Hi Jack Log File

[martymas]

hi team i need your help for a lady friend

who i suspect has got a hi-jack

i get her to scan with hi-jack this

and send me the log file

as she is a complete dunce with compt

i need your instructions on how to clean it

from porno sites from her partiner

thanks

marty

This is the log of the hijack this scan - I cannot see anything there - can you?

Logfile of HijackThis v1.99.1

Scan saved at 12:52:32 p.m., on 2/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\keyhook.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\Program Files\D-Link\DSL-200\dslstat.exe

C:\Program Files\D-Link\DSL-200\dslagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\SpyNoMore\SNM.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\PROGRA~1\Webshots\webshots.scr

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...Og==&lid=16

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe

O4 - HKLM\..\Run: [Quick Heal Startup Scan] C:\PROGRA~1\QUICKH~1\QHSTRT32.EXE /LOADRUN

O4 - HKLM\..\Run: [Quick Heal e-mail Protection] C:\PROGRA~1\QUICKH~1\MailSvr.exe

O4 - HKLM\..\Run: [QH Live Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK

O4 - HKLM\..\Run: [Quick Heal On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE

O4 - HKLM\..\Run: [Quick Heal Messenger] C:\PROGRA~1\QUICKH~1\QHM32.EXE

O4 - HKLM\..\Run: [Quick Heal Scheduler] C:\PROGRA~1\QUICKH~1\QHSCHED.EXE /startup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SmartUI.lnk = ?

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132953110843

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{A69A751D-7E8B-47C1-9AEF-68C63FFBFEBB}: NameServer = 85.255.115.83,85.255.112.206

O17 - HKLM\System\CCS\Services\Tcpip\..\{B513604E-8BE6-4B30-9473-B9155F41931F}: NameServer = 85.255.115.83,85.255.112.206

O17 - HKLM\System\CCS\Services\Tcpip\..\{BCC1DD23-4033-4867-9125-BDD3972DC4C5}: NameServer = 85.255.115.83,85.255.112.206

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll

O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

[jwbirdsong]

Hello,

* Please download FixwareOut from one of the following sites:

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. If your firewall gives an alert about downloading an additional file from the internet,make SURE to allow it.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

[martymas]

Hello,

* Please download FixwareOut from one of the following sites:

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. If your firewall gives an alert about downloading an additional file from the internet,make SURE to allow it.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

hi thanks for your reply

it is very much appreciated

i have to relay it to another board

im trying to get her to join BT'S

but she know so little about compt and messages boards

that she is frightened to make the change

so your post is welcome

ile get back to you once she pms me

thanks again

marty

[martymas]

hi jwbirdsong

this is the scan you want posted in

she has done all you ask for

is there any thing i need to pass on to her

marty

Fixwareout Last edited 6/27/2007

Post this report in the forums please

...

»»»»»Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A69A751D-7E8B-47C1-9AEF-68C63FFBFEBB}

"nameserver"="85.255.115.83,85.255.112.206" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B513604E-8BE6-4B30-9473-B9155F41931F}

"nameserver"="85.255.115.83,85.255.112.206" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BCC1DD23-4033-4867-9125-BDD3972DC4C5}

"nameserver"="85.255.115.83,85.255.112.206" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B513604E-8BE6-4B30-9473-B9155F41931F}

"DhcpNameServer"="85.255.115.83,85.255.112.206" <Value cleared.

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BCC1DD23-4033-4867-9125-BDD3972DC4C5}

"DhcpNameServer"="85.255.115.83,85.255.112.206" <Value cleared.

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

....

»»»»» Misc files.

....

»»»»» Checking for older varients.

....

»»»»» Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"

"SiS Windows KeyHook"="C:\\WINDOWS\\system32\\keyhook.exe"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"

"DSLSTATEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslstat.exe icon"

"DSLAGENTEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslagent.exe"

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"

"Quick Heal Startup Scan"="C:\\PROGRA~1\\QUICKH~1\\QHSTRT32.EXE /LOADRUN"

"Quick Heal e-mail Protection"="C:\\PROGRA~1\\QUICKH~1\\MailSvr.exe"

"QH Live Update Scheduler"="C:\\PROGRA~1\\QUICKH~1\\UPSCHD.EXE /CHECK"

"Quick Heal On-Line Protection"="C:\\PROGRA~1\\QUICKH~1\\CATEYE.EXE"

"Quick Heal Messenger"="C:\\PROGRA~1\\QUICKH~1\\QHM32.EXE"

"Quick Heal Scheduler"="C:\\PROGRA~1\\QUICKH~1\\QHSCHED.EXE /startup"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

"SNM"="C:\\Program Files\\SpyNoMore\\SNM.exe /startup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

"hotComm"=""

"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"IncrediMail"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe /c"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

and the hijack this log

Logfile of HijackThis v1.99.1

Scan saved at 6:47:22 p.m., on 2/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\keyhook.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\Program Files\D-Link\DSL-200\dslstat.exe

C:\Program Files\D-Link\DSL-200\dslagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\SpyNoMore\SNM.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe

C:\WINDOWS\system32\sistray.exe

C:\PROGRA~1\Webshots\webshots.scr

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...Og==&lid=16

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [siS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe

O4 - HKLM\..\Run: [Quick Heal Startup Scan] C:\PROGRA~1\QUICKH~1\QHSTRT32.EXE /LOADRUN

O4 - HKLM\..\Run: [Quick Heal e-mail Protection] C:\PROGRA~1\QUICKH~1\MailSvr.exe

O4 - HKLM\..\Run: [QH Live Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK

O4 - HKLM\..\Run: [Quick Heal On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE

O4 - HKLM\..\Run: [Quick Heal Messenger] C:\PROGRA~1\QUICKH~1\QHM32.EXE

O4 - HKLM\..\Run: [Quick Heal Scheduler] C:\PROGRA~1\QUICKH~1\QHSCHED.EXE /startup

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: SmartUI.lnk = ?

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132953110843

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll

O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited July 2, 2007 by martymas

[jwbirdsong]

You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

Couple of things, You friend seems to be running different Anti_Virus programs(AVG and Avast) ...While one is a MUST have running two can/will cause them to fight for resources and control of system and can cause slow down and errors. She should pick one and uninstall the other.

Please go here to upload a suspicious file for analysis.

• Enter your username from this forum
  
• Copy and paste the link to this thread
  
• Browse for this filename: C:\WINDOWS\expro.dll also C:\WINDOWS\vpssup.dll
  
• In the comments, please mention that I asked you to upload this file
  
• Click on Send File
  

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

• Open Spybot Search & Destroy.
  
• In the Mode menu click "Advanced mode" if not already selected.
  
• Choose "Yes" at the Warning prompt.
  
• Expand the "Tools" menu.
  
• Click "Resident".
  
• Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  
• In the File menu click "Exit" to exit Spybot Search & Destroy.
  

Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll

O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll

O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll

Close ALL other open windows and programs and click Fix checked.

Reboot

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
  
• A new window will open...click the Check Now button
  
• Enter your Country
  
• Enter your State/Province
  
• Enter your e-mail address and click send
  
• Select either Home User or Company
  
• Click the big Scan Now button
  
• If it wants to install an ActiveX component allow it
  
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  
• When download is complete, click on My Computer to start the scan
  
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log