Steve (Author), February 21, 2006:
You've missed virtually everything I said to delete, dude.
Pman, February 21, 2006:
I did what you said, maybe it's just not meant to be.
Pman, February 21, 2006:
I'll try again.
Pman, February 21, 2006:

Logfile of HijackThis v1.99.1
Scan saved at 18:28:07, on 21/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Paul Holness\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe"
O4 - Startup: Karoo.lnk = D:\Start.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
Pman, February 21, 2006:
Most of them won't go.
Steve (Author), February 21, 2006:
That's better, man. You need to fix these:
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
And you need to do the Safe Mode part or they'll keep coming back. One is a virus that allows hackers full access to your PC, and as you have no firewall to stop them... You also need to get your Windows Updates, man. Service Pack 2 was released months ago and fixes a lot of security issues.
trick, February 21, 2006:
Steve - how do I take off email notifications on this thread? Only I'm getting mail every time someone replies now, which I don't really want... I tried clicking the "track this topic" link, but it only starts tracking and doesn't stop it...
Pman, February 21, 2006:
[quoting Steve's post above]
Cheers, will do.
Pman, February 21, 2006:
One more thing: I lost the desktop icon, it isn't anywhere. Any ideas how to get it back? Also my Internet Explorer icon.
Steve (Author), February 21, 2006:
Have you turned the Quick Launch toolbar off? Right click the taskbar and have a look - it's under Toolbars.
Pman, February 21, 2006 (edited February 21, 2006 by Pman):
I got onto Safe Mode, couldn't find Tools and Folder Options. It's just like normal but weird. Found debug.dll, can't delete it. I got the Internet Explorer icon back but am still missing the desktop one from Quick Launch; I deleted it off a while ago and can't find a way to get it back. Cheers.
Steve (Author), February 21, 2006:
OK, well you need to get rid of that debugg.dll file. (Note the two letter g's in the name - don't delete any other files with similar names!) To get rid of it, do this:
Hit Start, then Run, and type "cmd" without quotes and hit Enter. An old DOS style window will open. Type the following commands, pressing Enter after each one:
c:
cd\
cd c:\windows\system32
regsvr32 /u debugg.dll
In the third command there is a single space after "cd" and in the last command there is a single space either side of "/u". Once you've done that, reboot into Safe Mode again and you should be able to delete the file. If you can't, post back again, but either way it has to be gotten rid of as it's a trojan.
To restore your Show Desktop icon, download this attachment and unzip the file to your Desktop. Then you can drag it on to the Quick Launch bar:
Show_Desktop.zip
Pman, February 21, 2006:
I got the desktop logo back, thanks a lot. I did that thing in what looks like DOS; it says the registry point was not found. So shall I still go into Safe Mode? Go through step by step what I do in Safe Mode. Cheers.
Steve (Author), February 21, 2006:
I tell you what, we'll try it an easier way, because if you didn't get a message saying "the DLL has been unregistered" or some shit like that, then chances are you won't be able to delete it in Safe Mode again.
Run HijackThis again and instead of clicking the Scan button, click Config on the right. Click the Misc Tools button at the top, then from the menu on the left select Delete A File On Reboot... Browse to the debugg.dll file and select it. You'll get a message saying it'll be deleted next time you reboot and do you want to do that now - select Yes and that should be it.
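The "Delete A File On Reboot" option Steve describes works because Windows keeps a list of file moves and deletes to carry out before anything else runs: tools of this kind (I assume HijackThis does the same) call MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends a (source, destination) pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; smss.exe replays that list early in boot, before winlogon.exe has a chance to load the DLL again. The same value is worth reading during an incident, since malware uses it too, to drop traces or swap a system file on the next boot. The following is an added example, not code from the thread or from HijackThis: it encodes and decodes that value so a practitioner can see exactly what a scheduled delete looks like in the registry. The sample value is constructed here for the example; the tool name and the claim that HijackThis uses MoveFileEx are assumptions.

```python
r"""Encode and decode the PendingFileRenameOperations REG_MULTI_SZ value.

Added example; not HijackThis's own code. Format (a fact of the Windows
mechanism, not of this thread): pairs of NUL-terminated UTF-16LE strings,
(source, destination), list ended by an extra NUL. An empty destination
means "delete source"; a destination starting with "!" means "replace an
existing file". Paths are in NT form, "\??\C:\...".
"""
from typing import List, NamedTuple, Optional

NT_PREFIX = "\\??\\"


class PendingOp(NamedTuple):
    source: str
    destination: Optional[str]  # None means delete
    replace_existing: bool


def _to_nt(path: str) -> str:
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def _from_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops: List[PendingOp]) -> bytes:
    """Build the raw REG_MULTI_SZ bytes MoveFileEx(..., DELAY_UNTIL_REBOOT) would append."""
    parts: List[str] = []
    for op in ops:
        parts.append(_to_nt(op.source))
        if op.destination is None:
            parts.append("")  # empty destination slot == delete on boot
        else:
            dest = _to_nt(op.destination)
            parts.append("!" + dest if op.replace_existing else dest)
    body = "".join(p + "\0" for p in parts)
    return (body + "\0").encode("utf-16-le")  # extra NUL terminates the list


def decode_pending_ops(raw: bytes) -> List[PendingOp]:
    """Parse raw REG_MULTI_SZ bytes (e.g. from an exported hive) back into operations."""
    text = raw.decode("utf-16-le")
    # Drop the list terminator, then split on the per-string terminators.
    if text.endswith("\0\0"):
        text = text[:-2]
    elif text.endswith("\0"):
        text = text[:-1]
    items = text.split("\0")
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations must hold (source, destination) pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(PendingOp(_from_nt(src), None, False))
        else:
            ops.append(PendingOp(_from_nt(src), _from_nt(dst.lstrip("!")), dst.startswith("!")))
    return ops


def scheduled_deletes(raw: bytes) -> List[str]:
    """Triage helper: which files will vanish at the next boot?"""
    return [op.source for op in decode_pending_ops(raw) if op.destination is None]


# Constructed sample: what the value looks like after scheduling the DLL from the thread.
SAMPLE_VALUE = encode_pending_ops(
    [PendingOp(r"C:\WINDOWS\system32\debugg.dll", None, False)]
)

if __name__ == "__main__":
    print("raw bytes:", SAMPLE_VALUE.hex())
    for path in scheduled_deletes(SAMPLE_VALUE):
        print("scheduled for deletion at boot:", path)
```

Reading this value is a useful sanity check after using a delete-on-reboot feature (did the entry actually land?) and a routine step when looking at a compromised box, since an attacker's pending rename with a "!" destination is a file replacement that has not happened yet.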
Pman, February 21, 2006:
[quoting Steve's post above]
Right, I've done all that. I'll post my last HijackThis log. I'll love you forever if it's worked, just give us a final overlook.

Logfile of HijackThis v1.99.1
Scan saved at 22:02:54, on 21/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Paul Holness\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)
O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe"
O4 - Startup: Karoo.lnk = D:\Start.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} -
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} -
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} -
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} -
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} -
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} -
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} -
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} -
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} -
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} -
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - Winlogon Notify: debugg - debugg.dll (file missing)
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)

If there's anything, I'll do that delete on reboot via HijackThis. Cheers. Could you post a list of programs in order of how I should use them? This has taken forever. Cheers for your time, nice one.
Steve (Author), February 21, 2006:
Weird. Loads of stuff has come back since you posted the earlier log. We'll get it sorted though. I just noticed that I missed a dodgy file earlier, so maybe that is the cause. Fix these in HijackThis:
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O2 - BHO: (no name) - {2548e425-a332-4c84-9633-4b3101f7d0bb} - (no file)
O2 - BHO: (no name) - {4CFD8060-60C8-45A8-8133-4B086C5AE49F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {B9089D79-F34A-7D76-9427-BF5FF9BABCF1} - (no file)
O2 - BHO: (no name) - {D881967C-B832-4DE8-B844-98D9D055C89A} - (no file)
O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} -
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} -
O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} -
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} -
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} -
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} -
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} -
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} -
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} -
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} -
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} -
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} -
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} -
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} -
O16 - DPF: {E154E3CC-0C3A-4101-91D8-6B4876F0FD64} -
O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -
O20 - Winlogon Notify: debugg - debugg.dll (file missing)
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
Once you're done, you need to run a search for this file:
WINWORD32.EXE
If you can delete it simply then cool, but otherwise use the same HijackThis method you used before. I'm afraid you're gonna have to come back and post another log afterwards, but once your PC is clean I'll tell you some methods to keep it that way.
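The entries Steve singles out across his replies fall into a handful of classes that a reader can check mechanically: an O20 Winlogon Notify DLL that is not one of Windows' own (it is loaded by winlogon.exe as SYSTEM at every logon, which is why it needed the delete-on-reboot trick), an O4 autorun with a bare filename that imitates a real product (WINWORD32.EXE), and the orphaned O2, O16, O21 and O23 records that say "(no file)" or "(file missing)". The following is an added example, not code from the thread or from HijackThis: a small triage pass over HijackThis v1.99 log lines that applies those rules and ranks what it finds. The allowlists are assumptions, a starter set only, and the sample lines are constructed from the entry types seen in the logs above (the "crypt32chain" line is made up to show a benign O20).

```python
"""Triage HijackThis v1.99 log lines for the entry classes discussed in the thread.

Added example; not code from the thread or from HijackThis. The allowlists
are assumptions (a small starter set, not an authoritative list): an entry
absent from them means "verify", not "malicious".
"""
import re
from typing import Callable, Dict, List, NamedTuple


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low"
    section: str   # HijackThis section tag, e.g. "O20"
    reason: str
    line: str


ENTRY = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")

# Assumed allowlists (starter set only, extend from a trusted source).
WINLOGON_NOTIFY_KNOWN = {"crypt32.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
RUN_KNOWN_BARE = {"soundman.exe", "point32.exe", "ctfmon.exe"}
# Stems that malware imitates by appending digits or letters (winword32, svchost2, ...).
LOOKALIKE_STEMS = ("winword", "svchost", "explorer", "lsass", "csrss", "winlogon")


def _tail(body: str) -> str:
    """Text after the last ' - ' separator: the file, CLSID target or URL field."""
    return body.rsplit(" - ", 1)[-1].strip() if " - " in body else ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def _check_o2(body: str, line: str) -> List[Finding]:
    if _tail(body) == "(no file)":
        return [Finding("low", "O2", "BHO CLSID registered but its DLL is gone; dangling registration, fix to tidy up", line)]
    if body.startswith("BHO: (no name)"):
        return [Finding("medium", "O2", "unnamed BHO with a DLL on disk; it loads into every IE process, identify it", line)]
    return []


def _check_o4(body: str, line: str) -> List[Finding]:
    m = re.search(r"\] (.*)$", body)
    if not m:
        return []  # Startup-folder .lnk entries use '=' and are not handled here
    cmd = m.group(1).strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    name = _basename(exe)
    stem = name.rsplit(".", 1)[0]
    bare = "\\" not in exe and "/" not in exe
    if bare and any(stem.startswith(s) and stem != s for s in LOOKALIKE_STEMS):
        return [Finding("high", "O4", "autorun with a bare filename imitating a well-known binary; search-path lookup hides where it really lives", line)]
    if bare and name not in RUN_KNOWN_BARE:
        return [Finding("medium", "O4", "autorun with a bare filename resolved via the search path; locate the real file", line)]
    return []


def _check_o16(body: str, line: str) -> List[Finding]:
    if _tail(body) == "":
        return [Finding("low", "O16", "Downloaded Program Files record with no source URL; orphaned ActiveX control, fix to remove", line)]
    return []


def _check_o20(body: str, line: str) -> List[Finding]:
    target = _tail(body)
    if "(file missing)" in target:
        return [Finding("medium", "O20", "orphaned Winlogon Notify key; winlogon.exe keeps trying to load it, remove the key", line)]
    if _basename(target) not in WINLOGON_NOTIFY_KNOWN:
        return [Finding("high", "O20", "Winlogon Notify DLL runs inside winlogon.exe as SYSTEM at every logon and is not a known Windows notify DLL", line)]
    return []


def _check_o21(body: str, line: str) -> List[Finding]:
    if _tail(body) == "(no file)":
        return [Finding("low", "O21", "ShellServiceObjectDelayLoad CLSID with no DLL behind it; fix and re-check that it stays gone", line)]
    return [Finding("medium", "O21", "ShellServiceObjectDelayLoad entry loads into Explorer at logon; verify the DLL", line)]


def _check_o23(body: str, line: str) -> List[Finding]:
    if "(file missing)" in _tail(body):
        return [Finding("low", "O23", "service ImagePath points at a missing binary; orphaned service registration", line)]
    return []


CHECKS: Dict[str, Callable[[str, str], List[Finding]]] = {
    "O2": _check_o2, "O4": _check_o4, "O16": _check_o16,
    "O20": _check_o20, "O21": _check_o21, "O23": _check_o23,
}


def triage(log_text: str) -> List[Finding]:
    """Return findings ordered by severity, keeping log order within a severity."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header and "Running processes" lines carry no section tag
        check = CHECKS.get(m.group("sec"))
        if check:
            findings.extend(check(m.group("body"), line))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f.severity])


# Constructed sample built from the entry types in the logs above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - (no file)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Word] WINWORD32.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108728044261
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

On the sample this puts the two entries Steve actually chased (the Winlogon Notify DLL and WINWORD32.EXE) at the top and lists the "(no file)" leftovers as low-priority cleanup, which matches the order of work in the thread: kill what runs first, tidy dangling registrations afterwards.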
Pman, February 21, 2006:
Cheers Steve, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 22:17:02, on 21/02/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Paul Holness\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Ad-Aware] "C:\PROGRA~1\LAVASOFT\AD-AWA~2\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [speedTouchstInstall] "C:/Documents and Settings/Paul Holness/Desktop/SetupWizard/stInstall.exe"
O4 - Startup: Karoo.lnk = D:\Start.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1876E1-25BE-4089-9173-4933F8F30001}: NameServer = 212.50.160.100 213.249.130.100
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~2\msgrapp.dll" (file missing)
O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - slserv.exe (file missing)
Steve (Author), February 21, 2006:
OK, it is almost clean. This was in your old log:
O21 - SSODL: WebCheck - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
Now this has appeared in the most recent:
O21 - SSODL: ShellFolder for CD Burning - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
As you can see by the long number in brackets, it's the same file, but under a different name. It's related to a toolbar. I dunno what's causing it to come back, but it says (no file) next to it, so you could probably just ignore it.
Get on a file sharing service or torrent and download Sygate Firewall. Once you've got that installed you'll be much more protected. Also, go and do your Windows Updates and install Service Pack 2. I've been using a combination of Kaspersky and Sygate and I've not had a virus, spyware infection or anything bad since installing them.
You might also want to disable System Restore, reboot, then re-enable it again and create a nice fresh restore point in case anything goes pear-shaped in the near future.
Pman, February 21, 2006:
[quoting Steve's post above]
Cheers for everything, I'll sort that out right away.
Steve (Author), February 21, 2006:
No problem, mate. Once you've done all that you can run RegSeeker too and clean out all the leftover crap from the registry.
airnino, February 23, 2006:

Logfile of HijackThis v1.99.0
Scan saved at 14:38:19, on 23.02.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\AVENGINE.EXE
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\apvxdwin.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\SRVLOAD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\DeltTray.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\WebProxy.exe
C:\WINDOWS\Dit.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe
C:\Programme\FRITZ!\IWatch.exe
C:\Programme\DT\Sinus 1054 data\Wifiusb.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MWLaMaS.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PAVJOBS.EXE
C:\Programme\meine programme\sicherheitsprogramme\installers\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programme\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [sCANINICIO] "C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [T-Online_Software_5\WLAN-Access Finder] C:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe /StartMinimized
O4 - HKCU\..\Run: [skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Sinus 1054 data WLAN Manager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108728044261
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A164755-0570-4BF8-A053-4E46784C1B56}: NameServer = 192.168.120.252,192.168.120.253
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: AVM FRITZ!web Routing Service - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Panda Antispam Server Service - Unknown - C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service - Unknown - C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service - Unknown - C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre - Unknown - C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt - Unknown - C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service - Unknown - C:\Programme\Gemeinsame Dateien\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service - Unknown - C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Programme\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe

Any suggestions?
Steve (Author) Posted February 23, 2006

I'll break down each item you can remove and then you can pick which ones to get rid of:

If you want to get rid of the HiDownload toolbar/browser helper object then fix this item:
- O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll

Unnecessary Nero app - not required for Nero to function:
- O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

Updater for RealPlayer. Not required:
- O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot

File that makes Quicktime start a little faster when needed. Not required:
- O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime

Updater for Sun's Java. Not required, and it also doesn't work (as can be seen by the old version you're using):
- O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe

Element of Microsoft Office that runs constantly. Go HERE for instructions on how to disable it, as fixing it just in HijackThis won't work. Not required for the main Office applications to run:
- O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

MSN Messenger. Can be started from a shortcut when required:
- O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

Skype. Can be started from a shortcut when required:
- O4 - HKCU\..\Run: [skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized

Starts the Microsoft Office toolbar. Not required as elements of Office can be started via the Start Menu or shortcuts:
- O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE

You also need to update your installation of Java. Click this link to download the latest version: http://jdl.sun.com/webapps/download/AutoDL?BundleId=10343

Uninstall your current version, reboot, then install this new one. Once you're done, run HijackThis again and fix the following new item that will have appeared:
- O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe

All of the changes will take effect on the next reboot.

I see you're using Panda antivirus. That's responsible for a lot of processes, but it's not a bad program so I'd keep it.
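A small parser for the HijackThis log format being reviewed in this thread, added here as an example; it is not the thread's or HijackThis's own code. The sample lines are constructed from the entry kinds quoted above (with shortened paths), and the three review prompts it raises (unnamed BHO, bare executable name in a Run key, service with an unknown vendor) are the reviewer's own triage heuristics, not verdicts.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail path")  # path: exe/DLL if extractable, else ""

# Constructed sample in HijackThis v1.99 log format, modelled on the entry
# kinds quoted in the thread (a short excerpt, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O23 - Service: Panda Firewall Service - Unknown - C:\Programme\Panda Software\Firewall\PavFires.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
RUN_RE = re.compile(r"HK(?:LM|CU)\\\.\.\\\w+: \[[^\]]*\] (.*)$")  # O4 registry Run keys
STARTUP_RE = re.compile(r"Global Startup: .*? = (.*)$")           # O4 startup folder links
CMD_RE = re.compile(r'"([^"]+)"|(\S+)')  # quoted path, else first token of the command

def extract_path(section, detail):
    if section == "O4":
        m = RUN_RE.match(detail) or STARTUP_RE.match(detail)
        t = CMD_RE.match(m.group(1)) if m else None
        return (t.group(1) or t.group(2)) if t else ""
    if section in ("O2", "O23"):
        return detail.rsplit(" - ", 1)[-1]  # path is the last " - " separated field
    return ""

def parse_hjt(text):
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m.group(1), m.group(2), extract_path(m.group(1), m.group(2)))
            for m in matches if m]

def triage(entries):
    """Entries a reviewer checks first, keyed by reason. These are prompts, not
    verdicts: a bare name or an 'Unknown' vendor is often benign, as in the thread."""
    flags = {"unnamed_bho": [], "bare_name": [], "unknown_vendor": []}
    for e in entries:
        if e.section == "O2" and "(no name)" in e.detail:
            flags["unnamed_bho"].append(e.path)
        elif e.section == "O4" and e.path and "\\" not in e.path:
            flags["bare_name"].append(e.path)  # bare file name, located via PATH search
        elif e.section == "O23" and " - Unknown - " in e.detail:
            flags["unknown_vendor"].append(e.path)
    return flags
```

Feed a whole pasted log to `parse_hjt` and `triage` to get the first set of entries to look up before deciding which ones to fix.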
airnino Posted February 23, 2006

Thanks a lot for the help! So to get rid of an item I just have to tick the box before it in HijackThis and hit "Fix checked", right?
Steve (Author) Posted February 23, 2006

Yep. Also, HijackThis makes backups as long as you're running it from its own folder, so if you make a mistake or you decide you want to restore an item it's easy enough. What you're basically doing is editing the registry but with an easy interface. Any changes you make will take effect when you restart your computer.
airnino Posted February 23, 2006

I got one more question: I just ran RegSeeker, deleted the detected problems and rebooted the PC. I ran RegSeeker again, but it still found 165 problems. Should I ignore that or just run RegSeeker once again?