Karl`s PC Help Forums

High Jack This Log
charles - 18-4-2008 at 11:57

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:40, on 18/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:PROGRA~1AVGAVG8avgfws8.exe
C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
C:Program FilesSpyware DoctorpctsAuxs.exe
C:PROGRA~1AVGAVG8avgam.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesSpyware DoctorpctsSvc.exe
C:WINDOWSsystem32svchost.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:WINDOWSExplorer.EXE
C:Program FilesMicrosoft IntelliType Protype32.exe
C:Program FilesMicrosoft IntelliPointpoint32.exe
C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
C:WINDOWSemMON.exe
C:Program FilesJavajre1.6.0_05binjusched.exe
C:Program FilesSpyware DoctorpctsTray.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesMessengermsmsgs.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe
C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
C:PROGRA~1MagenticbinMgApp.exe
C:PROGRA~1INCRED~1binIMApp.exe
C:PROGRA~1AVGAVG8avgscanx.exe
C:Program FilesAVGAVG8avgui.exe
C:Program FilesAVGAVG8avgscanx.exe
C:Program FilesInternet ExplorerIEXPLORE.EXE
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.mytalktalk.co.uk/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: (no name) - Software - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_05binssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:WINDOWSsystem32TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier3.0.1225.9868swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:WINDOWSsystem32TwcToolbarIe7.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O4 - HKLM..Run: [type32] "C:Program FilesMicrosoft IntelliType Protype32.exe"
O4 - HKLM..Run: [NeroCheck] C:WINDOWSsystem32\NeroCheck.exe
O4 - HKLM..Run: [IntelliPoint] "C:Program FilesMicrosoft IntelliPointpoint32.exe"
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
O4 - HKLM..Run: [emMON] emMON.exe
O4 - HKLM..Run: [DiskeeperSystray] "C:Program FilesDiskeeper CorporationDiskeeperDkIcon.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_05binjusched.exe"
O4 - HKLM..Run: [ISTray] "C:Program FilesSpyware DoctorpctsTray.exe"
O4 - HKLM..Run: [Cleanator] C:Program FilesCleanatorCleanator.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKCU..Run: [swg] C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
O4 - HKCU..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [BitTorrent] "C:Program FilesBitTorrentbittorrent.exe" --force_start_minimized
O4 - HKCU..Run: [Magentic] C:PROGRA~1MagenticbinMagentic.exe /c
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [DW4] "C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe"
O4 - HKCU..Run: [IncrediMail] C:Program FilesIncrediMailbinIncMail.exe /c
O4 - Global Startup: Google Updater.lnk = C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MI1933~1OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O10 - Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgfws8.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware DoctorpctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware DoctorpctsSvc.exe
O24 - Desktop Component 0: (no name) - http://www.gifworks.com/GWbackground.gif

--
End of file - 8613 bytes

Could sme one please check this for me ?


LSemmens - 18-4-2008 at 14:22

I'm not certain that Pancake keeps track of the other threads, Charles, so he may not be aware of the reason behind your HJT log, Can you fill him in on some background, too, I'd have a go, but I may miss some important detail.


charles - 18-4-2008 at 14:48

Quote:
Originally posted by LSemmens
I'm not certain that Pancake keeps track of the other threads, Charles, so he may not be aware of the reason behind your HJT log, Can you fill him in on some background, too, I'd have a go, but I may miss some important detail.


Well basically its that we think some scammer may have put something on the PC THAT COLLECTS MY BANKING INFO.
perhaps you could relay that to him,thanks


hawklord - 18-4-2008 at 19:12

hi,

go to add/remove programs and uninstall cleanator,
then navigate to C > program files and find and delete the file cleanator,

http://www.bleepingcomputer.com/startups/Cleanator.exe-21491.html

empty your recycle bin

open hijackthis and click on do a system scan only
check the boxes relevant to these lines

O2 - BHO: (no name) - Software - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

close all browser windows (including this one) and click on fix checked

then use this online scanner/remover from ewido (now grisoft), you will need to allow the install of an activeX control distributed by grisoft ltd,
leave all settings at default and clean everything it finds

http://www.ewido.net/en/onlinescan/

post back with a fresh hjt log


charles - 18-4-2008 at 19:20

Quote:
Originally posted by hawklord
hi,

go to add/remove programs and uninstall cleanator,
then navigate to C > program files and find and delete the file cleanator,

http://www.bleepingcomputer.com/startups/Cleanator.exe-21491.html

empty your recycle bin

open hijackthis and click on do a system scan only
check the boxes relevant to these lines

O2 - BHO: (no name) - Software - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

close all browser windows (including this one) and click on fix checked

then use this online scanner/remover from ewido (now grisoft), you will need to allow the install of an activeX control distributed by grisoft ltd,
leave all settings at default and clean everything it finds

http://www.ewido.net/en/onlinescan/

post back with a fresh hjt log



Thanks for that,do you think that the two files.......
......O2 - BHO: (no name) - Software - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
could be responsible for getting my info ?


hawklord - 18-4-2008 at 20:02

hi,

no, the 2 lines are not responsible,

when hijackthis shows 02 lines as missing then they are actually missing, but they still show in your registry,
when you 'fix' the 02 lines with hjt then you are removing the registry entries,
if you 'fix' an 02 line with a file then the file has to be manually removed as well


charles - 18-4-2008 at 21:37

Quote:
Originally posted by hawklord
hi,

no, the 2 lines are not responsible,

when hijackthis shows 02 lines as missing then they are actually missing, but they still show in your registry,
when you 'fix' the 02 lines with hjt then you are removing the registry entries,
if you 'fix' an 02 line with a file then the file has to be manually removed as well



Ihanks for that, have you any ideas of how they could get that info off my pc ?


charles - 18-4-2008 at 21:37

Quote:
Originally posted by hawklord
hi,

no, the 2 lines are not responsible,

when hijackthis shows 02 lines as missing then they are actually missing, but they still show in your registry,
when you 'fix' the 02 lines with hjt then you are removing the registry entries,
if you 'fix' an 02 line with a file then the file has to be manually removed as well



Ihanks for that, have you any ideas of how they could get that info off my pc ?


charles - 18-4-2008 at 21:37

Quote:
Originally posted by hawklord
hi,

no, the 2 lines are not responsible,

when hijackthis shows 02 lines as missing then they are actually missing, but they still show in your registry,
when you 'fix' the 02 lines with hjt then you are removing the registry entries,
if you 'fix' an 02 line with a file then the file has to be manually removed as well



Ihanks for that, have you any ideas of how they could get that info off my pc ?


John Barnes - 18-4-2008 at 22:20

As stated get rid of cleanator immediately just Googled it and it said it was dangerous as it logged key board and set of unknown processes (like getting your info)and sending it on to some scab.jmb


hawklord - 18-4-2008 at 22:49

hi,

there are quite a few ways to get info off a pc,

do you use mywebsearch, funwebproducts or smileycentral (for instant message smileys) ?
if not - open hjt, click on do a system scan only and check the box relevant to this line

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab

click on fix checked

some malware can hide from hjt, a way round this is to re-name hijackthis,
so rename hijackthis to fooled

also download this to C:, its called silentrunners, there is no install needed, just double click the file and click "yes" at the prompt, wait a few seconds and a text file will be created where you ran the script from (C:startup programs .....)

post a fresh fooled (hjt) log and the silentrunners log


hawklord - 18-4-2008 at 22:50

ooops - won't let me edit

silentrunners

http://www.silentrunners.org/


charles - 19-4-2008 at 08:34

Quote:
Originally posted by hawklord
hi,

there are quite a few ways to get info off a pc,

do you use mywebsearch, funwebproducts or smileycentral (for instant message smileys) ?
if not - open hjt, click on do a system scan only and check the box relevant to this line

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab

click on fix checked

some malware can hide from hjt, a way round this is to re-name hijackthis,
so rename hijackthis to fooled

also download this to C:, its called silentrunners, there is no install needed, just double click the file and click "yes" at the prompt, wait a few seconds and a text file will be created where you ran the script from (C:startup programs .....)

post a fresh fooled (hjt) log and the silentrunners log


Sounds a little complicated to a novice like me but I did check and fix those two unknown files, btw what has smiley central got to do with all this ?


charles - 19-4-2008 at 09:42

Hi jack log from drive D
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:12, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:PROGRA~1AVGAVG8avgfws8.exe
C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
C:Program FilesSpyware DoctorpctsAuxs.exe
C:PROGRA~1AVGAVG8avgam.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesSpyware DoctorpctsSvc.exe
C:WINDOWSsystem32svchost.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:WINDOWSExplorer.EXE
C:Program FilesMicrosoft IntelliType Protype32.exe
C:Program FilesMicrosoft IntelliPointpoint32.exe
C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
C:WINDOWSemMON.exe
C:Program FilesJavajre1.6.0_05binjusched.exe
C:Program FilesSpyware DoctorpctsTray.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesMessengermsmsgs.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe
C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
C:PROGRA~1MagenticbinMgApp.exe
C:Program FilesIncrediMailbinIMApp.exe
C:Program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://mystart.incredimail.com/english
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_05binssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:WINDOWSsystem32TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier3.0.1225.9868swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:WINDOWSsystem32TwcToolbarIe7.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O4 - HKLM..Run: [type32] "C:Program FilesMicrosoft IntelliType Protype32.exe"
O4 - HKLM..Run: [NeroCheck] C:WINDOWSsystem32\NeroCheck.exe
O4 - HKLM..Run: [IntelliPoint] "C:Program FilesMicrosoft IntelliPointpoint32.exe"
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
O4 - HKLM..Run: [emMON] emMON.exe
O4 - HKLM..Run: [DiskeeperSystray] "C:Program FilesDiskeeper CorporationDiskeeperDkIcon.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_05binjusched.exe"
O4 - HKLM..Run: [ISTray] "C:Program FilesSpyware DoctorpctsTray.exe"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKCU..Run: [swg] C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
O4 - HKCU..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [BitTorrent] "C:Program FilesBitTorrentbittorrent.exe" --force_start_minimized
O4 - HKCU..Run: [Magentic] C:PROGRA~1MagenticbinMagentic.exe /c
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [DW4] "C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe"
O4 - HKCU..Run: [IncrediMail] C:Program FilesIncrediMailbinIncMail.exe /c
O4 - Global Startup: Google Updater.lnk = C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MI1933~1OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O10 - Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgfws8.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware DoctorpctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware DoctorpctsSvc.exe
O24 - Desktop Component 0: (no name) - http://www.gifworks.com/GWbackground.gif

--
End of file - 8280 bytes


charles - 19-4-2008 at 09:44

Quote:
Originally posted by hawklord
hi,

there are quite a few ways to get info off a pc,

do you use mywebsearch, funwebproducts or smileycentral (for instant message smileys) ?
if not - open hjt, click on do a system scan only and check the box relevant to this line

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15-3.cab

click on fix checked

some malware can hide from hjt, a way round this is to re-name hijackthis,
so rename hijackthis to fooled

also download this to C:, its called silentrunners, there is no install needed, just double click the file and click "yes" at the prompt, wait a few seconds and a text file will be created where you ran the script from (C:startup programs .....)

post a fresh fooled (hjt) log and the silentrunners log


How can I rename it fooled ?


hawklord - 19-4-2008 at 11:31

hi,

if you navigate to here

C:Program FilesTrend MicroHijackThisHijackThis.exe

and then right click on HijackThis.exe, choose rename from the options and type in the box fooled.exe then press enter, it will be called fooled.exe not HijackThis.exe but it will still be the same program and work as it should,

i notice from your log that you didn't use the online scanner from ewido, is there a reason ?

smiley central =

http://www.pchell.com/support/smileycentral.shtml

and the activeX (016-dpf line) clsid

http://castlecops.com/modules.php?name=ActiveX&query=1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB


charles - 19-4-2008 at 11:49

Quote:
Originally posted by hawklord
hi,

if you navigate to here

C:Program FilesTrend MicroHijackThisHijackThis.exe

and then right click on HijackThis.exe, choose rename from the options and type in the box fooled.exe then press enter, it will be called fooled.exe not HijackThis.exe but it will still be the same program and work as it should,

i notice from your log that you didn't use the online scanner from ewido, is there a reason ?

smiley central =

http://www.pchell.com/support/smileycentral.shtml

and the activeX (016-dpf line) clsid

http://castlecops.com/modules.php?name=ActiveX&query=1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB



Maybe a bit thick here but why do you keep mentioning Smiley Central ?


Quaver - 19-4-2008 at 11:56

Quote:
Originally posted by charles
Maybe a bit thick here but why do you keep mentioning Smiley Central ?

If you go to his link, you'll find out why.
Anyway, don't worry, I know Hawklord from another forum for years, and he's well respectedkewl_glasses


hawklord - 19-4-2008 at 12:00

Quote:
Originally posted by Quaver
Quote:
Originally posted by charles
Maybe a bit thick here but why do you keep mentioning Smiley Central ?

If you go to his link, you'll find out why.
Anyway, don't worry, I know Hawklord from another forum for years, and he's well respectedkewl_glasses


hi,

i've been rumbled twice now (srd as well)
yep - one and the same waveysmiley


hawklord - 19-4-2008 at 12:04

hi,

i know i am new, its the reason why i am posting links instead of explaining,
i am not known here


charles - 19-4-2008 at 12:21

Quote:
Originally posted by hawklord

i notice from your log that you didn't use the online scanner from ewido, is there a reason ?



Tried but it keeps taking me to AVG which I already have.


LSemmens - 19-4-2008 at 12:26

Right Click on HijackThis.exe and towards the bottom of the popup, you'll see a "Rename" Option. Type your new name in the label but ensure that you also include the ".exe" extension. So your new HijackThis.exe will look like "fooled.exe"


hawklord - 19-4-2008 at 12:44

Quote:
Originally posted by charles
Tried but it keeps taking me to AVG which I already have.


this link ?

http://www.ewido.net/en/onlinescan/


LSemmens - 19-4-2008 at 12:56

Thread drift alert

It may well be worth posting something about yourself in the Welcome Forum, hawklord, just so the rest of us can get up to speed on you. As you've probably already noticed, our "resident expert" is Pancake, and, as he lives in OZ, is not always on when people need assistance, so, the more, the merrier.


charles - 19-4-2008 at 14:32

Quote:
Originally posted by LSemmens
Right Click on HijackThis.exe and towards the bottom of the popup, you'll see a "Rename" Option. Type your new name in the label but ensure that you also include the ".exe" extension. So your new HijackThis.exe will look like "fooled.exe"


Have done thatwaveysmiley


charles - 19-4-2008 at 15:25

Quote:
Originally posted by hawklord
Quote:
Originally posted by charles
Tried but it keeps taking me to AVG which I already have.


this link ?

http://www.ewido.net/en/onlinescan/



Have now done that,29 infections found and removed, what now boss ?


hawklord - 19-4-2008 at 15:49

hi,

the reason i wanted you to do the anti-spyware scan is because malware comes in different catagories, a virus will be picked up by an anti-virus, adware/spyware will be picked up by an anti-spyware program, some will pick up both (spybot picks up some trojans and so does avg anti-virus),
so its good practice to use a range of scanners as each does its own thing,

so can you download this (i know i've asked before)

http://www.silentrunners.org/

all you need to do is double click the file and click 'yes' at the prompt, wait about 30 secs and a message will pop-up saying the file is done,
the text file that has been created will be called 'startup programs.......',
can you c+p the contents here (or attach) and i'll have a nosy through,
it will give me a list of various startup programs that are not detected by hijackthis (or even looked for)


charles - 19-4-2008 at 16:10

Silent Runners Report.

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCUSoftwareMicrosoftWindowsCurrentVersionRun {++}
"swg" = "C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe" ["Google Inc."]
"Picasa Media Detector" = "C:Program FilesPicasa2PicasaMediaDetector" ["Google Inc."]
"MSMSGS" = ""C:Program FilesMessengermsmsgs.exe" /background" [MS]
"BitTorrent" = ""C:Program FilesBitTorrentbittorrent.exe" --force_start_minimized" [file not found]
"Magentic" = "C:PROGRA~1MagenticbinMagentic.exe /c" [empty string]
"ctfmon.exe" = "C:WINDOWSsystem32ctfmon.exe" [MS]
"DW4" = ""C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe"" ["The Weather Channel Interactive"]
"IncrediMail" = "C:Program FilesIncrediMailbinIncMail.exe /c" ["IncrediMail, Ltd."]

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"type32" = ""C:Program FilesMicrosoft IntelliType Protype32.exe"" [MS]
"NeroCheck" = "C:WINDOWSsystem32\NeroCheck.exe" ["Ahead Software Gmbh"]
"IntelliPoint" = ""C:Program FilesMicrosoft IntelliPointpoint32.exe"" [MS]
"HPDJ Taskbar Utility" = "C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe" ["HP"]
"emMON" = "emMON.exe" ["eMPIA Technology, Inc."]
"DiskeeperSystray" = ""C:Program FilesDiskeeper CorporationDiskeeperDkIcon.exe"" ["Diskeeper Corporation"]
"SunJavaUpdateSched" = ""C:Program FilesJavajre1.6.0_05binjusched.exe"" ["Sun Microsystems, Inc."]
"ISTray" = ""C:Program FilesSpyware DoctorpctsTray.exe"" ["PCTools"]
"Adobe Reader Speed Launcher" = ""C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"" ["Adobe Systems Incorporated"]
"AVG8_TRAY" = "C:PROGRA~1AVGAVG8avgtray.exe" ["AVG Technologies CZ,s.r.o."]

HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
InProcServer32(Default) = "C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}(Default) = "WormRadar.com IESiteBlocker.NavFilter"
-> {HKLM...CLSID} = "AVG Safe Search"
InProcServer32(Default) = "C:Program FilesAVGAVG8avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
InProcServer32(Default) = "C:Program FilesJavajre1.6.0_05binssv.dll" ["Sun Microsystems, Inc."]
{A057A204-BACC-4D26-9990-79A187E2698E}(Default) = (no title provided)
-> {HKLM...CLSID} = "AVGTOOLBAR"
InProcServer32(Default) = "C:PROGRA~1AVGAVG8AVGTOO~1.DLL" ["AVG, Inc. "]
{AA1F9DDB-E605-4ba6-81D4-E427DEE012AD}(Default) = (no title provided)
-> {HKLM...CLSID} = "TwcToolbarBhoApp Class"
InProcServer32(Default) = "C:WINDOWSsystem32TwcToolbarBho.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar1.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
InProcServer32(Default) = "C:Program FilesGoogleGoogleToolbarNotifier3.0.1225.9868swg.dll" ["Google Inc."]

HKLMSOFTWAREMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32(Default) = "C:WINDOWSsystem32hticons.dll" ["Hilgraeve, Inc."]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Objects"
InProcServer32(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
InProcServer32(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Hood Verbs"
InProcServer32(Default) = "nwprovau.dll" [MS]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
InProcServer32(Default) = ""C:Program FilesMicrosoft IntelliType Proitcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
InProcServer32(Default) = ""C:Program FilesMicrosoft IntelliType Proitcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
InProcServer32(Default) = ""C:Program FilesMicrosoft IntelliType Proitcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
InProcServer32(Default) = ""C:Program FilesMicrosoft IntelliType Proitcplwir.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "Wireless Property Page"
InProcServer32(Default) = ""C:Program FilesMicrosoft IntelliPointipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
-> {HKLM...CLSID} = "Wheel Property Page"
InProcServer32(Default) = ""C:Program FilesMicrosoft IntelliPointipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
-> {HKLM...CLSID} = "Activities Property Page"
InProcServer32(Default) = ""C:Program FilesMicrosoft IntelliPointipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
-> {HKLM...CLSID} = "Buttons Property Page"
InProcServer32(Default) = ""C:Program FilesMicrosoft IntelliPointipcplbtn.dll"" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Outlook"
InProcServer32(Default) = "C:PROGRA~1MI1933~1OFFICE11MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
InProcServer32(Default) = "C:PROGRA~1MI1933~1OFFICE11OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesMicrosoft OfficeOFFICE11msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
InProcServer32(Default) = "C:Program FilesAVGAVG8avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLMSYSTEMCurrentControlSetControlLsa
<<!>> "Authentication Packages" = "msv1_0"|"nwprovau"

HKLMSOFTWAREClassesPROTOCOLSFilter
<<!>> text/xmlCLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesCommon FilesMicrosoft SharedOFFICE11MSOXMLMF.DLL" [MS]

HKLMSOFTWAREClassesFoldershellexColumnHandlers
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
InProcServer32(Default) = "C:Program FilesCommon FilesAdobeAcrobatActiveXPDFShell.dll" ["Adobe Systems, Inc."]

HKLMSOFTWAREClasses*shellexContextMenuHandlers
AVG8 Shell Extension(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
InProcServer32(Default) = "C:Program FilesAVGAVG8avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLMSOFTWAREClassesFoldershellexContextMenuHandlers
AVG8 Shell Extension(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
InProcServer32(Default) = "C:Program FilesAVGAVG8avgse.dll" ["AVG Technologies CZ, s.r.o."]
NetWareUNCMenu(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
InProcServer32(Default) = "nwprovau.dll" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCUSoftwareMicrosoftInternet ExplorerDesktopGeneral
"Wallpaper" = "C:WINDOWSsystem32configsystemprofileLocal SettingsApplication DataMagenticRuntimeMagentic Wallpaper.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCUControl PanelDesktop
"Wallpaper" = "C:Documents and SettingsAdministratorLocal SettingsApplication DataMagenticRuntimeMagentic Wallpaper.bmp"

Active Desktop web content (hidden if disabled):

HKCUSoftwareMicrosoftInternet ExplorerDesktopComponents
"FriendlyName" = ""
"Source" = "http://www.gifworks.com/GWbackground.gif"
"SubscribedURL" = "http://www.gifworks.com/GWbackground.gif"


Enabled Screen Saver:
---------------------

HKCUControl PanelDesktop
"SCRNSAVE.EXE" = "C:WINDOWSsystem32MAGENT~1.SCR" (Magentic Screensaver.scr) ["IncrediMail LTD."]


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:Documents and SettingsAll UsersStart MenuProgramsStartup
"Google Updater" -> shortcut to: "C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe -systray -startup" ["Google"]


Enabled Scheduled Tasks:
------------------------

"AdwareAlert Scheduled Scan" -> launches: "C:Program FilesAdwareAlertAdwareAlert.exe scheduled" [file not found]
"ErrorSmart Scheduled Scan" -> launches: "C:Program FilesErrorSmartErrorSmart.exe scheduled" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLMSYSTEMCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000004LibraryPath = "%SystemRoot%System32nwprovau.dll" [MS]

Transport Service Providers

HKLMSYSTEMCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%system32mswsock.dll [MS], 01 - 22
%SystemRoot%system32rsvpsp.dll [MS], 23 - 24


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCUSoftwareMicrosoftInternet ExplorerToolbarWebBrowser
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar1.dll" ["Google Inc."]
"{A057A204-BACC-4D26-9990-79A187E2698E}"
-> {HKLM...CLSID} = "AVGTOOLBAR"
InProcServer32(Default) = "C:PROGRA~1AVGAVG8AVGTOO~1.DLL" ["AVG, Inc. "]

HKLMSOFTWAREMicrosoftInternet ExplorerToolbar
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
InProcServer32(Default) = "c:program filesgooglegoogletoolbar1.dll" ["Google Inc."]
"{2E5E800E-6AC0-411E-940A-369530A35E43}" = (no title provided)
-> {HKLM...CLSID} = "The Weather Channel Toolbar"
InProcServer32(Default) = "C:WINDOWSsystem32TwcToolbarIe7.dll" [null data]
"{A057A204-BACC-4D26-9990-79A187E2698E}" = (no title provided)
-> {HKLM...CLSID} = "AVGTOOLBAR"
InProcServer32(Default) = "C:PROGRA~1AVGAVG8AVGTOO~1.DLL" ["AVG, Inc. "]


hawklord - 19-4-2008 at 16:47

hi,

not much going on there :)

can you go to add/remove programs and uninstall AdwareAlert (if its there)

then navigate to here

C:Program FilesAdwareAlert

right click and delete the folder AdwareAlert (if its there)

empty your recycle bin

post a fresh fooled ? hjt ? log


charles - 19-4-2008 at 17:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:19, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:PROGRA~1AVGAVG8avgfws8.exe
C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
C:Program FilesSpyware DoctorpctsAuxs.exe
C:PROGRA~1AVGAVG8avgam.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesSpyware DoctorpctsSvc.exe
C:WINDOWSsystem32svchost.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:WINDOWSExplorer.EXE
C:Program FilesMicrosoft IntelliType Protype32.exe
C:Program FilesMicrosoft IntelliPointpoint32.exe
C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
C:WINDOWSemMON.exe
C:Program FilesJavajre1.6.0_05binjusched.exe
C:Program FilesSpyware DoctorpctsTray.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesMessengermsmsgs.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe
C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
C:PROGRA~1MagenticbinMgApp.exe
C:Program FilesIncrediMailbinIMApp.exe
C:WINDOWSsystem32wuauclt.exe
C:Program FilesTrend Microfooled.exeHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://mystart.incredimail.com/english
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_05binssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:WINDOWSsystem32TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier3.0.1225.9868swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:WINDOWSsystem32TwcToolbarIe7.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O4 - HKLM..Run: [type32] "C:Program FilesMicrosoft IntelliType Protype32.exe"
O4 - HKLM..Run: [NeroCheck] C:WINDOWSsystem32\NeroCheck.exe
O4 - HKLM..Run: [IntelliPoint] "C:Program FilesMicrosoft IntelliPointpoint32.exe"
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
O4 - HKLM..Run: [emMON] emMON.exe
O4 - HKLM..Run: [DiskeeperSystray] "C:Program FilesDiskeeper CorporationDiskeeperDkIcon.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_05binjusched.exe"
O4 - HKLM..Run: [ISTray] "C:Program FilesSpyware DoctorpctsTray.exe"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKCU..Run: [swg] C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
O4 - HKCU..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [BitTorrent] "C:Program FilesBitTorrentbittorrent.exe" --force_start_minimized
O4 - HKCU..Run: [Magentic] C:PROGRA~1MagenticbinMagentic.exe /c
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [DW4] "C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe"
O4 - HKCU..Run: [IncrediMail] C:Program FilesIncrediMailbinIncMail.exe /c
O4 - Global Startup: Google Updater.lnk = C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MI1933~1OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O10 - Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgfws8.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware DoctorpctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware DoctorpctsSvc.exe
O24 - Desktop Component 0: (no name) - http://www.gifworks.com/GWbackground.gif

--
End of file - 8284 bytes


Hi is that what you want?


charles - 19-4-2008 at 17:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:19, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:PROGRA~1AVGAVG8avgfws8.exe
C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
C:Program FilesSpyware DoctorpctsAuxs.exe
C:PROGRA~1AVGAVG8avgam.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesSpyware DoctorpctsSvc.exe
C:WINDOWSsystem32svchost.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:WINDOWSExplorer.EXE
C:Program FilesMicrosoft IntelliType Protype32.exe
C:Program FilesMicrosoft IntelliPointpoint32.exe
C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
C:WINDOWSemMON.exe
C:Program FilesJavajre1.6.0_05binjusched.exe
C:Program FilesSpyware DoctorpctsTray.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesMessengermsmsgs.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe
C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
C:PROGRA~1MagenticbinMgApp.exe
C:Program FilesIncrediMailbinIMApp.exe
C:WINDOWSsystem32wuauclt.exe
C:Program FilesTrend Microfooled.exeHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://mystart.incredimail.com/english
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_05binssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:WINDOWSsystem32TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier3.0.1225.9868swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:WINDOWSsystem32TwcToolbarIe7.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O4 - HKLM..Run: [type32] "C:Program FilesMicrosoft IntelliType Protype32.exe"
O4 - HKLM..Run: [NeroCheck] C:WINDOWSsystem32\NeroCheck.exe
O4 - HKLM..Run: [IntelliPoint] "C:Program FilesMicrosoft IntelliPointpoint32.exe"
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
O4 - HKLM..Run: [emMON] emMON.exe
O4 - HKLM..Run: [DiskeeperSystray] "C:Program FilesDiskeeper CorporationDiskeeperDkIcon.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_05binjusched.exe"
O4 - HKLM..Run: [ISTray] "C:Program FilesSpyware DoctorpctsTray.exe"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKCU..Run: [swg] C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
O4 - HKCU..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [BitTorrent] "C:Program FilesBitTorrentbittorrent.exe" --force_start_minimized
O4 - HKCU..Run: [Magentic] C:PROGRA~1MagenticbinMagentic.exe /c
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [DW4] "C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe"
O4 - HKCU..Run: [IncrediMail] C:Program FilesIncrediMailbinIncMail.exe /c
O4 - Global Startup: Google Updater.lnk = C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MI1933~1OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O10 - Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgfws8.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware DoctorpctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware DoctorpctsSvc.exe
O24 - Desktop Component 0: (no name) - http://www.gifworks.com/GWbackground.gif

--
End of file - 8284 bytes


Hi is that what you want?


charles - 19-4-2008 at 17:11

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:19, on 19/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:PROGRA~1AVGAVG8avgfws8.exe
C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
C:Program FilesSpyware DoctorpctsAuxs.exe
C:PROGRA~1AVGAVG8avgam.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:PROGRA~1AVGAVG8avgnsx.exe
C:Program FilesSpyware DoctorpctsSvc.exe
C:WINDOWSsystem32svchost.exe
C:PROGRA~1AVGAVG8avgemc.exe
C:WINDOWSExplorer.EXE
C:Program FilesMicrosoft IntelliType Protype32.exe
C:Program FilesMicrosoft IntelliPointpoint32.exe
C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
C:WINDOWSemMON.exe
C:Program FilesJavajre1.6.0_05binjusched.exe
C:Program FilesSpyware DoctorpctsTray.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesMessengermsmsgs.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe
C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
C:PROGRA~1MagenticbinMgApp.exe
C:Program FilesIncrediMailbinIMApp.exe
C:WINDOWSsystem32wuauclt.exe
C:Program FilesTrend Microfooled.exeHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://mystart.incredimail.com/english
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant =
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch =
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_05binssv.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:WINDOWSsystem32TwcToolbarBho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:program filesgooglegoogletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:Program FilesGoogleGoogleToolbarNotifier3.0.1225.9868swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:program filesgooglegoogletoolbar1.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:WINDOWSsystem32TwcToolbarIe7.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O4 - HKLM..Run: [type32] "C:Program FilesMicrosoft IntelliType Protype32.exe"
O4 - HKLM..Run: [NeroCheck] C:WINDOWSsystem32\NeroCheck.exe
O4 - HKLM..Run: [IntelliPoint] "C:Program FilesMicrosoft IntelliPointpoint32.exe"
O4 - HKLM..Run: [HPDJ Taskbar Utility] C:WINDOWSsystem32spooldriversw32x863hpztsb06.exe
O4 - HKLM..Run: [emMON] emMON.exe
O4 - HKLM..Run: [DiskeeperSystray] "C:Program FilesDiskeeper CorporationDiskeeperDkIcon.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_05binjusched.exe"
O4 - HKLM..Run: [ISTray] "C:Program FilesSpyware DoctorpctsTray.exe"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKCU..Run: [swg] C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
O4 - HKCU..Run: [Picasa Media Detector] C:Program FilesPicasa2PicasaMediaDetector
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [BitTorrent] "C:Program FilesBitTorrentbittorrent.exe" --force_start_minimized
O4 - HKCU..Run: [Magentic] C:PROGRA~1MagenticbinMagentic.exe /c
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [DW4] "C:Program FilesThe Weather Channel FWDesktop WeatherDesktopWeather.exe"
O4 - HKCU..Run: [IncrediMail] C:Program FilesIncrediMailbinIncMail.exe /c
O4 - Global Startup: Google Updater.lnk = C:Program FilesGoogleGoogle UpdaterGoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_05binssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:Program FilesieSpelliespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:Program FilesieSpelliespell.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MI1933~1OFFICE11REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O10 - Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgfws8.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:Program FilesDiskeeper CorporationDiskeeperDkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware DoctorpctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware DoctorpctsSvc.exe
O24 - Desktop Component 0: (no name) - http://www.gifworks.com/GWbackground.gif

--
End of file - 8284 bytes


Hi is that what you want?


charles - 19-4-2008 at 17:12

What is this ???

O10 - Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll


hawklord - 19-4-2008 at 17:33

Quote:
Originally posted by charles
What is this ???

O10 - Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll


nothing to worry about

http://www.castlecops.com/lsp-255.html

hijackthis can be a bit ..... can't think of the right word,
it only lists things that seem out of place, it has no idea whether they are dangerous or not - it just knows they are there by reading the registry at certain places,

any questions before we wrap up ?


charles - 19-4-2008 at 18:21

Quote:
Originally posted by hawklord
Quote:
Originally posted by charles
What is this ???

O10 - Unknown file in Winsock LSP: c:windowssystem32nwprovau.dll


nothing to worry about

http://www.castlecops.com/lsp-255.html

hijackthis can be a bit ..... can't think of the right word,
it only lists things that seem out of place, it has no idea whether they are dangerous or not - it just knows they are there by reading the registry at certain places,

any questions before we wrap up ?


I really appreciate your help, my only questions , do you think we may have got rid of whatever it was getting my banking info, and would you reccomend a reformat?


hawklord - 19-4-2008 at 19:07

hi,

i can't really see evidence of a keylogger,
cleanator is just a rogue anti-spyware program that gives false positives to get you to buy it,
the smileycentral issue is just an application that tracks your web usage not your keys,
all the rest were just bits lying around,

as a final precaution though - you have avg 8,

can you update it and run all the scans you can - including the rootkit scan and let me know what happens (i use avg free, but i am not familiar with v8 and don't know whether there are separate scans)


John Barnes - 19-4-2008 at 21:53

I was quoting it being some sort of report back tool due to Google saying it was. It did say it was a dangerous exe to have on the system jmb