Programs won't run! (RESOLVED)

  1. 05-03-2006  #1
    roger_g_d
    roger_g_d is offline Junior Member

    Programs won't run! (RESOLVED)

    Hi,
    When I boot-up (using XP), I can't get any of my programs to run either thro' the desktop shortcuts or by going directly to the program "Start"page. I have to switch off my computer by keeping my finger on the POWER button, and then restart. (The computer will sometimes EVENTUALLY start the chosen program, but that can be 15minutes or more down the road!
    I have run Ad-Aware & Spy-bot, and after removal of what appears to be quite "harmless" cookies the program persists.
    Any help would be greatfully accepted.
    There follows the current "HiJackThis" log
    Kind regards
    Roger


    Logfile of HijackThis v1.99.1
    Scan saved at 11:23:18, on 05/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\eX5\eX5\eX5.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\LightSurf\Common\IconMgr.exe
    C:\Program Files\LightSurf\Colorific\hgcctl95.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\LightSurf\Color Indicator\TICIcon.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7C7A8947-5935-4430-AC0E-E7D04697414E} - (no file)
    O2 - BHO: (no name) - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [eX5] "C:\Program Files\eX5\eX5\eX5.EXE" "5000"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: LightSurf.lnk = C:\Program Files\LightSurf\Common\IconMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://www.pixaco.co.uk/static/downl...dropupload.cab
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - http://dlmanager.akamaitools.com.edg...ex-2.0.2.7.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E57AB3B2-31F7-482C-88AD-3E6DFEE31525}: NameServer = 80.225.252.178 80.225.252.186
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Microsoft Digital Identity Service (InfoCard Service) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\info card.exe (file missing)
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
  2. 05-03-2006  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=

    O2 - BHO: (no name) - {7C7A8947-5935-4430-AC0E-E7D04697414E} - (no file)
    O2 - BHO: (no name) - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - (no file)

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

    I will be suggesting additional scans once you report back.
  3. 05-03-2006  #3
    roger_g_d
    roger_g_d is offline Junior Member
    Quote Originally Posted by VopThis
    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: Shell=

    O2 - BHO: (no name) - {7C7A8947-5935-4430-AC0E-E7D04697414E} - (no file)
    O2 - BHO: (no name) - {CD9B7762-DFBC-42B1-BB30-02A78287B456} - (no file)

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

    I will be suggesting additional scans once you report back.
    Hi Vincent P,
    Thanks for the v.quick response.
    I've carried out the requested jobs, and here is the "new" hijackthis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 17:27:58, on 05/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\eX5\eX5\eX5.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\LightSurf\Common\IconMgr.exe
    C:\Program Files\LightSurf\Colorific\hgcctl95.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\LightSurf\Color Indicator\TICIcon.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [eX5] "C:\Program Files\eX5\eX5\eX5.EXE" "5000"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: LightSurf.lnk = C:\Program Files\LightSurf\Common\IconMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://www.pixaco.co.uk/static/downl...dropupload.cab
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - http://dlmanager.akamaitools.com.edg...ex-2.0.2.7.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E57AB3B2-31F7-482C-88AD-3E6DFEE31525}: NameServer = 80.225.252.178 80.225.252.186
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Microsoft Digital Identity Service (InfoCard Service) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\info card.exe (file missing)
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    .
    After re-booting, programs are now opening as they should. What else would you suggest I do, and what were the lines I removed?
    Regards

    Roger
  4. 05-03-2006  #4
    VopThis
    VopThis is offline Senior Member (Canada)
    HijackThis lines with only an equal sign (=) can cause the behavior noted. The line below essentially led your PC to think there was no user interface to be selected (with no values after the = sign).

    F2 - REG:system.ini: Shell=


    The (no file) entries are often ophaned or no longer useful startup entries (useless clutter).





    Try the following second opinion scans to look for any other unknown additional potential issues:

    Please download, install, update and scan your system with the free (trial) version of Ewido trojan scanner:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.


    REBOOT.




    Please do an online scan (scan only tool) with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        - Extended (if available otherwise Standard)
      • Scan Options:
        - Scan Archives
        - Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • This program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
  5. 06-03-2006  #5
    roger_g_d
    roger_g_d is offline Junior Member
    Hi Vincent,

    Below are the requested logs from the 2 program scans which you suggested.
    Can I safely remove the "downloader.small.ckj" as a warning comes up that it is embedded in another file & I haven't , so far, removed it

    Thanks for all your help
    Regards
    Roger




    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 22:47:44, 05/03/2006
    + Report-Checksum: C4EDD6F3

    + Scan result:

    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP51\A0025170.exe/run.exe -> Downloader.Small.ckj : Error during cleaning
    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP54\A0029303.exe -> Downloader.VB.ts : Cleaned with backup


    ::Report End

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Monday, March 06, 2006 8:00:19 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 6/03/2006
    Kaspersky Anti-Virus database records: 180346
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\

    Scan Statistics:
    Total number of scanned objects: 70436
    Number of viruses found: 22
    Number of infected objects: 50
    Number of suspicious objects: 7
    Duration of the scan process: 00:35:43

    Infected Object Name / Virus Name / Last Action
    C:\articles\home.html Suspicious: Exploit.HTML.CodeBaseExec skipped
    C:\Documents and Settings\Roger\.housecall\Quarantine\count.jar-da64f2a-7278983e.zip.bac_a02976/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\Roger\.housecall\Quarantine\count.jar-da64f2a-7278983e.zip.bac_a02976/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\Roger\.housecall\Quarantine\count.jar-da64f2a-7278983e.zip.bac_a02976/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
    C:\Documents and Settings\Roger\.housecall\Quarantine\count.jar-da64f2a-7278983e.zip.bac_a02976 ZIP: infected - 3 skipped
    C:\Documents and Settings\Roger\.housecall\Quarantine\count.jar-da64f2a-7278983e.zip.bac_a02976 CryptFF.b: infected - 3 skipped
    C:\Documents and Settings\Roger\.housecall\Quarantine\xpl[1].wmf.bac_a02976 Infected: Trojan-Downloader.Win32.Agent.acd skipped
    C:\Program Files\SpyRemover\Recovery\BackWeblite.zip/backWeb-8876480.exe Suspicious: Password-protected-EXE skipped
    C:\Program Files\SpyRemover\Recovery\BackWeblite.zip ZIP: suspicious - 1 skipped
    C:\Program Files\Trend Micro\Internet Security\A0015344.exe Infected: Trojan-Downloader.Win32.VB.hb skipped
    C:\Program Files\Trend Micro\Internet Security\BlackBox.class-5ac21830-47e621c6.class Infected: Exploit.Java.ByteVerify skipped
    C:\Program Files\Trend Micro\Internet Security\BlackBox.class-5ac21830-7022f71f.class Infected: Exploit.Java.ByteVerify skipped
    C:\Program Files\Trend Micro\Internet Security\counter[1].htm Infected: Exploit.HTML.Mht skipped
    C:\Program Files\Trend Micro\Internet Security\Dummy.class-6b9fccb8-226149be.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
    C:\Program Files\Trend Micro\Internet Security\Dummy.class-6b9fccb8-73764039.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
    C:\Program Files\Trend Micro\Internet Security\ex1[1].htm Infected: Exploit.HTML.IframeBof skipped
    C:\Program Files\Trend Micro\Internet Security\ex1[1]_570.VIR Infected: Exploit.HTML.IframeBof skipped
    C:\Program Files\Trend Micro\Internet Security\ex4[1].htm Infected: Exploit.HTML.IframeBof skipped
    C:\Program Files\Trend Micro\Internet Security\ex4[1]_58c.VIR Infected: Exploit.HTML.IframeBof skipped
    C:\Program Files\Trend Micro\Internet Security\fav[1].exe Infected: Trojan.Win32.Favadd.k skipped
    C:\Program Files\Trend Micro\Internet Security\gammainstaller.exe.exe Infected: Trojan-Downloader.Win32.IstBar.er skipped
    C:\Program Files\Trend Micro\Internet Security\gammainstaller.exe[1].exe Infected: Trojan-Downloader.Win32.IstBar.er skipped
    C:\Program Files\Trend Micro\Internet Security\index2[1].htm Suspicious: Exploit.HTML.Mht skipped
    C:\Program Files\Trend Micro\Internet Security\index2[1]_1a8.VIR Suspicious: Exploit.HTML.Mht skipped
    C:\Program Files\Trend Micro\Internet Security\index2[1]_75c.VIR Suspicious: Exploit.HTML.Mht skipped
    C:\Program Files\Trend Micro\Internet Security\index2[1]_df4.VIR Suspicious: Exploit.HTML.Mht skipped
    C:\Program Files\Trend Micro\Internet Security\open[1].exe Infected: Trojan-Spy.Win32.Agent.w skipped
    C:\Program Files\Trend Micro\Internet Security\our[1].htm Infected: Exploit.HTML.IframeBof skipped
    C:\Program Files\Trend Micro\Internet Security\PreInstaller_p1.exe/data0001 Infected: Trojan-Downloader.Win32.Keenval.o skipped
    C:\Program Files\Trend Micro\Internet Security\PreInstaller_p1.exe NSIS: infected - 1 skipped
    C:\Program Files\Trend Micro\Internet Security\PreInstaller_p1.exe CryptFF.b: infected - 1 skipped
    C:\Program Files\Trend Micro\Internet Security\RRAUT.EXE Infected: Trojan-Downloader.Win32.VB.hb skipped
    C:\Program Files\Trend Micro\Internet Security\searchbarcash.exe Infected: Trojan-Downloader.Win32.Small.iq skipped
    C:\Program Files\Trend Micro\Internet Security\searchbarcash_f30.VIR Infected: Trojan-Downloader.Win32.Small.iq skipped
    C:\Program Files\Trend Micro\Internet Security\setup.exe Infected: Trojan-Downloader.Win32.Keenval.n skipped
    C:\Program Files\Trend Micro\Internet Security\setup_e34.VIR Infected: Trojan-Downloader.Win32.Keenval.n skipped
    C:\Program Files\Trend Micro\Internet Security\setup_f30.VIR Infected: Trojan-Downloader.Win32.Keenval.n skipped
    C:\Program Files\Trend Micro\Internet Security\simpletraffic.exe Infected: Trojan-Dropper.Win32.Small.nm skipped
    C:\Program Files\Trend Micro\Internet Security\simpletraffic_e34.VIR Infected: Trojan-Dropper.Win32.Small.nm skipped
    C:\Program Files\Trend Micro\Internet Security\traceroute18467.exe Infected: Trojan-Downloader.Win32.IstBar.er skipped
    C:\Program Files\Trend Micro\Internet Security\traceroute18467_524.VIR Infected: Trojan-Downloader.Win32.IstBar.er skipped
    C:\Program Files\Trend Micro\Internet Security\VerifierBug.class-1c2fcece-2bbdb3d5.class Infected: Exploit.Java.ByteVerify skipped
    C:\Program Files\Trend Micro\Internet Security\VerifierBug.class-1c2fcece-47e83778.class Infected: Exploit.Java.ByteVerify skipped
    C:\Program Files\Trend Micro\Internet Security\Xhrmy.exe Infected: Trojan.Win32.SecondThought.aa skipped
    C:\Program Files\Trend Micro\Internet Security\Xhrmy_76c.VIR Infected: Trojan.Win32.SecondThought.aa skipped
    C:\secure32.html Infected: not-virus:Hoax.Win32.Renos.ax skipped
    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP31\A0012411.exe/data0014 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP31\A0012411.exe/data0015 Infected: not-a-virus:AdWare.Win32.SaveNow.bo skipped
    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP31\A0012411.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP51\A0025166.exe/run.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP51\A0025166.exe ZIP: infected - 1 skipped
    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP51\A0025170.exe/run.exe Infected: Trojan-Downloader.Win32.Small.ckj skipped
    C:\System Volume Information\_restore{D9F505DD-229B-4371-AB97-691DEA25FC6C}\RP51\A0025170.exe ZIP: infected - 1 skipped
    C:\WINDOWS\Downloaded Installations\{6D71E69C-E07A-4D2C-A2B7-3E5489F0CA52}\MindSoft Utilities XP 9.06.msi/Data1.cab/io.exe Infected: Backdoor.Win32.VB.alb skipped
    C:\WINDOWS\Downloaded Installations\{6D71E69C-E07A-4D2C-A2B7-3E5489F0CA52}\MindSoft Utilities XP 9.06.msi/Data1.cab Infected: Backdoor.Win32.VB.alb skipped
    C:\WINDOWS\Downloaded Installations\{6D71E69C-E07A-4D2C-A2B7-3E5489F0CA52}\MindSoft Utilities XP 9.06.msi Embedded: infected - 2 skipped
    C:\WINDOWS\secure32.html Infected: not-virus:Hoax.Win32.Renos.ax skipped

    Scan process completed.
  6. 06-03-2006  #6
    VopThis
    VopThis is offline Senior Member (Canada)
    Can I safely remove the "downloader.small.ckj"
    We will deal with that in a separate step for infected items residing in a 'system restore' point. Want to be as clean as possible before doing so.




    Please try and clean up the files stored in the anti-malware quarantine areas (Housecall and Trend Micro).


    Delete the following files (in SAFE MODE, if necessary):

    C:\WINDOWS\Downloaded Installations\{6D71E69C-E07A-4D2C-A2B7-3E5489F0CA52}\MindSoft Utilities XP 9.06.msi
    C:\WINDOWS\secure32.html

    It is a good idea to re-run Kaspersky as a verification of those cleanup steps.



    Lets try one last scan:

    Place a shortcut to Panda ActiveScan on your desktop.


    Run the Panda ActiveScan shortcut.
    - Once you are on the Panda site click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


    Post a Panda log back here, if anything is reported.



    Post your latest HJT log and tell us how your PC is doing.
  7. 07-03-2006  #7
    roger_g_d
    roger_g_d is offline Junior Member
    Hi Vincent,

    As requested, the latest HJT log & Panda Active. Looking forward to hearing from you with your suggestions,
    Roger
    ...........

    Logfile of HijackThis v1.99.1
    Scan saved at 18:53:49, on 07/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\eX5\eX5\eX5.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\LightSurf\Common\IconMgr.exe
    C:\Program Files\LightSurf\Colorific\hgcctl95.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Program Files\LightSurf\Color Indicator\TICIcon.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [eX5] "C:\Program Files\eX5\eX5\eX5.EXE" "5000"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: LightSurf.lnk = C:\Program Files\LightSurf\Common\IconMgr.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {27FA5271-12D2-43E3-9424-365A43236EE7} (PIXACO upload plugin) - http://www.pixaco.co.uk/static/downl...dropupload.cab
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} - http://dlmanager.akamaitools.com.edg...ex-2.0.2.7.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E57AB3B2-31F7-482C-88AD-3E6DFEE31525}: NameServer = 80.225.252.178 80.225.252.186
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Microsoft Digital Identity Service (InfoCard Service) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50215\info card.exe (file missing)
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


    Incident Status Location

    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Roger\Cookies\roger@adopt.hbmediapro[2].txt
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Roger\Cookies\roger@apmebf[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Roger\Cookies\roger@belnk[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Roger\Cookies\roger@dist.belnk[2].txt
    Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Roger\Cookies\roger@winfixer[2].txt
    Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\Roger\Local Settings\Temporary Internet Files\Content.IE5\LKTPVHHF\CACR4V85.HTM
    Adware:adware/secure32 Not disinfected C:\secure32.html
    Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
    Spyware:spyware/adclicker Not disinfected C:\WINDOWS\usta33.ini
  8. 07-03-2006  #8
    VopThis
    VopThis is offline Senior Member (Canada)
    Go to Start > Run and type: CLEANMGR.EXE and hit enter.
    When prompted select the C: drive and click ok.
    Check the boxes for:
    • Temporary Internet Files
    • Downloaded Program Files
    • Recycle Bin
    • Temporary Files
    Click OK or Enter




    Next,
    1) Please download the Killbox.
    Unzip it to the desktop and run it.

    2) Select "Delete on Reboot".
    3) Then Click the "All Files" button.

    4) Copy the file names below to the clipboard by highlighting them and pressing Control-C:


    C:\Documents and Settings\Roger\Cookies\roger@adopt.hbmediapro[2].txt
    C:\Documents and Settings\Roger\Cookies\roger@apmebf[1].txt
    C:\Documents and Settings\Roger\Cookies\roger@belnk[1].txt
    C:\Documents and Settings\Roger\Cookies\roger@dist.belnk[2].txt
    C:\Documents and Settings\Roger\Cookies\roger@winfixer[2].txt
    C:\Documents and Settings\Roger\Local Settings\Temporary Internet Files\Content.IE5\LKTPVHHF\CACR4V85.HTM
    C:\secure32.html
    C:\WINDOWS\uniq
    C:\WINDOWS\usta33.ini


    5) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    6) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" to reboot next.




    Recommend that you verify that Panda now runs clean.

    Tell us how your PC is doing.







    To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.



    ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that may have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

    PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


    (Windows XP)
    c:\System Volume Information\_restore….
    To Turn OFF System Restore.
    1. Click the Start button.
    2. Right-click My Computer, and then click Properties.
    3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
    4. Click Apply.

    REBOOT.

    To Turn ON System Restore.
    1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
    2. Create new System Restore points.


    (Windows ME)
    c:\_RESTORE\TEMP\….
    See the following link for instructions:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam




    To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:
    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
      http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
      http://www.microsoft.com/windows/ie/default.asp
      • http://www.securityfocus.com/news/11273
        If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.

    2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
      AVG: http://free.grisoft.com/doc/1
      Avast: http://www.avast.com/eng/avast_4_home.html

    3. In addition to using Ad-aware, consider using another free malware scanning/removal program :
      Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
      Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
      MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx

    4. Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
      Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
      *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
      Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

      It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.

    5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
      Mozilla Firefox: http://www.mozilla.org/products/firefox/

    6. Consider increasing your browser security by using these programs:
      SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
      SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
    7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
      • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
      • Next select ‘Open host file manager’ button.
      • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
      • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

        EXCERPT:
        #start of lines added by WinHelp2002
        # [Misc A - Z]
        127.0.0.1 phpadsnew.abac.com
        127.0.0.1 a.abnad.net
        127.0.0.1 e.abnad.net
        127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
        .
        .
        .
        #end of lines added by WinHelp2002




    *Remember just like your primary anti-virus software, it is important to:
    • Keep all of these programs up-to-date, and
    • Use them on a regular basis.
  9. 07-03-2006  #9
    roger_g_d
    roger_g_d is offline Junior Member
    Hi,

    I'm still getting the following report from the Panda scan. How can I remove them?
    Regards
    Roger



    Incident Status Location

    Spyware:Cookie/Hbmediapro Not disinfected C:\!KillBox\roger@adopt.hbmediapro[2].txt
    Spyware:Cookie/Apmebf Not disinfected C:\!KillBox\roger@apmebf[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\!KillBox\roger@belnk[1].txt
    Spyware:Cookie/Belnk Not disinfected C:\!KillBox\roger@dist.belnk[2].txt
    Spyware:Cookie/WinFixer Not disinfected C:\!KillBox\roger@winfixer[2].txt
  10. 08-03-2006  #10
    VopThis
    VopThis is offline Senior Member (Canada)
    Save 20% on AVG Internet Security 2012 Suite!
    Those low risk remaining cookie items are sitting in the KILLBOX (backup) FOLDER:

    C:\!KillBox\


    Enable hidden files if you haven't already done so:

    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    LOcate and delete those items there.


    If everything appears to be working fine, you could now reset your 'system restore' points.
+ Reply to Thread
Page 1 of 2 1 2 LastLast
« HiJack This Log - Low Disk Space/Slow Browser | Internet Popups »