winantivirus

I have a stubborn WinAntiVirus popup problem.
I've scanned with lots of antispyware scanners.
Most pick up something, but WinAntiVirus is still there.
Below is a fresh HijackThis log.
I renamed HijackThis because apparently Vundo hides itself now.

Logfile of HijackThis v1.99.1
Scan saved at 12:32:55, on 20/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\AOL\1170097487\ee\AOLSoftware.exe
C:\Program Files\SiteAdvisor\5020\SAService.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Anti-Lost CD Ejector\antilostlite.exe
C:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
C:\Program Files\PopTray\PopTray.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\WINDOC.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\WINDOC.EXE
C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQClient.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQRepository2.23.exe
C:\Program Files\Technology Lighthouse\PTFB\PTFB.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Virus\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/webhp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170097487\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AntiLostCD] C:\Program Files\Anti-Lost CD Ejector\antilostlite.exe
O4 - HKCU\..\Run: [Tray Pilot Lite] "C:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe"
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Startup: clear.lnk = C:\STORE\clear.brs
O4 - Startup: DigiGuide Lite.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe
O4 - Startup: PTFB.lnk = C:\Program Files\Technology Lighthouse\PTFB\PTFB.exe
O4 - Startup: Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5020\SAService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Tirminal™ (Tirminal_Service) - Unknown owner - c:\program files\tirminal\tirminal_service.exe (file missing)


Scanners used:
Spybot
TRUST
Symantec
FIXSPYBOT
StopZilla
Live OneCare
AVG Antivirus
AVG Anti-Spyware
Windows Defender
ntl Netguard
XOFT SE
Ad-Aware
SUPERAntiSpyware
Protected by SpywareBlaster

I think I've just about run out of scanners, ideas and patience.
Please help.

Could you please put replies on hold until I make contact in a few days.
Just scanned and scrubbed my computer.
Need to see if it's done any good.
Found 2 hijacks.
6 Spybots.
Carried out all my scans and cleaned.
Should be the cleanest computer in the world.
WinAntiVirus is still there.
Desperate.
Close to formatting.
Post is now active again.
Need any help you can give, please.
The HijackThis log was taken since WinAntiVirus popped up again.

Comments

  • Crunchie (Mandurah, Western Australia), Member
    edited February 2007
    Please download VundoFix.exe
    to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above
    instructions starting from "Click the Scan for Vundo button." when
    VundoFix appears at reboot.
  • edited February 2007
    Can't run VundoFix.
    The link supplied could not download the software.
    Downloaded VundoFix from another location.
    Error R6034: An application made an attempt to load the C runtime library incorrectly.

    What now?
  • Crunchie (Mandurah, Western Australia), Member
    edited February 2007
    Download VirtumundoBeGone by secured2k
      Save the file to your desktop
    1. Close all running programs (including your Internet Browser)
    2. Double-click VirtumundoBeGone.exe on the desktop
    3. Read the introductory information, and then click Continue
    4. Click Start
    5. When asked if you want to continue, click Yes to run the fix
    6. Click "Save Log"
  • edited February 2007
    FixVundo run in safe mode, nothing found.
    Log:
    Symantec Trojan.Vundo Removal Tool 1.5.0

    C:\System Volume Information: (not scanned)
    Trojan.Vundo has not been found on your computer.

    VirtumundoBeGone run, nothing found.
    Log:
    [02/21/2007, 10:37:22] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Robert Dempster\Desktop\VirtumundoBeGone.exe" )
    [02/21/2007, 10:37:33] - Detected System Information:
    [02/21/2007, 10:37:33] - Windows Version: 5.1.2600, Service Pack 2
    [02/21/2007, 10:37:33] - Current Username: Robert Dempster (Admin)
    [02/21/2007, 10:37:33] - Windows is in NORMAL mode.
    [02/21/2007, 10:37:33] - Searching for Browser Helper Objects:
    [02/21/2007, 10:37:33] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [02/21/2007, 10:37:33] - BHO 2: {089FD14D-132B-48FC-8861-0048AE113215} ()
    [02/21/2007, 10:37:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/21/2007, 10:37:33] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
    [02/21/2007, 10:37:33] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
    [02/21/2007, 10:37:33] - BHO 3: {3C060EA2-E6A9-4E49-A530-D4657B8C449A} (PopKill Class)
    [02/21/2007, 10:37:33] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
    [02/21/2007, 10:37:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/21/2007, 10:37:33] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [02/21/2007, 10:37:33] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [02/21/2007, 10:37:33] - BHO 5: {56071E0D-C61B-11D3-B41C-00E02927A304} (ZKBho Class)
    [02/21/2007, 10:37:33] - BHO 6: {69A87B7D-DE56-4136-9655-716BA50C19C7} (&Google Web Accelerator Helper)
    [02/21/2007, 10:37:33] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/21/2007, 10:37:33] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [02/21/2007, 10:37:33] - Finished Searching Browser Helper Objects
    [02/21/2007, 10:37:33] - Finishing up...
    [02/21/2007, 10:37:33] - Nothing found! Exiting...

    [02/21/2007, 10:38:12] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Robert Dempster\Desktop\VirtumundoBeGone.exe" )
    [02/21/2007, 10:38:19] - Detected System Information:
    [02/21/2007, 10:38:19] - Windows Version: 5.1.2600, Service Pack 2
    [02/21/2007, 10:38:19] - Current Username: Robert Dempster (Admin)
    [02/21/2007, 10:38:19] - Windows is in NORMAL mode.
    [02/21/2007, 10:38:19] - Searching for Browser Helper Objects:
    [02/21/2007, 10:38:19] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [02/21/2007, 10:38:19] - BHO 2: {089FD14D-132B-48FC-8861-0048AE113215} ()
    [02/21/2007, 10:38:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/21/2007, 10:38:19] - Checking for HKLM\...\Winlogon\Notify\SiteAdv
    [02/21/2007, 10:38:19] - Key not found: HKLM\...\Winlogon\Notify\SiteAdv, continuing.
    [02/21/2007, 10:38:19] - BHO 3: {3C060EA2-E6A9-4E49-A530-D4657B8C449A} (PopKill Class)
    [02/21/2007, 10:38:19] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
    [02/21/2007, 10:38:19] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/21/2007, 10:38:19] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [02/21/2007, 10:38:19] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [02/21/2007, 10:38:19] - BHO 5: {56071E0D-C61B-11D3-B41C-00E02927A304} (ZKBho Class)
    [02/21/2007, 10:38:19] - BHO 6: {69A87B7D-DE56-4136-9655-716BA50C19C7} (&Google Web Accelerator Helper)
    [02/21/2007, 10:38:19] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/21/2007, 10:38:19] - BHO 8: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [02/21/2007, 10:38:19] - Finished Searching Browser Helper Objects
    [02/21/2007, 10:38:19] - Finishing up...
    [02/21/2007, 10:38:19] - Nothing found! Exiting...
  • edited February 2007
    New HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 10:46:07, on 21/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\ntl\ntl Netguard\fws.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ntl\ntl Netguard\RPS.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Common Files\AOL\1170097487\ee\AOLSoftware.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SiteAdvisor\5020\SAService.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Anti-Lost CD Ejector\antilostlite.exe
    C:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
    C:\Program Files\PopTray\PopTray.exe
    C:\Program Files\Technology Lighthouse\PTFB\PTFB.exe
    C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\DriveHQ\DriveHQ Desktop Express\DriveHQRepository2.23.exe
    C:\Program Files\JGsoft\EditPadLite\EditPad.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\WDSCAN.EXE
    C:\Program Files\Virus\Analyze.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk/webhp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
    O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
    O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1170097487\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AntiLostCD] C:\Program Files\Anti-Lost CD Ejector\antilostlite.exe
    O4 - HKCU\..\Run: [Tray Pilot Lite] "C:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe"
    O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
    O4 - Startup: clear.lnk = C:\STORE\clear.brs
    O4 - Startup: DigiGuide Lite.lnk = C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe
    O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe
    O4 - Startup: PTFB.lnk = C:\Program Files\Technology Lighthouse\PTFB\PTFB.exe
    O4 - Startup: Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
    O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Global Startup: Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://www.cae.mypersonalexpression.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5020\SAService.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    O23 - Service: Tirminal™ (Tirminal_Service) - Unknown owner - c:\program files\tirminal\tirminal_service.exe (file missing)
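Reading the two HijackThis logs above by hand means eyeballing a few hundred R/O lines. The Python below is an added example, not code from this thread or from HijackThis, that parses a log in the 1.99.1 format and flags the entry types a helper would normally ask about first: O23 services whose binary is reported "(file missing)", O15 Trusted Zone additions, an R1 AutoConfigURL (a proxy auto-config script that can steer every browser request; here it points at a local proxy on port 9100, which is what Google Web Accelerator, present in this log, installs, so it is expected on this machine but still worth confirming), and O4 autostarts whose target lies outside Program Files or the Windows directory. The sample log is a constructed six-line excerpt modelled on the logs above, the path roots it treats as normal are an assumption, and a flag means "verify this", not "this is malicious".

```python
"""Flag HijackThis 1.99.x log entries that merit a second look (added example, not HijackThis code)."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "kind body")

# Constructed sample: six entries in the shape of the logs in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Startup: clear.lnk = C:\STORE\clear.brs
O15 - Trusted Zone: http://www.cae.mypersonalexpression.com
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Tirminal (Tirminal_Service) - Unknown owner - c:\program files\tirminal\tirminal_service.exe (file missing)
"""

# Assumption: autostarts on an XP box normally live under these roots; anything else gets a look.
EXPECTED_ROOTS = ("c:\\program files", "c:\\progra~1", "c:\\windows")

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Return the R*/O* entries of a log; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def launch_path(body):
    """Extract the program path from an O4 body: after '] ' for Run keys, after ' = ' for .lnk items."""
    if "] " in body:
        target = body.split("] ", 1)[1].strip()
    elif " = " in body:
        target = body.split(" = ", 1)[1].strip()
    else:
        return None
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target  # unquoted values may carry arguments; the root check only needs the prefix


def triage(entries):
    """Return (kind, reason, body) for entries a helper would ask the poster about."""
    findings = []
    for kind, body in entries:
        if kind == "O23" and body.endswith("(file missing)"):
            findings.append((kind, "service still registered but its binary is gone", body))
        elif kind == "O15":
            findings.append((kind, "site added to the IE Trusted Zone", body))
        elif kind == "R1" and "AutoConfigURL" in body:
            findings.append((kind, "proxy auto-config script in use; confirm which installed software owns it", body))
        elif kind == "O4":
            path = launch_path(body)
            if path is not None and not path.lower().startswith(EXPECTED_ROOTS):
                findings.append((kind, "autostart target outside Program Files / WINDOWS", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:4} {reason}\n     {body}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents; the output is a short list to look up, not a verdict, and each flagged path still has to be checked on disk.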
  • edited February 2007
    I don't know if this will help; it's the frequency of the WinAntiVirus popup:

    16022007
    17022007
    17022007
    18022007
    18022007
    20022007

    WinAntiVirus only seems to appear when I'm on the internet,
    sometimes on the most unlikely sites.
    One was an online security scanner.
    It's as if the pages are being hijacked.
  • Crunchie (Mandurah, Western Australia), Member
    edited February 2007
    Go here and download then run Silent Runners.vbs. Right click on the download link and select Save Target As. Save it to the desktop or to a folder in a permanent directory. It generates a log which will be created in the same folder you are running it from. Please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.

    ==

    Download the Hoster.
    Run it and press "Restore Original Hosts", then press "OK". Exit the program.
    Note that if you have a custom hosts file, this will remove it. You can edit the hosts file with this program too.
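Hoster's "Restore Original Hosts" overwrites the hosts file wholesale. If you want to see first what would be lost, and whether anything in it could explain pages being redirected, the Python below (an added example, not Hoster's code and not from this thread) parses a hosts file and sorts its entries into the stock localhost line, "block" entries that map a hostname to loopback (the kind ad and spyware blocklists add), and redirects that point a hostname at some other address, which are the ones to review. The hosts text is constructed, and the assumption that the stock Windows XP hosts file contains only the localhost line is mine.

```python
"""Classify hosts-file entries before restoring the stock file (added example, not Hoster's code)."""
import ipaddress

# Constructed sample: the stock XP line, a blocklist-style entry, and a redirect to review.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ads.example.net            # blocklist-style: the host is sinkholed to loopback
10.0.0.1        www.vendor-scanner.test    # constructed: a hostname pointed at another address
"""

# Assumption: the stock Windows XP hosts file maps only "localhost" to 127.0.0.1.
DEFAULT_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; '#' comments, blank lines and non-address lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address, so not a hosts entry
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def classify(pairs):
    """Split entries into 'default', 'blocked' (loopback sinkhole) and 'redirect' (any other address)."""
    buckets = {"default": [], "blocked": [], "redirect": []}
    for ip, name in pairs:
        loopback = ipaddress.ip_address(ip).is_loopback
        if loopback and name in DEFAULT_NAMES:
            buckets["default"].append((ip, name))
        elif loopback:
            buckets["blocked"].append((ip, name))
        else:
            buckets["redirect"].append((ip, name))
    return buckets


if __name__ == "__main__":
    result = classify(parse_hosts(SAMPLE_HOSTS))
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)}")
        for ip, name in entries:
            print(f"    {ip:<16} {name}")
```

On XP the file to read is %SystemRoot%\system32\drivers\etc\hosts; anything in the "redirect" bucket deserves an explanation before the file is restored, and a long "blocked" list is usually a blocklist tool doing its job.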
  • edited February 2007
    Silent Runners log

    "Silent Runners.vbs", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
    "PhotoShow Deluxe Media Manager" = "C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" ["Ahead Software"]
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "AntiLostCD" = "C:\Program Files\Anti-Lost CD Ejector\antilostlite.exe" ["NeSoft"]
    "Tray Pilot Lite" = ""C:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe"" ["Invention Pilot, Inc"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ntl Netguard" = ""C:\Program Files\ntl\ntl Netguard\RPS.exe"" ["ntl"]
    "Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
    "Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
    "IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
    "HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
    "InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Nero AG"]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
    "PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]
    "USBToolTip" = ""C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe"" ["Pinnacle Systems"]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
    "Opware12" = ""C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"" ["ScanSoft, Inc."]
    "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
    "SiteAdvisor" = "C:\Program Files\SiteAdvisor\5020\SiteAdv.exe" ["McAfee, Inc."]
    "Motive SmartBridge" = "C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
    "EoEngine" = "(empty string)" [file not found]
    "EoClock" = "(empty string)" [file not found]
    "HostManager" = "C:\Program Files\Common Files\AOL\1170097487\ee\AOLSoftware.exe" ["America Online, Inc."]
    "UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe" -H" [null data]
    "(Default)" = (unknown data type)

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\5020\SiteAdv.dll" ["McAfee, Inc."]
    {3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO"
    -> {HKLM...CLSID} = "PopKill Class"
    \InProcServer32\(Default) = "C:\Program Files\ntl\ntl Netguard\pkR.dll" ["Radialpoint Inc."]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {56071E0D-C61B-11D3-B41C-00E02927A304}\(Default) = "Form Filler BHO"
    -> {HKLM...CLSID} = "ZKBho Class"
    \InProcServer32\(Default) = "C:\Program Files\ntl\ntl Netguard\FBHR.dll" ["Radialpoint Inc."]
    {69A87B7D-DE56-4136-9655-716BA50C19C7}\(Default) = "Google Web Accelerator Helper"
    -> {HKLM...CLSID} = "&Google Web Accelerator Helper"
    \InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Windows Live Sign-in Helper"
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
    "{8C3B57EA-7511-4007-87CD-C052FD573284}" = "DriveHQ FileManager"
    -> {HKLM...CLSID} = "DriveHQ FileManager"
    \InProcServer32\(Default) = "C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQMenu.dll" [null data]
    "{9C5157BC-8DB4-4b66-9844-1C3CB448E2ED}" = "My DriveHQ"
    -> {HKLM...CLSID} = "My DriveHQ"
    \InProcServer32\(Default) = "C:\Program Files\DriveHQ\DriveHQ Desktop Express\MyDriveHQ.dll" ["DriveHQ"]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
    -> {HKLM...CLSID} = "My Sharing Folders"
    \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
    "{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
    -> {HKLM...CLSID} = "Shell Extension for CDRW"
    \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {HKLM...CLSID} = "iTunes"
    \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
    -> {HKLM...CLSID} = "UnlockerShellExtension"
    \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]
    <<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
    -> {HKLM...CLSID} = "SABShellExecuteHook Class"
    \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
    -> {HKLM...CLSID} = "WPDShServiceObj Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
    <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    DriveHQ FileManager\(Default) = "{8C3B57EA-7511-4007-87CD-C052FD573284}"
    -> {HKLM...CLSID} = "DriveHQ FileManager"
    \InProcServer32\(Default) = "C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQMenu.dll" [null data]
    TirminalContextMenu_\(Default) = "{324ec0d4-0469-4a7d-bc7c-70a7122d89dd}"
    -> {HKLM...CLSID} = "Tirminal.Shell.TirminalColumnHandler"
    \InProcServer32\(Default) = "mscoree.dll" [MS]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    DriveHQ FileManager\(Default) = "{8C3B57EA-7511-4007-87CD-C052FD573284}"
    -> {HKLM...CLSID} = "DriveHQ FileManager"
    \InProcServer32\(Default) = "C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQMenu.dll" [null data]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    DriveHQ FileManager\(Default) = "{8C3B57EA-7511-4007-87CD-C052FD573284}"
    -> {HKLM...CLSID} = "DriveHQ FileManager"
    \InProcServer32\(Default) = "C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQMenu.dll" [null data]
    UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
    -> {HKLM...CLSID} = "UnlockerShellExtension"
    \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
    -> {HKLM...CLSID} = "UnlockerShellExtension"
    \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\CLIPART\CLIPART\WPAPER\BDIXP.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\CLIPART\CLIPART\WPAPER\BDIXP.bmp"


    Startup items in "Robert Dempster" & "All Users" startup folders:

    C:\Documents and Settings\Robert Dempster\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "broadband medic" -> shortcut to: "C:\Program Files\ntl\broadband medic\bin\matcli.exe -boot" ["Motive Communications, Inc."]
    "clear" -> shortcut to: "C:\STORE\clear.brs" [null data]
    "DigiGuide Lite" -> shortcut to: "C:\Program Files\DigiGuide Lite TV Guide\DigiGuideLite.exe" ["GipsyMedia Limited"]
    "PopTray" -> shortcut to: "C:\Program Files\PopTray\PopTray.exe" ["Renier Crause"]
    "PTFB" -> shortcut to: "C:\Program Files\Technology Lighthouse\PTFB\PTFB.exe" ["Technology Lighthouse"]
    "Web Accelerator" -> shortcut to: "C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe" [null data]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "broadband medic" -> shortcut to: "C:\Program Files\ntl\broadband medic\bin\matcli.exe -boot" ["Motive Communications, Inc."]
    "Norton System Doctor" -> shortcut to: "C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE /startup" ["Symantec Corporation"]
    "Web Accelerator" -> shortcut to: "C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe" [null data]


    Enabled Scheduled Tasks:

    "MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
    "SpywareBlaster" -> launches: "C:\PROGRA~1\SPYWAR~2\SPYWAR~1.EXE" [null data]
    "System Snapshot" -> launches: "C:\Program Files\System Snapshot\Syssnap.exe" ["Hkeylocal Executables"]
    "XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}"
    -> {HKLM...CLSID} = "Google Web Accelerator"
    \InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
    "{F2CF5485-4E02-4F68-819C-B92DE9277049}"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" = (no title provided)
    -> {HKLM...CLSID} = "Google Web Accelerator"
    \InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
    "{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
    -> {HKLM...CLSID} = "McAfee SiteAdvisor"
    \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\5020\SiteAdv.dll" ["McAfee, Inc."]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    HOSTS file

    C:\WINDOWS\System32\drivers\etc\HOSTS

    maps: 150 domain names to IP addresses,
    1 of the IP addresses is *not* localhost!


    Running Services (Display Name, Service Name, Path {Service DLL}):

    DvpApi, dvpapi, ""C:\Program Files\Common Files\Command Software\dvpapi.exe"" ["Command Software Systems, Inc."]
    InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
    iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
    Messenger Sharing Folders USN Journal Reader service, usnjsvc, ""C:\Program Files\MSN Messenger\usnsvc.exe"" [MS]
    Norton Unerase Protection, NProtectService, "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
    Radialpoint Service, FWS, "C:\Program Files\ntl\ntl Netguard\fws.exe" ["Radialpoint Inc."]
    SiteAdvisor Service, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\5020\SAService.exe" [null data]
    Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
    Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


    Print Monitors:

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]


    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    (total run time: 68 seconds, including 31 seconds for message boxes)
  • edited February 2007
    With Hoster No Restore Original Hosts
    Restored Ms Host Settings
    Hope That's Right
  • Crunchie (Mandurah, Western Australia), Member
    edited February 2007
    Did you run the Hoster after silent runners?
    Please go here http://www.kaspersky.com/virusscanner and do a scan. Save the log report and post it back here please.
    You might also want to try running Vundofix in safe mode.
  • edited February 2007
    vundofix was run in safe mode
    nothing found
    log already posted
    was run after silent runners
    kaspersky scanner run whole computer
    winpopup appeared again as I visited the Kaspersky site
    kaspersky scanner run
    no viruses
    hardly surprising
    ran 2 days ago
    nothing then either

    THE KASPERSKY REPORT IS AVAILABLE BUT TOO LONG TO POST HERE
    TAKE MY WORD FOR IT
    DEEP SCAN WHOLE COMPUTER
    MAIL SCAN
    NOTHING FOUND
  • edited February 2007
    I just uninstalled ntl netguard
    installed virgin pcguard
    it's F****D my computer up big time
    restore doesn't do anything
    I'm going to have to format and set up again
    this will fix the winantivirus problem
    can you recommend a good free antivirus for me please
  • Crunchie (Mandurah, Western Australia), Member
    edited February 2007
  • Trogan (London, UK)
    edited March 2007
    This topic is now closed, if you still require assistance then please start a new topic in the Spyware & Virus Removal Forum

    If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
    If you are not the user who started this thread, you must start a new Thread instead :)
This discussion has been closed.