More trojans

  1. #1


    Hi, hope you can help

    I've been infected by some trojan viruses, trojan H Generic2.EUQ and Generic2.IOB.
    AVG has removed most but can't get rid of the last one.
    I also keep getting a pop-up saying the computer is infected and I need to run some spyware. I initially clicked it and it ran BraveSentry, where 74 infected items were detected; to get rid of the infected items I am prompted to buy a licence and subscribe.

    Could you please advise? Please see my HijackThis log below.

    Many thanks

    Richard


    Logfile of HijackThis v1.99.1
    Scan saved at 20:36:26, on 06/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Windows\xpupdate.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\WINDOWS\system32\dlh9jkd1q6.exe
    C:\WINDOWS\system32\dlh9jkd1q7.exe
    C:\Program Files\BraveSentry\BraveSentry.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Program Files\Grisoft\AVG Free\avgwb.dat
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\Richard\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?f9dda6f4d0f14056b8dc6bdbedd87eee
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?f9dda6f4d0f14056b8dc6bdbedd87eee
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Homepage - {629FE824-6D1D-48DD-9845-6365AAC94464} - http://www.btopenworld.com/default (file missing) (HKCU)
    O9 - Extra button: BT - {F7F2DEEF-76E1-4438-BB5D-AE9FE3720BF6} - http://www.bt.com (file missing) (HKCU)
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
    O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
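
The post above is the raw log. The Python script below is an added example, not part of Richard's post and not a HijackThis feature; it shows the first-pass checks a log reader applies before anything is fixed: O20 hook points (Winlogon Notify, AppInit_DLLs), the Win9x-only RunServices key, "(file missing)" entries, the rogue anti-spyware the poster named, and binaries launched from under C:\WINDOWS that are not known OS components. It runs over a constructed excerpt of the log above; the allowlist of known Windows binaries and the reason strings are assumptions made for this example.

```python
"""Heuristic triage of a HijackThis (HJT) v1.99 log.

Added example for this thread, not VopThis's advice and not HJT's own logic.
The rules encode what a log reader checks first: privileged hook points
(O20 Winlogon Notify / AppInit_DLLs), a Win9x-only Run key (RunServices),
dangling registrations ("file missing"), a rogue the poster already named,
and binaries launched from the Windows directory that are not known OS parts.
"""
import re
from dataclasses import dataclass, field

# Assumption: a small allowlist of binaries that legitimately live under %WINDIR%
# in this log. A real triage would use hashes or Authenticode checks instead.
KNOWN_WINDIR_FILES = {
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
    "spoolsv.exe", "explorer.exe", "wuauclt.exe", "wscntfy.exe", "notepad.exe",
    "soundman.exe", "rundll32.exe", "nerocheck.exe", "nvcpl.dll", "nwiz.exe",
    "nvmctray.dll", "mobsync.exe",
}
# The rogue anti-spyware the original poster described (demands a licence to "clean").
KNOWN_ROGUE = {"bravesentry.exe"}
# O20 hook points: a DLL listed here is loaded at logon or into every process.
SENSITIVE_HOOKS = ("Winlogon Notify:", "AppInit_DLLs:")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
PROCESS_RE = re.compile(r"(?i)^[a-z]:\\")
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|dat|sys)')


@dataclass
class Finding:
    line: str
    target: str           # basename of the first file path on the line
    reasons: list = field(default_factory=list)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_windir(path):
    p = path.lower()
    return p.startswith("c:\\windows\\") or p.startswith("c:\\winnt\\")


def classify(line):
    """Return the reasons an HJT line deserves a closer look; [] means routine."""
    line = line.strip()
    paths = PATH_RE.findall(line)
    reasons = []
    m = ENTRY_RE.match(line)
    if m:
        section, body = m.group("section"), m.group("body")
        if section == "O20" and body.startswith(SENSITIVE_HOOKS):
            reasons.append("O20 hook: DLL loaded at logon / into every process")
        if section == "O4" and "RunServices" in body:
            reasons.append("RunServices: Win9x-only key that XP software has no reason to write")
        if "(file missing)" in body:
            reasons.append("dangling registration: the registered file is gone")
        check_windir = section in ("O4", "O20")
    elif PROCESS_RE.match(line):
        check_windir = True   # a line from the "Running processes" block
    else:
        return []
    for path in paths:
        name = _basename(path)
        if name in KNOWN_ROGUE:
            reasons.append(f"known rogue anti-spyware: {name}")
        elif check_windir and _in_windir(path) and name not in KNOWN_WINDIR_FILES:
            reasons.append(f"unknown binary under the Windows directory: {name}")
    return reasons


def triage(log_text):
    """Run classify() over every line and keep those with at least one reason."""
    findings = []
    for raw in log_text.splitlines():
        reasons = classify(raw)
        if reasons:
            paths = PATH_RE.findall(raw)
            target = _basename(paths[0]) if paths else raw.strip()
            findings.append(Finding(raw.strip(), target, reasons))
    return findings


# Constructed excerpt of the first log posted above (same lines, fewer of them).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\Windows\xpupdate.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.target:16} {'; '.join(f.reasons)}")
        print(f"    {f.line}")
```

The allowlist is deliberately the weakest part: a name alone proves nothing, and the real check for an unfamiliar file in system32 is a hash lookup or a signature check. The value of the script is ordering, so that the O20 hooks and the RunServices entry are looked at before the BHOs and toolbars.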


  2. #2
    VopThis, Senior Member (Canada)
    You are not running HijackThis (HJT) from a desired location. You really need to setup a dedicated folder for HJT items – to avoid horrible clutter and/or potential lost backup issues.

    It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
    • Create a new folder in your C: Drive.
    • Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and move the HijackThis.exe file into it.
    • Run HJT from there (and revise your shortcut accordingly).



    Try uninstalling 'Bravesentry' in Add/Remove Programs. Otherwise, remove the relevant FOLDER, in question.


    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

  3. #3
    Many thanks for your help here; sorry for the late reply, I've been away for a few days.

    After I contacted you I updated my Spybot software and ran the program, and this seemed to fix quite a lot. Since then I now see that I have the smitfraud-c virus that Spybot can't remove.

    I followed your instructions and the new SDFix and HijackThis logs are below.

    I'm sorry, but I don't know how to move the HijackThis file; all my files appear under the desktop.

    SDFix: Version 1.46
    ****************

    13/12/2006 - 13:00:06.39

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Stage One - Safe Mode

    Checking For Trojan Services...

    Service Name:


    File Path:



    Starting Registry Repairs...
    Killing PID 152 'smss.exe'
    Killing PID 228 'winlogon.exe'

    Restoring Default Hosts File...

    Stage One Complete

    Rebooting...

    Stage Two - Normal Mode

    Checking For Malware:
    --------------------

    C:\DOCUME~1\Richard\LOCALS~1\Temp\setup_wm.exe
    C:\WINDOWS\system32\dlh9jkd1q8.exe
    C:\WINDOWS\system32\rpcc.dll
    C:\WINDOWS\system32\TFTP2132

    Backing Up and Removing any Files Found...

    Final Check:

    Services:
    ---------


    Authorized Applications Key Export:

    Files:
    ------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking for files with Hidden Attributes:

    C:\System Volume Information\_restore{7442D121-FAA6-4474-870B-07BBD1BE6505}\RP503\A0060990.dll
    C:\WINDOWS\system32\win_16e.exe
    C:\WINDOWS\system32\cdplayer.exe.manifest
    C:\WINDOWS\system32\logonui.exe.manifest
    C:\IO.SYS
    C:\MSDOS.SYS
    C:\hiberfil.sys
    C:\pagefile.sys
    C:\Documents and Settings\Richard\My Documents\a RW\~WRL2057.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Tesco\~WRL0988.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Tesco\~WRL2393.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Tesco\~WRL4070.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Spain\~WRL4009.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Sales Meetings\~WRL1859.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Mark & Advert\~WRL3520.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Mark & Advert\~WRL3746.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Export\~WRL2760.tmp
    C:\Documents and Settings\Richard\My Documents\a RW\Export\Sweden\~WRL2554.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\~WRL2057.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Tesco\~WRL0988.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Tesco\~WRL2393.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Tesco\~WRL4070.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Spain\~WRL4009.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Sales Meetings\~WRL1859.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Mark & Advert\~WRL3520.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Mark & Advert\~WRL3746.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Export\~WRL2760.tmp
    C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Export\Sweden\~WRL2554.tmp
    C:\Backup Folder\My Documents(pc)\a RW\~WRL2057.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Sales Meetings\~WRL1859.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Spain\~WRL4009.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Mark & Advert\~WRL3746.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Mark & Advert\~WRL3520.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Export\~WRL2760.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Export\Sweden\~WRL2554.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Tesco\~WRL0988.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Tesco\~WRL4070.tmp
    C:\Backup Folder\My Documents(pc)\a RW\Tesco\~WRL2393.tmp
    C:\Backup Folder\My Documents\My Documents\a RW\~WRL2057.tmp
    C:\Backup Folder\My Documents\My Documents\a RW\Spain\~WRL4009.tmp
    C:\Backup Folder\My Documents\My Documents\a RW\Sales Meetings\~WRL1859.tmp
    C:\Backup Folder\My Documents\My Documents\a RW\Mark & Advert\~WRL3520.tmp
    C:\Backup Folder\My Documents\My Documents\a RW\Mark & Advert\~WRL3746.tmp
    C:\Backup Folder\My Documents\My Documents\a RW\Export\~WRL2760.tmp
    C:\Backup Folder\My Documents\My Documents\a RW\Export\Sweden\~WRL2554.tmp
    C:\Backup Folder\My Documents\a RW\~WRL2057.tmp
    C:\Backup Folder\My Documents\a RW\Tesco\~WRL0988.tmp
    C:\Backup Folder\My Documents\a RW\Tesco\~WRL2393.tmp
    C:\Backup Folder\My Documents\a RW\Tesco\~WRL4070.tmp
    C:\Backup Folder\My Documents\a RW\Spain\~WRL4009.tmp
    C:\Backup Folder\My Documents\a RW\Sales Meetings\~WRL1859.tmp
    C:\Backup Folder\My Documents\a RW\Mark & Advert\~WRL3520.tmp
    C:\Backup Folder\My Documents\a RW\Mark & Advert\~WRL3746.tmp
    C:\Backup Folder\My Documents\a RW\Export\~WRL2760.tmp
    C:\Backup Folder\My Documents\a RW\Export\Sweden\~WRL2554.tmp
    C:\Andy\My Documents\a RW\~WRL2057.tmp
    C:\Andy\My Documents\a RW\Export\~WRL2760.tmp
    C:\Andy\My Documents\a RW\Export\Sweden\~WRL2554.tmp
    C:\Andy\My Documents\a RW\Mark & Advert\~WRL3520.tmp
    C:\Andy\My Documents\a RW\Mark & Advert\~WRL3746.tmp
    C:\Andy\My Documents\a RW\Sales Meetings\~WRL1859.tmp
    C:\Andy\My Documents\a RW\Spain\~WRL4009.tmp
    C:\Andy\My Documents\a RW\Tesco\~WRL0988.tmp
    C:\Andy\My Documents\a RW\Tesco\~WRL2393.tmp
    C:\Andy\My Documents\a RW\Tesco\~WRL4070.tmp
    C:\Andy\My Documents\My Documents\a RW\~WRL2057.tmp
    C:\Andy\My Documents\My Documents\a RW\Export\~WRL2760.tmp
    C:\Andy\My Documents\My Documents\a RW\Export\Sweden\~WRL2554.tmp
    C:\Andy\My Documents\My Documents\a RW\Mark & Advert\~WRL3520.tmp
    C:\Andy\My Documents\My Documents\a RW\Mark & Advert\~WRL3746.tmp
    C:\Andy\My Documents\My Documents\a RW\Sales Meetings\~WRL1859.tmp
    C:\Andy\My Documents\My Documents\a RW\Spain\~WRL4009.tmp
    C:\Andy\suspect a RW folder\~WRL2057.tmp
    C:\Andy\suspect a RW folder\Tesco\~WRL0988.tmp
    C:\Andy\suspect a RW folder\Tesco\~WRL4070.tmp
    C:\Andy\suspect a RW folder\Tesco\~WRL2393.tmp
    C:\Andy\suspect a RW folder\Export\~WRL2760.tmp
    C:\Andy\suspect a RW folder\Export\Sweden\~WRL2554.tmp
    C:\Andy\suspect a RW folder\Mark & Advert\~WRL3746.tmp
    C:\Andy\suspect a RW folder\Mark & Advert\~WRL3520.tmp
    C:\Andy\suspect a RW folder\Spain\~WRL4009.tmp
    C:\Andy\suspect a RW folder\Sales Meetings\~WRL1859.tmp

    FINISHED!
    HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 13:07:28, on 13/12/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\Richard\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?f9dda6f4d0f14056b8dc6bdbedd87eee
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?f9dda6f4d0f14056b8dc6bdbedd87eee
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Homepage - {629FE824-6D1D-48DD-9845-6365AAC94464} - http://www.btopenworld.com/default (file missing) (HKCU)
    O9 - Extra button: BT - {F7F2DEEF-76E1-4438-BB5D-AE9FE3720BF6} - http://www.bt.com (file missing) (HKCU)
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_00.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

    Finally, since the SDFix work was done, when I switched the computer back on there is a Windows Security icon warning me that the firewalls are switched off.

    Many thanks

    Richard
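
Richard's post above contains the second HijackThis log from the same machine, taken after SDFix ran. The Python script below is an added example, not part of either post and not an SDFix or HijackThis feature; it shows the before/after comparison a helper does by hand when a second log arrives: which entries disappeared, which are new, and which of the new ones sit in a section that gives code a way to run again at the next boot or logon. The two excerpts are constructed from the two logs in this thread, trimmed to the lines that differ plus one shared service; the list of "persistence" sections is the example's own assumption.

```python
"""Before/after diff of two HijackThis logs from the same machine.

Added example for this thread (not the helper's advice, not an SDFix or HJT
feature). Diffing the log posted before the cleanup against the one posted
after it separates what the tools removed from what is new; a persistence
entry that was absent before and present after is the usual sign of a
component that survived and re-installed itself. The "Running processes"
block is ignored because it changes from boot to boot.
"""
import re

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - ")
# Assumption for this example: HJT sections that give code a way to run again
# on the next boot or logon (autoruns, O20 hooks, shell service objects,
# SharedTaskScheduler, services).
PERSISTENCE_SECTIONS = {"O4", "O20", "O21", "O22", "O23"}


def entries(log_text):
    """The set of R/O entries in a log; header and process-list lines are dropped."""
    out = set()
    for line in log_text.splitlines():
        line = " ".join(line.split())      # normalise whitespace, keep case
        if ENTRY_RE.match(line):
            out.add(line)
    return out


def section_of(entry):
    return ENTRY_RE.match(entry).group("section")


def diff_logs(before, after):
    """Return {'removed': [...], 'added': [...]} as sorted lists of entry lines."""
    b, a = entries(before), entries(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def new_persistence(before, after):
    """Entries added in a persistence section: what to investigate first after a cleanup."""
    return [e for e in diff_logs(before, after)["added"]
            if section_of(e) in PERSISTENCE_SECTIONS]


# Constructed excerpts of the two logs in this thread (06/12 and 13/12).
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\dlh9jkd1q6.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

AFTER = r"""
Running processes:
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_00.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    d = diff_logs(BEFORE, AFTER)
    print("removed:")
    for e in d["removed"]:
        print("  -", e)
    print("added:")
    for e in d["added"]:
        print("  +", e)
    print("new persistence to investigate:")
    for e in new_persistence(BEFORE, AFTER):
        print("  !", e)
```

On the page's own data the diff removes five entries and adds two; of the two additions only the O20 AppInit_DLLs line is persistence, and it is the item to look at next. The R1 proxy line is a settings change rather than a run hook, so it is reported but not ranked above the hook. The process list is dropped on purpose: a different set of running programs between two boots says nothing by itself.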

  4. #4
    VopThis, Senior Member (Canada)
    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.
    DO NOT RUN ANY OTHER OPTIONS UNTIL REQUESTED TO.


    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm




    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



    Do a search for all FILES with the following pattern and DELETE - enter exact search text:

    *.TMP



    Delete your current HijackThis file and recreate a new version in the correct default location as per the following instructions (last section):

    http://www.d-a-l.com/help/showthread.php?t=32403



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
