martymas
Posted July 2, 2007

Hi team,

I need your help for a lady friend who I suspect has got a hijack. I get her to scan with HijackThis and send me the log file, as she is a complete dunce with computers. I need your instructions on how to clean it from porno sites from her partner.

Thanks,
marty

This is the log of the HijackThis scan - I cannot see anything there - can you?

Logfile of HijackThis v1.99.1
Scan saved at 12:52:32 p.m., on 2/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...Og==&lid=16
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [Quick Heal Startup Scan] C:\PROGRA~1\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] C:\PROGRA~1\QUICKH~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Quick Heal Messenger] C:\PROGRA~1\QUICKH~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Scheduler] C:\PROGRA~1\QUICKH~1\QHSCHED.EXE /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132953110843
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A69A751D-7E8B-47C1-9AEF-68C63FFBFEBB}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{B513604E-8BE6-4B30-9473-B9155F41931F}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCC1DD23-4033-4867-9125-BDD3972DC4C5}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
jwbirdsong
Posted July 2, 2007

Hello,

Please download FixwareOut from one of the following sites:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. If your firewall gives an alert about downloading an additional file from the internet, make SURE to allow it.

Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.
martymas (Author)
Posted July 2, 2007

Quote: jwbirdsong's FixwareOut instructions above.

Hi, thanks for your reply, it is very much appreciated. I have to relay it to another board. I'm trying to get her to join BT's, but she knows so little about computers and message boards that she is frightened to make the change, so your post is welcome. I'll get back to you once she PMs me.

Thanks again,
marty
martymas (Author)
Posted July 2, 2007 (edited)

Hi jwbirdsong,

This is the scan you wanted posted in. She has done all you asked for. Is there anything I need to pass on to her?

marty

Fixwareout
Last edited 6/27/2007
Post this report in the forums please ...

»»»»» Prerun check
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A69A751D-7E8B-47C1-9AEF-68C63FFBFEBB}
"nameserver"="85.255.115.83,85.255.112.206" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B513604E-8BE6-4B30-9473-B9155F41931F}
"nameserver"="85.255.115.83,85.255.112.206" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BCC1DD23-4033-4867-9125-BDD3972DC4C5}
"nameserver"="85.255.115.83,85.255.112.206" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B513604E-8BE6-4B30-9473-B9155F41931F}
"DhcpNameServer"="85.255.115.83,85.255.112.206" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BCC1DD23-4033-4867-9125-BDD3972DC4C5}
"DhcpNameServer"="85.255.115.83,85.255.112.206" <Value cleared.

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SiS Windows KeyHook"="C:\\WINDOWS\\system32\\keyhook.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"DSLSTATEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\D-Link\\DSL-200\\dslagent.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"
"Quick Heal Startup Scan"="C:\\PROGRA~1\\QUICKH~1\\QHSTRT32.EXE /LOADRUN"
"Quick Heal e-mail Protection"="C:\\PROGRA~1\\QUICKH~1\\MailSvr.exe"
"QH Live Update Scheduler"="C:\\PROGRA~1\\QUICKH~1\\UPSCHD.EXE /CHECK"
"Quick Heal On-Line Protection"="C:\\PROGRA~1\\QUICKH~1\\CATEYE.EXE"
"Quick Heal Messenger"="C:\\PROGRA~1\\QUICKH~1\\QHM32.EXE"
"Quick Heal Scheduler"="C:\\PROGRA~1\\QUICKH~1\\QHSCHED.EXE /startup"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SNM"="C:\\Program Files\\SpyNoMore\\SNM.exe /startup"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"hotComm"=""
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"IncrediMail"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe /c"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

And the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:22 p.m., on 2/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...Og==&lid=16
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [Quick Heal Startup Scan] C:\PROGRA~1\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] C:\PROGRA~1\QUICKH~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] C:\PROGRA~1\QUICKH~1\UPSCHD.EXE /CHECK
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] C:\PROGRA~1\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [Quick Heal Messenger] C:\PROGRA~1\QUICKH~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Scheduler] C:\PROGRA~1\QUICKH~1\QHSCHED.EXE /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132953110843
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited July 2, 2007 by martymas
jwbirdsong
Posted July 4, 2007

You need to print this out or save a copy to Notepad for reading, because you can NOT have IE/FF or any browser open while doing the fix.

Couple of things. Your friend seems to be running different anti-virus programs (AVG and Avast). While one is a MUST-have, running two can/will cause them to fight for resources and control of the system, and can cause slowdowns and errors. She should pick one and uninstall the other.

Please go here to upload a suspicious file for analysis.
Enter your username from this forum.
Copy and paste the link to this thread.
Browse for this filename: C:\WINDOWS\expro.dll, also C:\WINDOWS\vpssup.dll
In the comments, please mention that I asked you to upload this file.
Click on Send File.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

Open HijackThis and click on Do a system scan only.
Place a check mark next to the following:

O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll
O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll

Close ALL other open windows and programs and click Fix checked.
Reboot.

Please go HERE to run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report and a fresh HijackThis log.
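The triage jwbirdsong did by eye in this thread can be done mechanically: the O17 NameServer values pointing at resolvers the owner never configured (the entries Fixwareout cleared) and the O2/O21 DLLs loading from the bare C:\WINDOWS directory (the entries HijackThis was told to fix), plus a before/after comparison of the two posted logs so the effect of a fix is confirmed rather than eyeballed. The following is an added example written for this page, not a tool from the thread or from the HijackThis or Fixwareout authors. Its two log excerpts are constructed from the entries posted above, and the expected-resolver list (the OpenDNS pair in the Tcpip\Parameters key) is an assumption about what the owner actually configured.

```python
"""Added example: mechanical triage of HijackThis v1.99-style logs.

Flags O17 NameServer values outside an expected-resolver set and
BHO/SSODL/Winlogon-Notify modules loading from the bare %WINDIR% folder,
and diffs a before/after log pair.  Log excerpts are constructed from the
entries in the thread; EXPECTED_RESOLVERS is an assumption.
"""
import re

# One entry per line: "R0 - ..." / "O17 - ...".  The header and process
# list do not match and are ignored.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")

# Assumed: the resolvers the owner chose (the OpenDNS pair in the
# CCS\Services\Tcpip\Parameters key).  Anything else in an O17 value is
# reported.
EXPECTED_RESOLVERS = {"208.67.220.220", "208.67.222.222"}

# A DLL directly in C:\WINDOWS (not System32 or Program Files) is an odd
# home for a BHO, SSODL or Winlogon Notify module.
WINDIR_ROOT_DLL = re.compile(r"^c:\\windows\\[^\\]+\.dll$")


def parse(log_text):
    """Return (entry_type, body) pairs for the R*/O* lines, in log order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def nameservers(body):
    """IPs from an O17 body of the form '...: NameServer = a.b.c.d,e.f.g.h'."""
    m = re.search(r"NameServer = ([0-9.,]+)", body)
    return m.group(1).split(",") if m else []


def module_path(body):
    """The module path is the last ' - ' separated field of an O2/O20/O21 body."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage(entries):
    """Return (entry_type, reason, body) for each entry worth acting on."""
    findings = []
    for kind, body in entries:
        if kind == "O17":
            rogue = [ip for ip in nameservers(body) if ip not in EXPECTED_RESOLVERS]
            if rogue:
                findings.append((kind, "unexpected resolver " + ",".join(rogue), body))
        elif kind in ("O2", "O20", "O21"):
            if WINDIR_ROOT_DLL.match(module_path(body).lower()):
                findings.append((kind, "module loads from %WINDIR% root", body))
    return findings


def diff(before, after):
    """Entries a fix removed, and entries that newly appeared after it."""
    removed = [e for e in before if e not in after]
    added = [e for e in after if e not in before]
    return removed, added


# Constructed excerpts of the first (pre-Fixwareout) and second log above.
BEFORE = r"""Logfile of HijackThis v1.99.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A69A751D-7E8B-47C1-9AEF-68C63FFBFEBB}: NameServer = 85.255.115.83,85.255.112.206
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll
"""

AFTER = r"""Logfile of HijackThis v1.99.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSVPS System - {E4BAF378-7320-4A48-91DD-D9CCDDF6458E} - C:\WINDOWS\vpsnetwork.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: vpssup - {B15AE7AF-F29B-4ACE-B50A-04E92BC95D9A} - C:\WINDOWS\vpssup.dll
O21 - SSODL: expro - {7099C0CD-08A5-46B5-BF83-B9CC93568BDF} - C:\WINDOWS\expro.dll
"""

if __name__ == "__main__":
    for kind, why, body in triage(parse(BEFORE)):
        print(f"[{kind}] {why}: {body}")
    removed, added = diff(parse(BEFORE), parse(AFTER))
    print("removed by the fix:", [b for _, b in removed])
    print("new since the fix:", [b for _, b in added])
    print("still to fix:", [b for _, _, b in triage(parse(AFTER))])
```

Run against the two excerpts, the first log yields four findings (the MSVPS BHO, the 85.255.x.x resolver entry, and the two SSODL modules); the diff shows only the O17 entry gone after Fixwareout, and the three C:\WINDOWS DLL loaders still present, which is exactly the set the next reply asks HijackThis to fix. The Winlogon Notify entry is not flagged because it loads from System32.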