Steve Posted May 17, 2006

If you uninstalled WhenUSave, then chances are the folder is gone. You're fine to run CCleaner. You'll lose any cookies when you do, so you'll have to log back in to any sites that require a username and password (just warning you!).

Sir Dongbot Posted May 17, 2006

Nice one Steve... really appreciate your help this morning.. You're a star...... well actually a bombay tv star!!!!!! lol

http://www.grapheine.com/bombaytv/play_uk.php?id=1214337

Steve Posted May 17, 2006

lol. Shame the scenes aren't longer on that site.

Kper Posted May 17, 2006

hey steve, was wondering if you could have a look thru this log when you get a minute. don't think the comp's got anything bad but it seems a bit sluggish when it shouldn't be... also seem to have a lot of stuff at start up but can't find the options to deactivate them

Logfile of HijackThis v1.99.1
Scan saved at 21:49:30, on 17/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\DeltTray.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ella\Desktop\cleaning\hijack this!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.turntableradio.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

thanks!!

Steve Posted May 17, 2006

Nothing nasty there Lo. Perhaps a clean up and a defrag is in order.

Kper Posted May 17, 2006

Quote: Nothing nasty there Lo. Perhaps a clean up and a defrag is in order.

nice one. yeah i haven't defragged it yet so might do that this weekend. thanks for the quick reply yo!

Steve Posted May 17, 2006

No worries. BTW, if you want to stop a program starting when you boot the PC, delete its O4 entry in the log. If you Google the filename at the end of each entry you'll be able to find out what each one does and if it can be safely disabled or not, for example: -

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

jusched.exe is the updater for Sun's Java. It doesn't work and even if it did you could check for updates manually anyway so you can safely disable this one.

Steve Posted May 18, 2006

No mate. There's nothing bad in there that could be causing your problems.

dextrous Posted May 18, 2006

If that line 20 is fixed this is good to go yes?

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\windows\system32\spool\printers\FireDaemon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\windows\system32\spool\printers\events.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\slserv.exe
C:\Documents and Settings\Leon Dowd\Desktop\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [PCguard] C:\Program Files\blueyonder\PCguard\Rps.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147529847156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1147532401156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\p44u0eh9eh4.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FireDaemon Service: dll32 (dll32) - Sublime Solutions Pty Ltd - C:\windows\system32\spool\printers\FireDaemon.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: FireDaemon Service: events (events) - Sublime Solutions Pty Ltd - C:\windows\system32\spool\printers\FireDaemon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

Steve Posted May 18, 2006

Quote: If that line 20 is fixed this is good to go yes?

Yep.

dextrous Posted May 18, 2006

Cheers Steve. I kind of get hijack this now and if it was my own comp would have just done it, but seeing as it's not my comp thought I better get second opinions.

bfresh Posted June 5, 2006

All reet Steve if ya can mate can you take another look at my list. I keep getting virus warnings, which Kaspersky keeps repelling but won't get rid. Thanks in advance cheers mate.

Logfile of HijackThis v1.99.0
Scan saved at 22:25:10, on 04/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wwSecure.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Documents and Settings\B Fresh\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [sBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Washer Security Access - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

Steve Posted June 5, 2006

You have a trojan mate. Download CCleaner from HERE and install it but don't run it yet. Run HijackThis, do a scan and check off the following: -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

Close all other windows and hit Fix Checked. Reboot into Safe Mode, enable the viewing of hidden/system files and delete this file: -

C:\WINDOWS\system32\taskdir.exe

Run CCleaner, uncheck the box on the left to clean "Old Prefetch data" and have it clean your drive. Reboot back into normal Windows.

Have you done a full system scan with Kaspersky? Is it set up to check for malware/spyware as well as viruses? If the answer to both questions is no, then you need to do that ASAP, because there will be other files related to that trojan still on your drive. Also, you might want to give this a go: -

http://www.prevx.com/

It's free and will remove any other files related to the taskdir.exe infection.

**EDIT** Definitely use PrevX. I've just been reading a bit more about your infection and it uses a rootkit to conceal itself. The version of Kaspersky you're using may not be able to detect all of the files related to it, but PrevX will (or should be able to!).

bfresh Posted June 5, 2006

Thanks for the help Steve, i have opened windows in safe mode but cannot find system32 folder - dunno where it's gone (fishing perhaps). I have a D drive which has a system32 folder but the taskdir.exe file ain't there. Shall i just continue without doing this or has it gotta be done. Nice one mate.

Steve Posted June 5, 2006

The System32 folder is inside your main Windows folder. If you hit Start then Run and type this: -

C:\WINDOWS\system32

Then press Enter, it should open. Either that or just run a search on all of your drives for that file. You do need to run that PrevX program though, because the trojan uses a rootkit to hide itself (which may also explain you not being able to locate it).

Frost Posted June 13, 2006

steve can u have a goosey at this when you get a moment: thanks

Logfile of HijackThis v1.99.1
Scan saved at 22:07:48, on 13/06/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\windows\System32\carpserv.exe
C:\windows\System32\ctfmon.exe
C:\WINDOWS\system32\RACLE~1\SRVICE~1.EXE
C:\windows\System32\devldr32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\windows\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\downloads\THE EVER\utorrent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = T-Bizzle in tha Hizouse
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://192.168.0.1/start.htm
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [igfxTray] C:\windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [28e97a39.exe] C:\windows\System32\28e97a39.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [28e97a39.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\28e97a39.exe
O4 - HKCU\..\Run: [inoa] "C:\windows\ICROSO~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Tjzgbme] C:\WINDOWS\system32\RACLE~1\SRVICE~1.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126560119388
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126971645596
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea1fd.sea1.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\windows\System32\mmc.dll
O20 - Winlogon Notify: winkzr32 - C:\windows\SYSTEM32\winkzr32.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\windows\System32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Steve Posted June 13, 2006

If you haven't got CCleaner, then grab it from HERE and install it, but don't run it yet. Run HijackThis and check off the following: -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = T-Bizzle in tha Hizouse
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [28e97a39.exe] C:\windows\System32\28e97a39.exe
O4 - HKCU\..\Run: [28e97a39.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\28e97a39.exe
O4 - HKCU\..\Run: [inoa] "C:\windows\ICROSO~1\javaw.exe" -vt yazr
O4 - HKCU\..\Run: [Tjzgbme] C:\WINDOWS\system32\RACLE~1\SRVICE~1.EXE
O16 - DPF: {90F7E144-984F-4FA6-83A7-C9C8DCB9974C} (RSActiveXObj Control) - http://www.radarsync.com/RSActiveX.ocx
O20 - AppInit_DLLs: C:\windows\System32\mmc.dll
O20 - Winlogon Notify: winkzr32 - C:\windows\SYSTEM32\winkzr32.dll

Close ALL other windows and hit Fix Checked. Reboot into Safe Mode, enable the viewing of hidden/system files and delete the following: -

C:\Documents and Settings\Administrator\Local Settings\Application Data\28e97a39.exe
C:\windows\System32\28e97a39.exe
C:\windows\System32\mmc.dll
C:\windows\SYSTEM32\winkzr32.dll

There are also two folders you need to delete, although I can't tell the full names from the log: -

C:\windows\ICROSO~1
C:\WINDOWS\system32\RACLE~1

You should be able to figure out the names from the first 5 letters.

Run CCleaner, uncheck the box to clean "Old prefetch data" and have it clean your drive, then reboot back into regular Windows. Download and install PrevX and have it scan and clean your PC: -

http://www.prevx.com/

Reboot again. Start IE and hit Tools, then Internet Options. On the Programs tab, hit the Reset Web Settings button. On the General tab, re-enter the home page you want to use and then hit Apply then OK.

Grab the latest version of Java by clicking this link: -

http://jdl.sun.com/webapps/download/AutoDL?BundleId=10549

Uninstall your current version, reboot, then install this new one.

You're getting infected partly because you have no antivirus or firewall software on your machine and also because you don't have Service Pack 2 for XP installed.

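An added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over the log format used in the posts above, covering Steve's earlier note on O4 startup entries and the kinds of lines picked out in the fix list above. The sample lines are copied from Frost's log; the function names and the flagging heuristics are assumptions made for illustration, and a flag means "look closer", not "malicious".

```python
import re
from collections import Counter

# Sample lines copied from the log Frost posted above (not constructed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [igfxTray] C:\windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [28e97a39.exe] C:\windows\System32\28e97a39.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\windows\System32\mmc.dll
O20 - Winlogon Notify: winkzr32 - C:\windows\SYSTEM32\winkzr32.dll
"""

# A section line is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")
# O4, registry form:        HKLM\..\Run: [Name] command
O4_REG_RE = re.compile(r"^(?P<where>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O4, startup-folder form:  Global Startup: Name.lnk = target
O4_LNK_RE = re.compile(r"^(?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# Heuristic (assumption): executable named with exactly eight hex digits.
HEX_EXE_RE = re.compile(r"\\[0-9a-f]{8}\.exe\b", re.IGNORECASE)


def unflatten(text):
    """Put back line breaks lost when a log is pasted as one run of text."""
    return re.sub(r"(?<!\n)(?=(?:R[0-3]|O\d{1,2}) - \S)", "\n", text)


def parse(text):
    """Return a (code, body) tuple for every section line in the log."""
    entries = []
    for line in unflatten(text).splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def startup_items(entries):
    """O4 lines (programs started at boot/logon) as (location, name, command)."""
    items = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_REG_RE.match(body) or O4_LNK_RE.match(body)
        if m:
            items.append((m.group("where"), m.group("name"), m.group("cmd")))
    return items


def ie_setting_values(entries):
    """Count the values that the R0/R1 Internet Explorer settings point to."""
    return Counter(
        body.split(" = ", 1)[1]
        for code, body in entries
        if code in ("R0", "R1") and " = " in body
    )


def review_flags(entries):
    """Return (reason, code, body) for lines that deserve a closer look."""
    flags = []
    for code, body in entries:
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            flags.append(("orphaned entry, target file absent", code, body))
        if code == "O4" and HEX_EXE_RE.search(body):
            flags.append(("autostart with hex-named executable", code, body))
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            flags.append(("DLL loaded through AppInit_DLLs", code, body))
    return flags


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for where, name, cmd in startup_items(parsed):
        print(f"startup  {where:15} {name}: {cmd}")
    for value, count in ie_setting_values(parsed).most_common():
        print(f"IE value {count}x {value}")
    for reason, code, body in review_flags(parsed):
        print(f"REVIEW   [{code}] {reason}: {body}")
```

The orphaned-entry flag also fires on the msnim O18 line, which appears in logs in this thread that were judged clean, so each flag still needs the filename lookup described earlier in the thread.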
Guest sirchickski Posted July 13, 2006

My pc has decided to be very slow today randomly so see what could be causing it.

Logfile of HijackThis v1.99.1
Scan saved at 14:16:05, on 13/07/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PEERGUARDIAN2\PG2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ntlworld.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEAD\NEROPH~1\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\Run: [PeerGuardian] C:\PROGRAM FILES\PEERGUARDIAN2\PG2.EXE
O4 - HKCU\..\Run: [bitTorrent] "C:\PROGRAM FILES\BITTORRENT\BITTORRENT.EXE" --force_start_minimized
O4 - HKCU\..\RunServices: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\AHEAD\NEROPH~1\DATA\XTRAS\MSSYSMGR.EXE
O4 - HKCU\..\RunServices: [PeerGuardian] C:\PROGRAM FILES\PEERGUARDIAN2\PG2.EXE
O4 - HKCU\..\RunServices: [bitTorrent] "C:\PROGRAM FILES\BITTORRENT\BITTORRENT.EXE" --force_start_minimized
O4 - Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_07\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_07\BIN\SSV.DLL


Steve (Author) Posted July 13, 2006

Looks fine to me mate. What's that CConnect thing? I Googled it and it's Correct Connect which is part of the Windows 2000 Resource Kit, but you're running ME.

Guest sirchickski Posted July 13, 2006

Correct Connect came with my NTL thing. I don't use it though, it's a waste of resources. I keep getting "Low on resources" when I have nothing running... what could it be caused by?

Steve (Author) Posted July 13, 2006

You must have something running man. Take a look at the list of running processes in task manager and see if any of them are using a lot of resources.

Guest sirchickski Posted July 13, 2006

all that is running is:

Internet Firefox
Explorer
Peerguardian
Incd - Nero
System tray

Steve (Author) Posted July 13, 2006

That's the list of programs, not processes.

Guest sirchickski Posted July 13, 2006

Oh LOL! How do I get the list of processes on Windows Me?

Steve (Author) Posted July 13, 2006

It's been a while since I used ME, but in XP when you open Task Manager there are tabs at the top and Processes is one of them. I guess if you don't have that, you'll have to try and find a resource monitoring program on the web.