Having difficulties with my computer, lots of add popping up, change in my internet home page. Settings that are reset by ??? Could you check the hijack report. Thanks ! Logfile of HijackThis v1.99.1 Scan saved at 7:34:22 PM, on 3/21/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\temp\Hijack\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O1 - Hosts: 1.1.1.1 f-secure.com O1 - Hosts: 1.1.1.1 www.f-secure.com O1 - Hosts: 1.1.1.1 ftp.f-secure.com O1 - Hosts: 1.1.1.1 ftp.sophos.com O1 - Hosts: 1.1.1.1 liveupdate.symantec.com O1 - Hosts: 1.1.1.1 customer.symantec.com O1 - Hosts: 1.1.1.1 dispatch.mcafee.com O1 - Hosts: 1.1.1.1 download.mcafee.com O1 - Hosts: 1.1.1.1 rads.mcafee.com O1 - Hosts: 1.1.1.1 mast.mcafee.com O1 - Hosts: 1.1.1.1 my-etrust.com O1 - Hosts: 1.1.1.1 www.my-etrust.com O1 - Hosts: 1.1.1.1 nai.com O1 - Hosts: 1.1.1.1 www.nai.com O1 - Hosts: 1.1.1.1 networkassociates.com O1 - Hosts: 1.1.1.1 secure.nai.com O1 - Hosts: 1.1.1.1 securityresponse.symantec.com O1 - Hosts: 1.1.1.1 service1.symantec.com O1 - Hosts: 1.1.1.1 sophos.com O1 - Hosts: 1.1.1.1 www.sophos.com O1 - Hosts: 1.1.1.1 support.microsoft.com O1 - Hosts: 1.1.1.1 symantec.com O1 - Hosts: 1.1.1.1 www.symantec.com O1 - Hosts: 1.1.1.1 update.symantec.com O1 - Hosts: 1.1.1.1 updates.symantec.com O1 - Hosts: 1.1.1.1 us.mcafee.com O1 - Hosts: 1.1.1.1 vil.nai.com O1 - Hosts: 1.1.1.1 viruslist.com O1 - Hosts: 1.1.1.1 www.viruslist.com O1 - Hosts: 1.1.1.1 grisoft.com O1 - Hosts: 1.1.1.1 www.grisoft.com O1 - Hosts: 1.1.1.1 free.grisoft.com O1 - Hosts: 1.1.1.1 trendmicro.com O1 - Hosts: 1.1.1.1 housecall.trendmicro.com O1 - Hosts: 1.1.1.1 www.trendmicro.com O1 - Hosts: 1.1.1.1 pandasoftware.com O1 - Hosts: 1.1.1.1 www.pandasoftware.com O1 - Hosts: 1.1.1.1 usa.kaspersky.com O1 - Hosts: 1.1.1.1 ewido.net O1 - Hosts: 1.1.1.1 www.ewido.net O1 - Hosts: 1.1.1.1 zonelabs.com O1 - Hosts: 1.1.1.1 www.zonelabs.com O1 - Hosts: 1.1.1.1 bitdefender.com O1 - Hosts: 1.1.1.1 www.bitdefender.com O1 - Hosts: 1.1.1.1 download.bitdefender.com O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com O1 - Hosts: 1.1.1.1 spywareinfo.com O1 - Hosts: 1.1.1.1 www.spywareinfo.com O1 - Hosts: 1.1.1.1 merijn.org O1 - Hosts: 1.1.1.1 www.merijn.org O1 - Hosts: 1.1.1.1 sysinternals.com O1 - Hosts: 1.1.1.1 www.sysinternals.com O1 - Hosts: 1.1.1.1 onguardonline.gov O1 - Hosts: 1.1.1.1 www.onguardonline.gov O1 - Hosts: 1.1.1.1 avast.com O1 - Hosts: 1.1.1.1 www.avast.com O1 - Hosts: 1.1.1.1 safety.live.com O1 - Hosts: 1.1.1.1 www.paretologic.com O1 - Hosts: 1.1.1.1 paretologic.com O1 - Hosts: 1.1.1.1 virusscan.jotti.org O1 - Hosts: 1.1.1.1 services.google.com O1 - Hosts: 1.1.1.1 www.webroot.com O1 - Hosts: 1.1.1.1 webroot.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {15C3AB44-34A5-4C71-A33B-6CE3379AAA9D} - C:\WINDOWS\system32\tyfh.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing) O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [EPSON Stylus CX6400_1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P21 "EPSON Stylus CX6400_1" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [EPSON Stylus CX6400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P28 "EPSON Stylus CX6400 (Copy 1)" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [LIVEARMYEACHSITE] C:\Documents and Settings\All Users\Application Data\Soaprulelivearmy\okay draw.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T1dORVI\command.exe (file missing) O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix) Please then reboot your computer in Safe Mode by doing the following: [*]Restart your computer [*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; [*]Instead of Windows loading as normal, the Advanced Options Menu should appear; [*]Select the first option, to run Windows in Safe Mode, then press Enter. [*]Choose your usual account. [*] Open the extracted SDFix folder and double click RunThis.bat to start the script. [*] Type Y to begin the cleanup process. [*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. [*] Press any Key and it will restart the PC. [*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. [*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Here is the SDFIX log and the Hijack this report Thanks for your help SDFix: Version 1.74 Run by Administrator - Thu 03/22/2007 - 18:15:08.77 Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Safe Mode: Checking Services: Name: COM+ Messages ImagePath: "C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 COM+ Messages Deleted Restoring Windows Registry Entries Restoring Default Hosts File Rebooting... Normal Mode: Checking Files: Below files will be copied to Backups folder then removed: C:\WINDOWS\SYSTEM32\34V6RI~1.HTM - Deleted C:\WINDOWS\SYSTEM32\97A19K~1.HTM - Deleted C:\WINDOWS\SYSTEM32\C7NFT3~1.HTM - Deleted C:\WINDOWS\system32\msnav32.ax - Deleted C:\WINDOWS\system32\netstat.com - Deleted C:\WINDOWS\system32\taskkill.com - Deleted C:\WINDOWS\system32\unsvchosts.lzma - Deleted ADS Check: C:\WINDOWS\system32 No streams found. Final Check: Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019" "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater" "C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"="C:\\Program Files\\iMesh\\Client\\iMeshClient.exe:*:Enabled:iMesh Premium" "C:\\Program Files\\GigaByte\\VGA Utility Manager\\G-vga.exe"="C:\\Program Files\\GigaByte\\VGA Utility Manager\\G-vga.exe:*isabled:Menu" "C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui" "C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application" "C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE:*isabled:SAgent4" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger" "C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa" "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger" "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server" "C:\\Program Files\\iMesh\\iMesh5\\iMesh.exe"="C:\\Program Files\\iMesh\\iMesh5\\iMesh.exe:*:Enabled:iMesh 5" "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent" "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes" "C:\\Program Files\\p2pnetworks\\p2pnetworks.exe"="C:\\Program Files\\p2pnetworks\\p2pnetworks.exe:*:Enabled2PNetworks" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" "C:\\Documents and Settings\\Owner\\Desktop\\LimeWire\\LimeWire.exe"="C:\\Documents and Settings\\Owner\\Desktop\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1" "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)" Remaining Files: --------------- Backups Folder: - C:\SDFix\backups\backups.zip Checking For Files with Hidden Attributes : C:\Documents and Settings\Owner\My Documents\a?sembly\regedit.exe C:\Documents and Settings\Owner\My Documents\??mbols\r?gsvr32.exe C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe C:\Program Files\DreamQuest\Free Euchre\DQUninstall.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\inxhjsx\csrss.exe C:\WINDOWS\system32\xlfjnmcbw\winlogon.exe C:\WINDOWS\system32\config\default.tmp.LOG C:\WINDOWS\system32\config\software.tmp.LOG C:\WINDOWS\system32\config\system.tmp.LOG Finished Logfile of HijackThis v1.99.1 Scan saved at 6:40:25 PM, on 3/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\temp\Hijack\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O1 - Hosts: 1.1.1.1 f-secure.com O1 - Hosts: 1.1.1.1 www.f-secure.com O1 - Hosts: 1.1.1.1 ftp.f-secure.com O1 - Hosts: 1.1.1.1 ftp.sophos.com O1 - Hosts: 1.1.1.1 liveupdate.symantec.com O1 - Hosts: 1.1.1.1 customer.symantec.com O1 - Hosts: 1.1.1.1 dispatch.mcafee.com O1 - Hosts: 1.1.1.1 download.mcafee.com O1 - Hosts: 1.1.1.1 rads.mcafee.com O1 - Hosts: 1.1.1.1 mast.mcafee.com O1 - Hosts: 1.1.1.1 my-etrust.com O1 - Hosts: 1.1.1.1 www.my-etrust.com O1 - Hosts: 1.1.1.1 nai.com O1 - Hosts: 1.1.1.1 www.nai.com O1 - Hosts: 1.1.1.1 networkassociates.com O1 - Hosts: 1.1.1.1 secure.nai.com O1 - Hosts: 1.1.1.1 securityresponse.symantec.com O1 - Hosts: 1.1.1.1 service1.symantec.com O1 - Hosts: 1.1.1.1 sophos.com O1 - Hosts: 1.1.1.1 www.sophos.com O1 - Hosts: 1.1.1.1 support.microsoft.com O1 - Hosts: 1.1.1.1 symantec.com O1 - Hosts: 1.1.1.1 www.symantec.com O1 - Hosts: 1.1.1.1 update.symantec.com O1 - Hosts: 1.1.1.1 updates.symantec.com O1 - Hosts: 1.1.1.1 us.mcafee.com O1 - Hosts: 1.1.1.1 vil.nai.com O1 - Hosts: 1.1.1.1 viruslist.com O1 - Hosts: 1.1.1.1 www.viruslist.com O1 - Hosts: 1.1.1.1 grisoft.com O1 - Hosts: 1.1.1.1 www.grisoft.com O1 - Hosts: 1.1.1.1 free.grisoft.com O1 - Hosts: 1.1.1.1 trendmicro.com O1 - Hosts: 1.1.1.1 housecall.trendmicro.com O1 - Hosts: 1.1.1.1 www.trendmicro.com O1 - Hosts: 1.1.1.1 pandasoftware.com O1 - Hosts: 1.1.1.1 www.pandasoftware.com O1 - Hosts: 1.1.1.1 usa.kaspersky.com O1 - Hosts: 1.1.1.1 ewido.net O1 - Hosts: 1.1.1.1 www.ewido.net O1 - Hosts: 1.1.1.1 zonelabs.com O1 - Hosts: 1.1.1.1 www.zonelabs.com O1 - Hosts: 1.1.1.1 bitdefender.com O1 - Hosts: 1.1.1.1 www.bitdefender.com O1 - Hosts: 1.1.1.1 download.bitdefender.com O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com O1 - Hosts: 1.1.1.1 spywareinfo.com O1 - Hosts: 1.1.1.1 www.spywareinfo.com O1 - Hosts: 1.1.1.1 merijn.org O1 - Hosts: 1.1.1.1 www.merijn.org O1 - Hosts: 1.1.1.1 sysinternals.com O1 - Hosts: 1.1.1.1 www.sysinternals.com O1 - Hosts: 1.1.1.1 onguardonline.gov O1 - Hosts: 1.1.1.1 www.onguardonline.gov O1 - Hosts: 1.1.1.1 avast.com O1 - Hosts: 1.1.1.1 www.avast.com O1 - Hosts: 1.1.1.1 safety.live.com O1 - Hosts: 1.1.1.1 www.paretologic.com O1 - Hosts: 1.1.1.1 paretologic.com O1 - Hosts: 1.1.1.1 virusscan.jotti.org O1 - Hosts: 1.1.1.1 services.google.com O1 - Hosts: 1.1.1.1 www.webroot.com O1 - Hosts: 1.1.1.1 webroot.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {45C6AA44-33A0-4D21-A33B-6CE3379AA8CE} - C:\WINDOWS\system32\jxqup.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing) O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [EPSON Stylus CX6400_1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P21 "EPSON Stylus CX6400_1" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [EPSON Stylus CX6400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P28 "EPSON Stylus CX6400 (Copy 1)" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [LIVEARMYEACHSITE] C:\Documents and Settings\All Users\Application Data\Soaprulelivearmy\okay draw.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T1dORVI\command.exe (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
Run HijackThis. Click the Misc Tools button. Click the Uninstall Manager button. Then the Save List button. Save that list to your Desktop and post the contents of it please.
Here is the uninstall list Thanks Adobe Flash Player 9 ActiveX Adobe Reader 7.0.5 Language Support Adobe Reader 7.0.8 Adobe Shockwave Player Adobe® Photoshop® Album Starter Edition 3.0 Apple Software Update CCHelp CCScore Click'N Design 3D (V5) Command DownloadManager Easy CD & DVD Creator 6 EPSON CardMonitor EPSON Copy Utility EPSON Photo Print EPSON PhotoStarter3.0 EPSON Printer Software EPSON Scan EPSON Smart Panel ESSAdpt ESSANUP ESSBrwr ESSCAM ESSCDBK ESScore ESSCT ESSEMAIL ESSgui ESShelp ESSini ESSPCD ESSSONIC ESSvpaht ESSvpot ewido anti-spyware 4.0 Form Fill (Windows Live Toolbar) Google Toolbar for Firefox HijackThis 1.99.1 HLPCCTR HLPIndex HLPSFO Hotfix for Windows Media Format SDK (KB902344) Hotfix for Windows XP (KB896344) Hotfix for Windows XP (KB915865) iTunes J2SE Runtime Environment 5.0 Update 11 Kodak EasyShare software KSU LimeWire 4.12.11 McAfee SecurityCenter McAfee VirusScan Messenger Plus! 3 Messenger Plus! Live & Sponsor (CiD) Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Microsoft .NET Framework 1.1 Hotfix (KB886903) Microsoft .NET Framework 2.0 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Excel Viewer 97 Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Word Viewer 2003 Microsoft PowerPoint Viewer 97 Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348) Nero Media Player Nero OEM NeroVision Express 2 Network Monitor Notification Utility Notifier NVIDIA Drivers NVIDIA nForce Utilities NVIDIA Windows 2000/XP nForce Drivers OfotoXMI OTtBP OTtBPSDK Outerinfo Outerinfo Pacific Poker PCDLNCH PowerDVD PrintMaster QuickTax 2005 QuickTax 2006 QuickTime Security Update for Windows Media Player (KB911564) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Security Update for Windows XP (KB905915) Security Update for Windows XP (KB908519) Security Update for Windows XP (KB908531) Security Update for Windows XP (KB911280) Security Update for Windows XP (KB911562) Security Update for Windows XP (KB911567) Security Update for Windows XP (KB911927) Security Update for Windows XP (KB912812) Security Update for Windows XP (KB912919) Security Update for Windows XP (KB913446) Security Update for Windows XP (KB913580) Security Update for Windows XP (KB914389) Security Update for Windows XP (KB916281) Security Update for Windows XP (KB917344) Security Update for Windows XP (KB917953) Security Update for Windows XP (KB918439) SFR SFR2 SoftV92 Data Fax Modem Tabbed Browsing (Windows Live Toolbar) Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Update for Windows XP (KB900485) Update for Windows XP (KB900930) Update for Windows XP (KB910437) URGE USB Driver for Panasonic DVC VCAMCEN VPRINTOL WebDP 2.07 Windows Genuine Advantage v1.3.0254.0 Windows Installer 3.1 (KB893803) Windows Installer 3.1 (KB893803) Windows Internet Explorer 7 Windows Live Messenger Windows Live Outlook Toolbar (Windows Live Toolbar) Windows Live Sign-in Assistant Windows Live Toolbar Windows Live Toolbar Windows Live Toolbar Feed Detector (Windows Live Toolbar) Windows Live Toolbar MSN Extension (Windows Live Toolbar) Windows Media Connect Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 Windows XP Hotfix - KB834707 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB887797 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888240 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Windows XP Related WordPerfect Office 11
Print this out for reference during the fix as for part of it you will be in Sffe Mode and Unable to access this site. Click Start>Run type in appwiz.cpl and hit Enter. From the list uninstall the following: Command ewido anti-spyware 4.0 Messenger Plus! 3 Messenger Plus! Live & Sponsor (CiD) Network Monitor Outerinfo Outerinfo Ewido has been bought by AVG... so your copy of that is outdated. Messenger Plus! 3 with the sponsor installs adware. If you like Messenger Plus! you can reinstall it later WITHOUT the Sponsor after we have your system cleaned up. Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Don't run it yet. Download AVG Anti-Spyware. Install it and update the program. Don't scan with it yet. Run and scan with HijackThis and place checks beside the following: R3 - Default URLSearchHook is missing O1 - Hosts: 1.1.1.1 f-secure.com O1 - Hosts: 1.1.1.1 www.f-secure.com O1 - Hosts: 1.1.1.1 FTP.f-secure.com O1 - Hosts: 1.1.1.1 FTP.sophos.com O1 - Hosts: 1.1.1.1 liveupdate.symantec.com O1 - Hosts: 1.1.1.1 customer.symantec.com O1 - Hosts: 1.1.1.1 dispatch.mcafee.com O1 - Hosts: 1.1.1.1 download.mcafee.com O1 - Hosts: 1.1.1.1 rads.mcafee.com O1 - Hosts: 1.1.1.1 mast.mcafee.com O1 - Hosts: 1.1.1.1 my-etrust.com O1 - Hosts: 1.1.1.1 www.my-etrust.com O1 - Hosts: 1.1.1.1 nai.com O1 - Hosts: 1.1.1.1 www.nai.com O1 - Hosts: 1.1.1.1 networkassociates.com O1 - Hosts: 1.1.1.1 secure.nai.com O1 - Hosts: 1.1.1.1 securityresponse.symantec.com O1 - Hosts: 1.1.1.1 service1.symantec.com O1 - Hosts: 1.1.1.1 sophos.com O1 - Hosts: 1.1.1.1 www.sophos.com O1 - Hosts: 1.1.1.1 support.microsoft.com O1 - Hosts: 1.1.1.1 symantec.com O1 - Hosts: 1.1.1.1 www.symantec.com O1 - Hosts: 1.1.1.1 update.symantec.com O1 - Hosts: 1.1.1.1 updates.symantec.com O1 - Hosts: 1.1.1.1 us.mcafee.com O1 - Hosts: 1.1.1.1 vil.nai.com O1 - Hosts: 1.1.1.1 viruslist.com O1 - Hosts: 1.1.1.1 www.viruslist.com O1 - Hosts: 1.1.1.1 grisoft.com O1 - Hosts: 1.1.1.1 www.grisoft.com O1 - Hosts: 1.1.1.1 free.grisoft.com O1 - Hosts: 1.1.1.1 trendmicro.com O1 - Hosts: 1.1.1.1 housecall.trendmicro.com O1 - Hosts: 1.1.1.1 www.trendmicro.com O1 - Hosts: 1.1.1.1 pandasoftware.com O1 - Hosts: 1.1.1.1 www.pandasoftware.com O1 - Hosts: 1.1.1.1 usa.kaspersky.com O1 - Hosts: 1.1.1.1 ewido.net O1 - Hosts: 1.1.1.1 www.ewido.net O1 - Hosts: 1.1.1.1 zonelabs.com O1 - Hosts: 1.1.1.1 www.zonelabs.com O1 - Hosts: 1.1.1.1 bitdefender.com O1 - Hosts: 1.1.1.1 www.bitdefender.com O1 - Hosts: 1.1.1.1 download.bitdefender.com O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com O1 - Hosts: 1.1.1.1 spywareinfo.com O1 - Hosts: 1.1.1.1 www.spywareinfo.com O1 - Hosts: 1.1.1.1 merijn.org O1 - Hosts: 1.1.1.1 www.merijn.org O1 - Hosts: 1.1.1.1 sysinternals.com O1 - Hosts: 1.1.1.1 www.sysinternals.com O1 - Hosts: 1.1.1.1 onguardonline.gov O1 - Hosts: 1.1.1.1 www.onguardonline.gov O1 - Hosts: 1.1.1.1 avast.com O1 - Hosts: 1.1.1.1 www.avast.com O1 - Hosts: 1.1.1.1 safety.live.com O1 - Hosts: 1.1.1.1 www.paretologic.com O1 - Hosts: 1.1.1.1 paretologic.com O1 - Hosts: 1.1.1.1 virusscan.jotti.org O1 - Hosts: 1.1.1.1 services.google.com O1 - Hosts: 1.1.1.1 www.webroot.com O1 - Hosts: 1.1.1.1 webroot.com O2 - BHO: (no name) - {45C6AA44-33A0-4D21-A33B-6CE3379AA8CE} - C:\WINDOWS\system32\jxqup.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing) O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T1dORVI\command.exe (file missing) O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing) Close all open browsers/windows and click the Fix button. Reboot your computer in Safe Mode. [*]If the computer is running, shut down Windows, and then turn off the power. [*]Wait 30 seconds, and then turn the computer on. [*]Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. [*]Ensure that the Safe Mode option is selected. [*]Press Enter. The computer then begins to start in Safe mode. [*]Login on your usual account. Enable the viewing of Hidden files follow these steps: [*]Close all programs so that you are at your desktop. [*]Double-click on the My Computer icon (or click Start, then select My Computer) [*]Select the Tools menu and click Folder Options. [*]After the new window appears select the View tab. [*]Put a checkmark in the checkbox labeled Display the contents of system folders. [*]Under the Hidden files and folders section select the radio button labeled Show hidden files and folders. [*]Remove the checkmark from the checkbox labeled Hide file extensions for known file types. [*]Remove the checkmark from the checkbox labeled Hide protected operating system files. [*]Press the Apply button and then the OK button and shutdown My Computer. Search for and delete these Folders: C:\Program Files\webHancer C:\WINDOWS\T1dORVI C:\Program Files\Network Monitor Search for and delete this File: C:\WINDOWS\system32\tyfh.dl Double-click ATF Cleaner.exe to open it. Under Main choose: Windows Temp Current User Temp All Users Temp Cookies Temporary Internet Files Prefetch Java Cache *The other boxes are optional* Then click the Empty Selected button. If you use Firefox: Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt. If you use Opera: Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click NO at the prompt. Click Exit on the Main menu to close the program. Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan. [*]Click on Scanner on the toolbar. [*]Click on the Settings tab. [*]Under How to act? [*]Click on Recommended Action and choose Quarantine from the popup menu. [*]Under How to scan? [*]All checkboxes should be ticked. [*]Under Possibly unwanted software: [*]All checkboxes should be ticked. [*]Under Reports: [*]Select Automatically generate report after every scan and uncheck Only if threats were found. [*]Under What to scan? [*]Select Scan every file. [*]Click on the Scan tab. [*]Click on Complete System Scan to start the scan process. [*]Let the program scan the machine. [*]When the scan has finished, follow the instructions below. IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button. [*]Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2) [*]At the bottom of the window click on the Apply all Actions button. (3) [*]When done, click the Save Scan Report button. (4) [*]Click the Save Report as button. [*]Save the report to your Desktop. [*]Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes. Post the AVG log and a new HijackThis log in your next reply please.
Hi there, thanks for your help I followed the instructions and got some errors: Couldn't remove Command, can't find C:WINDEOWS/T1Dorvi/nyxilpk.vbs Couldn't remove Network monitor, got message :can't find C:WINDOWS/Uninstall_nmon.vbs AVG - Does seem to have the same screen as what you send me, got message : couldn't find how to do the report I have version 7.5.446 VIRUS 268.18.17.732 I'm also seeing some message about IPWINS ? what is IPWINS ? Now that I restart, I'm getting about 5 messages about files not found, do I have to clean the registry ? Let me know what is next, thanks so much for your help ! I attached a HIJACK file..... Logfile of HijackThis v1.99.1 Scan saved at 5:35:34 PM, on 3/24/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\asuskbservice.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\drivers\KodakCCS.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe c:\program files\mcafee.com\vso\mcvsshld.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\sstray.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe c:\program files\mcafee.com\agent\mcagent.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Ipwindows\ipwins.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\temp\Hijack\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ F3 - REG:win.ini: load=C:\WINDOWS\system32\inxhjsx\csrss.exe F3 - REG:win.ini: run=C:\WINDOWS\system32\inxhjsx\csrss.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [EPSON Stylus CX6400_1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P21 "EPSON Stylus CX6400_1" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [EPSON Stylus CX6400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P28 "EPSON Stylus CX6400 (Copy 1)" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe O4 - Startup: csrss.lnk = ? O4 - Startup: winlogon.lnk = ? O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?d0eca49b080e41f786bc12a63f5bd039 O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?d0eca49b080e41f786bc12a63f5bd039 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: www.adobe.com O15 - Trusted Zone: http://www.ewido.net O15 - Trusted Zone: http://www.google.ca O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T1dORVI\command.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
Don't worry about the error messages for now. The infections are complaining because you are killing them off. We'll deal with the messages later. Please download Delcmdservice.zip to your Desktop. [*]Now, unpack delcmdservice-folder to you desktop. (Click here for information for how to unpacking files) [*]Open the delcmdservice-folder on your desktop and double-click on DelReg.bat, a DOS-window will open and rapidly close - this is normal - [*]Now close thedelcmdservice-folder Please Download MsnVirRem.exe to your desktop from one of the following mirrors. [*]Mirror 1 [*]Mirror 2 [*]Mirror 3 [*]First close any other programs you have running as this will require a reboot [*]Double click MsnVirRem.exe to run it [*]Once open, click the button labeled "Search and Destroy" <<Your computer will now be scanned for Infected Files>> [*]When scanning is finished, you will be prompted to reboot only if infected. Click OK [*]Now click the "REBOOT" Button. [*]After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue. [*]A Message should popup from MsnVirRem if not, double click the program again and it will finish Please Post the contents of C:\msnvirrem.log along with a fresh HijackThis log
Here is the two logs Please note that my computer didn't shut down with the Reboot, after 15 minutes, I had to force the reboot manually. MsnVirRem Log by Skate_Punk_21 Fix running from: C:\temp\MSNVIRREM 3/25/2007 9:56:39 AM ---Infection Files Found--- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\csrss.lnk C:\WINDOWS\system32\taskkill.com C:\WINDOWS\system32\netstat.com Rebooting... Fixing Registry Permissions... Editing Registry... Fixing Host File... **Fix Complete!** Hijack log ... Logfile of HijackThis v1.99.1 Scan saved at 10:35:19 AM, on 3/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\asuskbservice.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\drivers\KodakCCS.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe c:\program files\mcafee.com\vso\mcvsshld.exe c:\program files\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\sstray.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\Ipwindows\ipwins.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\temp\Hijack\HijackThis.exe Thanks again
Here you go... Logfile of HijackThis v1.99.1 Scan saved at 3:19:36 PM, on 3/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\asuskbservice.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\drivers\KodakCCS.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\sstray.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe C:\Program Files\McAfee.com\VSO\mcvsshld.exe C:\Program Files\McAfee.com\VSO\oasclnt.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Ipwindows\ipwins.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\temp\Hijack\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [EPSON Stylus CX6400_1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P21 "EPSON Stylus CX6400_1" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [EPSON Stylus CX6400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P28 "EPSON Stylus CX6400 (Copy 1)" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe O4 - Startup: winlogon.lnk = ? O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?d0eca49b080e41f786bc12a63f5bd039 O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?d0eca49b080e41f786bc12a63f5bd039 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: www.adobe.com O15 - Trusted Zone: http://www.ewido.net O15 - Trusted Zone: http://www.google.ca O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T1dORVI\command.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
Print this out for reference during the fix. Please download Brute Force Uninstaller to your desktop. [*]Right click the BFU folder on your desktop, and choose Extract All [*]Click "Next" [*]In the box to choose where to extract the files to, [*]Click "Browse" [*]Click on the + sign next to "My Computer" [*]Click on "Local Disk ( C: ) or whatever your primary drive is [*]Click "Make New Folder" [*]Type in BFU [*]Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish". RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover. Save it in the same folder you made earlier (c:\BFU). Don't do anything with it yet. Run and scan with HijackThis and place checks beside the following: O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\T1dORVI\command.exe (file missing) Close all open windows/browsers and click the Fix button. Click Start>Run and type in cmd and hit Enter. From the command prompt type: sc stop cmdService and hit Enter. Then type: sc delete cmdService and hit Enter. Close the command box. Then, please go to Start>My Computer and navigate to the C:\BFU folder. [*] Start the Brute Force Uninstaller by doubleclicking BFU.exe [*] Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu [*] Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.) [*]Wait for the complete script execution box to pop up and press OK. [*]Press exit to terminate the BFU program. Reboot and post a new HijackThis log please.
Here is the latest one... Logfile of HijackThis v1.99.1 Scan saved at 9:34:13 PM, on 3/26/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5700.0006) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\asuskbservice.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\drivers\KodakCCS.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mctskshd.exe c:\PROGRA~1\mcafee.com\vso\OasClnt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe c:\program files\mcafee.com\vso\mcvsshld.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\WINDOWS\system32\sstray.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe c:\program files\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\svchost.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [Registry Toolkit] C:\Program Files\Registry Toolkit\RegToolkit.exe /scan O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [EPSON Stylus CX6400_1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P21 "EPSON Stylus CX6400_1" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [EPSON Stylus CX6400 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P28 "EPSON Stylus CX6400 (Copy 1)" /O6 "USB001" /M "Stylus CX6400" O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1 O4 - Startup: winlogon.lnk = ? O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?d0eca49b080e41f786bc12a63f5bd039 O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?d0eca49b080e41f786bc12a63f5bd039 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: www.adobe.com O15 - Trusted Zone: http://www.ewido.net O15 - Trusted Zone: http://www.google.ca O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204 O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: ASUSKeyboardService - ASUSTeK COMPUTER INC. - C:\WINDOWS\asuskbservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
I'm impress, it's going very well, internet is fast and login/logoff is also quick. One quick thing, when I go to internet, it opens Google like I want, however it also tries to open another tab but can't find the site (not sure what site it's trying to access). I now have to close that one tab. Thanks so much !!!
This is with IE that its happening? Also... are you still getting those errors about files not being there that you were before?
In IE click the Tools Menu then Internet Options. In the General section click the Settings button by the Tabs entry. Click beside(to activate) Open only the first home page when Internet Explorer starts. See if that helps.
