Avast constantly scanning outgoing emails, 1000s of emails being sent
-
Avast constantly scanning outgoing emails, 1000s of emails being sent
Hi guys. Great site!!
My Avast is constantly scanning hundreds nad hundreds of outgoing emails.
Obvioulsy this is just evidence of some sort of program sending 1000s of emails. My hard drive is writing and reading everytime one goes. I've tried almost everything to find the ba*tard.
Hope you can help me!
Thanks.
Here is a HijackThis Log.
------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 23:49:37, on 12/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_ 3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Autodesk\3dsMax8\VRLServer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Dantz\RETROS~1.0\retrorun.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Autodesk\3dsMax8\3dsmax.exe
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\AdskCleanup.000 1
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\AdskCleanup.000 1
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=192.168.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [defender] C:\\dfndrff_9.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_9.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Shortcut to VRLServer.lnk = C:\Program Files\Autodesk\3dsMax8\VRLServer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_ 3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\PROGRA~1\Dantz\RETROS~1.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\PROGRA~1\Dantz\RETROS~1.0\rthlpsvc.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
<end>
--------------------------------------------------------------------------------------------------
Last edited by JHalton; 12-08-2006 at 11:50 PM.
Reason: spelling
-
Welcome,
Runiing two anti-virus programs is not a good idea, you should uninstall one of them or disable one and use it as an on demand scanner.
Do you know what this is below?
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\AdskCleanup.000 1
Print this post out for instructions
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Re-hide after we are done
Run Ewido below in safe mode explained further down this post
Download and install
Ewido anti-spyware
4.0 (uninstall any previous version first).- Click the Download BUTTON. On the next page click the
Download now BUTTON. - Save and then install (Run) from the save location.
- Open ewido anti-spyware
- Wait a few moments and Ewido should Auto update itself (note date of last
update). If it doesn't update, click the update ICON at top of
screen:
- Click on the Update now LINK at the top of the window
- Click on the Start update button
- Wait for the update to download and install
- This is very important to get the LATEST
updates
- Click on the Status ICON
- Under "Your computers Security"
Click change status on Resident shield to inactive
(ONLY consider activation of that feature once you are
clean)
- Click on the Scanner ICON at the top of the window
- Click on the Settings tab then select Recommended Actions
and choose Quarantine
Close ALL open Windows / Programs / Folders. Please start
Ewido, and run a full scan:
- Click on the default Status ICON and select
the Scan now LINK.
OR
- Click on the Scanner ICON . Select the Scan
TAB.
- Select Complete System Scan. Ewido will now begin to scan your
system.
- If Ewido finds anything it will list them in the Preview WINDOW:
- Make sure that Set all elements to: shows
Quarantine, if not click on the link and choose
Quarantine from the popup menu. - Select Apply all actions at the bottom of the window (and the
items found will be quarantined - and recoverable, if any items are needed
back).
- When the scan has completed, click on the Save Scan Report button
and save the scan to your Desktop where it can be easily found. - Copy and paste the EWIDO scan results into your next
post. - Close Ewido.
Please download Brute Force Uninstaller to your desktop.- Right click the BFU folder on your desktop, and choose Extract All
- Click "Next"
- In the box to choose where to extract the files to,
- Click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C
or whatever your primary drive is - Click "Make New Folder"
- Type in BFU
- Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
Do not run the Uninstaller and the Remover yet.
Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.
- Lauch ewido anti-spyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
- ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following: - If you have any infections you will prompted, then select "Apply all actions"
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. Make sure to remember where you save that file.
Now close ewido anti-spyware..
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
Press execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Please run HijackThis, click Scan, and check the following:
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKLM\..\Run: [defender] C:\\dfndrff_9.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_9.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe
Close all open windows except HijackThis, and click Fix Checked.
Still in safe mode
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
C:\WINDOWS\system\smss.exe---WARNING!!! do not delete this file from the SYSTEM32 folder but from the system folder only. To be sure when you find it right click the file and click properties so you can see if it is the legitamate Windows file or not.
C:\\dfndrff_9.exe
C:\\kybrdff_9.exe
C:\winstall.exe
C:\WINDOWS\system32\nvsvcd.exe
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.
-
Hey thanks!
I think everything has gone. Avast has stopped scanning outgoing emails.
My new Hijack Report and the Ewido are below:-
You questioned ''C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\AdskCleanup.0 00 1"
I believe this is to do with Autodesk Studio Max 8 that I use. Sometimes there are 3 of these at the same time in Task Manager.
HIJACK
Logfile of HijackThis v1.99.1
Scan saved at 11:17:12, on 14/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_ 3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1.0\retrorun.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Autodesk\3dsMax8\VRLServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=192.168.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Shortcut to VRLServer.lnk = C:\Program Files\Autodesk\3dsMax8\VRLServer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_ 3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\PROGRA~1\Dantz\RETROS~1.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\PROGRA~1\Dantz\RETROS~1.0\rthlpsvc.exe
::Report end
EWIDO
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 09:23:34 14/08/2006
+ Scan result:
C:\Program Files\BraveSentry -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Program Files\BraveSentry\BraveSentry1.bs -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Program Files\Alwil Software\Avast4\DATA\moved\guard.tmp.vir -> Adware.Look2Me : Cleaned with backup (quarantined).
HKU\S-1-5-21-117609710-2052111302-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run \\Windows installer -> Adware.PestTrap : Cleaned with backup (quarantined).
D:\work\dannyhatton\library\models\people\AXYZ People\MeBuT0001_ntz8.zip/MeBuT0001.exe -> Hijacker.Delf.eg : Cleaned with backup (quarantined).
D:\work\dannyhatton\library\models\people\AXYZ People\MeCaCS002a_lp07.zip/MeCaCS002a.exe -> Hijacker.Delf.eg : Cleaned with backup (quarantined).
D:\work\dannyhatton\library\models\people\AXYZ People\MeCaCS002b_zf34.zip/MeCaCS002b.exe -> Hijacker.Delf.eg : Cleaned with backup (quarantined).
D:\work\dannyhatton\library\models\people\AXYZ People\emotion_mo_cap.zip/emo0001.exe -> Hijacker.Delf.eg : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\0ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\11ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\12ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\15ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\16ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\17ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\18ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\19ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\23ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\24ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\25ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\26ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\27ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\28ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\2ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\30ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\31ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\32ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\33ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\34ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\37ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\38ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\39ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\3ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\42ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\43ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\44ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\45ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\46ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\47ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\49ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\4ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\50ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\51ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\52ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\53ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\54ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\55ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\56ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\57ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\58ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\59ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\5ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\60ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\61ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\64ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\67ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\69ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\6ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\71ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\72ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\74ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\76ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\77ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\78ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\80ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\81ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\82ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\83ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\84ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\86ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\87ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\8ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\90ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\93ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\94ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\95ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\96ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\98ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\9ex1.modul32s.exe -> Proxy.Horst.ep : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\Cookies\daniel hatton@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Cookies\daniel hatton@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Cookies\daniel hatton@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\Cookies\daniel hatton@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Daniel Hatton\Application Data\Mozilla\Firefox\Profiles\lrs8qbol.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Cookies\daniel hatton@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Daniel Hatton\Local Settings\Temp\Cookies\daniel hatton@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
D:\software\newtek_lightwave_8\Newtek.Lightwave.v8 .0.rar/crack.rar/ssg-lw80.exe -> Trojan.Agent.jh : Cleaned with backup (quarantined).
::Report end
-
Hi,
Everything looks good, let's do this below just in case something might be hiding in the bushes.
Please download http://siri.urz.free.fr/Fix/SmitfraudFix.zip (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Please do not run any other option until asked to do so, Thanks
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Please post a new hijackthis log and the smitfraudfix log. Thanks.
-
Neal,
Thanks for your help on all of this. I'll definatly be making a donation to D-A-L!
I have posted a Smitfraud and a new HiJack report.
I have also installed Style XP since.
SmitfraudFix
SmitFraudFix v2.81
Scan done at 0:12:20.23, 15/08/2006
Run from C:\Documents and Settings\Daniel Hatton\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
C:\uniq FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\teller2.chk FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Daniel Hatton\Application Data
C:\Documents and Settings\Daniel Hatton\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DANIEL~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Hijack This Report
Logfile of HijackThis v1.99.1
Scan saved at 00:16:41, on 15/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_ 3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1.0\retrorun.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Autodesk\3dsMax8\VRLServer.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=192.168.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Shortcut to VRLServer.lnk = C:\Program Files\Autodesk\3dsMax8\VRLServer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_ 3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\PROGRA~1\Dantz\RETROS~1.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\PROGRA~1\Dantz\RETROS~1.0\rthlpsvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
end
Last edited by JHalton; 15-08-2006 at 12:19 AM.
Reason: Adding HiJack This Report
-
Yep, there was stuff hiding in the bushes,
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.- Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
- Run Smitfraud Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
- Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
- Run SmitfraudFix. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
- Post Logs. Please post:
- c:\rapport.txt
- A new HijackThis log
Your may need several replies to post the requested logs, otherwise they might get cut off.
-
New Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 12:12:07, on 15/08/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_ 3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1.0\retrorun.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Autodesk\3dsMax8\VRLServer.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=192.168.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [GuruClock] C:\Program Files\ABIT\ABIT uGuru\GuruClock.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Shortcut to VRLServer.lnk = C:\Program Files\Autodesk\3dsMax8\VRLServer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_ 3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\PROGRA~1\Dantz\RETROS~1.0\retrorun.exe
O23 - Service: Retrospect Helper - EMC Dantz - C:\PROGRA~1\Dantz\RETROS~1.0\rthlpsvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
New SmitFraud
SmitFraudFix v2.81
Scan done at 11
07.68, 15/08/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
-
How is your computer behaving now? Looks good on this end.
-
Yep its great. Everything looks fine. I have a widget which shows the memory and cpu processors and the hard disk read and write.
What were the programs on my machine then, just for curiosity.
Thanks for all your help. I will make a donation because it would have cost me alot of time and effort to get this sorted. I work from home.
-
Great news,
You had:
spysheriff
alcan worm
emal virus
numerous crap in temp folders
If you are no longer having any more trouble here is some preventative measures for you.
Be sure to re-hide hidden files/folders if you were asked to unhide them
Here are some preventive measures you can take to keep your computer from getting infected again. also keep all these and Ad-awareSE and SpybotS&D updated.
http://www.d-a-l.com/help/showthread.php?t=32403
Flush your restore points in ME and XP, by turning System Restore off and then back on.
This will create a fresh restore point.
Explained Here:
Windows XP: http://vil.nai.com/vil/SystemHelpDoc...ysRestore.aspx
Explained Here
Microsoft ME:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
RegProtect
This small registry protection tool will save you hours of heartache by notifying you when some program good or bad is trying to access your registry.
You have the option of allowing(good) items or blocking(bad)items.
http://www.diamondcs.com.au/index.php?page=regprot
To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:
1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupdate.microsoft.co....aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp
2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching, there are a some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html
3. In addtion to using Ad-aware consider using another free malware scanning/removal program:
Windows Defender
http://www.microsoft.com/athome/secu...e/default.mspx
4. Consider using a free firewall if you are not already using one. Some good free ones are:
Kerio
http://www.sunbelt-software.com/Kerio.cfm
OutPost Personal Firewall:
Outpost
5. Consider using an alternate free browser for general web surfing but you must use IE for windows update.
Mozilla Firefox: www.mozilla.org/products/firefox/
6. Consider increasing your browser security by using these programs:
SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking Thousands of known malware sites by adding them to IE's restricted sites zone. Download it here:
http://www.javacoolsoftware.com/spywareblaster.html
If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
Block access to Untrustworthy Sites
You can prevent your computer from visiting a myriad of untrustworthy sites and ad-servers by installing a customised hosts file. One of the best available is the: MVPS Hosts File. Simply follow the instructions to install the file in the correct location. This will not only make surfing safer but will improve website load times and block popups from many of the large ad-servers.
*Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis. It's Free
