#1  
Old 02-03-2010, 08:53 AM
joyarjun joyarjun is offline
Senior Member
 
Join Date: Sep 2004
Posts: 251
Trojan invasion! Help!!

Hello folks:

Right at boot up, my pc is showing around 2 dozen alarm msgs. from my anti-virus Avira Personal (free), all perfectly standardised, i.e. the same, over and over again. It says "TR/Bldr.Tracur.B.48 Trojan" has been detected. Action choices: (default checked: deny access, quarantine, delete. Rename is also there, I think. Repair is greyed out. I tried all of the choices open, but the msgs. are persistent even after booting is finished. Though a provision is there asking Avira to remember the decision (and act accordingly in future), it does not remember. They keep appearing, with less frequency once in a while during a single prolonged session.
Is it Avira Personal's false positive?
What to do, please?
__________________
joyarjun

Never lose HOPE... (Joe Whelan, Library of Congress, 1985)!

XP Pro, IE 6, 40 GB HDD, AMD Athlon 2000+ CPU, 512 MB PC 2700 DDR RAM, nvidea sound & video card, AVG anti-virus (free ed.), ccleaner v.2.07.575, spyware blaster,xp pro default firewall.

Last edited by joyarjun; 02-03-2010 at 08:57 AM.
  #2  
Old 02-03-2010, 09:03 AM
MikeN.
Guest
 
Posts: n/a
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

http://www.download.com/Malwarebytes...dlPid=10997763
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version if one is available. There are always new updates to the definitions.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Reboot the computer.

http://www.download.com/Trend-Micro-...html?tag=mncol

Right click on the desktop. Choose New Folder, then name it HiJackThis Folder.
Then download HiJackThis to that new folder.
Do a full system scan with HJT and save the log.
Post back here with both the MBA-M log and the HJT log.
  #3  
Old 02-03-2010, 09:35 AM
jholland1964 jholland1964 is online now
Almost Really Old Member
 
Join Date: Feb 2004
Location: The Middle
Posts: 30,767
Quote:
Is it Avira Personal's false positive?
As an added bit of information, it is likely NOT a false positive. This same trojan is flagged by many other av programs of late....many given a different name by each av program but all the same thing.
Quote:
TrojanDownloader:Win32/Tracur.B is a trojan component installed by TrojanDownloader:Win32/Tracur.A. This trojan component downloads and executes arbitrary files.
Aliases
Win32/Nugg.worm.143360 (AhnLab)
Trojan.Tracur.A (BitDefender)
P2P-Worm.Win32.nugg.bd (Kaspersky)
Generic Downloader.x!cg (McAfee)
W32/Agent.MPDD (Norman)
W32/P2PWorm.AK.worm (Panda)
Troj/Agent-INP (Sophos)
Worm.P2P.Nugg.BV (VirusBuster)
__________________

1. Dell Inspiron N5040;
Windows 7 64bit SP1
Firefox v.32.0.2, IE11;WLM2012; Avira Free, Windows Firewall, MBAM, SpywareBlaster, SUPERAntispyware

2.Dell Inspiron N7010; Windows 7 64bit SP1
*same programs as computer 1 above*


Help Us To Help You

System Restore

Stick with the Clean up
  #4  
Old 02-05-2010, 10:10 AM
joyarjun joyarjun is offline
Senior Member
 
Join Date: Sep 2004
Posts: 251
A big thank you to all!

Hello friends:

malwarebyte has worked miracles!
I programmed it to scan all my drives, C-G, but ran out of patience since I had to use certain programmes for some work, so m-byte ran for about 60-70 per cent, when I aborted the run, intending to start again next day. However, I opted for removing the threats, about 2-3 it said could only be removed upon rebooting. I allowed that and rebooted.
This was yesterday.
Today evening (now!) I started my computer as usual. After some time I was struck that not a single virus warning msg. with that 'Tracur...something' had appeared, or appeared so far (am at the pc for around one hour!).
I checked the log created in Notepad, as was suggested. Here it is:

Malwarebytes' Anti-Malware 1.44
Database version: 3689
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

04/02/2010 22:21:31
mbam-log-2010-02-04 (22-21-31).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 56953
Time elapsed: 33 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\3D.tmp (Trojan.Tracur) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b4836b91720 (Trojan.Tracur) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\cnvfat32.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\cnvfat32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\3D.tmp (Trojan.Tracur) -> Delete on reboot.
C:\Documents and Settings\welcome\My Documents\repair-pro-setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\welcome\My Documents\zipfopen.repair-pro-setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Should I run malwarebyte again and fully scan all my drives? About 30% of the job remains! And also run HJT?

Also thank you for warning me to take the virus warnings seriously, not a false positive!
I sincerely thank both of you, my friends, for that helping hand! If only nations could do this at the international level, the world could have been a far better place to live in.
Hats off to Worldstart.com
Last edited by joyarjun; 02-05-2010 at 10:11 AM. Reason: put in names
  #5  
Old 02-05-2010, 10:19 AM
mom25kids mom25kids is offline
Senior Member
 
Join Date: May 2007
Posts: 2,821
Quote:
Should I run malwarebyte again and fully scan all my drives? About 30% of the job remains! And also run HJT?
Definitely YES
  #6  
Old 02-05-2010, 10:51 AM
jholland1964 jholland1964 is online now
Almost Really Old Member
 
Join Date: Feb 2004
Location: The Middle
Posts: 30,767
Quote:
Should I run malwarebyte again and fully scan all my drives? About 30% of the job remains! And also run HJT?
100% yes. Because in all likelihood there may be more infected files. Though some were removed I have to say joyarjun, what you did and how you ran the program is positively the wrong way to clean your system. By stopping and starting the program you did not give it a chance to fully clean the system. It only cleaned part of it. You absolutely MUST allow it to run, without stopping, 100% all the way through; this is the ONLY way to guarantee that it will find everything and in the proper order. MBA-M is set to run a specific way, in a specific order and by stopping the scans part way through it was not allowed to do this.

Look at the elapsed time...33 minutes...you say you believe it ran 60 to 70%, well I very much doubt that it ran that far. On a small computer like mine, with its one 40GB hard drive, a Full Scan takes slightly over one hour and will scan about 180000+ objects.

A Quick Scan on my computer, takes around 10 minutes, max and scans slightly more than 90000 files. I have no idea of the size of your computer or the size of the drives on your computer but look at what was scanned and how long...33 minutes and 56953 objects (slightly over half of what a quick scan scans on my system) and all the infections were found on "C" drive. This tells me no other drives were scanned. So believing that 60 to 70% of the scan completed is very likely wishful thinking, unless all the drives on the computer are very small and no other drive on the computer contained any infections.

Yes, you need to UPDATE MBA-M and run a Full System scan allow it to Remove All found and the absolute rule now with every MBA-M scan that finds something that needs to be removed is to always REBOOT. The reason for this is that some parts of an infection found cannot be removed if it is running and in order to remove before it begins to run is to reboot and remove it before the computer gets to start up of the infected file. That is always the rule today with this program.

So yes, update, run a full scan (no stopping it let it run fully) remove, reboot and then run a system scan with HiJackThis. Post both logs.
You also should not be using the computer for other things until the scan is run and complete.

This particular Trojan which sits on the system and waits for instructions from an attacker. The trojan may be instructed to download and execute arbitrary files, redirect the web browser to a URL of the attacker's choice and worst of all...creates a pipe named that can allow an attacker access to steal personal data from your machine.
Reply With Quote
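The cross-checks jholland1964 makes by eye in post #6 (drives requested versus drives where anything was found, objects scanned against elapsed time, items still waiting for a reboot) can be scripted. The Python below is an added example, not part of the thread and not Malwarebytes code; it parses the 1.44 log layout shown in post #4, and the function names and the two-entry autostart key list are assumptions chosen for that log.

```python
import re
from collections import Counter

# First scan log from post #4 of this thread (blank lines and OS header removed).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3689
Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 56953
Time elapsed: 33 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\3D.tmp (Trojan.Tracur) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\b4836b91720 (Trojan.Tracur) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\cnvfat32.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\cnvfat32.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Tracur) -> Delete on reboot.
C:\WINDOWS\system32\3D.tmp (Trojan.Tracur) -> Delete on reboot.
C:\Documents and Settings\welcome\My Documents\repair-pro-setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\welcome\My Documents\zipfopen.repair-pro-setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")   # summary line
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")             # start of item list
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
ELAPSED_RE = re.compile(r"(\d+) (hour|minute|second)\(s\)")
UNIT_SECONDS = {"hour": 3600, "minute": 60, "second": 1}
# Assumption: only the two load points that appear in this thread's log.
AUTOSTART_KEYS = ("\\winlogon\\notify\\", "\\appinit_dlls")


def parse_mbam_log(text):
    """Turn an MBAM 1.44 text log into header fields, declared counts and items."""
    report = {"drives": [], "objects": 0, "seconds": 0, "declared": {}, "items": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Scan type:"):
            report["drives"] = re.findall(r"([A-Z]):\\", line)
        elif line.startswith("Objects scanned:"):
            report["objects"] = int(line.split(":")[1])
        elif line.startswith("Time elapsed:"):
            report["seconds"] = sum(int(n) * UNIT_SECONDS[u]
                                    for n, u in ELAPSED_RE.findall(line))
        elif m := COUNT_RE.match(line):
            report["declared"][m["section"]] = int(m["n"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            # The action is whatever follows the last "->" (registry data
            # items carry an extra "Data: ..." field before it).
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            report["items"].append({"section": section, "target": m["target"],
                                    "name": m["name"], "action": action})
    return report


def assess(report):
    """Cross-check the log the way a helper reading it by eye would."""
    items = report["items"]
    listed = Counter(i["section"] for i in items)
    minutes = report["seconds"] / 60
    return {
        # Summary counts that disagree with the items actually listed.
        "count_mismatches": {s: (n, listed.get(s, 0))
                             for s, n in report["declared"].items()
                             if n != listed.get(s, 0)},
        "drives_requested": report["drives"],
        "drives_with_detections": sorted({i["target"][0].upper() for i in items
                                          if i["target"][1:3] == ":\\"}),
        "objects_per_minute": round(report["objects"] / minutes) if minutes else 0,
        "families": Counter(i["name"] for i in items),
        "autostart_entries": [i["target"] for i in items
                              if any(k in i["target"].lower() for k in AUTOSTART_KEYS)],
        # Anything marked "Delete on reboot" is still on disk until restart.
        "reboot_required": any(i["action"] == "Delete on reboot" for i in items),
    }


if __name__ == "__main__":
    for key, value in assess(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On this log the script reports five drives requested but detections on C: only, and a pending reboot, which are the same facts post #6 points to.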
  #7  
Old 02-05-2010, 01:54 PM
joyarjun joyarjun is offline
Senior Member
 
Join Date: Sep 2004
Posts: 251
Right oh!

Hello 'Mama' and Mr.Holland:

I was paranoid enough to run a full, uninterrupted scan and--you were right! A whole bunch of invaders were detected on this second scan (of C, D and E drives). I must have messed up the statistics--the earlier scan must have covered far less than 60 p.cent, don't know why I got that impression of 60-70 p.c.! Here's malwarebyte's 2nd. full scan result:

Malwarebytes' Anti-Malware 1.44
Database version: 3689
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

06/02/2010 00:45:01
mbam-log-2010-02-06 (00-45-01).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 249765
Time elapsed: 1 hour(s), 47 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\SysWoW32\@u1859727819v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mi1859727819v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1859727819v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\mu1859727819v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\wu1859727819v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SysWoW32\_u1859727819v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> Quarantined and deleted successfully.

I did the needful, upon rebooting that's the log I got.
Tomorrow, or rather today-- shall run HJT and let you know.

One thing more. Malwarebyte's 'quarantine' shows the list of malwares, presumably quarantined only, while its log states '"quarantined and deleted successfully". Shall I still go ahead and hit the 'remove all' key in malwarebyte?
Thank you for your patience and advice!
  #8  
Old 02-05-2010, 01:59 PM
jholland1964 jholland1964 is online now
Almost Really Old Member
 
Join Date: Feb 2004
Location: The Middle
Posts: 30,767
No, for now leave all in Quarantine. They cannot hurt anything in there so leave them for now. Do that HJT ASAP. Also do this:
Please Run the ESET Online Scanner
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.

* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot.

By the way, that ESET will also take possibly an hour, cannot say for sure but it also is a MUST!

Then run HiJackThis system scan and save the log. Post back here with the ESET log and the HiJackThis log.
Judy (not a mister...lol)
  #9  
Old 02-05-2010, 02:00 PM
MikeN.
Guest
 
Posts: n/a
Quote:
Originally Posted by joyarjun View Post
Hello 'Mama' and Mr.Holland:

I was paranoid enough to run a full, uninterrupted scan and--you were right! A whole bunch of invaders were detected on this second scan (of C, D and E drives). I must have messed up the statistics--the earlier scan must have covered far less than 60 p.cent, don't know why I got that impression of 60-70 p.c.! Here's malwarebyte's 2nd. full scan result:

I did the needful, upon rebooting that's the log I got.
Tomorrow, or rather today-- shall run HJT and let you know.

One thing more. Malwarebyte's 'quarantine' shows the list of malwares, presumably quarantined only, while its log states '"quarantined and deleted successfully". Shall I still go ahead and hit the 'remove all' key in malwarebyte?
Thank you for your patience and advice!
Remove Selected at the end of a scan or Remove All from Quarantine? By your log you did remove all into the quarantine folder. Next cleaning steps after providing a HJT log please.

Next do this:
Please Run the ESET Online Scanner
http://www.eset.com/onlinescan/

* You will need to use Internet Explorer to complete this scan and you will need to allow an Active X to be installed or you may use Firefox if you have the IE tab addon.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.
  #10  
Old 02-05-2010, 02:25 PM
mom25kids mom25kids is offline
Senior Member
 
Join Date: May 2007
Posts: 2,821
Glad you ran a full Malwarebytes scan, now follow exactly what Judy and Mike tell you. Why? Because Mama said so.....lol

It will take some time & work but they won't lead you wrong in helping get that computer squeaky clean
  #11  
Old 02-07-2010, 02:08 AM
joyarjun joyarjun is offline
Senior Member
 
Join Date: Sep 2004
Posts: 251
HJT log problem!

I have now generated HJT v.2.0.3 Beta log--a whole list of items but the notice on top says these are not necessarily malicious.
I have problem with copy/paste, the list is not amenable to copying!
How to overcome this particular hurdle, please?
  #12  
Old 02-07-2010, 04:29 AM
mom25kids mom25kids is offline
Senior Member
 
Join Date: May 2007
Posts: 2,821
When you ran HJT did you select "Do a system scan and save a log file" ? After HJT scans your log file should open up in note pad and it's very easy to copy for pasting.

Have you run the Eset online scanner? Judy would like for you to run both the Eset scanner and HJT and post both logs for her to review.

Quote:
No, for now leave all in Quarantine. They cannot hurt anything in there so leave them for now. Do that HJT ASAP. Also do this:
Please Run the ESET Online Scanner
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Reboot.

By the way, that ESET will also take possibly an hour, cannot say for sure but it also is a MUST!

Then run HiJackThis system scan and save the log. Post back here with the ESET log and the HiJackThis log.
I would not hesitate with running these and posting back asap.
  #13  
Old 02-07-2010, 08:31 AM
MikeN.
Guest
 
Posts: n/a
Here is another link, please download this version. You chose the beta version from the Trend Micro site. Install it and choose what Mom has already mentioned. Should be easy to copy and paste the log; if it's a bit too large, which can happen, split it into 2 posts.

http://download.cnet.com/Trend-Micro...-10227353.html
  #14  
Old 02-07-2010, 08:39 AM
jholland1964 jholland1964 is online now
Almost Really Old Member
 
Join Date: Feb 2004
Location: The Middle
Posts: 30,767
Quote:
Originally Posted by joyarjun View Post
I have now generated HJT v.2.0.3 Beta log--a whole list of items but the notice on top says these are not necessarily malicious.
I have problem with copy/paste, the list is not amenable to copying!
How to overcome this particular hurdle, please?
Don't use the Beta version...that means it is a TEST version. Use the current version found HERE

The notice at the top about items not necessarily being malicious is for the protection of the creator of the program, meaning, essentially, "if you remove the wrong things we are not at fault"
You are not going to remove anything with HiJackThis, it is just being used to get a picture of what may be running on the computer...that is it.

I agree with mom25kids, there is nothing difficult about copy/pasting the log. This log would be copy/pasted exactly the same way that you copy/pasted the MBA-M log so I am not certain what you mean when you say
Quote:
the list is not amenable to copying
Please run a new system scan with the current version. The longer you wait the more likely it is that your computer will become MORE infected. IF these are trojans, then their job is to bring in more infection.

Sorry Mike...stepped on you again!!!
  #15  
Old 02-07-2010, 08:45 AM
MikeN.
Guest
 
Posts: n/a
I changed the link in my thread so it goes to Cnet, wondered when somebody was going to post with that beta version that is also on the Trend Micro page.
  #16  
Old 02-07-2010, 09:09 AM
joyarjun joyarjun is offline
Senior Member
 
Join Date: Sep 2004
Posts: 251
HJT LOG--got it!

Hello Mama!
got it!
The log came out in the notepad as you indicated, only, it was hiding behind the uncopiable HJT main window with--(I presume) -- the same log. Ok, here goes the HJT log; shall follow up with eset:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 20:06:13, on 07/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: (no name) - {0E2D55F7-DB55-46C1-9B73-444933262CC8} - (no file)
O2 - BHO: (no name) - {0E3D3DFC-DB56-4E52-A07D-0A07A7AA9165} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1F5FDA83-4379-4C6A-94AD-CC7BC688505A} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {34D02D0B-ACCC-4456-A057-8D39043F86BF} - (no file)
O2 - BHO: (no name) - {4E2826F1-53B4-4D3B-AFFB-1A710B5F5923} - (no file)
O2 - BHO: (no name) - {4E4B9E1A-2156-4B40-A925-8FD89DC1C412} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A5B8502E-06DA-4BD4-95B5-880C16AED7ED} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: (no name) - {C1213DC4-1358-40D4-B171-A7AAD5A9C927} - (no file)
O2 - BHO: (no name) - {C3853148-7D01-4DE8-9630-0C7BCD433437} - (no file)
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SK

YPE4~1.DLL
O20 - Winlogon Notify: geBttTmm -

Invalid registry found
O22 - SharedTaskScheduler: Browseui

preloader -

{438755C2-A8BA-11D1-B96B-00A0C

90312E1} -

C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler:

Component Categories cache daemon

-

{8C7461EF-2B13-11d2-BE35-307830

2C2030} -

C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler

(AntiVirSchedulerService) - Avira

GmbH - C:\Program

Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard

(AntiVirService) - Avira GmbH -

C:\Program Files\Avira\AntiVir

Desktop\avguard.exe
O23 - Service: Google Update Service

(gupdate) (gupdate) - Google Inc. -

C:\Program

Files\Google\Update\GoogleUpdate.ex

e
O23 - Service: Google Software

Updater (gusvc) - Google -

C:\Program

Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter

(JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program

Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware

Service - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware\AAWService.

exe

--
End of file - 8628 bytes
  #17  
Old 02-07-2010, 09:12 AM
MikeN.
Guest
 
Posts: n/a
Redo it please, you need to uncheck Word Wrap in Notepad, can't read the logs this way, plus you used the Beta version. Please see above posts about downloading the other version.
  #18  
Old 02-07-2010, 09:50 AM
mom25kids mom25kids is offline
Senior Member
 
Join Date: May 2007
Posts: 2,821
Quote:
Hello Mama!
got it!
The log came out in the notepad as you indicated, only, it was hiding behind the uncopiable HJT main window
I thought that may have been the problem as the HJT window isn't copyable. Sorry I forgot to mention to have word wrap unchecked
  #19  
Old 02-07-2010, 11:12 AM
joyarjun joyarjun is offline
Senior Member
 
Join Date: Sep 2004
Posts: 251
2ND.POSTING, HJT log without wordwrap in Notepad

Here goes:

2ND.POSTING, HJT log without wordwrap, corrected version (not Beta!), in Notepad

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:36:06, on 07/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Huawei\MT882\dslagent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\903CB56BA52F42478957BE8314837A86\PamelaPCR.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: (no name) - {0115C898-5309-4A00-BCBC-EEEE30EA5524} - C:\WINDOWS\System32\comdlg3232.dll (file missing)
O2 - BHO: (no name) - {09392e6c-a889-4eb3-8118-c423114b0b23} - (no file)
O2 - BHO: (no name) - {0E2D55F7-DB55-46C1-9B73-444933262CC8} - (no file)
O2 - BHO: (no name) - {0E3D3DFC-DB56-4E52-A07D-0A07A7AA9165} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1F5FDA83-4379-4C6A-94AD-CC7BC688505A} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {34D02D0B-ACCC-4456-A057-8D39043F86BF} - (no file)
O2 - BHO: (no name) - {4E2826F1-53B4-4D3B-AFFB-1A710B5F5923} - (no file)
O2 - BHO: (no name) - {4E4B9E1A-2156-4B40-A925-8FD89DC1C412} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID-Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A5B8502E-06DA-4BD4-95B5-880C16AED7ED} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: (no name) - {C1213DC4-1358-40D4-B171-A7AAD5A9C927} - (no file)
O2 - BHO: (no name) - {C3853148-7D01-4DE8-9630-0C7BCD433437} - (no file)
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0346.1\npwinext.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Desktop Calendar] C:\Program Files\Desktop Calendar\Desktop Calendar.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C3A1F5-10A6-4B5F-B1D2-F16E5770369D}: NameServer = 218.248.255.193 218.248.240.180
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: geBttTmm - C:\WINDOWS\
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 8623 bytes

===========================================

With the third object, eset.com, I downloaded activex, under Tools/Internet Options/Security/Enabled 'ActiveX Controls and Plugins', shall try to run eset scanner.

Last edited by joyarjun; 02-07-2010 at 11:15 AM. Reason: added info
  #20  
Old 02-07-2010, 12:23 PM
joyarjun joyarjun is offline
Senior Member
 
Join Date: Sep 2004
Posts: 251
By the way---!

Sorry, Ms. Holland!
Well, if I am not darned! It's of course good old Judy, my long-time virtual friend and benefactress!
The same person who triggered Judy Garland, and Elvis' and the Beatles' numbers with the same name!!
Your last name somehow sounds sombre to me, however, don't know why; it appears to be a male name to me (even though last names are no indicators of gender). Maybe some lingering memory of my teenage years when Dutch and Belgian Jesuit fathers taught me, and the Father I esp. admired came from Holland!!
See, this mix-up shows perhaps that not only my pc but the little grey matter that I had has been hijacked too, worse, being influenced by remote control (LOL!)!!
Hope to get back with the rest of the logs before I am totally "fubar'd" (I chanced upon 'urbandictionary.com' and it taught me this unparliamentary 'modern' expression! It's pretty expressive though, once you know its innards (LOL)!)

Last edited by joyarjun; 02-07-2010 at 12:35 PM. Reason: change info
Copyright 2000-2011 WorldStart, Inc