Computer running very slowly (RESOLVED)

  1. #1
    malc is offline Full Member

    Computer running very slowly (RESOLVED)

    Hi
    Computer is running very slowly so I suspect some sort of intrusion.
    Hijack This log follows, thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:01:33, on 25/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    G:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Ahead\InCD\InCDsrv.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    G:\WINDOWS\Explorer.EXE
    G:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    G:\Program Files\Ahead\InCD\InCD.exe
    G:\Program Files\Google\Google Talk\googletalk.exe
    G:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    G:\Program Files\QuickTime\qttask.exe
    G:\Program Files\iTunes\iTunesHelper.exe
    H:\programs\Winamp\winampa.exe
    G:\Program Files\iPod\bin\iPodService.exe
    G:\Program Files\VIA\RAID\raid_tool.exe
    G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    G:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    G:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    H:\MAINROOM\svchost.exe
    G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    G:\Program Files\MSN Messenger\msnmsgr.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\Common Files\Real\Update_OB\realsched.exe
    G:\WINDOWS\system32\ntvdm.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    G:\WINDOWS\system32\NOTEPAD.EXE
    G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - G:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] G:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [googletalk] G:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinampAgent] H:\programs\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RaidTool] G:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "G:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows LSSS Service] H:\MAINROOM\svchost.exe
    O4 - HKLM\..\Run: [win16dll] H:\programs\Advanced Invisible Keylogger\Advanced Invisible Keylogger.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Video Driver] H:\MAINROOM\svchost.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpywareBot] G:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1178635981937
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1178635970921
    O20 - AppInit_DLLs: G:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: GoogleDesktopManager - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - G:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - G:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - G:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - G:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - G:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
    O24 - Desktop Component 0: (no name) - http://www.itsagoal.com/skins/defaul...titlebgpic.jpg


  2. #2
    Neal is offline Dedicated Member
    Welcome,


    I have a couple questions for you:

    1. Do you know what this is - H:\MAINROOM\svchost.exe

    2. Did you install this keylogger:

    O4 - HKLM\..\Run: [win16dll] H:\programs\Advanced Invisible Keylogger\Advanced Invisible Keylogger.exe

    3. Did you put this on your desktop:

    O24 - Desktop Component 0: (no name) - http://www.itsagoal.com/skins/defaul...titlebgpic.jpg


    To clean your temp folder, recycle bin, etc..please download this free tool:

    CCleaner

    Don't install any Toolbars or other programs, should it ask you! Just uncheck the option of installing the Yahoo toolbar.
    It will put a shortcut on your Desktop.

    Uncheck cookies

    Before first use:
    Select Options then Advanced.
    UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

    Click on CCleaner to start it. Then click "Run Cleaner"; just use the Windows tab that is up front by default.


    Then Reboot (Exit)



    1. Download this file - COMBOFIX
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    Post a new hijackthis log also please.



    Please uninstall SpywareBot (Rogue Program) from Add/Remove Programs, then reboot.
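The triage Neal applies to the log above (a system binary name such as svchost.exe launched from outside the Windows directory, two Run entries pointing at the same image, a keylogger in an autostart path, orphaned "(no file)" entries, an Active Desktop component pulled from a remote URL) can be written down as a small check over the HijackThis line format. This is an added example by the editor, not code from the thread or from HijackThis; the heuristics and severities are the editor's own, and the sample lines are copied from the log posted in #1.

```python
"""Triage a HijackThis-style log for the kinds of entries Neal singles out above."""
import re
from collections import defaultdict

# Windows system binary names: a copy running from outside the Windows
# directory (here H:\MAINROOM\svchost.exe) is a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                   "smss.exe", "csrss.exe", "spoolsv.exe", "explorer.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Leading executable image, quoted or not; trailing switches such as /STARTUP are dropped.
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|bat|scr|pif|dll))"?', re.I)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)

# Constructed sample: a handful of lines copied from the log posted in #1.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows LSSS Service] H:\MAINROOM\svchost.exe
O4 - HKLM\..\Run: [win16dll] H:\programs\Advanced Invisible Keylogger\Advanced Invisible Keylogger.exe
O4 - HKLM\..\Run: [Video Driver] H:\MAINROOM\svchost.exe
O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
O24 - Desktop Component 0: (no name) - http://www.itsagoal.com/skins/defaul...titlebgpic.jpg
"""


def image_path(cmd):
    """Return the executable path from an O4 command string (raw string if no match)."""
    m = IMAGE_RE.match(cmd)
    return m.group("path") if m else cmd


def triage(log_text):
    """Return (severity, entry name, reason) findings for one log."""
    findings = []
    by_image = defaultdict(list)  # normalised image path -> Run entry names
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            # Orphaned hook/BHO: harmless by itself, but leftover from something removed.
            parts = line.split(" - ")
            name = parts[1] if len(parts) > 1 else line
            findings.append(("low", name, "entry points at a file that no longer exists"))
            continue
        m = O4_RE.match(line)
        if m:
            name, path = m.group("name"), image_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1].lower()
            if base in SYSTEM_BINARIES and not WINDIR_RE.match(path):
                findings.append(("high", name,
                                 f"{base} launched from outside the Windows directory: {path}"))
            if "keylogger" in path.lower():
                findings.append(("high", name, f"keylogger named in image path: {path}"))
            by_image[path.lower()].append(name)
            continue
        if line.startswith("O24 - ") and "http://" in line.lower():
            findings.append(("medium", "Desktop Component",
                             "Active Desktop component fetched from a remote URL"))
    # Two differently named Run entries for one image is a persistence pattern, not a feature.
    for path, names in by_image.items():
        if len(names) > 1:
            findings.append(("medium", ", ".join(names),
                             f"several Run entries launch the same image: {path}"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {name}: {reason}")
```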

  3. #3
    malc is offline Full Member
    Hi, Thanks for the reply.

    Have done what you suggested.

    In answer to your questions

    1. Mainroom is the name of this computer. This is a folder with the file svchost.exe in it, but I don't know what it does.

    2. This keylogger was not installed knowingly.

    3. Yes it is a shortcut to a game online.

    ComboFix 07-10-28.2 - Dad 2007-10-28 15:25:39.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.555 [GMT 0:00]
    Running from: G:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\73XDILG0\ComboFix[1].exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    G:\Documents and Settings\Jenny\Desktop\internet.lnk

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
    .

    2007-10-28 15:24 51,200 --a------ G:\WINDOWS\NirCmd.exe
    2007-10-28 15:07 <DIR> d-------- G:\Program Files\CCleaner
    2007-10-25 17:35 <DIR> d-------- G:\Program Files\Trend Micro
    2007-10-25 13:30 <DIR> d-------- G:\Documents and Settings\Dad\WINDOWS
    2007-10-21 13:47 <DIR> d-------- G:\Program Files\ReflexiveArcade
    2007-10-20 09:53 19,504 --a------ G:\Documents and Settings\Dad\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-09 21:01 584,192 -----c--- G:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-10-01 19:26 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\Escape From Paradise
    2007-09-29 13:12 <DIR> d-------- G:\Documents and Settings\Jenny\Application Data\PlayFirst
    2007-09-29 13:12 <DIR> d-a------ G:\Documents and Settings\All Users\Application Data\TEMP
    2007-09-29 13:12 <DIR> d-------- G:\Documents and Settings\All Users\Application Data\PlayFirst
    2007-09-29 13:11 <DIR> d-------- G:\Program Files\MSN Games

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-28 05:21 --------- d-----w G:\Documents and Settings\All Users\Application Data\avg7
    2007-10-25 17:40 --------- d-----w G:\Documents and Settings\Dad\Application Data\AVG7
    2007-10-24 15:10 --------- d-----w G:\Program Files\Java
    2007-10-24 02:00 --------- d-----w G:\Documents and Settings\Dad\Application Data\SpywareBot
    2007-10-23 17:54 --------- d-----w G:\Documents and Settings\Jenny\Application Data\LimeWire
    2007-09-25 19:11 19,504 ----a-w G:\Documents and Settings\Jenny\Application Data\GDIPFONTCACHEV1.DAT
    2007-09-20 19:25 --------- d-----w G:\Program Files\Google
    2007-09-20 18:50 --------- d-----w G:\Documents and Settings\Jenny\Application Data\Uniblue
    2007-09-14 17:03 --------- d-----w G:\Documents and Settings\All Users\Application Data\a32w
    2007-08-21 06:15 683,520 ----a-w G:\WINDOWS\system32\inetcomm.dll
    2007-07-30 18:19 92,504 ----a-w G:\WINDOWS\system32\cdm.dll
    2007-07-30 18:19 549,720 ----a-w G:\WINDOWS\system32\wuapi.dll
    2007-07-30 18:19 53,080 ----a-w G:\WINDOWS\system32\wuauclt.exe
    2007-07-30 18:19 43,352 ----a-w G:\WINDOWS\system32\wups2.dll
    2007-07-30 18:19 325,976 ----a-w G:\WINDOWS\system32\wucltui.dll
    2007-07-30 18:19 271,224 ----a-w G:\WINDOWS\system32\mucltui.dll
    2007-07-30 18:19 207,736 ----a-w G:\WINDOWS\system32\muweb.dll
    2007-07-30 18:19 203,096 ----a-w G:\WINDOWS\system32\wuweb.dll
    2007-07-30 18:19 1,712,984 ----a-w G:\WINDOWS\system32\wuaueng.dll
    2007-07-30 18:18 33,624 ----a-w G:\WINDOWS\system32\wups.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_CC"="G:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 04:23]
    "RemoteControl"="G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 02:01]
    "NeroFilterCheck"="G:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
    "InCD"="G:\Program Files\Ahead\InCD\InCD.exe" [2006-01-16 16:46]
    "googletalk"="G:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 21:22]
    "SunJavaUpdateSched"="G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "QuickTime Task"="G:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
    "iTunesHelper"="G:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 10:25]
    "WinampAgent"="H:\programs\Winamp\winampa.exe" [2006-09-26 14:49]
    "TkBellExe"="G:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-09 01:56]
    "RaidTool"="G:\Program Files\VIA\RAID\raid_tool.exe" [2005-04-27 11:22]
    "SoundMAXPnP"="G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 09:52]
    "SoundMAX"="G:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-03-26 13:40]
    "Adobe Photo Downloader"="G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
    "ATICCC"="G:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 09:12]
    "Adobe Reader Speed Launcher"="G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
    "Windows LSSS Service"="H:\MAINROOM\svchost.exe" [2007-08-16 21:47]
    "win16dll"="H:\programs\Advanced Invisible Keylogger\Advanced Invisible Keylogger.exe" []
    "Google Desktop Search"="G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-09-20 19:28]
    "Video Driver"="H:\MAINROOM\svchost.exe" [2007-08-16 21:47]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="G:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
    "swg"="G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-14 17:00]
    "msnmsgr"="G:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
    "SpywareBot"="G:\Program Files\SpywareBot\SpywareBot.exe" [2007-07-31 18:13]

    G:\Documents and Settings\Jenny\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - H:\programs\LimeWire\LimeWire.exe [2007-01-29 21:33:41]

    G:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-08 22:16:39]
    Microsoft Office.lnk - G:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=G:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

    R0 viamraid;viamraid;G:\WINDOWS\system32\DRIVERS\viamraid.sys
    R2 SpywareBotSrv;SpywareBot Scanning Engine;"G:\Program Files\SpywareBot\SpywareBotSrv.srv.exe"
    S3 NPF;NetGroup Packet Filter Driver;G:\WINDOWS\system32\drivers\npf.sys
    S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);G:\WINDOWS\system32\DRIVERS\ss_bus.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1ed8c66-fe28-11db-8a20-0015f246228e}]
    AutoRun\command - G:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-28 15:20:51 G:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
    .
    **************************************************************************

    catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-28 15:27:41
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-10-28 15:28:57
    .
    --- E O F ---



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:05:13, on 28/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\svchost.exe
    G:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Ahead\InCD\InCDsrv.exe
    G:\WINDOWS\system32\Ati2evxx.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    G:\WINDOWS\Explorer.EXE
    G:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    G:\Program Files\Ahead\InCD\InCD.exe
    G:\Program Files\Google\Google Talk\googletalk.exe
    G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    G:\Program Files\QuickTime\qttask.exe
    G:\Program Files\iTunes\iTunesHelper.exe
    H:\programs\Winamp\winampa.exe
    G:\Program Files\Common Files\Real\Update_OB\realsched.exe
    G:\Program Files\VIA\RAID\raid_tool.exe
    G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    G:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    G:\Program Files\iPod\bin\iPodService.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    G:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    H:\MAINROOM\svchost.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    G:\Program Files\MSN Messenger\msnmsgr.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - G:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] G:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [googletalk] G:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinampAgent] H:\programs\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RaidTool] G:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "G:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows LSSS Service] H:\MAINROOM\svchost.exe
    O4 - HKLM\..\Run: [win16dll] H:\programs\Advanced Invisible Keylogger\Advanced Invisible Keylogger.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Video Driver] H:\MAINROOM\svchost.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SpywareBot] G:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1178635981937
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1178635970921
    O20 - AppInit_DLLs: G:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - G:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: GoogleDesktopManager - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - G:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - G:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - G:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - G:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - G:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
    O24 - Desktop Component 0: (no name) - http://www.itsagoal.com/skins/defaul...titlebgpic.jpg

    --
    End of file - 9758 bytes

  4. #4
    Neal is offline Dedicated Member
    Be advised that if this keylogger was maliciously installed, it is possible that sensitive information could have been stolen: online banking, credit cards, passwords etc. After we remove this you should change passwords and have any companies you've done financial transactions with keep an eye on your accounts. Also, if the SDFix tool finds backdoor Trojans the same applies to that as well as the keylogger, and we cannot be absolutely sure of getting it all, so the computer may be compromised and not trustworthy for financial dealings or passwords unless a reformat is done.


    If this shows in add/remove program uninstall it, then reboot.

    Advanced Invisible Keylogger


    Run HijackThis and click on the "Scan system only" button and put a check next to these if still present:


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O4 - HKLM\..\Run: [win16dll] H:\programs\Advanced Invisible Keylogger\Advanced Invisible Keylogger.exe



    With everything closed except HijackThis, click on "Fix checked".






    Now reboot into Safe Mode by tapping your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter.


    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):



    DELETE FOLDERS

    H:\programs\Advanced Invisible Keylogger


    Reboot back to normal mode and...



    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
    • Open the extracted folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log



    Also...


    Open Hijackthis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.


    New HijackThis log also. Thanks.

  5. #5
    malc is offline Full Member
    Apologies for the delay but I've had a few family issues.

    When I press F8 on boot up it does not go to safe mode screen but displays a window saying Please select boot device and lists Floppy, HDD and CD Rom.

    If I press reset while the windows logo is loading then the pc reboots and ends up at the safe mode screen. When I click on safe mode it displays a list of drivers on the screen which stays for about 30 secs. Then you get a screen with safe mode displayed at each corner for a couple of secs, then the pc reboots itself into normal mode. I can't get it to remain in safe mode so can't run SDFix.
    I've tried loads of times but no joy.

    When I remove spyware bot it reappears upon reboot.

    Where can I go from here?

  6. #6
    Neal is offline Dedicated Member
    Try to delete the folder for the keylogger from normal mode and see if it comes back.




    Try this online scanner for now from normal mode:



    • Click here to use the F-Secure Online Scanner
    • Then click the Start Scanning button below.
    • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
    • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
    • In case you are having problems with installing the ActiveX/starting the scan, please read here.
    • Click the Full System Scan button.
    • It will start to download scanner components and databases. This can take a while.
    • The main scan will start.
    • Once the scan has finished, click the Automatic cleaning (recommended) button
    • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
    • The cleaning can take a while, so please be patient.
    • Then click the Show report button and copy and paste what's present under results in your next reply.


    New hijackthis log please.

  7. #7
    malc is offline Full Member
    Scanning Report
    Tuesday, November 06, 2007 17:58:09 - 07:41:46
    Computer name: MAINROOM
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: G:\ H:\ I:\ J:\


    --------------------------------------------------------------------------------

    Result: 253 malware found
    Possible Browser Hijack attempt (spyware)
    System (Disinfected)
    SpywareBot (spyware)
    System (Disinfected)
    Tracking Cookie (spyware)
    System (Disinfected)
    System (Disinfected)
    System (Disinfected)

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 55952
    System: 4069
    Not scanned: 3
    Actions:
    Disinfected: 5
    Renamed: 0
    Deleted: 0
    None: 248
    Submitted: 0
    Files not scanned:
    G:\PAGEFILE.SYS
    G:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    G:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{B3324E7F-14A7-46FD-834C-F0EE6E255149}.BIN

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    F-Secure Libra: 2.4.2, 2007-11-06
    F-Secure AVP: 7.0.171, 2007-11-06
    F-Secure Orion: 1.2.37, 2007-11-06
    F-Secure Blacklight: 1.0.64
    F-Secure Draco: 1.0.35, 0597-150-72
    F-Secure Pegasus: 1.19.0, 2007-10-05
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
    Use Advanced heuristics


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:20:22, on 08/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\MSN Messenger\usnsvc.exe
    G:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\Explorer.EXE
    G:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    G:\Program Files\Google\Google Talk\googletalk.exe
    G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    G:\Program Files\QuickTime\qttask.exe
    G:\Program Files\iTunes\iTunesHelper.exe
    H:\programs\Winamp\winampa.exe
    G:\Program Files\VIA\RAID\raid_tool.exe
    G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    G:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    G:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    H:\MAINROOM\svchost.exe
    G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    G:\Program Files\MSN Messenger\msnmsgr.exe
    G:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    G:\DOCUME~1\Dad\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
    G:\DOCUME~1\Dad\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
    G:\Program Files\Common Files\Real\Update_OB\realsched.exe
    G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - G:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] G:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [googletalk] G:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinampAgent] H:\programs\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RaidTool] G:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "G:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows LSSS Service] H:\MAINROOM\svchost.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Video Driver] H:\MAINROOM\svchost.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-839522115-1708537768-725345543-1006\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe (User 'Jenny')
    O4 - HKUS\S-1-5-21-839522115-1708537768-725345543-1006\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Jenny')
    O4 - HKUS\S-1-5-21-839522115-1708537768-725345543-1006\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background (User 'Jenny')
    O4 - HKUS\S-1-5-21-839522115-1708537768-725345543-1006\..\Run: [Uniblue RegistryBooster 2] G:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User 'Jenny')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-21-839522115-1708537768-725345543-1006 Startup: LimeWire On Startup.lnk = H:\programs\LimeWire\LimeWire.exe (User 'Jenny')
    O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1178635981937
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1178635970921
    O20 - AppInit_DLLs: G:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: GoogleDesktopManager - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - G:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - G:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - G:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - G:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O24 - Desktop Component 0: (no name) - http://www.itsagoal.com/skins/defaul...titlebgpic.jpg

    --
    End of file - 9998 bytes

  8. #8
    Neal is offline Dedicated Member
    Very suspicious here:


    O4 - HKLM\..\Run: [Windows LSSS Service] H:\MAINROOM\svchost.exe
    O4 - HKLM\..\Run: [Video Driver] H:\MAINROOM\svchost.exe




    Go to next site:
    http://www.virustotal.com/en/indexf.html
    On top you'll find 'Browse'
    Click the browse button and browse to next file:


    H:\MAINROOM\svchost.exe


    Click open.
    Then click the 'Send' button next to it.
    This will scan the file. Please be patient.
    Once scanned, copy and paste the results as well in your next reply.


    If that one is too busy, here is another option:


    http://virusscan.jotti.org

    And

    http://www.kaspersky.com/scanforvirus.html


    New hijackthis log please.

  9. #9
    malc is offline Full Member
    Hi, Info as requested.


    File svchost.exe received on 11.09.2007 17:16:36 (CET)

    Result: 20/32 (62.5%)

    Antivirus Version Last Update Result
    AhnLab-V3 2007.11.9.1 2007.11.09 -
    AntiVir 7.6.0.34 2007.11.09 -
    Authentium 4.93.8 2007.11.09 Possibly a new variant of W32/VB-Backdoor-PWNF-based!Maximus
    Avast 4.7.1074.0 2007.11.08 Win32:007SpySoft
    AVG 7.5.0.503 2007.11.09 Potentially harmful program Logger.BLC
    BitDefender 7.2 2007.11.09 Backdoor.Generic.5609
    CAT-QuickHeal 9.00 2007.11.09 -
    ClamAV 0.91.2 2007.11.09 -
    DrWeb 4.44.0.09170 2007.11.09 Trojan.Espy
    eSafe 7.0.15.0 2007.11.08 suspicious Trojan/Worm
    eTrust-Vet 31.2.5282 2007.11.09 -
    Ewido 4.0 2007.11.09 Not-A-Virus.Monitor.Win32.007SpySoft.308
    FileAdvisor 1 2007.11.09 -
    Fortinet 3.11.0.0 2007.10.19 Keylog/VB
    F-Prot 4.4.2.54 2007.11.09 W32/VB-Backdoor-PWNF-based!Maximus
    F-Secure 6.70.13030.0 2007.11.09 -
    Ikarus T3.1.1.12 2007.11.09 not-a-virus:Monitor.Win32.007SpySoft.308
    Kaspersky 7.0.0.125 2007.11.09 not-a-virus:Monitor.Win32.007SpySoft.308
    McAfee 5159 2007.11.08 Generic PWS.y
    Microsoft 1.3007 2007.11.09 MonitoringTool:Win32/007Spy
    NOD32v2 2650 2007.11.09 a variant of Win32/Spy.007 Spy
    Norman 5.80.02 2007.11.08 W32/007Spy.AX
    Panda 9.0.0.4 2007.11.09 Application/007Spy
    Prevx1 V2 2007.11.09 -
    Rising 20.17.41.00 2007.11.09 -
    Sophos 4.23.0 2007.11.09 Mal/VB-G
    Sunbelt 2.2.907.0 2007.11.09 -
    Symantec 10 2007.11.09 Spyware.007Spy
    TheHacker 6.2.9.122 2007.11.09 Aplicacion/007SpySoft.308
    VBA32 3.12.2.4 2007.11.08 -
    VirusBuster 4.3.26:9 2007.11.08 -
    Webwasher-Gateway 6.0.1 2007.11.09 Riskware.007SpySoft.308
    Additional information
    File size: 164864 bytes
    MD5: 3993a2202bf0b6aa1cd6086c683da85f
    SHA1: 6d7be54696cb5cbef0e6a058d704a8c4d330c48b
    packers: UPX



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:04:03, on 09/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    G:\WINDOWS\System32\smss.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\system32\services.exe
    G:\WINDOWS\system32\lsass.exe
    G:\WINDOWS\system32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    G:\WINDOWS\System32\svchost.exe
    G:\WINDOWS\System32\svchost.exe
    G:\Program Files\MSN Messenger\usnsvc.exe
    G:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
    G:\WINDOWS\system32\winlogon.exe
    G:\WINDOWS\Explorer.EXE
    G:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    G:\Program Files\Google\Google Talk\googletalk.exe
    G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    G:\Program Files\QuickTime\qttask.exe
    G:\Program Files\iTunes\iTunesHelper.exe
    H:\programs\Winamp\winampa.exe
    G:\Program Files\VIA\RAID\raid_tool.exe
    G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    G:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    G:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
    H:\MAINROOM\svchost.exe
    G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    G:\WINDOWS\system32\ctfmon.exe
    G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    G:\Program Files\MSN Messenger\msnmsgr.exe
    G:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    G:\Program Files\Internet Explorer\iexplore.exe
    G:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    G:\DOCUME~1\Dad\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
    G:\DOCUME~1\Dad\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
    G:\Program Files\internet explorer\iexplore.exe
    H:\programs\RealPlayer\RealPlay.exe
    G:\Program Files\Common Files\Real\Update_OB\realsched.exe
    G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - G:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - g:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - G:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - G:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVG7_CC] G:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RemoteControl] "G:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] G:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [googletalk] G:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "G:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinampAgent] H:\programs\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RaidTool] G:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "G:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "G:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [ATICCC] "G:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows LSSS Service] H:\MAINROOM\svchost.exe
    O4 - HKLM\..\Run: [Google Desktop Search] "G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [Video Driver] H:\MAINROOM\svchost.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] G:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-839522115-1708537768-725345543-1006\..\Run: [CTFMON.EXE] G:\WINDOWS\system32\ctfmon.exe (User 'Jenny')
    O4 - HKUS\S-1-5-21-839522115-1708537768-725345543-1006\..\Run: [MsnMsgr] "G:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Jenny')
    O4 - HKUS\S-1-5-21-839522115-1708537768-725345543-1006\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background (User 'Jenny')
    O4 - HKUS\S-1-5-21-839522115-1708537768-725345543-1006\..\Run: [Uniblue RegistryBooster 2] G:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User 'Jenny')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] G:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-21-839522115-1708537768-725345543-1006 Startup: LimeWire On Startup.lnk = H:\programs\LimeWire\LimeWire.exe (User 'Jenny')
    O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://G:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1178635981937
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1178635970921
    O20 - AppInit_DLLs: G:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - G:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: GoogleDesktopManager - Google - G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - G:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - G:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - G:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - G:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O24 - Desktop Component 0: (no name) - http://www.itsagoal.com/skins/defaul...titlebgpic.jpg

    --
    End of file - 10084 bytes

  10. #10
    Neal is offline Dedicated Member
    Thanks for that info, bad files indeed.




    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      H:\MAINROOM\svchost.exe

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    New hijackthis log please.
