virus hjthis log
George Hallam
03-31-2007, 11:29 AM
Hey, I keep getting 100% of Explorer being used and over 2 GB of PF usage, and it just stops my computer running.
Logfile of HijackThis v1.99.1
Scan saved at 6:25:15 PM, on 3/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\george\Desktop\Downloads & Patches\VundoFix.exe
C:\Documents and Settings\george\Desktop\Downloads & Patches\Litle virus softwares\Hijack this\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDmYReEEaH4pVbm8/C96e+Bz3H5tfs1hXNXlaSbyVF6d1Qv2IJlC/AN8dMdH/d7XP76JjChckEjdxER/XVhUX0PWn1mfvYEboZ12hRcJt+OA3UYDcPHCAJ/qqV6iRQfBpyX58ucwUo9HCQ9iDv2tSvN0iUEKIFYYwj
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download with &WebDownloader - c:\documents and settings\george\desktop\downloads & patches\WebDownload_IE.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: MS&N Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775F} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlabsli.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
Budfred
03-31-2007, 12:52 PM
I don't see anything to explain your problem... However, this looks suspicious unless you set it:
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Try this:
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...
Also, are you running a firewall??
George Hallam
04-01-2007, 05:07 AM
I am running virus software off and on. I have been trying different ones; what do you recommend?
And here's my log:
C:\DOCUME~1\george\Desktop\internet.lnk
C:\install.log
((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-31 ))))))))))))))))))))))))))))))))))
2007-03-31 18:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Spybot - Search & Destroy
2007-03-31 18:24 <DIR> d-------- C:\VundoFix Backups
2007-03-31 18:23 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-31 18:23 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-31 18:23 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-31 18:23 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-31 18:23 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-31 18:23 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-31 18:23 1,438 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-28 21:27 <DIR> d-------- C:\DOCUME~1\george\APPLIC~1\Kerio
2007-03-28 21:25 59,392 --a------ C:\WINDOWS\system32\drivers\kvpndrv.sys
2007-03-27 18:19 95,744 --a------ C:\WINDOWS\system\atl80.dll
2007-03-27 15:01 <DIR> d-------- C:\Program Files\Universal
2007-03-22 15:26 <DIR> d-------- C:\Program Files\Activision
2007-03-22 15:23 58,880 --a------ C:\WINDOWS\system\atl.dll
2007-03-22 07:49 614,400 --a------ C:\WINDOWS\system\msvcr80.dll
2007-03-20 20:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Age of Empires 3
2007-03-18 15:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-03-18 15:58 <DIR> d-------- C:\DOCUME~1\george\APPLIC~1\AdobeUM
2007-03-18 15:58 <DIR> d-------- C:\DOCUME~1\george\APPLIC~1\Adobe
2007-03-18 09:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Adobe
2007-03-18 09:52 <DIR> d-------- C:\WINDOWS\Cache
2007-03-17 06:52 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2007-03-17 06:52 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2007-03-17 06:52 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2007-03-17 06:51 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2007-03-17 06:50 <DIR> d-------- C:\Program Files\Futuremark
2007-03-10 13:25 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-03-10 13:25 <DIR> d-------- C:\DOCUME~1\george\APPLIC~1\Command & Conquer 3 Tiberium Wars Demo
2007-03-08 21:44 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-06 19:49 1,580 --ah----- C:\hpothb07.dat
2007-03-06 19:48 <DIR> d-------- C:\DOCUME~1\george\APPLIC~1\Hewlett-Packard
2007-03-06 16:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Ahead
2007-03-06 15:53 <DIR> d-------- C:\Program Files\Serious Sam 2
2007-03-06 07:43 <DIR> d-------- C:\Program Files\Doom 3
2007-03-05 21:44 12,244,719 --------- C:\AVG7QT.DAT
2007-03-05 20:31 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-03-05 16:31 <DIR> d---s---- C:\Program Files\Xfire
2007-03-05 16:31 <DIR> d-------- C:\DOCUME~1\george\APPLIC~1\Xfire
2007-03-05 16:30 <DIR> d-------- C:\Program Files\Serious Sam 2 Demo
2007-03-04 20:56 <DIR> d-------- C:\Program Files\RivaTuner v2.0 Final Release
2007-03-04 19:56 <DIR> d-------- C:\Program Files\MSN Messenger
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-31 21:46 -------- d-------- C:\DOCUME~1\george\APPLIC~1\azureus
2007-03-31 19:26 -------- d-------- C:\Program Files\microsoft games
2007-03-28 21:25 -------- d--h----- C:\Program Files\installshield installation information
2007-03-27 18:11 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-03-26 02:59 -------- d-------- C:\Program Files\messenger
2007-03-25 14:52 -------- d-------- C:\Program Files\limewire
2007-03-23 21:47 -------- d-------- C:\Program Files\itunes
2007-03-23 21:47 -------- d-------- C:\Program Files\ipod
2007-03-22 21:08 -------- d-------- C:\Program Files\gamespy arcade
2007-03-18 09:53 -------- d-------- C:\Program Files\ubisoft
2007-03-17 06:52 86016 --a------ C:\WINDOWS\system32\openal32.dll
2007-03-17 06:52 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-03-11 17:16 -------- d-------- C:\Program Files\autocad 2005
2007-03-10 13:22 -------- d-------- C:\Program Files\electronic arts
2007-03-09 19:29 -------- d-------- C:\Program Files\quicktime
2007-03-09 19:28 -------- d-------- C:\Program Files\apple software update
2007-03-06 16:59 -------- d-------- C:\DOCUME~1\george\APPLIC~1\ahead
2007-03-05 20:13 -------- d-------- C:\Program Files\ea games
2007-03-02 07:40 -------- d-------- C:\Program Files\croteam
2007-03-01 17:17 -------- d-------- C:\DOCUME~1\george\APPLIC~1\bittorrent
2007-02-26 18:54 -------- d-------- C:\Program Files\bittorrent
2007-02-26 15:25 -------- d-------- C:\Program Files\eidos interactive
2007-02-24 20:16 -------- d-------- C:\Program Files\java
2007-02-24 02:56 -------- d-------- C:\Program Files\nero
2007-02-24 02:55 -------- d-------- C:\Program Files\ahead
2007-02-24 02:54 33920 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-02-21 19:53 -------- d-------- C:\Program Files\vrkitchen version 7 trial
2007-02-20 07:49 -------- d-------- C:\Program Files\azureus
2007-02-17 19:26 -------- d-------- C:\Program Files\opera75
2007-02-17 06:33 -------- d-------- C:\Program Files\daemon tools
2007-02-14 01:40 -------- d-------- C:\DOCUME~1\george\APPLIC~1\iolo
2007-02-14 01:29 -------- d-------- C:\Program Files\iolo
2007-02-14 01:29 -------- d-------- C:\Program Files\Common Files\authentium
2007-02-13 17:49 -------- d-------- C:\Program Files\alwil software
2007-02-11 19:07 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
2007-02-10 00:55 -------- d-------- C:\Program Files\Common Files\systemrequirementslabsli
2007-02-09 21:24 -------- d-------- C:\Program Files\microsoft windows vista upgrade advisor
2007-02-09 21:23 -------- d-------- C:\Program Files\xml notepad 2007
2007-02-06 07:34 6656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-02-06 07:34 47616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-02-06 07:34 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-02-06 07:33 -------- d-------- C:\Program Files\autodesk
2007-02-03 16:49 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll
2007-02-02 16:46 -------- d-------- C:\Program Files\lavasoft
2007-02-02 16:44 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-01-29 20:11 -------- d-------- C:\Program Files\windows live toolbar
2007-01-29 19:01 262 --a------ C:\DOCUME~1\george\APPLIC~1\winsscookie.txt
2007-01-28 23:19 -------- d-------- C:\Program Files\tgtsoft
2007-01-28 20:54 -------- d-------- C:\DOCUME~1\george\APPLIC~1\google
2007-01-28 20:53 -------- d-------- C:\Program Files\google
2007-01-25 15:39 20458 --a------ C:\WINDOWS\hpoins01.dat
2007-01-23 16:39 50504 --a------ C:\DOCUME~1\george\APPLIC~1\gdipfontcachev1.dat
2007-01-17 21:24 147456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-01-17 21:24 0 --a------ C:\WINDOWS\system32\taskkill.exe
2007-01-15 20:32 689280 --a------ C:\WINDOWS\system32\aswboot.exe
2007-01-15 20:23 90112 --a------ C:\WINDOWS\system32\avastss.scr
2007-01-13 16:03 356352 --a------ C:\WINDOWS\esellerateengine.dll
2007-01-10 15:19 942 --a------ C:\WINDOWS\system32\sdbackup.reg
2007-01-09 16:07 73728 --a------ C:\WINDOWS\alcfdrtm.exe
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-01 17:18 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-01-01 16:27 0 -rahs---- C:\MSDOS.SYS
2007-01-01 16:27 0 -rahs---- C:\IO.SYS
2007-01-01 16:27 0 --a------ C:\CONFIG.SYS
2007-01-01 16:27 0 --a------ C:\AUTOEXEC.BAT
2007-01-01 16:24 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
Budfred
04-01-2007, 07:49 AM
I am running virus software off and on. I have been trying different ones; what do you recommend?
What does this mean??
Where is the rest of your log??
George Hallam
04-01-2007, 08:11 AM
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
"backup"="C:\\WINDOWS\\pss\\AutoCAD Startup Accelerator.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\AUTODE~1\\ACSTAR~1.EXE "
"item"="AutoCAD Startup Accelerator"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\KEM.exe "
"item"="Logitech SetPoint"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^RtlWake.lnk]
"backup"="C:\\WINDOWS\\pss\\RtlWake.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BELKIN~1\\BELKIN~1\\RtlWake.exe "
"item"="RtlWake"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Slim Multimedia Keyboard.lnk]
"backup"="C:\\WINDOWS\\pss\\Slim Multimedia Keyboard.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SLIMMU~1\\MagicKey.exe "
"item"="Slim Multimedia Keyboard"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^george^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
"item"="LimeWire On Startup"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^george^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
"backup"="C:\\WINDOWS\\pss\\OneNote 2007 Screen Clipper and Launcher.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office12\\ONENOTEM.EXE /tsr"
"item"="OneNote 2007 Screen Clipper and Launcher"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^george^Start Menu^Programs^Startup^Xfire.lnk]
"path"="C:\\Documents and Settings\\george\\Start Menu\\Programs\\Startup\\Xfire.lnk"
"backup"="C:\\WINDOWS\\pss\\Xfire.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Xfire\\Xfire.exe "
"item"="Xfire"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GrooveMonitor"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
George Hallam
04-01-2007, 08:12 AM
"command"="KHALMNPR.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvchost]
"item"="nvchost"
"hkey"="HKLM"
"key"="Run"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneCareUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winssnotify"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\shdef]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="shdef"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SkyTel"
"hkey"="HKLM"
"command"="SkyTel.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SvcManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svhots3"
"hkey"="HKLM"
"command"="svhots3.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]
"item"="scvhost"
"hkey"="HKLM"
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zlclient"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=dword:00000002
"vsmon"=dword:00000002
"SSScsiSV"=dword:00000003
"SPTISRV"=dword:00000003
"PACSPTISVR"=dword:00000003
"ose"=dword:00000003
"odserv"=dword:00000003
"msfwsvc"=dword:00000002
"MSCSPTISRV"=dword:00000003
"Microsoft Office Groove Audit Service"=dword:00000003
"iPod Service"=dword:00000003
"IDriverT"=dword:00000003
"Autodesk Licensing Service"=dword:00000003
"OneCareMP"=dword:00000002
"NVSvc"=dword:00000002
"winss"=dword:00000002
"aswUpdSv"=dword:00000002
"avast! Web Scanner"=dword:00000003
"avast! Mail Scanner"=dword:00000003
"avast! Antivirus"=dword:00000002
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"dvpapi"=dword:00000002
"ioloDMV"=dword:00000002
"NBService"=dword:00000003
"Microsoft Corporation"=dword:00000002
"AVG Anti-Spyware Guard"=dword:00000002
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ http://www.pcguide.com/vb
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d009219f-cb47-11db-87d5-0030bd4f7e2c}]
Shell\AutoRun\command G:\AutoRun.exe
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_IPOD_SERVICE
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\dfrg.job
C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
************************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
************************************************************************
Completion time: 07-03-31 21:46:30
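The two logs in this thread are the kind of output a helper reads by hand, so here is an added triage script (not code from the thread, from HijackThis or from ComboFix) that mechanises the checks Budfred is making: it parses HijackThis entry lines and reports the O7 DisableRegedit policy he pointed out, unknown Winsock LSP modules (reported once, since HijackThis prints one O10 line per LSP catalog entry) and IE default URLs whose host is off a trusted list; it then parses the msconfig `startupreg` blocks from the ComboFix report above and reports startup items whose name sits within a small edit distance of a core Windows binary name. The sample text is copied from the logs posted here (the Starware URL's query string shortened, only item/command values kept); the trusted-host list, the protected-name list and the threshold of 3 edits are assumptions of this example, not anything the tools define.

```python
"""Triage for a HijackThis log and for the msconfig 'startupreg' blocks of a
ComboFix report. Added example, not code from the thread, HijackThis or ComboFix;
the rules, lists and threshold below are this example's own assumptions."""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log above (Starware query string shortened).
HJT_SAMPLE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ua_lsp.dll
"""
# Constructed sample: startupreg blocks copied from the ComboFix report above (item/command values only).
STARTUPREG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"item"="ashDisp"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvchost]
"item"="nvchost"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SvcManager]
"item"="svhots3"
"command"="svhots3.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Update]
"item"="scvhost"
"""
TRUSTED_HOSTS = ("microsoft.com", "msn.com")                    # assumption: accepted IE defaults
SYSTEM_NAMES = ("svchost", "explorer", "winlogon", "services")  # assumption: names worth protecting
LOOKALIKE_MAX = 3                                               # assumption: edit-distance threshold
HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
BLOCK_HEAD = re.compile(r"^\[.*\\msconfig\\startupreg\\(?P<name>[^\]]+)\]$", re.IGNORECASE)
KEY_VALUE = re.compile(r'^"(?P<k>[^"]+)"="(?P<v>.*)"$')


def host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def triage_hjt(text):
    """Return [(section, detail)] for the R0/R1, O7 and O10 rules."""
    findings, seen_lsp = [], set()
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec in ("R0", "R1"):
            value = rest.partition(" = ")[2].strip()   # empty for 'Local Page =' style entries
            if value.startswith("http") and not host_trusted(value):
                findings.append((sec, "IE default outside trusted hosts: " + value))
        elif sec == "O7" and "DisableRegedit=1" in rest:
            findings.append((sec, "Registry Editor disabled by policy; confirm it was set on purpose"))
        elif sec == "O10" and rest.startswith("Unknown file in Winsock LSP:"):
            path = rest.split(":", 1)[1].strip().lower()
            if path not in seen_lsp:   # HijackThis prints one O10 line per LSP catalog entry
                seen_lsp.add(path)
                findings.append((sec, "Unknown Winsock LSP module: " + path))
    return findings


def parse_startupreg(text):
    """Return {entry name: {value name: value}} for each msconfig startupreg block."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = BLOCK_HEAD.match(line)
        if head:
            current = entries.setdefault(head.group("name"), {})
            continue
        kv = KEY_VALUE.match(line)
        if kv and current is not None:
            current[kv.group("k")] = kv.group("v").replace("\\\\", "\\")   # undo .reg escaping
    return entries


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def triage_startupreg(text):
    """Return [(entry name, item, imitated name)] for items within LOOKALIKE_MAX of a system binary name."""
    findings = []
    for name, values in parse_startupreg(text).items():
        base = re.sub(r"\.exe$", "", values.get("item", "").lower())
        for sysname in SYSTEM_NAMES:
            if base != sysname and osa_distance(base, sysname) <= LOOKALIKE_MAX:
                findings.append((name, values["item"], sysname))
                break
    return findings
```

On the sample this reports the Starware SearchAssistant URL, the DisableRegedit policy, one ua_lsp.dll entry, and the svhots3, scvhost and nvchost items (3, 1 and 1 edits from svchost), while ashDisp passes. A hit is a prompt to look at the file on disk, its publisher and its creation date in the ComboFix file listing, not a verdict by itself; the transposition-aware distance is what catches letter-swap names such as scvhost that plain Levenshtein would score as two edits.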
George Hallam
04-01-2007, 08:13 AM
Sorry about not posting everything, I was half asleep when I read it, lol. I didn't mean running virus software off and on; I meant I have been trying different firewalls.
Budfred
04-01-2007, 06:14 PM
It looks like you may have a serious problem here... Please do this:
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
And also this:
* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button.
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.