26 virus - cant remove!

Unknown · May 2006

Hi, im sitting here at my moms computer when i just saw that she had alot of virus and spyware she, well, cant remove.. Her Hijackthis log looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 16:55:27, on 05-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\essspk.exe
C:\Programmer\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\ScanSoft\PaperPort\pptd40nt.exe
C:\Programmer\Brother\ControlCenter2\brctrcen.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\eDonkey2000\edonkey2000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\DOBE~1\wuauclt.exe
C:\WINDOWS\system32\??pPatch\n?lookup.exe
C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
C:\Programmer\Winzip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\3D system v 7.0.5\Husqvarna 7.25\Opdateringer\3D Embroidery System 7.2 Documentation (English Only)\3DEmbroideryDocumentationPatch72.exe
C:\WINDOWS\system32\MSIEXEC.EXE
C:\WINDOWS\system32\MsiExec.exe
C:\Programmer\Fælles filer\InstallShield\Driver\8\Intel 32\IDriver.exe
C:\Documents and Settings\Margit\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubi.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {DC7A4021-679C-C7C7-7B2B-8C17BAC4F0C7} - C:\WINDOWS\jrlaoidk.dll (file missing)
R3 - URLSearchHook: (no name) - {3CFEFB99-397B-63F0-2C72-48B60D1FF7B0} - C:\WINDOWS\system32\vmwzgkw.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3CFEFB99-397B-63F0-2C72-48B60D1FF7B0} - C:\WINDOWS\system32\vmwzgkw.dll
O2 - BHO: (no name) - {E2C8D970-D94A-1E13-B369-4FFC06E6809D} - C:\WINDOWS\jrlaoidk.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Programmer\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmer\Fælles filer\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programmer\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programmer\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programmer\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programmer\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programmer\eDonkey2000\edonkey2000.exe" -t
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Retu] "C:\WINDOWS\system32\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Itgy] C:\WINDOWS\system32\??pPatch\n?lookup.exe
O4 - Global Startup: Statusmonitor.lnk = C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\Winzip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/home
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe

Well its a bit comfusing, but her log from AVG anti virus program looks like this:

"" "" "Trojan horse Generic.QCH" "C:\WINDOWS\uni_eh.exe" "01-05-2006 10:59:32" "uni_eh.exe" "52 KB"
"" "" "Trojan horse Generic.QAZ" "C:\WINDOWS\unin101.exe" "01-05-2006 10:59:36" "unin101.exe" "48 KB"
"" "" "Trojan horse Dropper.Generic.CHY" "C:\DOCUME~2\Margit\LOKALE~1\Temp\echo.exe" "30-04-2006 22:44:58" "echo.exe" "29.5 KB"
"" "" "Trojan horse Downloader.Generic.SSH" "C:\DOCUME~2\Margit\LOKALE~1\Temp\MONEY1.exe" "30-04-2006 22:45:07" "MONEY1.exe" "27.38 KB"
"" "" "Trojan horse Downloader.Generic.SDF" "C:\WINDOWS\sms112x.exe" "30-04-2006 22:45:10" "sms112x.exe" "132 KB"
"" "" "Trojan horse Generic.RVT" "C:\WINDOWS\CheckS02.exe" "30-04-2006 22:45:14" "CheckS02.exe" "96 KB"
"" "" "Trojan horse Downloader.Agent.13.AW" "C:\DOCUME~2\Margit\LOKALE~1\Temp\mc-110-12-0000122.exe" "30-04-2006 22:45:19" "mc-110-12-0000122.exe" "47.95 KB"
"" "" "Trojan horse Downloader.Istbar.9.AU" "C:\Documents and Settings\Margit\Skrivebord\cor2\YSB_toolBar.exe" "27-04-2006 11:38:46" "YSB_toolBar.exe" "55.98 KB"
"" "" "Trojan horse Downloader.Istbar.9.AU" "C:\Programmer\Emule\Incoming\(Serial) husqvarna viking 3d embroidery system (1)\YSB_toolBar.exe" "27-04-2006 11:39:04" "YSB_toolBar.exe" "55.98 KB"
"" "" "Trojan horse Downloader.Dyfica.2.BA" "C:\Documents and Settings\Margit\Lokale indstillinger\Temporary Internet Files\Content.IE5\GHQ7IRQH\nem220[1].dll" "02-05-2006 17:16:44" "nem220[1].dll" "35.75 KB"
"" "" "Adware Generic.MCT" "C:\Programmer\FCAdvice\FCAdvice.dll" "01-05-2006 09:00:35" "FCAdvice.dll" "92 KB"
"" "" "Adware Generic.ELB" "C:\Programmer\TheSearchAccelerator\UCMTSAIE.dll" "01-05-2006 09:00:35" "UCMTSAIE.dll" "664 KB"
"" "" "Adware Generic.NFF" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP66\A0009719.dll" "03-05-2006 08:42:42" "A0009719.dll" "72 KB"
"" "" "Trojan horse Downloader.Dyfica.2.BA" "C:\Documents and Settings\Margit\Lokale indstillinger\Temporary Internet Files\Content.IE5\03PFA6N9\nem220[2].dll" "02-05-2006 08:34:03" "nem220[2].dll" "35.75 KB"
"" "" "Adware Generic.ELB" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP65\A0009686.dll" "02-05-2006 08:34:03" "A0009686.dll" "664 KB"
"" "" "Adware Generic.MCT" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP65\A0009687.dll" "02-05-2006 08:34:04" "A0009687.dll" "92 KB"
"" "" "Adware Generic.MDE" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP65\A0009700.dll" "02-05-2006 08:34:04" "A0009700.dll" "474.87 KB"
"" "" "Trojan horse Generic.QCH" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP65\A0009702.exe" "02-05-2006 08:34:04" "A0009702.exe" "52 KB"
"" "" "Trojan horse Generic.QAZ" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP65\A0009703.exe" "02-05-2006 08:34:04" "A0009703.exe" "48 KB"
"" "" "Adware Generic.MDE" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP65\A0009704.dll" "02-05-2006 08:34:04" "A0009704.dll" "481.82 KB"
"" "" "Adware Generic.MDE" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP66\A0009707.dll" "02-05-2006 08:34:04" "A0009707.dll" "556.76 KB"
"" "" "Adware Generic.MDE" "C:\System Volume Information\_restore{3DAA929F-A39A-46A7-BA10-DBA4347BC239}\RP66\A0009711.dll" "02-05-2006 08:34:04" "A0009711.dll" "560.18 KB"
"" "" "Adware Generic.LED" "C:\WINDOWS\bxxs5.dll" "02-05-2006 08:34:05" "bxxs5.dll" "368 KB"
"" "" "Adware Generic.MDE" "C:\WINDOWS\hvofflrk.dll" "02-05-2006 08:34:05" "hvofflrk.dll" "512.65 KB"
"" "" "Adware Generic.MDE" "C:\WINDOWS\jrlaoidk.dll" "02-05-2006 08:34:06" "jrlaoidk.dll" "521.41 KB"
"" "" "Adware Generic.NFF" "C:\WINDOWS\system32\nabgglbo.dll" "02-05-2006 08:34:06" "nabgglbo.dll" "72 KB"

Its clearly thats something is rong;) So I hope you guys can help her, hey did a great job when you solve my computer problems so I hope that you can help my mom too

Well, keep up the good work guys and peace!

- Mike From Denmark

chiaz · May 2006

Let's try to get some infections out of the way first...

* Clean your Cache and Cookies in IE:

Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Click the "Delete Cookies" button
Next to it, Click the "Delete Files" button
When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

Go to Tools > Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Next download Ad-Aware SE Personal and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:

General Button > Safety & Settings: Check (Green) all three.
Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click Proceed.

3) To start the scan, Click > "Scan Now" at left

Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
Select "Search for low-risk threats"
Select "Perform full system scan"
Click Next

4) When the scan has completed, select Next.

In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects"
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Now rescan with HijackThis and post the fresh log in your next reply.

Sp34k · May 2006

I have done all you told me to:) Now i have the hijackthis log for you dude:)

Logfile of HijackThis v1.99.1
Scan saved at 12:37:51, on 06-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\essspk.exe
C:\Programmer\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\ScanSoft\PaperPort\pptd40nt.exe
C:\Programmer\Brother\Brmfl05a\BrStDvPt.exe
C:\Programmer\Brother\ControlCenter2\brctrcen.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\eDonkey2000\edonkey2000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\DOBE~1\wuauclt.exe
C:\WINDOWS\system32\??pPatch\n?lookup.exe
C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
C:\Programmer\Winzip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Margit\Skrivebord\HijackThis.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubi.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {DC7A4021-679C-C7C7-7B2B-8C17BAC4F0C7} - C:\WINDOWS\jrlaoidk.dll (file missing)
R3 - URLSearchHook: (no name) - {3CFEFB99-397B-63F0-2C72-48B60D1FF7B0} - C:\WINDOWS\system32\vmwzgkw.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3CFEFB99-397B-63F0-2C72-48B60D1FF7B0} - C:\WINDOWS\system32\vmwzgkw.dll
O2 - BHO: (no name) - {E2C8D970-D94A-1E13-B369-4FFC06E6809D} - C:\WINDOWS\jrlaoidk.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Programmer\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmer\Fælles filer\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programmer\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programmer\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programmer\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programmer\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programmer\eDonkey2000\edonkey2000.exe" -t
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Retu] "C:\WINDOWS\system32\DOBE~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [Itgy] C:\WINDOWS\system32\??pPatch\n?lookup.exe
O4 - Global Startup: Statusmonitor.lnk = C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\Winzip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/home
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe

Well its good that you didnt start the thread with saying the word: Hopeless

heh..

chiaz · May 2006

Please launch HijackThis and place a checkmark by the following entries:
R3 - URLSearchHook: (no name) - {DC7A4021-679C-C7C7-7B2B-8C17BAC4F0C7} - C:\WINDOWS\jrlaoidk.dll (file missing)
O2 - BHO: (no name) - {E2C8D970-D94A-1E13-B369-4FFC06E6809D} - C:\WINDOWS\jrlaoidk.dll (file missing)
O4 - HKCU\..\Run: [Itgy] C:\WINDOWS\system32\??pPatch\n?lookup.exe
Close all other windows except HijackThis and press "Fix Checked".

Then close HijackThis and restart the computer. Before Windows starts, begin tapping the F8 key. The Windows Advanced Options Menu appears. Ensure that the Safe mode option is selected. Press Enter. The computer then begins to start in Safe mode.

Once in safe mode, Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.

Now navigate to and delete the following files if they still exist:
C:\WINDOWS\jrlaoidk.dll
C:\WINDOWS\system32\??pPatch\n?lookup.exe

Then restart the computer again. You should get back to normal mode.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of bad file(s) into the Suspicious File Packer window:

[C:\WINDOWS\system32\vmwzgkw.dll]

Allow SFP to pack the file(s). This will generate a CAB archive on your desktop. Please email the file(s) to me at:

smbmre[AT]gmail.com (replace [AT] with @)

I will analyse the file and inform you of the results as soon as possible.

Meanwhile, please rescan with HijackThis and post the new log in your next reply.

Sp34k · May 2006

Hi..

I did as you told me to, and you should got my mail atm.

Well, the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:36:34, on 08-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\essspk.exe
C:\Programmer\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\ScanSoft\PaperPort\pptd40nt.exe
C:\Programmer\Brother\ControlCenter2\brctrcen.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\Programmer\eDonkey2000\edonkey2000.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DOBE~1\wuauclt.exe
C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
C:\Programmer\Winzip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Margit\Skrivebord\sfp.exe
C:\Documents and Settings\Margit\Skrivebord\HijackThis.exe
C:\Programmer\Windows Media Player\wmplayer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubi.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Programmer\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmer\Fælles filer\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programmer\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programmer\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programmer\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programmer\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Programmer\eDonkey2000\edonkey2000.exe" -t
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Retu] "C:\WINDOWS\system32\DOBE~1\wuauclt.exe" -vt yazb
O4 - Global Startup: Statusmonitor.lnk = C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\Winzip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/home
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe

Still, you didnt say the word: Hopeless;) So, its wonderful..

Keep up the good work..

- Mike

chiaz · May 2006

Seems much better now.

Please run a free online scan with BitDefender (works only with MS Internet Explorer 5.0 or higher).

In the new window that opens, click the "I agree" button to accept the user agreement before allowing the installation of the ActiveX control.
By default, BitDefender Online Scanner will scan your entire computer.
CLick "Click here to scan".
Please wait patiently while BitDefender updates its virus signatures.
Scan will commence.
When the scan is finished, click on the tab "Detected Problems".
Then click on "Click here to export the scan report".
Save the scan report to your desktop or somewhere convenient.
Close the BitDefender Online Scanner window, and post the contents of the BitDefender scan report in your next reply.

Sp34k · May 2006

Ehm, dude? It will take over 400 hours to scan with BitDefender;) Soo, what should I do then?:P hehe.. Dont know why it take so long time but its pretty bad.. I dont have the time to scan this pc in, yeah.. 400 hours:P

chiaz · May 2006

Hmmmm....let's try Kaspersky then...

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher) instead.
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").

In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
When you get the Windows dialog asking if you want to install this software, click the "Install" button.
When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
Under "Please select a target to scan:", click My Computer to start the scan.

When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Sp34k · May 2006

Hello again:) Hehe, im really sorry to tell this bro.. But, lets say in a minut it scan about 4 files, then try think how many hours it will take :P I dont know why it takes so long time, but in Antivirus.dk (Panda software) It dosnt take that long time..

I hope you have the will to give it another try?:)

- Mike - Keep up the great work, ! U won a big respect from me!

chiaz · May 2006

Have you even tried the scanner? Trust me, it will not take very long. I will say 2-3 hours at most.

Sp34k · May 2006

Yes I have, it scan like BitDefencer, its really slow, and kaspersky will taker over 400 hours:P It just keep counting up and up and up :P

But I can give it a try again dude

Yayo01 · May 2006

You could Also Download AVG 7.1 Free Edition! Its the best *freeware* that i used

PS. its a Free *Spyware Free* Anti-Virus program

Sp34k · May 2006

I normaly use AVG

But it cant remove all viruses I have.

Hmm, it will take more then a day for me to scan with kaspersky, but! The funny part is that if I use Panda Software.. www.pandasoftware.com and i scan my computer online there, it scan much faster and take, 1-2 hours. But with bitdefender and Kaspersky it takes more then a day to scan..

But with activescan (Pandasoftware) It only finds 6 spyware and thats not dangerrus, only in cookies.. I dont know what to do then? With kaspersky and Bitdefender it takes more then a day on this computer..

By Activscan with PandaSoftware free online scanning:

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Margit\Cookies\margit@ad.yieldmanager[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Margit\Cookies\margit@errorsafe[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Margit\Cookies\margit@revenue[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Margit\Cookies\margit@www.advnt01[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Margit\Cookies\margit@www.errorsafe[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Margit\Cookies\margit@www.myaffiliateprogram[1].txt

chiaz · May 2006

Alright, Panda ActiveScan is OK as well.... shows only cookies, which are relatively harmless.

Start HijackThis and place a checkmark against the following entry if still present:
O4 - HKCU\..\Run: [Retu] "C:\WINDOWS\system32\DOBE~1\wuauclt.exe" -vt yazb
Close all other windows except HijackThis and press "Fix Checked". Then close all windows and restart the computer.

Now rescan with HijackThis and post the fresh log here. You should be fully cleaned up by now, but let's just be sure.

Sp34k · May 2006

Here is a homemade fresh Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 13:23:26, on 11-05-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\essspk.exe
C:\Programmer\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Programmer\ScanSoft\PaperPort\pptd40nt.exe
C:\Programmer\Brother\ControlCenter2\brctrcen.exe
C:\Programmer\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\WINDOWS\system32\?racle\e?plorer.exe
C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
C:\Programmer\Winzip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Programmer\Fælles filer\InstallShield\Driver\8\Intel 32\IDriver.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Margit\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jubi.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {459632DF-A839-F9B8-3521-8D6A60D8DABA} - C:\WINDOWS\system32\enrdnvh.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {459632DF-A839-F9B8-3521-8D6A60D8DABA} - C:\WINDOWS\system32\enrdnvh.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Programmer\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmer\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmer\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programmer\Fælles filer\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programmer\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programmer\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programmer\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programmer\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programmer\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Lcsewx] C:\WINDOWS\system32\?racle\e?plorer.exe
O4 - Global Startup: Statusmonitor.lnk = C:\Programmer\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmer\Winzip\WZQKPICK.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/home
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3D6DDD23-870A-4FC8-B3AF-5F67C935A9B7} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/authenticode/PrimeInkCSP-1204.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://opdatering.tdc.dk/csp/authenticode/tdccsp-0506.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe

Sp34k · May 2006

By the way, when i open my explore i normaly get some popups i cant stop, example a popup called: Advertiseme by outerinfo.. Its about www.netmeeting.dk and i dont know hope to stop it..

And a second question, who do i look what programs start on startup and how i can add some programs and/or remove some programs?:)

sanma · May 2006

Hi Chiawaikian

I wonder if you could help me too. I've got Trojan Horse Downloader.Istbar.9.AU on my laptop. I tried to follow the instruction you gave to Sp34k but all the things you advised Sp34k weren't on my hijackthis file and I don't know what to do....
I would be most grateful if you could help me get rid of the Trojan.

The following is my logfile-

Logfile of HijackThis v1.99.1
Scan saved at 01:14:31, on 12/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Juneko\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\2.bin\IMESHBAR.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126156017108
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by20fd.bay20.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Many thanks for your help.

26 virus - cant remove!

Comments