Mischel Internet Security Forum (Malware > Trojans)
Topic: Hosts & Others
Rayg (Full Member, 113 posts)
Hosts & Others
« on: Jan 1st, 2008, 6:35pm »

Hi, your assistance would be appreciated. I believe I have a number of issues.
As I have limited skills I thought it would be better to advise my concerns first and seek professional advice before attempting to use advice I have read on your Forum.
As a result of advice given yesterday on the forums I checked my Hosts file; I have thirteen pages of entries over and above that which you have advised.
I am sure I have xyz entry you consider is of concern.
I did have Trojans which were removed?
I followed your initial cleaning procedures a couple of days ago and no problems were reported.
However my C drive partition has some new folders which may be some hidden file folders showing. One shows as being over a Gig.
I now have a Thumbs.db icon on my desktop; properties indicate it is a database file.
As I don't want to compound any problems by proceeding incorrectly I would be grateful for any assistance.
Thanks in anticipation.
P.S. Profile wouldn't let me tell you how old I am - not that old!!
Rayg
siliconman01 (Global Moderator, 5468 posts)
Re: Hosts & Others
« Reply #1 on: Jan 1st, 2008, 11:11pm »

Welcome to the forum, Rayg.
 
Quote:
As a result of advice given yesterday on the forums I checked my Hosts file I have thirteen pages of entries over and above that which you have advised.

 
Do you now or have you in the past run SpyBot S&D?  Reason for the question is that it loads valid entries into the HOSTS file for protection.  
 
If all of the entries in the HOSTS file begin with 127.0.0.1, then they are okay.  (a # as the first character is a comment line and is okay too).  
 
If you have doubts and did not intentionally add entries to the HOSTS file, just remove everything in it and then insert one line which is  
 
127.0.0.1   localhost  
 
Quote:
I now have a Thumbs db icon on my desktop properties indicate it is a database file.  

 
A Thumbs.db icon shows that your system is caching Thumbnails.  You can turn off this option and it will save you some disk space.  The link below provides instructions to do this.
 
http://www.pchell.com/support/thumbsdb.shtml
 
Please post a Hijackthis log and we'll see if anything abnormal shows up.  If you do not have Hijackthis on your system, please go to the link below for installation instructions.
 
http://www.misec.net/forum/board/FAQ/1163329424

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Rayg (Full Member, 113 posts)
Re: Hosts & Others
« Reply #2 on: Jan 2nd, 2008, 1:14am »

Thanks for response.
SpyBot S&D has not been run.
Two programs I did download and Add/Remove'd very shortly after installing were
RegClear
Max Secure Spyware Detector
There appears to be residual of both, the latter in particular.
All lines in the hosts file are preceded by 127.0.0.1
These are an example of entries that follow: www.h-208-184-172-10.radiate.com or just
doberman.befree.com
Please accept I am a novice at this. I thought I knew how to forward the HJT log but will have to check out the forum again to find out how. If you have time to assist, great.
Regards
Rayg
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:11 PM, on 2/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
E:\System Mechanic Professional 7\IoloSGCtrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
E:\System Mechanic Professional 7\SMSystemAnalyzer.exe
E:\System Mechanic Professional 7\SystemGuardAlerter.exe
E:\System Mechanic Professional 7\AntiVirus\ioloAV.exe
E:\System Mechanic Professional 7\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Presorium\Frontgate MX\frntgate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Phone\skype\Phone\Skype.exe
F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\SetPoint\SetPoint.exe
E:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
E:\System Mechanic Professional 7\AntiVirus\iAVEmailScanner.exe
E:\Phone\skype\Plugin Manager\skypePM.exe
E:\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Hijack This\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] "E:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Profiler] "C:\Program Files\Saitek\Software\ProfilerU.exe"
O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\Software\SaiMfd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "E:\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [THGuard] "E:\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "E:\System Mechanic Professional 7\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo AntiVirus] "E:\System Mechanic Professional 7\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "E:\System Mechanic Professional 7\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FG1_00] C:\Program Files\Presorium\Frontgate MX\frntgate.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] "F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [Skype] "E:\Phone\skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Windows Services Clock] WinClock.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Windows Services Clock] WinClock.exe (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/cli ent/muweb_site.cab?1192530015218
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - https://secure.iolo.com/app/ocx/UpgradeVerify.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - E:\System Mechanic Professional 7\IoloSGCtrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDService - Max Secure Software  - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
--
End of file - 11093 bytes
 
I hope I have this right and apologise for any time wasting.
siliconman01 (Global Moderator, 5468 posts)
Re: Hosts & Others
« Reply #3 on: Jan 2nd, 2008, 2:01am »

IF you have any questions concerning the following, please ask before you perform the steps below.
 
Concerning your HOSTS file, I see you have SpySweeper.  It adds valid entries in the HOSTS file too.  So you are okay with your HOSTS file.  As long as the very first entry is
 
127.0.0.1   localhost
 
and all subsequent entries start with 127.0.0.1, you should be fine.  
 
Now, it does look like you have an infection on your system.  Please do the following.
 
1.  Make all your files and folders visible as described in the link below.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Do a Search for the file named Winclock.exe.  Once you find it, please ZIP it and submit it to Mischel Internet Security for analysis.  The link below describes how to submit a file.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
3.  Next, run another HiJackthis scan.  When the scan is completed, place a checkmark in the box next to the following items.  BE SURE that these are the only items checkmarked.
 

 
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Windows Services Clock] WinClock.exe (User 'SYSTEM')
 
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Windows Services Clock] WinClock.exe (User 'Default user')  

 
4.  Close your browser window.
 
5.  Click on Fix Checked at the lower left of the HiJackthis window.  Confirm that you want to fix the items and let HJT fix the items.
 
6.  Immediately reboot your computer into SAFE MODE.
 
7.  Once you are in SAFE MODE, do a Search of the file winclock.exe .  When you find it, delete it.
 
8.  Reboot your computer back into Normal Mode.
 
9.  Run another HJT scan and post a new log back here.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
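Added example (editor's code, not from the thread, HijackThis or TrojanHunter): a small parser for HijackThis O4 lines that applies the two signals the moderator reacted to in the log above. The sample lines are copied from Rayg's log; the rules, the `suspicious`/`verify`/`ok` labels and the function names (`parse_o4`, `classify`) are the editor's. An entry under a RunServices key launching a bare file name such as `WinClock.exe` is flagged `suspicious`; any other bare file name (no drive or directory, so Windows resolves it through the search path) is flagged `verify`, because legitimate vendors do this too and the file has to be located and checked by hand, which is step 2 of the procedure.

```python
"""Classify HijackThis O4 (autostart) lines.

Added example by the editor; not code from the thread, HijackThis or
TrojanHunter.  The sample log lines are taken from the log posted above; the
rules and labels are the editor's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry autostart lines, e.g.
#   O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Windows Services Clock] WinClock.exe (User 'SYSTEM')
O4_REGISTRY = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder shortcuts, e.g.  O4 - Global Startup: SmartUI.lnk = ?
O4_SHORTCUT = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")

# Constructed sample: a subset of the O4 lines from the first HJT log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Skype] "E:\Phone\skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Windows Services Clock] WinClock.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Windows Services Clock] WinClock.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = F:\SetPoint\SetPoint.exe
O4 - Global Startup: SmartUI.lnk = ?
"""


@dataclass
class AutostartEntry:
    location: str        # hive (HKLM, HKCU, HKUS\<sid>) or startup folder
    key: str             # Run, RunOnce, RunServices, ... or "shortcut"
    name: str            # value name or shortcut name
    command: str
    user: Optional[str]  # the (User '...') suffix HJT adds for HKUS entries
    executable: str
    verdict: str         # "ok", "verify" or "suspicious"
    reason: str


def executable_of(command: str) -> str:
    """First token of the command: a quoted path, or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_bare_name(exe: str) -> bool:
    """True when no drive or directory is given, so Windows resolves it via the search path."""
    return exe != "" and "\\" not in exe and ":" not in exe


def classify(key: str, exe: str) -> Tuple[str, str]:
    if exe == "?":
        return "verify", "shortcut target HJT could not resolve"
    bare = is_bare_name(exe)
    if key.lower().startswith("runservices"):
        # RunServices is a Windows 9x-era key; nothing legitimate in the thread's
        # logs uses it, and a bare file name there is the pattern the moderator flagged.
        return "suspicious", "RunServices key" + (", bare file name" if bare else "")
    if bare:
        return "verify", "bare file name; locate the file and confirm it is a known system or vendor file"
    return "ok", ""


def parse_o4(log: str) -> List[AutostartEntry]:
    entries: List[AutostartEntry] = []
    for raw in log.splitlines():
        line = raw.rstrip()
        m = O4_REGISTRY.match(line)
        if m:
            exe = executable_of(m["cmd"])
            verdict, reason = classify(m["key"], exe)
            entries.append(AutostartEntry(m["hive"], m["key"], m["name"], m["cmd"],
                                          m["user"], exe, verdict, reason))
            continue
        m = O4_SHORTCUT.match(line)
        if m:
            exe = executable_of(m["cmd"])
            verdict, reason = classify("shortcut", exe)
            entries.append(AutostartEntry(m["folder"], "shortcut", m["name"], m["cmd"],
                                          None, exe, verdict, reason))
    return entries


def suspicious_entries(log: str) -> List[AutostartEntry]:
    return [e for e in parse_o4(log) if e.verdict == "suspicious"]


if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        if e.verdict != "ok":
            print(f"{e.verdict:10} {e.location}\\{e.key} [{e.name}] -> {e.executable}: {e.reason}")
```

Feed a whole HJT log to `parse_o4()`; only O4 lines are considered, so the other sections pass through untouched. The `verify` list will always contain some legitimate vendor entries (SOUNDMAN.EXE, nwiz.exe and the like in this log), which is the point: a bare name tells you nothing until the file has been found on disk and checked.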
siliconman01 (Global Moderator, 5468 posts)
Re: Hosts & Others
« Reply #4 on: Jan 2nd, 2008, 2:27am »

In addition to the above post:
 
It looks like you are running two antivirus programs together in realtime....AVG and System Mechanic Pro.  If you are, this is definitely not desirable.  You should only run one antivirus program in realtime.
 
Did you intentionally install the "Ask" toolbar?

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Rayg (Full Member, 113 posts)
Re: Hosts & Others
« Reply #5 on: Jan 2nd, 2008, 3:33am »

Hi,
In the etc folder there is no entry 127.0.0.1 localhost; the first entry is
127.0.0.1   www.test.com
The last entry is
127.0.0.1 pop3.frontgate.mail # Added by Presorium Frontgate for email filtering
This is a legitimate programme I have run forever. I will await your further advice here.
I have Add/Removed the "ASK" toolbar.
Will stop running two antivirus programs together. Have found in the past AVG will sometimes quarantine issues which appear to be triggered by running another antivirus program that neither pick up if run separately. Maybe coincidence?
 
Am attending to your other requests.
I need to hasten slowly.
Rayg
siliconman01 (Global Moderator, 5468 posts)
Re: Hosts & Others
« Reply #7 on: Jan 2nd, 2008, 4:17am »

Quote:
In the etc.folder there is no entry 127.0.0.1 localhost the first entry is  
127.0.0.1   www.test.com

 
It is VERY important that you modify your HOSTS file so that the very first entry is  
 
127.0.0.1   localhost
 
(It is okay if comment lines are before the 127.0.0.1  localhost)
 
Just open HOSTS with NotePad, insert  
 
127.0.0.1   localhost
 
as the first entry.  Then SAVE and close NotePad.
 
Below is an example of the beginning of my HOSTS file.
 
Quote:

127.0.0.1  localhost
::1  localhost
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  www.aaa-livedoor.net
#[Trojan-PSW.Win32.Maran.ei]
127.0.0.1  www.abcsearcher.com
#[Spamdexing][Microsoft.Strider]
127.0.0.1  abc-search.info
127.0.0.1  www.abx4.com
#[Adware.ABXToolbar]
127.0.0.1  acezip.net
#[SiteAdvisor.acezip.net]
127.0.0.1  www.acezip.net
#[Win32/Adware.180Solutions]
127.0.0.1  phpadsnew.abac.com
127.0.0.1  a.abnad.net
127.0.0.1  b.abnad.net
127.0.0.1  c.abnad.net
#[eTrust.Tracking.Cookie]
127.0.0.1  d.abnad.net
127.0.0.1  e.abnad.net
127.0.0.1  t.abnad.net
127.0.0.1  banners.absolpublisher.com
127.0.0.1  tracking.absolstats.com
127.0.0.1  adv.abv.bg
127.0.0.1  bimg.abv.bg
127.0.0.1  www2.a-counter.kiev.ua
127.0.0.1  accuserveadsystem.com
127.0.0.1  www.accuserveadsystem.com
127.0.0.1  gtcc1.acecounter.com
127.0.0.1  gtp1.acecounter.com
#[eTrust.Tracking.Cookie]
127.0.0.1  acestats.com
127.0.0.1  www.acestats.com

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
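Added example (editor's code, not from the thread or any product mentioned in it) that turns the HOSTS rules given in Reply #1 and Reply #7 into a check: every mapping must point at a sinkhole address, and the first mapping must be `127.0.0.1 localhost`. It also adds one check the thread does not state: a loopback entry whose name is an update or vendor host is the classic HOSTS hijack, since it passes the "starts with 127.0.0.1" rule while cutting the machine off from its updates, so such names are reported as warnings against a constructed watch list. The sample file, the watch list (`UPDATE_HOSTS`) and the function names are constructed for the example; `ensure_localhost_first` performs the edit Reply #7 asks for.

```python
"""Audit a Windows HOSTS file against the rules given in this thread.

Added example by the editor; not code from the thread or any product in it.
Rules:
  1. every mapping must point at a sinkhole address (127.0.0.1, ::1, or the
     0.0.0.0 some block lists use), otherwise a name is being redirected;
  2. the first mapping must be '127.0.0.1 localhost';
  3. (editor's addition) a sinkhole entry for an update or vendor host passes
     rule 1 but cuts the machine off from its updates, so it is reported too.
The sample file and the watch list are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SINKHOLE_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed watch list of hosts an infection would want to blackhole.
UPDATE_HOSTS = {"update.microsoft.com", "windowsupdate.microsoft.com",
                "free.grisoft.com", "www.misec.net"}

# Constructed sample modelled on the file Rayg described: no localhost first,
# block-list entries, the Frontgate mail-filter line, plus two planted problems.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1   www.test.com
127.0.0.1   doberman.befree.com
127.0.0.1   www.h-208-184-172-10.radiate.com
::1         localhost
0.0.0.0     ad.a8.net
127.0.0.1   update.microsoft.com
203.0.113.7 www.mybank.example
127.0.0.1 pop3.frontgate.mail # Added by Presorium Frontgate for email filtering
"""


@dataclass
class Finding:
    line_no: int
    severity: str   # "error" (fix before trusting the file) or "warn"
    message: str


@dataclass
class HostsReport:
    mappings: int = 0
    findings: List[Finding] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not any(f.severity == "error" for f in self.findings)


def parse_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """(address, [names]) for a mapping line; None for blank or comment lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    return parts[0], parts[1:]


def audit_hosts(text: str) -> HostsReport:
    report = HostsReport()
    first_mapping_seen = False
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, names = parsed
        report.mappings += 1
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            report.findings.append(Finding(no, "error", f"malformed address {addr!r}"))
            continue
        if not names:
            report.findings.append(Finding(no, "error", "address with no host name"))
            continue
        if not first_mapping_seen:
            first_mapping_seen = True
            if not (addr == "127.0.0.1" and names[0].lower() == "localhost"):
                report.findings.append(Finding(no, "error", "first mapping must be '127.0.0.1 localhost'"))
        if addr not in SINKHOLE_ADDRS:
            # A name sent anywhere but a sinkhole is a redirect: phishing or proxying.
            report.findings.append(Finding(no, "error", f"{', '.join(names)} redirected to {addr}"))
            continue
        blocked = [n for n in names if n.lower() in UPDATE_HOSTS]
        if blocked:
            report.findings.append(Finding(no, "warn", f"sinkhole entry blocks update host: {', '.join(blocked)}"))
    return report


def ensure_localhost_first(text: str) -> str:
    """Apply the fix from Reply #7: insert '127.0.0.1 localhost' ahead of the first mapping."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, names = parsed
        if addr == "127.0.0.1" and names and names[0].lower() == "localhost":
            return text          # already correct
        lines.insert(i, "127.0.0.1   localhost")
        break
    else:
        lines.append("127.0.0.1   localhost")   # file had no mappings at all
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS).findings:
        print(f"line {f.line_no:3} {f.severity:5} {f.message}")
```

On the sample the audit reports the missing localhost line and the `203.0.113.7` redirect as errors and the blocked update host as a warning; the thirteen pages of `127.0.0.1` block-list entries produce nothing, which matches the moderator's reading of them. Read the real file from `%SystemRoot%\system32\drivers\etc\hosts` and pass its text to `audit_hosts()`.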
Rayg (Full Member, 113 posts)
Re: Hosts & Others
« Reply #8 on: Jan 2nd, 2008, 6:13am »

Hi,
Very first entry in Hosts file has been amended.
Have been searching for WinClock.exe; used
Search Companion (files and folders)
Task Manager
no success.
Search Companion (a word or phrase) gave the following results:
 
Collected Data 1405.xml  C:\WINDOWS\pchealth\helpctr\DataColl
Ditto but 14311.xml
HiJack Log
I looked at the first two and they contained, amongst other material, references to the files you wish HJT to fix.
The first file is 19.4 the second 55.7 in size.
Would this be what we are looking for or should I be using another method of searching?
The latter search was lengthy, hence the delay.
 
When we are carrying out suggested maintenance items should I disconnect from the internet whilst doing same?
 
Will await your further instruction before proceeding.
 
Thanks
Rayg
« Last Edit: Jan 2nd, 2008, 6:19am by Rayg »

siliconman01 (Global Moderator, 5468 posts)
Re: Hosts & Others
« Reply #9 on: Jan 2nd, 2008, 6:25am »

Probably the quickest way to search for Winclock.exe is through Windows Explorer.
 
Just open Windows Explorer, highlight your C: drive, and then do a Search for Winclock.exe.  If it is not found on the C drive, highlight the D: drive and do a search, etc., until you find it.  
 
If you do not find it, it is possible that it has been removed by one of your security programs.  In that case, just do Steps 3-6 and then step 9 in the procedure I outlined above.  
 
On Step 6, just reboot into normal mode....not SAFE MODE
« Last Edit: Jan 2nd, 2008, 6:27am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Rayg (Full Member, 113 posts)
Re: Hosts & Others
« Reply #10 on: Jan 2nd, 2008, 3:42pm »

Hi
Sorry about the delay; expected the process to take much longer, hence waited until this a.m.
Don't know whether this is important but instead of the PC opening directly onto the desktop with icons etc. in place, for the past couple of weeks I have been getting a screen requiring clicking on a user name.
Until last night this had two icons:
1. Our user name
2. YU, which asked for a password
3. Last night when restarting the PC what appears to be an additional user account has been added: "xiaocao"
Don't know if this is related to what we are doing.
Didn't find the Winclock file so proceeded as instructed. The searches done individually seemed to be superfast??
HJT Log as requested.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:38 AM, on 3/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
E:\System Mechanic Professional 7\IoloSGCtrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
E:\System Mechanic Professional 7\SMSystemAnalyzer.exe
E:\System Mechanic Professional 7\SystemGuardAlerter.exe
E:\System Mechanic Professional 7\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Presorium\Frontgate MX\frntgate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
E:\Phone\skype\Phone\Skype.exe
F:\SetPoint\SetPoint.exe
E:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
E:\Phone\skype\Plugin Manager\skypePM.exe
E:\Hijack This\HijackThis.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] "E:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Profiler] "C:\Program Files\Saitek\Software\ProfilerU.exe"
O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\Software\SaiMfd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "E:\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [THGuard] "E:\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "E:\System Mechanic Professional 7\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "E:\System Mechanic Professional 7\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FG1_00] C:\Program Files\Presorium\Frontgate MX\frntgate.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] "F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [Skype] "E:\Phone\skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Development Services] msdevelop.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Development Services] msdevelop.exe (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/cli ent/muweb_site.cab?1192530015218
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - https://secure.iolo.com/app/ocx/UpgradeVerify.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - E:\System Mechanic Professional 7\IoloSGCtrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDService - Max Secure Software  - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
--
End of file - 10335 bytes
 
Thanks for your continuing assistance and patience.
Rayg
« Last Edit: Jan 2nd, 2008, 7:34pm by Rayg »

siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5468
Re: Hosts & Others
« Reply #11 on: Jan 3rd, 2008, 12:49am »

Hmmm, you have picked up another infection named msdevelop.exe
 
Please do this:
 
1.  Make all your files and folders visible as described in the link below.  (If you have already done this, you do not need to do it again.)
 
http://www.misec.net/forum/board/FAQ/1139610900  
 
2.  Do a Search for the file named msdevelop.exe.  Once you find it, please ZIP it and submit it to Mischel Internet Security for analysis.  The link below describes how to submit a file.  
 
http://www.misec.net/forum/board/FAQ/1139308293  
 
3.  Next, run another HijackThis scan.  When the scan is completed, place a checkmark in the box next to the following items.  BE SURE that these are the only items checkmarked.  
 

 
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
 
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Development Services] msdevelop.exe (User 'SYSTEM')
 
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Development Services] msdevelop.exe (User 'Default user')
 
O4 - Global Startup: SmartUI.lnk = ?
 
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
 
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
 
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

 
4.  Close your browser window.  
 
5.  Click on Fix Checked at the lower left of the HijackThis window.  Confirm that you want to fix the items and let HJT fix the items.  Once the fix is completed, close the HijackThis window.
 
6.  Immediately reboot your computer into SAFE MODE.  
 
7.  Once you are in SAFE MODE, do a Search for the file msdevelop.exe.  When you find it, delete it.  
 
8.  Reboot your computer back into Normal Mode.  
 
9.  Run another HJT scan and post a new log back here.  
 
10.  Then run a REMOTE Scan with Kaspersky Online Scanner.
 
-  BE SURE to disable all your security programs except your software firewall before starting this scan.  BE SURE the realtime antivirus programs are disabled.  
 
-  You will need to use Internet Explorer for this site because Kaspersky needs to download an ActiveX component.  Let it download/install this ActiveX component.
 
-  BE SURE to run a FULL scan of your entire system, all drives.
 
-  The link below takes you to the remote scanner.
 
http://www.kaspersky.com/virusscanner
 
11.  Post the Kaspersky remote scan log back here once it has completed.  
 
Concerning the User Accounts:
 
Go to the Control Panel and select "User Accounts".
 
Does the list of User Accounts show this new account?
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
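As an added example (not part of the thread, and not HijackThis or Mischel code), here is a small Python triage of the O4 autostart lines of a HijackThis log in the format shown above. The sample lines are copied from the log posted earlier in the thread; the three heuristics (RunServices key, bare image name, vendor-styled name with no path) are this example's own assumptions, not HijackThis rules, and a finding means "verify", not "malicious".

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample O4 lines copied from the HijackThis log posted above; the Global
# Startup line is there to show that non-registry O4 entries are skipped.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Development Services] msdevelop.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Development Services] msdevelop.exe (User 'Default user')
O4 - Global Startup: SmartUI.lnk = ?
"""

# Registry-backed O4 line: O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

def parse_o4(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one registry-backed O4 line into its fields; None for anything else."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def command_image(cmd: str) -> str:
    """Return the program token of an autostart command (quoted or bare)."""
    return cmd.split('"', 2)[1] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage(entry: Dict[str, Optional[str]]) -> List[str]:
    """Heuristic findings assumed by this example (not HijackThis rules)."""
    reasons = []
    image = command_image(entry["cmd"])
    if entry["key"].lower() == "runservices":
        reasons.append("RunServices is a Windows 9x/Me key; unexpected on XP")
    if "\\" not in image and ":" not in image:
        reasons.append("bare image name, resolved by PATH search at logon")
    if "microsoft" in entry["name"].lower() and "\\" not in image:
        reasons.append("Microsoft-styled name with no path: possible masquerade")
    return reasons

def triage_log(text: str) -> List[Tuple[Dict[str, Optional[str]], List[str]]]:
    """Return (entry, reasons) for every registry-backed O4 line with a finding."""
    parsed = (parse_o4(line) for line in text.splitlines())
    pairs = [(e, triage(e)) for e in parsed if e is not None]
    return [(e, r) for e, r in pairs if r]

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(f"{entry['hive']}\\{entry['key']} [{entry['name']}] {entry['cmd']}")
        for r in reasons:
            print("   -", r)
```

Run against the sample, the two msdevelop.exe RunServices entries collect all three findings, while SOUNDMAN.EXE is only flagged as a bare name to verify and the fully-pathed AVG entry is not reported.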

Rayg
Full Member
Gender: male
Posts: 113
Re: Hosts & Others
« Reply #12 on: Jan 3rd, 2008, 1:29am »

Hi
My apologies if my departure last night caused confusion.
As you were sending me the above response AVG grabbed the following:
C:\WINDOWS\System32\boot.exe
Virus found BackDoor.PcClient
I have quarantined this but have not attempted any further action, i.e. deleting or cleaning.
I thought I should advise and await your further instruction before proceeding in case this incident would cause any conflict.
I may take a little time to respond as I am printing out your instructions to ensure I don't make any mistakes.
I will need to take 20 minutes from the PC to organise, then stay here as long as you need me.
Trust this is OK.
Rayg

siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Gender: male
Posts: 5468
Re: Hosts & Others
« Reply #13 on: Jan 3rd, 2008, 1:41am »

Please post a new HiJackthis log.  I need to see if AVG's discovery and quarantine changed anything concerning the previous HJT log.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Rayg
Full Member
Gender: male
Posts: 113
Re: Hosts & Others
« Reply #14 on: Jan 3rd, 2008, 1:57am »

I have done this in Normal mode; please advise if you need another in safe mode or with all files and folders visible.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:49 PM, on 3/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
E:\System Mechanic Professional 7\IoloSGCtrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Saitek\Software\ProfilerU.exe
C:\Program Files\Saitek\Software\SaiMfd.exe
E:\System Mechanic Professional 7\SMSystemAnalyzer.exe
E:\System Mechanic Professional 7\SystemGuardAlerter.exe
E:\System Mechanic Professional 7\Personal Firewall\ioloFW.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Presorium\Frontgate MX\frntgate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Phone\skype\Phone\Skype.exe
F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
F:\SetPoint\SetPoint.exe
E:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
E:\Phone\skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Hijack This\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abc.net.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =  
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] "E:\Program Files\Scansoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Profiler] "C:\Program Files\Saitek\Software\ProfilerU.exe"
O4 - HKLM\..\Run: [SaiMfd] "C:\Program Files\Saitek\Software\SaiMfd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "E:\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [THGuard] "E:\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "E:\System Mechanic Professional 7\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [iolo Personal Firewall] "E:\System Mechanic Professional 7\Personal Firewall\ioloFW.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FG1_00] C:\Program Files\Presorium\Frontgate MX\frntgate.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LDM] "F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
O4 - HKCU\..\Run: [Skype] "E:\Phone\skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Microsoft Development Services] msdevelop.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Microsoft Development Services] msdevelop.exe (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = F:\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartUI.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1192530015218
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/threatcenter/App/ocx/AVCheckUp.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {FFD85DC8-5261-4D11-B728-F7C59D911691} (iolo.ProductDetector) - https://secure.iolo.com/app/ocx/UpgradeVerify.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - E:\System Mechanic Professional 7\IoloSGCtrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SDService - Max Secure Software  - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
--
End of file - 10351 bytes
Rayg