Removal of Win32:Trojan-gen. {other}
   

Arjay13
New Member


Date Joined Nov 2005
Total Posts : 10
 
Posted 11-28-2005 12:38 (GMT +1)
Hello whoever can help. I'm looking for removal help for some viruses. I installed avast! home edition a few days ago on a recommendation from a Shaw employee, and ever since, many viruses have been found, but they've only been "Win32:Trojano-2502 [Trj]" and "Win32:Trojan-gen. {other}".

The first one is inside "C:\\Web\Wallpaper\dllmain.dll" A file inside the wallpaper folder that comes with the computer. I'm not sure how to delete it though, the avast scanning detects that same file over and over and it doesn't delete and can't be moved because 'another file is using it'.
 
Other times a small window with the title RUNDLL continues to pop up claiming it's failed to load that file. It continues to pop up until I pause the standard shield scanning. It's frustrating.
 
The second one is inside the system restore volume information and I followed instructions from another forum, not sure if it was deleted, hope so.
 
If anyone could help me remove these files and assure things are safe, it would be greatly appreciated.  Thank you for your time.
 
Arjay confused
 

*Cookie
Junior Member




Date Joined Oct 2005
Total Posts : 79
 
Posted 11-30-2005 9:00 (GMT +1)
Hi Arjay13,
 
I think Avast! is absolutely one of the best AV-programmes in the market so I hope you will be happy with it once your PC is clean again.
 
I don’t know if you still need help – but if you do, I suggest you follow the following procedure:
 
1.  Download these programmes (i.e. in their own folders on your Desktop), but do not run them till I ask you to:
 
 
2.  Run CCleaner
 
3.  Boot PC into Safe Mode (tap the F8 key repeatedly at bootup - or click here).
 
4.  Run a full scan with Ewido
  Click on scanner. Click on Complete System Scan and the scan will begin.
  While the scan is in progress, you will be prompted to clean files, click OK
 
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
 
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report. Save the report .txt file to your desktop. Close ewido security
 
5.  Reboot PC into Normal Mode.
 
6.      Run HijackThis, save and post the log in this thread together with the log from Ewido and we will try to help you :-) .
 


//*Cookie
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make somebody else's day - commit an act of kindness ... TODAY :o)!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Arjay13
New Member


Date Joined Nov 2005
Total Posts : 10
 
Posted 12-1-2005 12:37 (GMT +1)
Thank you so much for all this, I wasn't sure anyone would bother to reply. I'll download those right away and follow the instructions, but I'm not positive about the last step. I don't know how to save logs from running those programs; once you tell me that I'll do those things. Hope this isn't an inconvenience.
Arjay idea
 
ps. None of that software costs anything I assume?

Post Edited (Arjay13) : 12/1/2005 12:09:19 AM GMT

 

Arjay13
New Member


Date Joined Nov 2005
Total Posts : 10
 
Posted 12-1-2005 3:47 (GMT +1)
Hey there
 
I booted my PC into safe mode using the instructions above and got rid of everything recommended. The Ewido program also scanned my computer and removed all infected files detected. I ran HijackThis while in safe mode, and after a complete system scan, in a matter of seconds a list came up of several complicated programs. It said Fix Checked and I checked every one, but a warning told me it would degrade my performance and wasn't recommended, so I booted into normal mode to ask what I should do. I recognized some of the files as the ones that were detected to be infected but I'm not sure. I'll go back into safe mode and run HijackThis after you tell me whether or not to fix anything.
 
I saved both logs and I'll post them if that will help at all.
 
 
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------
 + Created on:   6:46:51 PM, 11/30/2005
 + Report-Checksum:  DAB3E4EC
 + Scan result:
 HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
 HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
 HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
 HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
 HKLM\SOFTWARE\Classes\WUSN.1 -> Spyware.SaveNow : Cleaned with backup
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhenUSaveMsg -> Spyware.SaveNow : Cleaned with backup
 HKLM\SOFTWARE\WhenUSave -> Spyware.SaveNow : Cleaned with backup
 HKLM\SOFTWARE\WhenUSave\Partners -> Spyware.SaveNow : Cleaned with backup
 HKLM\SOFTWARE\WhenUSave\Partners\EEPE -> Spyware.SaveNow : Cleaned with backup
 HKU\S-1-5-21-2632869610-1284346915-3326691056-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000EF1-0786-4633-87C6-1AA7A44296DA} -> Spyware.FavoriteMan : Cleaned with backup
 HKU\S-1-5-21-2632869610-1284346915-3326691056-1009\Software\WhenU -> Spyware.SaveNow : Cleaned with backup
 C:\WINDOWS\AppPatch\logdoc.dll -> Spyware.Virtumonde : Cleaned with backup
 C:\WINDOWS\system32\geedd.dll -> TrojanDownloader.ConHook.k : Cleaned with backup
 C:\WINDOWS\Web\Wallpaper\dllmain.dll -> Spyware.Virtumonde : Cleaned with backup

::Report End
 
HIJACKTHIS SCAN
 
Logfile of HijackThis v1.99.1
Scan saved at 7:25:15 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis Antivirus setup.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kjvrartdckdxrzxnzujqs.com/Lz5pXY1YjJYd/yIzTQR5cSjD/146Nakc5Zm3qAdvLHRMvGj_S4qW6gtyW6iRsUME.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://start.shaw.ca/start/enca/addons/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=11638
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\Wallpaper\dllmain.dll
O2 - BHO: (no name) - {97B8EF71-A5AC-C93B-05BD-84C44C4819C2} - C:\DOCUME~1\COMPAQ~1\APPLIC~1\METAPA~1\CORN BIN.exe
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\Compaq_Owner\Desktop\WAS5Scan.exe"
O4 - HKLM\..\Run: [PlatformArmyGlobalDale] C:\Documents and Settings\All Users\Application Data\curb second platform army\DEAFHTM.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Proxy link] C:\DOCUME~1\COMPAQ~1\APPLIC~1\TYPEEX~1\chin16.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dllmain - C:\WINDOWS\Web\Wallpaper\dllmain.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
 
 
 
 
 
What do I do from there? I'm not exactly sure what HijackThis does, does it remove all those files? Because Avast! is on there and that's what I use for anti-virus protection. I wasn't sure what to fix, because that was the only option.
 
-arjay shakehead
 

*Cookie
Junior Member




Date Joined Oct 2005
Total Posts : 79
 
Posted 12-1-2005 10:45 (GMT +1)
Hi Arjay13,
 
I'm glad you figured out HJT. I was about to write down some instructions for you, but no need to now.
 
However, it appears, you ran HJT in safe mode. I need a HJT log from normal mode (as mentioned under 5 in my previous post smilewinkgrin ).  
 
But I can tell from your log that you’ve got the Vundo infection too, so please, follow below procedure too – BEFORE running HJT again, thanks.
 
Download Spysweeper (Free Trial):
 
  • Install it.
  • Click Options and press Update Definitions
  • Click on Options > Sweep Options
  • Check mark Sweep all Folders on Selected drives
  • Check mark Local Disc C
  • Under What to Sweep: check mark all the boxes – except Sweep Contents of Compressed Files and do not Sweep Systemrestore Folder
  • Click on Sweep and allow it to run a full scan
  • Once finished, click Remove, click Select All and then Next
PLEASE, NOTE!
SpySweeper initially quarantines the spyware it finds on your computer. DO NOT remove any item from Quarantine until you verify your PC is still functioning properly with the found spyware under quarantine.
 
Reboot PC into normal mode and ensure important programs still work before you remove any items from Quarantine.
 
Run HJT again and post a new log, please.
 
How are things running now?
 


//*Cookie
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make somebody else's day - commit an act of kindness ... TODAY :o)!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post Edited (*Cookie) : 12/1/2005 9:48:33 PM GMT

 

*Cookie
Junior Member




Date Joined Oct 2005
Total Posts : 79
 
Posted 12-1-2005 11:10 (GMT +1)
“I'm not exactly sure what HijackThis does, does it remove all those files?”
 
No, HijackThis does not remove any files automatically. It “just” generates a list of settings/processes found in your computer – mostly also what a Spyware or Hijacker program would leave behind.
 
Interpreting these results can be quite tricky so please do NOT fix anything in HJT till I ask you to! I can not stress how important it is to follow this warning!!
 
BTW, I got to log off now. Will be online again tomorrow evening/night - so you have plenty of time to carry out the procedures turn !
 


//*Cookie
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make somebody else's day - commit an act of kindness ... TODAY :o)!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Arjay13
New Member


Date Joined Nov 2005
Total Posts : 10
 
Posted 12-2-2005 2:42 (GMT +1)
Hey

I did those except I forgot to uncheck "do not scan system restore folder" I don't think it made any difference though, everything is running great and I scanned things twice to ensure removal of everything.

I have the HJT Log from normal mode I'll paste it.

Logfile of HijackThis v1.99.1
Scan saved at 6:37:18 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoguard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Compaq_Owner\Desktop\HijackThis Antivirus setup.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kjvrartdckdxrzxnzujqs.com/Lz5pXY1YjJYd/yIzTQR5cSjD/146Nakc5Zm3qAdvLHRMvGj_S4qW6gtyW6iRsUME.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://start.shaw.ca/start/enca/addons/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=11638
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {97B8EF71-A5AC-C93B-05BD-84C44C4819C2} - C:\DOCUME~1\COMPAQ~1\APPLIC~1\METAPA~1\CORN BIN.exe (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\Compaq_Owner\Desktop\WAS5Scan.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dllmain - C:\WINDOWS\Web\Wallpaper\dllmain.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


So there it is, let me know anything else I should do, including what to do with the quarantined items from Spy Sweeper and what to fix from HJT.


-Arjay
 

*Cookie
Junior Member




Date Joined Oct 2005
Total Posts : 79
 
Posted 12-2-2005 10:17 (GMT +1)
Hi again Arjay13,
 
It looks much better so there is only a bit left to remove smilewinkgrin !
 
1.  Download Mwav in its own folder (IMPORTANT!) – i.e. on your Desktop - but do not run it till I ask you to.
 
2.  Uninstall MessengerPlus3 via Control Panel -> Add/Remove Programmes.
 
3.  Boot PC into Safe Mode (tap the F8 key repeatedly at bootup - or click here).
 
4.  Run HijackThis (HJT) again and place a check mark in the box next to the entries listed below:
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.kjvrartdckdxrzxnzujqs.com/Lz5pXY1YjJYd/yIzTQR5cSjD/146Nakc5Zm3qAdvLHRMvGj_S4qW6gtyW6iRsUME.html

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Startup: PowerReg Scheduler.exe

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: dllmain - C:\WINDOWS\Web\Wallpaper\dllmain.dll (file missing)
 
Close all browser and explorer windows, and click "Fix checked".
 
5.  Enable “show all files” (if you don’t know how, click here).
 
6.  Search & delete the files/folders marked in red if still present:
 
C:\Program Files\Common Files\Real\Update_OB\realsched.exe  <<<< Delete file
C:\Windows\Creator\Remind_XP.exe  <<<< Delete file
C:\Program Files\MessengerPlus! 3\  <<<< Delete folder
C:\WINDOWS\Web\Wallpaper\  <<<< Delete folder
 
7.  Run a full scan with Mwav:
Place a check mark in: Memory, Startup folders, drive, Registry, System folders and Services.
- and a dot in: All local drives and Scan all files. Click on Scan.
 
The scanning might take a couple of hours - depending on how much you have installed on your PC.
 
Once scanned and items deleted: Click OK. Click Exit - and Exit again if you don’t want to buy the programme.
NOTE! Do NOT click ”Add to Start-up folders”!
 
8.    Reboot PC into Normal mode.

9.    Run HJT again and post the new log for a final check, please.
 
……………
It appears you have tried to install MSN Messenger 7.5 but with no success?! If you want version 7.5, maybe you should uninstall the former version before trying to install 7.5 again?
 
Concerning the quarantined files in Spy Sweeper, I presume you checked if your system was running fine with these items in quarantine? In affirmative case: Right click on Spy Sweeper icon in tray – Options – Quarantined, select all - delete selected.
 
Well :-) ?
 


//*Cookie
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make somebody else's day - commit an act of kindness ... TODAY :o)!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
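
The log-to-log comparison done by hand in this thread can be scripted. The following Python is an added example, not part of the original posts and not part of HijackThis; the function names are hypothetical, and the two sample logs are shortened excerpts of the safe-mode and normal-mode logs posted above.

```python
import re
from typing import NamedTuple

# Shortened excerpts of the two HijackThis logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\Wallpaper\dllmain.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\PROGRA~1\Save\Save.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dllmain - C:\WINDOWS\Web\Wallpaper\dllmain.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: dllmain - C:\WINDOWS\Web\Wallpaper\dllmain.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


class Entry(NamedTuple):
    code: str           # section code, e.g. "R1", "O4", "O20"
    body: str           # rest of the line without the "(file missing)" marker
    file_missing: bool  # True when the log line ended in "(file missing)"


# Result lines look like "<letter><1-2 digits> - <text>"; header lines and
# the running-process list (plain paths) do not match this shape.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
MISSING = "(file missing)"


def parse_log(text):
    """Return {(code, body): Entry} for every result line in a log."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group(1), m.group(2).strip()
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        # The marker is kept out of the key so that the same registry entry
        # is matched across scans even after its target file is deleted.
        entries[(code, body)] = Entry(code, body, missing)
    return entries


def compare(before, after):
    """Classify entries across two scans of the same machine."""
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        # Entry survived, but its file was deleted between the scans:
        # a leftover reference that still needs fixing.
        "orphaned": sorted(
            k for k in after
            if k in before and after[k].file_missing and not before[k].file_missing
        ),
    }


def references(entries, filename):
    """Section codes of all entries whose text mentions filename."""
    needle = filename.lower()
    return sorted(e.code for e in entries.values() if needle in e.body.lower())


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for label, keys in compare(before, after).items():
        for code, body in keys:
            print(f"{label:9} {code:4} {body}")
    print("dllmain.dll loaded via:", references(before, "dllmain.dll"))
```

On these excerpts the only orphaned entry is the O20 Winlogon Notify line for dllmain.dll, which is one of the entries in the fix list above.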

Arjay13
New Member
Date Joined Nov 2005
Total Posts : 10

Posted 12-4-2005 10:21 (GMT +1)
Hey cookie I did all the instructions you told me and deleted all viruses found (automatically) in the mwav Scan but when I Enabled "show all folders" using the instructions provided from that link posted beside that line, all these files/programs are now displayed onto my desktop where I'd rather not have them.


Now I Went back to the folder options in my computer and Checked hide protected operating system files and unchecked show hidden files and folders it would remove these files and restore them where they were but in normal mode they are still there filling up the desktop. I won't touch them because they look important but are kinda annoying.


I'm not sure what to do. If you could tell me how to put all these back where they were, it would be great. I'm sure all the viruses are gone from my computer; it's working good. That's the only problem I'm having. I'll run HJT and post the log.


Logfile of HijackThis v1.99.1
Scan saved at 2:14:24 PM, on 12/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Compaq_Owner\My Documents\Virus Removal Programs\HijackThis Antivirus setup.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://start.shaw.ca/start/enca/addons/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=Q404&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=11638
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Compaq_Owner\Desktop\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 
 
Thank you, Fixing the desktop is the last thing I'm not sure about.
 
-Arjay
 
PS. Several of these files displayed on my desktop have the extension .avc and some other unfamiliar titles/extensions. A lot of files are also titled "troj---(numbers).avc"

Post Edited (Arjay13) : 12/4/2005 9:29:46 PM GMT

*Cookie
Junior Member
Date Joined Oct 2005
Total Posts : 79

Posted 12-5-2005 12:38 (GMT +1)
Hi Arjay,
 
Did you download Mwav in its own folder as I asked you to in my previous post:
“1.  Download Mwav in its own folder (IMPORTANT!) – i.e. on your Desktop)” ??
 
Anyway, you can delete these files manually: Right-click on Start => Explore => Desktop => Details. Then sort files by type and date of creation. This might help you "recognize" the mwav files. Then delete the files created on the day and time you used Mwav. Do not delete any file if you are not sure it’s a “mwav file” (i.e. *.avc and alike)!
 
As to your log, well done, it’s clean!
 
And now with a clean PC, it’s a good idea to carry out the following procedure so you have a clean point to return to if your PC should get infected again:
 
A)  Hide system files again if you haven’t done so (if you don’t know how, click here).
 
B) Run CCleaner again
 
C) IMPORTANT: Define a new point of System Restore:
  - Disable System Restore (if you don’t know how, click here)
  - Reboot PC
  - Re-activate System Restore
 
-------
For further protection, I can also recommend below-mentioned programmes:
 
SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers and other potentially unwanted software. Unlike other programs, SpywareBlaster doesn’t have to remain running in the background.
 
SpywareGuard provides a real-time protection solution against spyware. It’s a great addition to SpywareBlaster.
 
IE-SPYAD adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Nor will they be able to use your browser to push unwanted pop-ups, cookies or auto-installing programmes on your PC.
 
Visit Microsoft and check for Critical Security Updates!
 
-------
Everything's OK now - incl. getting rid of the mwav files :-) ?
 


//*Cookie
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make somebody else's day - commit an act of kindness ... TODAY :o)!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post Edited (*Cookie) : 12/4/2005 11:39:31 PM GMT
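
An added example, not part of any post in this thread: one way to triage the "(file missing)" and O20 rows of a HijackThis log like the ones posted above. It cross-checks each "(file missing)" target against the log's own "Running processes" list, which is how the avast! service rows can carry that flag while the same executables are listed as running. The verdict labels and function names are choices made for this example, and the sample is built from rows quoted in the thread.

```python
import re
from typing import NamedTuple

# Constructed sample: rows copied from the HijackThis output quoted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: dllmain - C:\WINDOWS\Web\Wallpaper\dllmain.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")  # "O20 - text"
PATH = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll)', re.IGNORECASE)

class Finding(NamedTuple):
    code: str     # HijackThis section code, e.g. "O20"
    verdict: str  # label chosen for this example, not a HijackThis term
    target: str   # file path if one was found, else the raw entry text

def parse(log_text):
    """Return (set of running process paths, list of (code, text) entries)."""
    running, entries, in_procs = set(), [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            running.add(line.lower())
    return running, entries

def triage(log_text):
    """Flag orphaned references, contradictory 'file missing' rows, O20 hooks."""
    running, entries = parse(log_text)
    findings = []
    for code, text in entries:
        m = PATH.search(text)
        target = m.group(0) if m else text
        missing = text.rstrip().endswith("(file missing)")
        # 8.3 short names (PROGRA~1) are not expanded; the match is exact.
        if missing and target.lower() in running:
            verdict = "false-missing"  # flagged missing, yet it is running
        elif missing:
            verdict = "orphan"         # registry entry left without its file
        elif code == "O20":
            verdict = "review"         # DLL loaded at logon or into processes
        else:
            continue
        findings.append(Finding(code, verdict, target))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4}{f.verdict:<15}{f.target}")
```
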

Arjay13
New Member
Date Joined Nov 2005
Total Posts : 10

Posted 12-5-2005 2:28 (GMT +1)
Just so I have this all clear...
Sort all desktop files and delete any not associated with mwav. I've hidden system files and reversed what I did in the folder options.
Now for System Restore....I'm a tad confused as to what this does and how it can be used.
I'll Use the instructions in the link and turn it back on when I have restarted the computer, and that will automatically Make the condition of the computer now the point at which it will be restored to in the future?
That makes sense but I'm not sure how to restore my computer to this point if ever to get an infection again and does it matter how frequently I do this??
Regarding the files you recommended me to download for these things, What should I keep what should I uninstall? Or just maybe keep it in a folder behind the scenes.
"Everything's OK now - incl. getting rid of the mwav files :-) ?"
I thought I was not to delete any files related to mwav?
That's all my questions, then I'll get right to it.

Arjay13
New Member
Date Joined Nov 2005
Total Posts : 10

Posted 12-5-2005 2:33 (GMT +1)
Okay, little problem maybe.

I accidentally deleted all those files on my desktop. Now I know you said that's fine and I'm guessing by your last line it didn't matter that I got rid of the mwav files too?..........

I just did that I won't go any further for tonight.
*Cookie
Junior Member
Date Joined Oct 2005
Total Posts : 79

Posted 12-5-2005 11:08 (GMT +1)
Hi Arjay,
 
Sorry for not having made myself clear. I meant the opposite of what you thought I meant! You were supposed to delete the mwav files only. In case you were not sure it was a mwav file or not, then you were supposed to leave it alone.
 
So, hmmm, I hope you have deleted no important files?! Is your PC still running perfectly? If yes, then please, carry out the procedure described in my previous post (items A-C posted 12/5/2005 12:38 AM (GMT +1)) if you haven’t done so.
 
DEFINITION of SYSTEM RESTORE:
System restore is a disaster recovery feature in Microsoft Windows Me and XP. This feature allows the user to revert crucial operating system files back to a previous recorded state (known as a 'restore point'). There are several reasons why a user might want to perform a system restore, including to repair the operating system in the aftermath of infection by a computer virus or if the Windows registry has become corrupted.
 
Meaning ... you are NOT supposed to use the System restore now – if ever. I just suggested, you establish one restore point now, so you have a “clean point” to return to in case your PC is “misbehaving” again. IF it does, just open a new topic, and I / we will tell you how to use it if you don’t know how.
 
Everything’s OK now :-) ?
 


//*Cookie
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make somebody else's day - commit an act of kindness ... TODAY :o)!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Arjay13
New Member
Date Joined Nov 2005
Total Posts : 10

Posted 12-16-2005 9:15 (GMT +1)
Hey.
 
Sorry for not replying in so long, I had forgot. I followed every step including system restore but still am not sure why I'd do this if I am not recommended to restore my system back to that reference point....
 
I'll download those other files but my spysweeper and ewido protection trials expired.
 
Thanks for all the help. I'm not sure I need anything else. I'll come back here for any problems I have in the future!
 
-Arjay

*Cookie
Junior Member
Date Joined Oct 2005
Total Posts : 79

Posted 12-18-2005 1:41 (GMT +1)
Hi Arjay,
 
No probs you forgot  lol ….. and you’re very welcome. My pleasure!
 
Good to know you carried out the System restore part too – even though you do not know why – yet.
 
Now your PC's behaving again, I’ll ask a mod to close this thread. If your PC is acting weird again in the future, just open a new topic – with a link to this one, if possible – and I’m positive one of us will try to help you.
 
Safe surfing!
 
 


//*Cookie
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Make somebody else's day - commit an act of kindness ... TODAY :o)!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 16319

Posted 12-18-2005 9:07 (GMT +1)
Since your problem appears to be resolved, this thread will now be closed.


Regards - Touch
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone else's thread.
Do not PM me with logfiles. They will be deleted.
