
backup virus copies

Discussion in 'Windows - Virus and spyware problems' started by ravens1, Nov 21, 2006.

  1. ravens1

    ravens1 Regular member

    Joined:
    Aug 26, 2006
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    26
    I ran scans with AVG free over about 2 weeks. Once again my computer seems to be infected. I took my PC to a computer store who didn't reformat, but removed ad-aware and viruses.

    So, now I have 33 files in my AVG virus vault. Every virus is almost exactly the same. About 32/33 are 696KB and have random names, which all end in .dll, so random names are like sojbno.dll, uiwvbd.dll. Again, 32/33 are: Trojan Horse Generic2.IKG, also Trojan Horse PSW.Generic2.RFG. They are all backup copies. Every virus file is placed in different folders. My question is how to find the main virus file creating all these little viruses, and can I delete them because they are .dll.
     
  3. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,328
    Likes Received:
    0
    Trophy Points:
    66
    One of those (PSW.Generic2.RFG) is a password-stealing trojan. I strongly recommend you change all your online account passwords, including all bank and financial accounts, from a clean computer of course.

    Please post your HjT log so I can see the problem regenerating the files.
     
    Last edited: Nov 22, 2006
  4. ravens1

    ravens1 Regular member

    I have done HijackThis logs before and saved them, but after I run a scan and click save log, it doesn't prompt me where I want to save it to. I've checked everywhere on my HD.
     
  5. Niobis

    Niobis Active member

    It doesn't prompt you where to save because it is automatically saved when it opens. It will be in the same folder your HijackThis.exe is located.
     
  6. ravens1

    ravens1 Regular member

    I moved HijackThis to a separate folder and saved a log file but the log didn't show up. I think what is creating these viruses is: Win32/spy.VBstat.H trojan
     
  7. Niobis

    Niobis Active member

    Go here to download the trial version of AVG Anti-spyware.

    Install and open AVGAS.
    Click "Update" then click "Start update".
    After updating, close AVGAS.
    Note: Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.
    Restart your computer in safe mode (press F8 upon boot, select "Safe Mode" from menu and press Enter).
    Open AVGAS and click "Scanner".
    Click "Complete System Scan".
    When it finishes scanning, set all items to "Quarantine".
    Click "Apply All Actions".
    Click "Save Report" and save it to the desktop.

    Post back with the AVGAS report and a HijackThis (if possible).
     
  8. ravens1

    ravens1 Regular member

    I visited this post because for some reason my icons changed. Like Adobe Reader changed into a Notepad symbol, etc.

    I read your post, but I've always had trouble booting into safe mode. I properly shut off my PC, get the screen then select safe mode. From there white words (names of files, folders) start scrolling on my screen. Then my PC makes a sound and restarts.

    I have AVGAS but when I scan all it comes up with is tracking cookies. My avgav now has 44 trojans in it. I think the virus that is causing these problems is Win32/spy.VBstat.H Trojan, because I get access denied when trying to rename, delete, & quarantine.

    Another problem is I'll be using Firefox and this blank popup comes up. The URL is just random letters and numbers, and all blank.

    Also, since I got my PC fixed I will be using Firefox, then my start bar, icons and everything in the background disappears, but still enabling me to use Firefox. Like I'll minimize Firefox and all that's there is my background.

    For a while I haven't downloaded anything!, but new Trojans appear. They aren't a random name. Like Win32/spy (something)


    Thanks for all your help.
     
    Last edited: Nov 29, 2006
  9. Niobis

    Niobis Active member

    Okay, I'd really like to see your HijackThis log.

    Do a system scan and save a logfile. When Notepad opens with the log, copy/paste it immediately into your reply box. Don't worry about trying to save it.
     
  10. ravens1

    ravens1 Regular member

    I'd like to post the log file but right after I scan, then I click save, and it saves. Where? I don't know. I've checked every folder on my HD. It doesn't open with Notepad right away so I can copy and paste.
     
  11. Niobis

    Niobis Active member

    Are you clicking "Do a system scan only" or "Do a system scan and save a logfile"?

    You need to click "Do a system scan and save a log file". And then, after the scan is complete Notepad will launch. Then copy/paste the results.


    If Notepad doesn't open automatically with the log, uninstall HijackThis via Add/Remove Programs.
    Re-download HijackThis.
    Create a folder in C:\ named HjT
    Unzip the HijackThis file there.
    Then, "Do a system scan and save a log file".
    Notepad should open automatically. If it does not, the log file will be located at C:\HjT\HijackThis.txt
     
  12. ravens1

    ravens1 Regular member

    My computer seems to be getting much worse. I opened Mozilla and 54 IE popups came up...

    Also for HjT, all there is is scan. After the scan there is save log. That's all. My PC doesn't start in safe mode.. and I think that viruses are removed in safe mode...
     
    Last edited: Nov 30, 2006
  13. ravens1

    ravens1 Regular member

    I downloaded a different version.


    Logfile of HijackThis v1.99.1
    Scan saved at 4:11:44 PM, on 11/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140209414083
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146943814406
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O16 - DPF: {FBAA44A9-2AF3-450D-9881-BFE7BE67D852} - http://www.geoplayer.com/downloads/GeoPlayerX.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  14. Niobis

    Niobis Active member

    Now I know your problems. Just needed the HjT log. :)

    Download VundoFix to your desktop.

    Double-click VundoFix.exe to run it.
    Click "Scan for Vundo".
    Once it's done scanning, click "Remove Vundo".
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Post the contents of C:\vundofix.txt along with a new HijackThis log.
     
    Last edited: Nov 30, 2006
  15. ravens1

    ravens1 Regular member

    Here it is:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:26:37 PM, on 12/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\fybdsiyd.dll
    O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - (no file)
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
    O2 - BHO: (no name) - {69A51048-7C28-47E0-A4AC-D37F8A17CD20} - C:\WINDOWS\awveuala.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140209414083
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146943814406
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O16 - DPF: {FBAA44A9-2AF3-450D-9881-BFE7BE67D852} - http://www.geoplayer.com/downloads/GeoPlayerX.cab
    O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
    O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



    thanks again for your help!!! :)
     
    Last edited: Dec 1, 2006
  17. Niobis

    Niobis Active member

    Go to Add/Remove Programs and uninstall:
    VSAdd-in

    Delete this folder:
    C:\Program Files\VSAdd-in

    Then, run a scan only with HijackThis, check these (if there):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/frontiersidebar.jsp?p=CI
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - (no file)
    O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\fybdsiyd.dll
    O2 - BHO: (no name) - {38E77F01-89FC-44f5-B3AB-11DDEB791947} - (no file)
    O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
    O2 - BHO: (no name) - {69A51048-7C28-47E0-A4AC-D37F8A17CD20} - C:\WINDOWS\awveuala.dll (file missing)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
    O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)


    Close all windows except HijackThis, then click "Fix checked".

    Go here and download CCleaner.
    Note: If you do not want Yahoo! Toolbar uncheck the option when installing.
    Open CCleaner.
    Click Options > Advanced > uncheck "Only delete files in Windows Temp folders older than 48 hours".
    Close all windows.
    Click Cleaner > Run Cleaner.

    Exit CCleaner and restart your computer.


    Then, go here to run ActiveScan.
    Click "Panda ActiveScan".
    Fill in the form with your information.
    After downloading, click My Computer to scan.
    When it finishes, click "See Report".
    Click "Save report" and save it to the desktop.

    Post back with the ActiveScan log and a new HijackThis log.
     
    Last edited: Dec 1, 2006
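
An added example, not part of the original thread: a short Python triage pass over HijackThis v1.99.1 entry lines like those in the logs above, flagging nameless IE extensions, entries whose target file is missing, and ActiveX downloads (O16) fetched from a bare IP address. The heuristics, flag names and function names are assumptions chosen for illustration; they are not HijackThis features and not the helper's own method.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entry lines copied from the second HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {38E77F06-89FC-44f5-B3AB-11DDEB791947} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\fybdsiyd.dll
O2 - BHO: (no name) - {69A51048-7C28-47E0-A4AC-D37F8A17CD20} - C:\WINDOWS\awveuala.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140209414083
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - Winlogon Notify: winzzc32 - winzzc32.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# "<section> - <body>", where section is R0..R3, F0..F3 or O1..O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# URL whose host is a dotted-quad IPv4 literal rather than a host name.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[:/]|$)")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, process paths and blanks."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    entry = Entry(m["section"], m["body"])
    clsid = CLSID_RE.search(entry.body)
    entry.clsid = clsid.group(0) if clsid else None
    return entry


def apply_heuristics(entry: Entry) -> Entry:
    """Attach review flags (illustrative heuristics, assumed for this example)."""
    body = entry.body
    # Search hooks, BHOs and toolbars that register without a display name.
    if entry.section in ("R3", "O2", "O3") and "(no name)" in body:
        entry.flags.append("nameless-ie-extension")
    # Registry entry survives but the file it points to is gone.
    if body.endswith(("(file missing)", "(no file)")):
        entry.flags.append("target-missing")
    # ActiveX control (Downloaded Program Files) installed from a bare IP.
    if entry.section == "O16" and IP_URL_RE.search(body):
        entry.flags.append("activex-from-raw-ip")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every entry line in a log and apply the heuristics."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [apply_heuristics(e) for e in parsed if e is not None]


def flagged(log_text: str) -> List[Entry]:
    """Return only the entries that received at least one flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<4}{','.join(e.flags):<40}{e.body}")
```

A flag marks a line for a human to look at, not a verdict on it; legitimate software can also leave orphaned entries behind.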
  18. ravens1

    ravens1 Regular member

    I removed VS-add in from Add/Remove Programs, but when I tried to remove it from Program Files it said something like: "access is denied", and that I'm running the process now and can't delete.

    I stopped the ActiveScan slightly early. It didn't remove anything.. but here's the log:


    Incident Status Location

    Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
    Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
    Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
    Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\8ujywt2u.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\8ujywt2u.default\cookies.txt[.cdfreaks.com/]
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\8ujywt2u.default\cookies.txt[.club.cdfreaks.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Alex\Cookies\alex@atwola[1].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Eliot\Application Data\Mozilla\Firefox\Profiles\p72y4v5o.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Eliot\Application Data\Mozilla\Firefox\Profiles\p72y4v5o.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies-1.txt[.casalemedia.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies-1.txt[.go.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies-1.txt[.adrevolver.com/]
    Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies-1.txt[.did-it.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies-1.txt[.apmebf.com/]
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies-1.txt[.club.cdfreaks.com/]
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies-1.txt[.cdfreaks.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies-1.txt[.adultfriendfinder.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Julio\Application Data\Mozilla\Firefox\Profiles\tjjsihwz.default\cookies.txt[.go.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Julio\Cookies\julio@atwola[1].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Julio\Cookies\julio@drivecleaner[2].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Julio\Cookies\julio@www.drivecleaner[1].txt
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Julio\Local Settings\Temp\Cookies\julio@cdfreaks[2].txt
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Julio\Local Settings\Temp\Cookies\julio@club.cdfreaks[2].txt
    Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Documents and Settings\Julio\Local Settings\Temp\uopfxfvy.exe
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\120ppse8.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\120ppse8.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\120ppse8.default\cookies.txt[.zedo.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\Profiles\120ppse8.default\cookies.txt[.go.com/]
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mom\Cookies\mom@drivecleaner[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mom\Cookies\mom@go[2].txt
    Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mom\Cookies\mom@stats.drivecleaner[2].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Mom\Cookies\mom@target[1].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Mom\Cookies\mom@winantivirus[2].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Mom\Cookies\mom@www.winantivirus[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mom\Local Settings\Temp\Cookies\mom@atwola[1].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Mom\Local Settings\Temp\Cookies\mom@target[1].txt
    Spyware:Cookie/SpywareQuake Not disinfected C:\Documents and Settings\Mom\Local Settings\Temp\Cookies\mom@www.spywarequake[1].txt
    Adware:Adware/WebSearch Not disinfected C:\Hjt\backups\backup-20061201-165425-494.dll






    HJT log:



    Logfile of HijackThis v1.99.1
    Scan saved at 9:13:47 PM, on 12/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\uTorrent\utorrent.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Hjt\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140209414083
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146943814406
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {FBAA44A9-2AF3-450D-9881-BFE7BE67D852} - http://www.geoplayer.com/downloads/GeoPlayerX.cab
    O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



     
  19. Niobis

    Niobis Active member

    Yes, delete all of them.

    Delete it in safe mode.

    It's not made to remove anything. It will simply let me know what is still present and what you can remove. How early did you stop it?

    ---------------------------------------------------------------------------

    Copy the following [bold]bold[/bold] text into Notepad (not WordPad).

    [bold]REGEDIT4

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}][/bold]

    Make sure there are NO blank lines before REGEDIT4.
    Name the file [bold]Fix.reg[/bold]
    Change the "Save as Type" to [bold]All Files[/bold] and save it on the desktop.
    Open the Fix.reg file and click Yes when prompted to merge.
    After merging, you may delete the reg file.

    Fix this with HjT:
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe

    Restart in safe mode and delete the following:
    C:\WINDOWS\System32\ot.ico <--file
    C:\WINDOWS\smdat32m.sys <--file
    C:\Program Files\MyWay <--folder
    C:\Program Files\VSAdd-in <--folder

    Empty the Recycle Bin and restart in normal mode.

    Go here and download [bold]ATF Cleaner[/bold].
    Open ATF Cleaner.
    Check "Select All".
    Click "Empty Selected".
    Click "Firefox".
    Select all except "Save Passwords".
    Click "Empty Selected".
    Exit ATF Cleaner.

    Java is out of date.
    Go here and download [bold]Java Runtime Environment 5.0 Update 10[/bold].
    Uninstall all previous versions and updates of JRE via [bold]Add/Remove Programs[/bold].
    Restart and install [bold]Update 10[/bold].

    Clear the System Restore folder.
    Right click [bold]My Computer[/bold] > [bold]Properties[/bold] > [bold]System Restore tab[/bold] > check "[bold]Turn off System Restore[/bold]".
    Click [bold]Apply[/bold], then [bold]OK[/bold].
    Restart and turn System Restore back on.


    How are things? Any problems?
     
  20. ravens1

    ravens1 Regular member

    Oh my god. I can't thank you enough for your help.

    But I have a problem. I did everything you told me to do until the part of restarting my computer in safe mode. Before I got my PC cleaned up (2 months ago), because I set Windows to start in safe mode only. Well, safe mode was a no-go. I couldn't restart Windows normally or anything. So I still have the problem of safe mode. I select safe mode (startup), then my monitor scrolls down with white folders/files. It's kind of difficult to explain. Should I take a video or something?
     
    Last edited: Dec 1, 2006
