbust#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\knee+ballbust#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\knee+ballbust#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\vlc+media+player
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\vlc+media+player#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\vlc+media+player#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\vlc+media+player#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\winzip
HKLM\SOFTWARE\Microsoft\MS Optimization\me
HKLM\SOFTWARE\Microsoft\MS Optimization\me#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\me#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\me#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\me#LBL
HKLM\SOFTWARE\Microsoft\MS Optimization\me#MN
HKLM\SOFTWARE\Microsoft\MS Optimization\mm
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\s4
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\se
HKLM\SOFTWARE\Microsoft\MS Optimization\se#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\se#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\se#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\zz
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#CNT

Rogue.Component/Trace
HKLM\Software\Microsoft\B48379B0
HKLM\Software\Microsoft\B48379B0#b48379b0
HKLM\Software\Microsoft\B48379B0#Version

=============================================

Hope that's it, boss!

Or are there any further instructions (nah, not agin'!!) ;-).

===============================================


Holland, Ma'am:
am sorry that I inadvertently posted YOUR statement under my name! I was trying to use the 'Quote' button by highlighting only a part of your statement but the whole thing came in! I probably messed up review, my apologies.
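As an added example (not code from this thread, from HijackThis, or from any other tool named here), the script below applies to the O-sections of the log above the kind of first-pass reading Mike and Judy do by hand: it flags the O20 Winlogon Notify entry whose random-looking subkey name points at a bare directory instead of a DLL, lists the O17 NameServer entry so the addresses can be confirmed against the ISP, and flags autorun (O4) or service (O23) binaries that live outside Program Files or Windows. The sample lines are copied from the posted log, plus one constructed O4 entry (xqzvtb) that is not from the poster's machine; the rules, thresholds and helper names are this example's own assumptions, not HJT's logic.

```python
"""Heuristic triage of HijackThis (HJT) O-section log lines.

Added example: not code from the thread, from HijackThis, or from any other
tool named in it.  The rules below are this example's own assumptions about
what a helper reads first in an HJT log; they are not HJT's own logic.
"""
import re
from dataclasses import dataclass
from typing import List

# "O<n> - <rest>" is how HJT prints every O-section entry.
_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# The executable named in an O4 Run entry, with or without surrounding quotes.
_RUN_TARGET = re.compile(r'\]\s+"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
# Roots where legitimate autoruns and service binaries normally live on XP.
_TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def looks_random(name: str) -> bool:
    """Crude check for generated names such as 'geBttTmm': alphabetic,
    6-12 characters, few vowels, and case flipping several times."""
    if not re.fullmatch(r"[A-Za-z]{6,12}", name):
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    flips = sum(a.islower() != b.islower() for a, b in zip(name, name[1:]))
    return vowels <= len(name) // 4 and flips >= 3


def trusted_path(path: str) -> bool:
    """True when the path sits under one of the expected install roots."""
    return path.lower().startswith(_TRUSTED_ROOTS)


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the entries a human reviewer should look at, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _LINE.match(line)
        if not m:
            continue  # headers, running-process list, R0 lines, etc.
        section, rest = m.groups()
        reasons: List[str] = []
        if section == "O20" and rest.startswith("Winlogon Notify:"):
            # Format: "Winlogon Notify: <subkey name> - <dll path>"
            name, _, target = rest[len("Winlogon Notify:"):].strip().partition(" - ")
            if not target.lower().endswith(".dll"):
                reasons.append("Winlogon Notify entry does not point at a DLL file")
            if looks_random(name):
                reasons.append("random-looking Winlogon Notify subkey name")
        elif section == "O4":
            t = _RUN_TARGET.search(rest)
            if t and not trusted_path(t.group(1)):
                reasons.append("autorun executable outside Program Files / Windows")
        elif section == "O17":
            reasons.append("DNS servers set in the registry; confirm they belong to the ISP")
        elif section == "O23":
            # Format: "Service: <name> (<short>) - <vendor> - <binary path>"
            path = rest.rsplit(" - ", 1)[-1]
            if not trusted_path(path):
                reasons.append("service binary outside Program Files / Windows")
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), line))
    return findings


# Sample lines copied from the HJT log posted above, plus one constructed
# O4 entry (xqzvtb) that is NOT from the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKCU\..\Run: [xqzvtb] C:\Documents and Settings\welcome\Application Data\xqzvtb.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, the script reports three entries: the constructed xqzvtb autorun, the O17 NameServer line for confirmation, and the O20 geBttTmm entry for both reasons. The trusted-root list is the weak point of such heuristics, since a dropped DLL inside C:\WINDOWS\system32 would pass the path check; that is why the O20 rule looks at the target's file type and the name's shape rather than only at its location.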

jholland1964
02-12-2010, 01:05 PM
joyarjun, Mike wanted the Uninstall List as generated by HJT, not another scan log.
1. Start HijackThis
2. Click on the Misc Tools button
3. Click on the Open Uninstall Manager button.
4. Click on the Save list... button and specify where you would like to save this file; the desktop is easy to find and remember. When you press the Save button, Notepad will open with the contents of that file.
5. Copy/paste that file back here.
See my attachments:

Crash Override
02-12-2010, 02:09 PM
I get these pop-ups stating that there is tracking software found and 25 infections found, and an anti virus xp2010 alert. My computer worked fine last night with this msg coming up, but now it won't let me download anything or open up my System Restore or Yahoo mail. Can you tell me if that is a virus and how do I get rid of it?

Dutch, please start a new thread so that it gets the proper attention.

joyarjun
02-13-2010, 10:52 AM
HJT UNINSTALL LIST:

Acrobat.com
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Any Video Converter 2.7.2
Apple Software Update
a-squared Free 4.5
Avira AntiVir Personal - Free Antivirus
CCleaner
Choice Guard
Defraggler (remove only)
Desktop Calendar 0.43b
ESET Online Scanner v3
Free Sound Recorder
Glary Utilities 2.13.0.686
Google Gears
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
HijackThis 2.0.2
Hotfix for Windows XP (KB954708)
Huawei MT882 USB ADSL Modem
Java(TM) 6 Update 17
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Default Manager
Microsoft Office Live Add-in 1.4
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mirar
MSN
MSN Toolbar
MSN Toolbar Platform
MSVCRT
MSXML 4.0
MSXML 4.0
Natwarlal v0.14
Nero Suite
NZZ Online iSaver
Opera 10.10
ParetoLogic DriverCure
phonostar-Player Version 2.01.5
QuickTime
RealPlayer
Realtek AC'97 Audio
Safari
Segoe UI
Skype™ 4.1
Spybot - Search & Destroy
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
The Weather Channel Desktop 6
Visual C++ 8.0 CRT (x86) WinSXS MSM
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live ID-Anmelde-Assistent
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
yBook
Zip Files Opener 1.0

===============================================

Hope I got it right this time?!!

jholland1964
02-13-2010, 11:07 AM
What is this program? NZZ Online iSaver

Jimmy Carter
02-13-2010, 11:34 AM
What is this program? NZZ Online iSaver

jholland

I downloaded it and here is what it says before I run it on my PC.
Sounds like a form of "Drive updater", only this is "software updater", i.e., we will scan your PC and keep all your software updated...

http://img705.imageshack.us/img705/9617/softwareinformer.jpg (http://img705.imageshack.us/my.php?image=softwareinformer.jpg)

PS: This is a PC I just made so I am going to run it and see what it does.
I'll let you know.

Here it is:
http://users.software.informer.com/guest_7105994/updates/


It appears to link updates...the first one said "download free Office 2007 trial..."
The second one said download new "Webshots". I would lose all my pictures if I did.
The others are also linked to new or the same to update.
The user does give them permission to scan their PC.
I'll see if anything was installed without my permission.

jholland1964
02-13-2010, 11:51 AM
jholland

I downloaded it and here is what it says before I run it on my PC.
Sounds like a form of "Drive updater", only this is "software updater", i.e., we will scan your PC and keep all your software updated...

http://img705.imageshack.us/img705/9617/softwareinformer.jpg (http://img705.imageshack.us/my.php?image=softwareinformer.jpg)

PS: This is a PC I just made so I am going to run it and see what it does.
I'll let you know.

Here it is:
http://users.software.informer.com/guest_7105994/updates/


It appears to link updates...the first one said "download free Office 2007 trial..."
The second one said download new "Webshots". I would lose all my pictures if I did.
The others are also linked to new or the same to update.
The user does give them permission to scan their PC.
I'll see if anything was installed without my permission.

Jimmy, I think you have looked at the wrong program. Just found that this NZZ Online iSaver appears to be some sort of screensaver software, though I can't find a home page for the developer yet, which makes me question it. Click on the developer and you are taken to this link:
http://infomantis-gmbh.software.informer.com/
ParetoLogic DriverCure is what you may have looked at, and it is supposedly an all-in-one driver updater, not one I would recommend either really. But since our original poster doesn't seem to be inclined to stick around long enough to get this computer cleaned up, I don't know that I will concern myself with this one anymore.

Jimmy Carter
02-13-2010, 11:58 AM
jholland, OK, that's me, wrong bus.

This is neat, look what this program did...
I rebooted and it said "hey, right click on the start button and see your programs" ...really neat..:)



http://img688.imageshack.us/img688/1546/software.jpg (http://img688.imageshack.us/my.php?image=software.jpg)

jholland1964
02-13-2010, 12:03 PM
Sorry, why download another program just to get updates of programs already on your computer? The best place to get updates of your programs is via the program itself.

mom25kids
02-13-2010, 12:19 PM
Judy you search faster than I do :) I'm also guessing that it's some sort of screen saver. Many sites offering it appear to be in German? I wasn't gonna go to any, just wanted to see what google brought up.

joyarjun
02-13-2010, 12:35 PM
NZZ iSaver is a screensaver, correct you are Mama (you still shoulder-surfing me, mom? "That's alright, Mama, Anyway you do"!!!), and it's for the prestigious Swiss-German newspaper Neue Zürcher Zeitung. I sometimes get these newspaper-oriented screensavers and then after some time delete them. This same iSaver works also for another German newspaper from Germany, die Welt. I have now deleted the NZZ iSaver.
Here's the updated, up-to-the-minute list: 13 Feb 10, 23.10 pm (5.40 pm UTC):

Acrobat.com
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
Any Video Converter 2.7.2
Apple Software Update
a-squared Free 4.5
Avira AntiVir Personal - Free Antivirus
CCleaner
Choice Guard
Defraggler (remove only)
Desktop Calendar 0.43b
ESET Online Scanner v3
Free Sound Recorder
Glary Utilities 2.13.0.686
Google Gears
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
HiJackThis
HijackThis 2.0.2
Hotfix for Windows XP (KB954708)
Huawei MT882 USB ADSL Modem
Java(TM) 6 Update 17
Junk Mail filter update
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Default Manager
Microsoft Office Live Add-in 1.4
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mirar
MSN
MSN Toolbar
MSN Toolbar Platform
MSVCRT
MSXML 4.0
MSXML 4.0
Natwarlal v0.14
Nero Suite
Opera 10.10
ParetoLogic DriverCure
phonostar-Player Version 2.01.5
QuickTime
RealPlayer
Realtek AC'97 Audio
Safari
Segoe UI
Skype™ 4.1
Spybot - Search & Destroy
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
The Weather Channel Desktop 6
Visual C++ 8.0 CRT (x86) WinSXS MSM
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live ID-Anmelde-Assistent
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
yBook
Zip Files Opener 1.0

=====================================================

By the way, how good is Pareto Logic? Or Segoe UI? They seem to have entered without my consciously inviting them to inhabit my pc! And, in case you are wondering about Natwarlal, it's a chess game, offline, with computer.

jholland1964
02-13-2010, 12:48 PM
I have now deleted the NZZ iSaver. Nobody said you had to delete it, we asked what it was is all. Did you "delete" or Uninstall?

mom25kids
02-13-2010, 12:51 PM
http://www.cnet.com/topic-software/paretologic.html

Pareto Logic products don't seem to be rated very well. After getting your computer nice and clean Mike and Judy will make recommendations as to what you should be using for security.

Still keeping an eye on you ;)

mom25kids
02-13-2010, 12:53 PM
http://www.microsoft.com/typography/Fonts/family.aspx?FID=331

Segoe UI are fonts

jholland1964
02-13-2010, 12:54 PM
mom25kids: "Segoe UI are fonts". I didn't question this one, I knew what it was.

joyarun:
Please now do a File Search...
Start, Search, All Files and Folders, Advanced Options, Search system folders, Search hidden files and folders, Search sub folders and search "C" drive for SmitfraudFix
If you find any Delete them.
Report back here immediately, not tomorrow, immediately.

mom25kids
02-13-2010, 12:57 PM
No the poster did...
By the way, how good is Pareto Logic? or Segoe UI? They seem to have entered without my consciously inviting them inhabit my pc! And, in case you are wondering about Natwarlal, it's a chess game, offline, with computer.

mom25kids
02-13-2010, 01:02 PM
joyarun...
I can't speak for the Chess game itself but Norton is giving me a Black "no go" on many sites where it's offered for download...perhaps that's how you've picked up some of these nasties? I'm gonna back out of here now, follow what Mike & Judy say.

jholland1964
02-13-2010, 01:04 PM
Ok, I see.
The Segoe UI may have come with the Office program or an update of the Office program at some time. It is a MS file however.
The Pareto Logic program would have had to have been installed on purpose by somebody using the computer. It doesn't appear to be a program bundled with others without your knowledge.
If you note above I already said:
ParetoLogic DriverCure is... not one I would recommend either

jholland1964
02-13-2010, 01:10 PM
Program itself seems fine, but as you say, depends on where the download originally came from, many download sites are getting Excellent ratings from WOT, some are getting a Poor Reputation Rating.

MikeN.
02-13-2010, 10:55 PM
Mirar needs to be uninstalled

http://www.2-spyware.com/remove-mirar.html

Judy, time for Combo Fix?

jholland1964
02-14-2010, 12:48 AM
Good catch on that one Mike, I missed it!!
Maybe time for a more complex tool, but I have been hesitant to suggest it with the lack of participation that has been shown. It isn't a tool which can be run and then have logs posted a day or so later.

MikeN.
02-14-2010, 09:35 AM
It seems at this rate it's either Combo Fix and post the logs immediately, or heading for a format of that drive.

joyarjun
02-14-2010, 10:27 AM
Holland is not made only of tulips, cheese or windmills but also of law!
The 'stricter' side is showing, Ms. Holland--I need it, I guess (with Mama monitoring me as well! And Mike 'Hammer' has hammered me well with his hint of the next step, which sounds formidable: 'a Combo Fix'! I almost regret the day the internet was born!!). I feel like a hapless patient lying on the op table with anonymous docs barking medical mumbo-jumbo at each other.
Hail the Prez ! I may yet 'stay the course'!

Back to business, not tomorrow but right now (I was writing the above even as the thorough search instructed was already on).

It's ok, I 'uninstalled' NZZ iSaver from Add/Remove since I have not been using it for ages--entirely voluntary, Ma'am.
I think I'll let the chess programme Natwarlal remain, it's been there for long but my 'blues' are recent.

Mirar-- I got to the page (via http://remove.getmirar.com) where it requires dwnld. of an uninstall toolbar for Mirar. Should I trust this and go ahead to dwnld., or rather skip it and let Mirar remain in my Add/Remove (the toolbar no longer shows up in Int. Expl., thanks to a tip-off from ws.com earlier)? The usual Add/Remove procedure does not work with the Mirar entry, it always brings up other pages ultimately leading to the one I just described (=download option for its 'uninstall toolbar program').

smitfraudfix-- 'Search' brought me several entries for smitfraudfix--seems to have worked for anti-zlob trojan in the past, the reason I retained it. Shall I remove all these entries, strewn across C, D and E drives (incl.virus scan logs)?

joyarjun
02-14-2010, 10:29 AM
I still have the mirar removal toolbar and smitfraudfix entries on hold. Shall look for your response in half-an-hour!

jholland1964
02-14-2010, 12:25 PM
Mirar is most definitely spyware/malware, however it "may" already be gone, the toolbar isn't showing in your latest log.
Mirar-- I got to the page xxxxxxxxxx where it requires dwnld. of an uninstall toolbar for Mirar. Should I trust this and go ahead to dwnld., Absolutely NOT. That page itself will bring in malware. Edit your post and take that link out of there in case others may try to go there.
smitfraudfix-- 'Search' brought me several entries for smitfraudfix--seems to have worked for anti-zlob trojan in the past, the reason I retained it. Shall I remove all these entries, strewn across C, D and E drives (incl.virus scan logs)?
Smitfraudfix can be deleted from wherever you find it. It is a ONE TIME only tool. MBA-M does a much better job today of removing Trojan.Zlob if one has the misfortune of becoming infected with it.

Update MBA-M. Do a new FULL SCAN with it. Allow it to remove all that is found.
Reboot the computer. Do a new HJT scan. Save the log.
Post back here with BOTH logs, even if the MBA-M shows nothing we need to see it.

joyarjun
02-14-2010, 01:13 PM
Thanks for taking all this trouble.
It's past midnight now--time to hit the sack!
First thing tomorrow morn, post-jentacular (that's Jeremy Bentham's English!), is to get down to carrying out your instructions.
GMT/UTC should be 5 hrs. 30 mts. behind my time, not counting DST, if any.Around 11.30 am -12.30 pm local time I should get into action.
No sweat, take your time and respond!
Thanks to all of you (Mama, r u there???!)!

jholland1964
02-15-2010, 12:26 AM
I will look for your logs. Do ONLY the MBA-M scan and the new HJT scan. Nothing else.
Don't download any more programs unless told to do so. Don't search online for any other programs to download either unless first given the instructions to do so.

mom25kids
02-15-2010, 08:05 AM
(Mama, r u there???!)!

Hubby starts a new shift this week, whole schedule at our house is flip-flopping. Check your private messages as I've sent you 2 that you must have not seen. I understand that time differences & schedules can make this a challenge but stick with your thread and post back asap.

Out of here for now...good luck :)

joyarjun
02-15-2010, 08:21 AM
Zu Befehl! ("At your command!")

Okay, here are the two logs: (15 Feb 10)

1. Malwarebyte's mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3740
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

15/02/2010 15:14:04
mbam-log-2010-02-15 (15-14-04).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 252894
Time elapsed: 1 hour(s), 55 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


=====================================================


2. (Post-boot) HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:40:51, on 15/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.mc286.mail.yahoo.com/mc/welcome?.gx=1&.tm=1265731638&.rand=dkqpfu1midnf1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SASWINLO.dll
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 7993 bytes

=====================================================

All downloads postponed till further notice!
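The two logs above are what the helpers in this thread read by eye: which autostart entries (BHOs, Run keys, Winlogon Notify DLLs, services) point at a file that makes sense, and which settings (start page, DNS servers) need checking against what the owner expects. As an added example, not part of the thread and not a HijackThis feature, here is a small Python script that does that first pass over HJT v2 log lines. The sample input is copied from the 15 Feb log posted above, plus one constructed Run entry launching from a Temp folder that is not in the thread. The "trusted roots" and scratch-directory lists are my assumptions about a stock XP layout, and a flag only means "look at this by hand", not "this is malware".

```python
"""First-pass triage of HijackThis v2 log lines (added example for this thread).

Autostart entries are sorted into 'flagged' (the file that gets loaded looks
odd) and 'review' (settings that can only be verified by the machine's owner).
"""
import re

# Sections whose last " - " separated field is the file that is loaded/executed.
LOADER_SECTIONS = {"O2", "O3", "O9", "O18", "O20", "O23"}
# Settings that cannot be judged from the log alone; list them for manual checks.
REVIEW_SECTIONS = {"R0", "R1", "O16", "O17"}
# Assumption: on this XP layout, installed software lives under these roots.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")
# Assumption: user-writable scratch locations that droppers tend to launch from.
SCRATCH_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\")

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXT_RE = re.compile(r"\.(exe|dll|com|scr|bat|cmd|pif)\b", re.IGNORECASE)


def exe_from_command(cmd):
    """Return the executable path from an O4 command line ("quoted" or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.search(cmd)  # bare path: cut after the first executable extension
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def assess_path(path):
    """Reasons an autostart target deserves a closer look (empty list = nothing odd)."""
    reasons = []
    p = path.strip().lower()
    if not p:
        reasons.append("no file path recorded")
    elif p.endswith("\\"):
        reasons.append("target is a directory, not a file")
    else:
        if not p.startswith(TRUSTED_ROOTS):
            reasons.append("runs from outside Program Files / Windows")
        if any(s in p for s in SCRATCH_DIRS):
            reasons.append("runs from a user-writable scratch directory")
    return reasons


def triage(log_text):
    report = {"flagged": [], "review": []}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, separators
        code, body = m.group("code"), m.group("body")
        if code in LOADER_SECTIONS:
            fields = body.split(" - ")
            name, path = fields[0], (fields[-1] if len(fields) > 1 else "")
        elif code == "O4":
            o4 = O4_RE.match(body)
            if not o4:
                continue
            name, path = o4.group("name"), exe_from_command(o4.group("cmd"))
        elif code in REVIEW_SECTIONS:
            report["review"].append({"code": code, "detail": body})
            continue
        else:
            continue
        reasons = assess_path(path)
        if reasons:
            report["flagged"].append(
                {"code": code, "name": name, "path": path, "reasons": reasons})
    return report


# Lines copied from the HijackThis log posted in this thread on 15 Feb 2010.
PAGE_LINES = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.mc286.mail.yahoo.com/mc/welcome?.gx=1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SASWINLO.dll
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe"""
# Constructed line, NOT from the thread: a Run entry launching from the user's Temp folder.
CONSTRUCTED_LINE = r"O4 - HKCU\..\Run: [xzqpw] C:\Documents and Settings\User\Local Settings\Temp\xzqpw.exe"
SAMPLE_LOG = PAGE_LINES + "\n" + CONSTRUCTED_LINE

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for e in rep["flagged"]:
        print(f"FLAG   {e['code']} {e['name']} -> {e['path']}: {'; '.join(e['reasons'])}")
    for e in rep["review"]:
        print(f"REVIEW {e['code']} {e['detail']}")
```

Run it as a script to see one FLAG line for the Winlogon Notify entry whose target is a bare directory and one for the constructed Temp-folder Run entry, followed by REVIEW lines for the start page and the DNS servers; everything else in the sample resolves to a file under Program Files or Windows and is not reported. The heuristics are deliberately simple: a genuine check would also confirm that the flagged file exists on disk and who signed it.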

joyarjun
02-15-2010, 08:25 AM
"Sometimes, I feel,
Like a motherless child...
A loooong way from home"!
Shall check your 2 mails.
Please return ASAP!

mom25kids
02-15-2010, 09:04 AM
Check your private messages here at WS, under the welcome joyarjun. You will see "Private Messages". Click that and it will take you to your pm inbox.

PLEASE REMOVE YOUR EMAIL ADDRESS FROM YOUR LAST REPLY
as you leave yourself open to getting spammed or worse. Go back to that reply and use the edit feature.

I will be in touch...take care

joyarjun
02-15-2010, 09:28 AM
Thanks, Mummy!
Have done the needful.
C u soon!

jholland1964
02-15-2010, 10:23 AM
Looks much better. Several things you MUST do.
#1. Update to IE7. This has been out a LONG time. It is more secure than IE6. I actually recommend you use a different, more secure browser altogether; Firefox is excellent, fast, easy to use and much more secure than IE. Regardless, you definitely should update to IE 7 whether you add another browser or not. Using the old version of IE does put your computer at risk. DON'T go clear up to IE 8 however, IE7 is sufficient.
Here is the download link for IE 7
http://www.microsoft.com/downloads/details.aspx?familyid=9ae91ebe-3385-447c-8a30-081805b2f90b&displaylang=en
And here is download link for Firefox
http://www.mozilla.com/en-US/firefox/personal.html

#2. Update your Java. Current version is 6 update 18. http://www.java.com/en/download/manual.jsp. Choose the Offline install and save it to the desktop. Close all browsers and double click the install file to install. Watch the install progress VERY CAREFULLY. Occasionally there are other toolbars or software offered with the download. There will be a notice of this at the bottom of one of the screens with a check mark in it already; take the check mark OUT before you proceed so that you do NOT install anything other than the Java update.

#3. You have 2 services running for no reason;

a-squared Free Service
Lavasoft Ad-Aware Service

Both of these are FREE programs and offer NO in-the-background protection. The only thing these two do is run and use valuable resources. Use them only for manual scanning. Stop those two services by going to Start, Control Panel, Administrative Tools, Services. Scroll through the list, it is in alphabetical order. Double click on each. When the properties box opens for the service, first press the Stop button to stop the service. You will see that it is being stopped. Then change the Start up type to Disabled. Ok your way out when you have stopped both of these.
To be honest, I would get rid of the AdAware. It just isn't the program it used to be. I used to swear by it several years ago but finally decided it just wasn't doing much...certainly nothing that the other programs I use couldn't do so I uninstalled it. Your choice of course.

#4. You also have programs running unnecessarily at start up, slowing the boot time and can also slow the computer. Download Mike Lin's Start Up Control Panel. (http://www.mlin.net/StartupCPL.shtml) Once installed you will find it in the Control Panel with a little computer icon and labeled as Start Up.
Open the program and you will see several Tabs. Go through each tab and remove the check marks from the following listings:

Ad-Watch
TkBellExe
SunJavaUpdateSched
Google Quick Search Box


Once you have removed the check marks then close the program and Reboot the computer.
You also have the MSCONFIG warning showing in your auto starts. This is the entry that appears when you uncheck an item in the MSConfig Startup group, and it will disappear if on the next reboot you select the option to not be reminded that you are running in Selective Startup mode. So when you get that notice on reboot be sure to say you don't want to see this again.

Do all of the above. Then run a new HJT scan and post back with that new log.

joyarjun
02-16-2010, 12:09 PM
Hello Ms. Holland:

here are the actions taken:



#1. Update to IE7.

Here is the download link for IE 7
http://www.microsoft.com/downloads/d...displaylang=en

Me: The link above is not working.
I tried to reach the IE7 download separately but there's always a clutter greeting me. Seems it will take some time before I can get a clean shot at the IE7 download only!

Meanwhile, I have Google Chrome, Opera and Safari browsers, fairly recent though I am not sure I have the very latest versions. I use Chrome mostly these days. Is that good enough?

#2. Update your Java. Current version is 6 update 18. http://www.java.com/en/download/manual.jsp. Choose the Offline install and save it to the desktop. Close all browsers and double click the install file to install. Watch the install progress VERY CAREFULLY. Occasionally there are other toolbars or software offered with the download. There will be a notice of this at the bottom of one of the screens with a check mark in it already; take the check mark OUT before you proceed so that you do NOT install anything other than the Java update.

Me: Done. I retained the option of automatic monthly scan for updates. Should I remove this option?

#3. You have 2 services running for no reason;

a-squared Free Service
Lavasoft Ad-Aware Service

Me: Stopped & disabled both. Also deleted both as unnecessary (though you recommended deletion of AdAware only).


#4. You also have programs running unnecessarily at start up, slowing the boot time and can also slow the computer. Download Mike Lin's Start Up Control Panel. Once installed you will find it in the Control Panel with a little computer icon and labeled as Start Up.
Open the program and you will see several Tabs. Go through each tab and remove the check marks from the following listings:

Ad-Watch
TkBellExe
SunJavaUpdateSched
Google Quick Search Box

Me: Found three under HKLM/Run, --unchecked them, but TkBellExe not listed.

Once you have removed the check marks then close the program and Reboot the computer.
You also have the MSCONFIG warning showing in your auto starts. This is the entry that appears when you uncheck an item in the MSConfig Startup group, and will disappear if on the next reboot you select the option to not be reminded that you are running in Selective Startup mode So when you get that notice on reboot be sure to say you don't want to see this again.

Me: This last line is a bonus! I had long been wondering how to disable this constant reminder, and despite there being a choice in the dlg. box 'not to show this reminder again', it kept popping up at every boot. ---I did check that option after rebooting this time and lo and behold! That nagging reminder was gone! I restarted the pc again--it wasn't there! What a relief! Also relief that the booting has become noticeably faster!!
Now to another HJT scan!



Do all of the above. Then run a new HJT scan and post back with that new log.

Here's the latest (16 Feb 10. night) HJT scan result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:32:16, on 16/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.mc286.mail.yahoo.com/mc/welcome?.gx=1&.tm=1265731638&.rand=dkqpfu1midnf1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SASWINLO.dll
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 7096 bytes

=================================================
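The log above is the tail of a HijackThis run, and the rest of the thread never walks through how such a log is read. As an added example (not part of this thread, and not HijackThis's own code), here is a small Python parser that splits O4, O17, O20 and O23 lines into name, target and owner, then applies a few purely structural checks a helper would apply by eye: an unquoted Run-key path containing spaces, a Winlogon Notify package that does not resolve to a .dll, a service with no recognised owner, and a reminder to confirm the O17 DNS servers. The sample lines are copied from the posted log; the notes are things to look at, not a verdict on any entry.

```python
"""Parse HijackThis-style log lines and flag entries worth a second look.

Added example for this thread, not HijackThis code. Sample lines are copied
from the log posted above; the checks are generic structural ones, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Sample lines copied from the posted log (raw string, so backslashes survive).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SASWINLO.dll
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""


@dataclass
class Entry:
    section: str            # HJT section, e.g. "O4", "O20"
    name: str               # value name, notify package, service name, or TCP/IP key
    target: str             # command line, DLL path, service binary, or DNS list
    vendor: str = ""        # O23 only: the owner HJT prints between name and path
    notes: List[str] = field(default_factory=list)


_O4 = re.compile(r"^O4 - (?P<hive>.*?)\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
_O17 = re.compile(r"^O17 - (?P<key>.*): NameServer = (?P<servers>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
_ANY = re.compile(r"^(O\d+) - (.*)$")
_EXE_EXT = re.compile(r"(?i)^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)")


def executable_of(cmd: str) -> str:
    """Return the program path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _EXE_EXT.match(cmd)
    return m.group(1) if m else cmd


def check_o4(e: Entry) -> None:
    exe = executable_of(e.target)
    if " " in exe and not e.target.strip().startswith('"'):
        # CreateProcess resolves an unquoted path with spaces by trying each
        # space-delimited prefix (C:\Program.exe, ...) before the intended file.
        e.notes.append("unquoted command path contains spaces")


def check_o17(e: Entry) -> None:
    # HJT cannot know which resolvers are legitimate; compare them with the
    # addresses your ISP or router hands out.
    e.notes.append("confirm these NameServer addresses are your ISP's/router's")


def check_o20(e: Entry) -> None:
    if not e.target.strip().lower().endswith(".dll"):
        # Winlogon Notify packages are DLLs; a bare directory is not loadable.
        e.notes.append("Winlogon Notify entry does not point at a .dll file")


def check_o23(e: Entry) -> None:
    if e.vendor.lower().startswith("unknown"):
        e.notes.append("service binary has no recognised owner")


CHECKS: Dict[str, Callable[[Entry], None]] = {
    "O4": check_o4, "O17": check_o17, "O20": check_o20, "O23": check_o23,
}


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    m = _O4.match(line)
    if m:
        return Entry("O4", m["name"], m["cmd"])
    m = _O17.match(line)
    if m:
        return Entry("O17", m["key"], m["servers"])
    m = _O20.match(line)
    if m:
        return Entry("O20", m["name"], m["path"])
    m = _O23.match(line)
    if m:
        return Entry("O23", m["name"], m["path"], vendor=m["vendor"])
    m = _ANY.match(line)
    return Entry(m.group(1), "", m.group(2)) if m else None


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable line and run that section's check on it."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        check = CHECKS.get(e.section)
        if check:
            check(e)
        entries.append(e)
    return entries


def flagged(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map entry name -> notes for every entry that drew at least one note."""
    return {e.name: e.notes for e in entries if e.notes}


def dns_servers(entries: List[Entry]) -> List[str]:
    return [s for e in entries if e.section == "O17" for s in e.target.split()]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        mark = "!!" if e.notes else "  "
        print(f"{mark} {e.section:<4} {e.name:<40} {'; '.join(e.notes)}")
```

Run against the sample, the two entries it marks are the unquoted Desktop Calendar path and the Winlogon Notify package whose target is a directory rather than a DLL, plus the standing reminder on the O17 line; the Avira, ctfmon and SUPERAntiSpyware entries pass. Whether a marked entry is actually malicious still takes a lookup of the file itself; the parser only tells you where to look first.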

MikeN.
02-16-2010, 12:14 PM
Google search, no clutter, Microsoft site http://www.microsoft.com/downloads/details.aspx?familyid=9ae91ebe-3385-447c-8a30-081805b2f90b&displaylang=en By the way, it's the exact link Judy gave you and works fine, as does the link she originally posted. I tried it; it takes you right to the Microsoft download page.

Should also consider adding SP3, lots of security updates in that service pack.

Chrome is not a better alternative than Firefox. Opera would be a better choice which you already have.

joyarjun
02-17-2010, 11:02 AM
Thank you, MikeN. I must have missed the download button. It's downloading now as I type.
Should I remove IE6 and THEN install IE7, or would IE7 automatically install itself over the existing IE6?

MikeN.
02-17-2010, 11:08 AM
Install IE7 right over the top of IE6. When that's installed, you are done.

joyarjun
02-20-2010, 09:44 AM
Updated browser to IE7.
PC working far better than before, thanks to JHolland64, MikeN, Mama25 Kids and all the others who lent me a helping hand.

I am grateful to you all.

Three more questions, please:

1. Should I delete the setup files of the various programmes (HJT, Malwarebytes, etc.)?

2. Should I delete the programmes themselves, now that they have been used?

3. What is the ideal percentage of 'virtual memory' size compared to the HDD like C drive? Is it possible to set aside that percent of bytes for virtual memory? and how?

MikeN.
02-20-2010, 09:53 AM
You can delete the HJT exe and uninstall HJT. I would keep the Malwarebytes .exe and leave that installed and obviously use it to scan with.

Virtual memory info

http://www.howstuffworks.com/virtual-memory.htm

You're welcome for the help.

jholland1964
02-20-2010, 10:28 AM
You're welcome, joyarjun. Generally the recommended amount of virtual memory is 1.5 times the amount of RAM installed on the computer.
Right Click My Computer, Choose Properties. When that opens choose the Advanced Tab.
Click Performance Settings. Then click the Advanced Tab. Virtual Memory is at the bottom. Click the Change button. When that opens you will see two boxes, initial and maximum. For mine I have both numbers the same which are 1.5 times the amount of RAM I have installed. Then click the Set Button, then OK your way out.

mom25kids
02-20-2010, 11:26 AM
You're Welcome :)

If you can...
I would suggest adding some more RAM.

XP Pro, IE 6, 40 GB HDD, AMD Athlon 2000+ CPU, 512 MB PC 2700 DDR RAM, nvidia sound & video card, Avira anti-virus, spybot s & d, ccleaner v.2.07.575, adaware 2007, spyware blaster, xp pro default firewall.

joyarjun
02-20-2010, 11:29 AM
Thank you, JHolland and Mike.

jholland1964
02-20-2010, 11:39 AM
You're Welcome :)

If you can...
I would suggest adding some more RAM.
Agreed. Go to http://www.crucial.com/
You can scan your computer and then it will tell you exactly what RAM you need and how much you can add. Crucial is generally the cheapest place to purchase RAM and extremely easy to install.

joyarjun
02-22-2010, 11:23 AM
Hello JH and Mama:

crucial.com found 2 sets of 256 MB RAM (bringing installed RAM capacity to 512 MB, though I followed the 'Dutch' way and increased both the initial and maximum virtual memory to 768 MB = 1.5 times the 'real' RAM installed).
Mama-- one slot, says crucial.com, is empty! That seems like where YOU (rather your reco) come(s) in!

Thank you again for taking soooo good care of me! I have not a care now in the wide world!

MikeN.
02-22-2010, 04:59 PM
Even with tweaking the virtual memory settings, the small amount of memory on that machine is not enough to run smoothly. It will always be a bit slow and lag. What did Crucial say you could add for more memory when you did the scan?

joyarjun
02-24-2010, 11:54 AM
Hello MikeN!

Crucial said there is a third slot for RAM, but empty. So far as I can recall, it did not specifically recommend adding any--but I may have missed something there!
My current strength is a total of 512 MB RAM; as per JHolland's reco I set the virtual memory, in both the windows (for initial and maximum), at 1.5 times that 512 = 768 MB.
Do you recommend adding some more RAM?

MikeN.
02-24-2010, 11:55 AM
Yes

jholland1964
02-24-2010, 12:28 PM
If you go back to the Crucial site and do the scan again, and read carefully, it will show you how much you can add to that computer.