therock247uk Posted October 7, 2006

Please make sure your PC is set to show all hidden files and folders. Go here for instructions on how to do this: http://pchowtos.co.uk/index.php?page=tutor...=view&id=34

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.

Boot into safemode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select safemode.

While in safemode, open Hijackthis and click scan. Then check mark the following entries:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll

Now close all open windows except Hijackthis and click fix checked.

Delete the folders (if present):
C:\WINDOWS\inet20004

Please double-click Killbox.exe to run Killbox. Select: Delete on Reboot, then click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  C:\WINDOWS\System32\win_a3.dll
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Then post a new Hijackthis log here in a reply. Also:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

And do you know what file this is? C:\Program Files\Picasa\pinstall.dll

taniguce Posted October 7, 2006

1. I ran Hijack This and checked the boxes to delete. I received an error message regarding deleting the O20 box, O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll. It should be noted in the hijack logfile.
2. I ran Killbox and did receive the message regarding any PendingFileRenameOperations prompt. I clicked OK at this prompt as you instructed.
3. I do not know what the C:\Program Files\Picasa\pinstall.dll is. I do have a "Hello" folder in the C:\Program Files\ directory which I don't know anything about. In the folder, it has a Picasa icon. I did a search on Google regarding the Hello.exe program. It looks like another spyware. I have a feeling this is also a bad program or something that should be deleted. I also have a Picasa and a Picasa2 folder in the C:\Program Files\ directory of which I do not know anything about. Can I just uninstall these programs? Please advise on these.

Hijack Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:42:17 PM, on 10/7/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

**************************************************************************************

Uninstall_list.txt:

Adaptec DirectCD
Adaptec Easy CD Creator 4
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop 6.0
Adobe Reader 6.0.1
Adobe SVG Viewer
Arabic Language Support
ATI - Software Uninstall Utility
ATI Control Panel
AVG Anti-Spyware 7.5
AVG Free Edition
Backpack Driver
By Design Home
CCleaner (remove only)
Chinese (Simplified) Language Support
Chinese (Traditional) Language Support
Eudora
Galaris Musicians Directory 2005
Hebrew Language Support
Hello (remove only)
HijackThis 1.99.1
HP DeskJet 930C Series (Remove only)
HP PhotoSmart Photo Printing Software
HydraVision
Intel HaM Modem Drivers and Utilities
J2SE Runtime Environment 5.0 Update 6
Japanese Language Support
Keynote Connector
Korean Language Support
Kova-Solutions jBackup
LSP Explorer plug-in for Ad-Aware SE
Macromedia Dreamweaver
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee Firewall
McAfee VirusScan Home Edition
Microsoft Data Access Components KB870669
Microsoft Office 97, Professional Edition
Microsoft VGX Q833989
Mozilla Firefox (1.5)
Offer Optimizer
Outlook Express Q837009
Paint Shop Pro Shareware Version 3.11
Panda ActiveScan
Pan-European Language Support
Picasa 2
Pop-Up Stopper Free Edition
RealPlayer
RegScrubXP 3.25
Shopping Wizard
Sound Blaster AudioPCI
Spybot - Search & Destroy 1.3
SpywareBlaster v3.5.1
SpywareGuard v2.2
STOMP Backup MyPC
STOMP Backup MyPC Update Manager
Thai Language Support
Tweak-SE plug-in for Ad-Aware SE
VIA Audio Driver Setup Program
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB887822
Windows XP Hotfix (SP1) [see Q329048 for more information]
Windows XP Hotfix (SP1) [see Q329390 for more information]
Windows XP Hotfix (SP1) [see Q329441 for more information]
Windows XP Hotfix (SP1) [see Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [see Q329115 for more information]
WinZip

taniguce Posted October 7, 2006

This is an addition to my last reply. I didn't know if I was supposed to create another HiJack logfile after the 3 boxes were checked and deleted. So, I went back and ran another scan and created a logfile just in case. I am sorry if I should have done this before I sent you the previous Hijack Logfile. Hope this is not confusing. Thanks for all the help you have been giving me. I really appreciate it.

New HiJack Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 4:26:46 PM, on 10/7/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
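
One way to confirm from the two posted HijackThis logs that the three entries selected for fixing are gone and that nothing else changed, as an added example that is not part of any post in this thread. BEFORE and AFTER are excerpts of the 3:42:17 PM and 4:26:46 PM logs, and the function names are this example's own.

```python
import re

# HijackThis entry lines begin with a section code (R0, R3, O2, O4, O20, O23, ...)
# followed by " - ". Header lines and the running-process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Excerpt of the log saved at 3:42:17 PM on 10/7/2006.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:42:17 PM, on 10/7/2006
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

# Excerpt of the log saved at 4:26:46 PM on 10/7/2006.
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:26:46 PM, on 10/7/2006
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

# The three entries the helper asked to have check-marked and fixed.
TARGETS = [
    ("R3", r"Default URLSearchHook is missing"),
    ("O4", r"HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe"),
    ("O20", r"AppInit_DLLs: C:\WINDOWS\System32\win_a3.dll"),
]


def parse_entries(log_text):
    """Return the set of (section code, body) entries found in a HijackThis log."""
    entries = set()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.add((match.group("code"), match.group("body").strip()))
    return entries


def verify_fix(before_log, after_log, targets):
    """Compare two logs and report what happened to the targeted entries.

    'collateral' lists entries that disappeared without being targeted, and
    'new_entries' lists entries that appeared between the scans; both deserve a
    second look before the cleanup is declared finished.
    """
    before, after = parse_entries(before_log), parse_entries(after_log)
    removed, added = before - after, after - before
    target_set = set(targets)
    still_present = [t for t in targets if t in after]
    return {
        "removed_targets": [t for t in targets if t in removed],
        "still_present": still_present,
        "not_in_before": [t for t in targets if t not in before],
        "collateral": sorted(removed - target_set),
        "new_entries": sorted(added),
        "clean": not still_present and not (removed - target_set) and not added,
    }


if __name__ == "__main__":
    report = verify_fix(BEFORE, AFTER, TARGETS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A missing O20 line shows that the log no longer lists the DLL under AppInit_DLLs; it does not by itself show that the file was deleted from disk.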

taniguce Posted October 8, 2006

OK, I just found out that my husband downloaded and installed the Hello and Picasa programs for his blog that he uses on his website. So, I guess the C:\program files\picasa\pinstall is a valid file that is part of these programs. Sorry again for not knowing sooner and not letting you know in two previous replies.

Thank you.
therock247uk Posted October 8, 2006

What files are in c:\!killbox?
taniguce (Author) Posted October 8, 2006

Files in c:\!killbox:
1. Logs (folder), in this folder is a file called kb
2. conscorr.ini
3. z2748.exe (when I went into the !killbox folder, the AVG Anti-Spyware you had me load previously comes up and states that "Malware found" Name: Downloader.CWS.ab Location: C:\!KillBox\z2748.exe)

Below are the contents of the file called kb:

Pocket Killbox version 2.0.0.881
Running on Windows XP as Leigh Silberg(Administrator)
was started @ Thursday, October 05, 2006, 8:10 PM

# 1 [Delete on Reboot]
Path = C:\windows\inf\conscorr.inf

# 2 [Delete on Reboot]
Path = c:\temp\FLEOK

# 3 [Delete on Reboot]
Path = C:\Documents and Settings\Leigh Silberg\Favorites\health

# 4 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\z2924.exe

# 5 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\z2748.exe

# 6 [Delete on Reboot]
Path = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.ocx

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 8:15:03 PM
Killbox Closed(Exit) @ 8:19:20 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Leigh Silberg(Administrator)
was started @ Saturday, October 07, 2006, 3:48 PM

# 1 [Delete on Reboot]
Path = c:\windows\system32\win_a3.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 3:51:51 PM
Killbox Closed(Exit) @ 3:52:36 PM
__________________________________________________
therock247uk Posted October 8, 2006

Ok post a new Hijackthis log here in a reply and let me know how things are running...
taniguce (Author) Posted October 9, 2006

Logfile of HijackThis v1.99.1
Scan saved at 5:14:13 PM, on 10/8/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

******************************************************************************

I also ran the AVG anti-spyware in safemode after getting the malware alert for the file in c:\!killbox directory that it found. Here is the text file for that report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at: 2:01:21 PM 10/8/2006

 + Scan result:

C:\System Volume Information\_restore{6EBA4C03-A18F-4374-9B57-78EB62701D84}\RP279\A0047549.ocx -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\сhkntfs.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\!KillBox\z2748.exe -> Downloader.CWS.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6EBA4C03-A18F-4374-9B57-78EB62701D84}\RP279\A0047539.exe -> Downloader.CWS.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6EBA4C03-A18F-4374-9B57-78EB62701D84}\RP279\A0047548.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).

::Report end

********************************************************************************

I also uninstalled the AVG anti-virus software since I already have Mcafee running. I read awhile back that having more than one anti-virus program can create problems. I only installed the free version of the AVG when I couldn't get into the Mcafee update page. After you have been helping me, I can now get into their page to download the latest dat files. Otherwise, so far I think things are running OK. I just don't understand why the AVG Anti-Spyware program found 5 more problems that it quarantined after all the scanning and cleaning that was already done previously. Please advise on this.

Thank you.
therock247uk Posted October 9, 2006

Let's clear your restore points...

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. (Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Run another scan and tell me if it finds anything...
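The AVG Anti-Spyware report posted earlier in the thread lists most of its hits under System Restore and the Killbox folder rather than in live system paths. The following added example (not part of the thread or of any tool named in it) parses result lines in that report's format and groups them by location; the location labels, the function names, the reading of C:\!KillBox as Killbox's backup copy, and the Cyrillic first letter in the chkntfs name are assumptions of the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the five result lines of the AVG Anti-Spyware report from the
# thread. The chkntfs line is appended with an explicit escape because this
# example assumes its first letter is Cyrillic U+0441, not ASCII "c".
REPORT = r"""
 + Scan result:
C:\System Volume Information\_restore{6EBA4C03-A18F-4374-9B57-78EB62701D84}\RP279\A0047549.ocx -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\!KillBox\z2748.exe -> Downloader.CWS.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6EBA4C03-A18F-4374-9B57-78EB62701D84}\RP279\A0047539.exe -> Downloader.CWS.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6EBA4C03-A18F-4374-9B57-78EB62701D84}\RP279\A0047548.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
""" + "C:\\WINDOWS\\SYSTEM32\\\u0441hkntfs.exe -> Adware.PurityScan : Cleaned with backup (quarantined).\n::Report end\n"

# "<path> -> <detection> : <action>" as seen in the report's result lines.
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) : (?P<action>.+)$")
# Files captured inside a System Restore point (RPnnn folder).
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\(rp\d+)\\", re.I)
# Assumption: C:\!KillBox holds copies Killbox kept of files it deleted.
KILLBOX_RE = re.compile(r"^[a-z]:\\!killbox\\", re.I)


@dataclass
class Finding:
    path: str
    detection: str
    action: str
    location: str                  # hypothetical labels, see classify()
    restore_point: Optional[str]   # e.g. "RP279" for restore-point copies
    non_ascii_name: bool           # file name contains look-alike characters


def classify(path: str):
    """Return (location label, restore point or None) for a reported path."""
    m = RESTORE_RE.match(path)
    if m:
        return "system-restore", m.group(1).upper()
    if KILLBOX_RE.match(path):
        return "killbox-backup", None
    return "live-filesystem", None


def parse_report(text: str) -> List[Finding]:
    """Extract findings; headers, separators and '::Report end' are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        location, rp = classify(path)
        filename = path.rsplit("\\", 1)[-1]
        findings.append(Finding(path, m.group("name"), m.group("action"),
                                location, rp, not filename.isascii()))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per location label."""
    return Counter(f.location for f in findings)


if __name__ == "__main__":
    results = parse_report(REPORT)
    for location, count in summarize(results).items():
        print(f"{location}: {count}")
    for f in results:
        if f.non_ascii_name:
            print("non-ASCII file name:", ascii(f.path))
```

Restore-point copies are deleted when System Restore is turned off, which is why the reset above is followed by a fresh scan; a hit in a live path with a non-ASCII file name deserves a closer look because it can imitate a system file name.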
taniguce (Author) Posted October 9, 2006

I ran another AVG Anti-Spyware scan in safemode. It did not find anything this time, so there is no report to copy/paste to you.
therock247uk Posted October 9, 2006

Ok post a new Hijackthis log here in a reply.
taniguce (Author) Posted October 9, 2006

Logfile of HijackThis v1.99.1
Scan saved at 9:11:28 AM, on 10/9/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A22FCC59-1921-45B8-AA99-CD01D1A01DA9} - http://nexpoly.co.kr/controls/nixplay25.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
therock247uk Posted October 9, 2006

Your log is clean.

Here are some tips. To reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Other necessary Programs:

AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall is definitely a must have. Three good free versions are Kerio, Sygate and ZoneLabs.
taniguce (Author) Posted October 9, 2006

Thank you so much for all your help. I really appreciate it. I will definitely take the tips you gave me to protect my pc. Thanks, again.
therock247uk Posted October 9, 2006

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.