Help Computer GONe rEALLY SLOW!!!

Insane001 · #1 (**permalink**) 13-03-2006, 03:48 PM

hello my computer has recently started going REALLY REALLY slow,
2.4Ghz Celeron Processor
768MB DDr RAM
128 MB Geforce 4 Ti Graphics card

And im sure thats enough to run some games and programs but nearly all programs and games run VERY slow and the fan is really straining it self here is a hijackthis log anyone's help would be great thanks.

Logfile of HijackThis v1.99.1
Scan saved at 14:43:42, on 13/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.ex e
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obotnpxwjjoldvjupi.net/B_...KESoWWlRw.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.red.clientapps.yahoo.com/c...ww.yahoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.clientapps.yahoo.com/c...ww.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.q-serve.com/signup.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {DB70CDD9-DBA7-0770-C2B4-8A449F25A568} - C:\DOCUME~1\Adil\APPLIC~1\KINDPR~1\THIRDSECT.exe
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\RunServices: [MSN] Msnmrg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.q-serve.com/signup.htm
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com/hornms/MachineID.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EA82A7B-73BE-4E65-B8F8-3E14F44F1441}: NameServer = 194.72.9.38 194.74.65.68
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

VopThis · #2 (**permalink**) 14-03-2006, 02:25 AM

Please reinstate anything disabled by MSCONFIG.

Disable the a2guard component of a-squared for now.

Please download WebRoot SpySweeper from HERE (It's a 14 day trial):
http://www.webroot.com/shoppingcart/...php?bjpc=64011

Click the Free Trial link to download the program.
Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directory as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.

Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
Disable SpySweeper Shields
- Click Shields on the left.
- Click Internet Explorer and uncheck all items.
- Click Windows System and uncheck all items.
- Click Startup Programs and uncheck all items.
Once the definitions are installed and shields disabled, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

Post the SpySweeper session log here along with a fresh HiJackThis log.

Insane001 · #3 (**permalink**) 14-03-2006, 02:12 PM

hello thanks for the speedy reply i enabled everything in my MSCONFIG which when rebooted made my computer run EVEN slower below is a log of the SPY SWEEPER SESSION and a Fresh new hijack this log:

********
11:55: | Start of Session, 14 March 2006 |
11:55: Spy Sweeper started
11:55: Sweep initiated using definitions version 632
11:55: Starting Memory Sweep
12:00: Memory Sweep Complete, Elapsed Time: 00:04:48
12:00: Starting Registry Sweep
12:00: Found Adware: 180search assistant/zango
12:00: HKLM\software\microsoft\windows\currentversion\run \ || saap (ID = 135724)
12:00: Found Adware: whenu savenow
12:00: HKLM\software\microsoft\windows\currentversion\run \ || vvsn (ID = 140442)
12:00: Found Adware: webhancer
12:00: HKLM\software\microsoft\windows\currentversion\run \ || webhancer agent (ID = 146272)
12:00: HKLM\software\microsoft\windows\currentversion\run \ || webhancer survey companion (ID = 146273)
12:00: Found Adware: lopdotcom
12:00: HKU\S-1-5-21-1220945662-1647877149-1801674531-1004\software\microsoft\internet explorer\new windows\allow\ || searchweb2.com (ID = 130288)
12:00: HKU\S-1-5-21-1220945662-1647877149-1801674531-1004\software\microsoft\internet explorer\new windows\allow\ || www.searchweb2.com (ID = 130290)
12:00: Registry Sweep Complete, Elapsed Time:00:00:50
12:00: Starting Cookie Sweep
12:00: Found Spy Cookie: zedo cookie
12:00: adil@c4.zedo[1].txt (ID = 3763)
12:00: adil@zedo[1].txt (ID = 3762)
12:00: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:00: Starting File Sweep
12:01: a0574894.exe (ID = 90)
12:04: a0574895.exe (ID = 121)
12:06: a0574896.exe (ID = 121)
12:06: a0574764.exe (ID = 308)
12:09: a0574893.exe (ID = 308)
12:09: thirdsect.exe (ID = 91)
12:11: a0492972.exe (ID = 308)
12:11: a0573667.exe (ID = 308)
12:11: a0492893.exe (ID = 90)
12:12: a0574901.exe (ID = 308)
12

a0574898.exe (ID = 308)
12

a0492891.exe (ID = 304)
12:22: a0574900.exe (ID = 304)
12:23: a0492892.exe (ID = 121)
12:28: a0492859.exe (ID = 308)
12:28: a0492858.exe (ID = 308)
12:28: a0492861.exe (ID = 308)
12:28: a0492860.exe (ID = 308)
12:28: a0492862.exe (ID = 308)
12:29: a0492894.exe (ID = 91)
12:29: a0492857.exe (ID = 308)
12:30: a0492856.exe (ID = 308)
12:31: a0574897.exe (ID = 121)
12:31: a0574899.exe (ID = 308)
12:31: a0574892.exe (ID = 308)
12:33: Found System Monitor: potentially rootkit-masked files
12:33: 00-va_pain_killer_riddim(smouts_remix_edition)-promo_cds-2004-smo_int.nfo (ID = 0)
12:40: Warning: Unhandled Archive Type
12:47: File Sweep Complete, Elapsed Time: 00:46:03
12:47: Full Sweep has completed. Elapsed time 00:51:45
12:47: Traces Found: 34
13:08: Removal process initiated
13:08: Quarantining All Traces: 180search assistant/zango
13:08: Quarantining All Traces: lopdotcom
13:08: Quarantining All Traces: potentially rootkit-masked files
13:08: potentially rootkit-masked files is in use. It will be removed on reboot.
13:08: 00-va_pain_killer_riddim(smouts_remix_edition)-promo_cds-2004-smo_int.nfo is in use. It will be removed on reboot.
13:08: Quarantining All Traces: webhancer
13:08: Quarantining All Traces: whenu savenow
13:08: Quarantining All Traces: zedo cookie
13:09: Removal process completed. Elapsed time 00:00:31
********
11:46: | Start of Session, 14 March 2006 |
11:46: Spy Sweeper started
11:47: Your spyware definitions have been updated.

HIJACKTHISLOG:

Logfile of HijackThis v1.99.1
Scan saved at 13:11:25, on 14/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\INTRIG~1\pcbodyguard.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Game Accelerator\gamexl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T 1.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe
C:\RamCleaner\RamCleaner.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.ex e
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obotnpxwjjoldvjupi.net/B_...KESoWWlRw.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.red.clientapps.yahoo.com/c...ww.yahoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.clientapps.yahoo.com/c...ww.yahoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.q-serve.com/signup.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {DB70CDD9-DBA7-0770-C2B4-8A449F25A568} - C:\DOCUME~1\Adil\APPLIC~1\KINDPR~1\THIRDSECT.exe (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [yjqnsxyf] C:\WINDOWS\yjqnsxyf.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\STOPzilla.exe /autostart
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SP2 Firewall/Internet Updater] crssrs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [PCBG] C:\PROGRA~1\INTRIG~1\pcbodyguard.exe /start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSN] Msnmrg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [internetatomcurbcdrom] C:\Documents and Settings\All Users\Application Data\64ThunkInternetAtom\Win Bold.exe
O4 - HKLM\..\Run: [GameXL] "C:\Program Files\Game Accelerator\gamexl.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T 1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCleaner_free.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [This Link] C:\DOCUME~1\Adil\APPLIC~1\ONLINE~1\Wipedashpile.ex e
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Smart Protector Pro\SmartProtector-Pro.exe" /stealt
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [RamCleaner] C:\RamCleaner\RamCleaner.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunServices: [MSN] Msnmrg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.q-serve.com/signup.htm
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com/hornms/MachineID.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EA82A7B-73BE-4E65-B8F8-3E14F44F1441}: NameServer = 194.72.9.38 194.74.65.68
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks for any help

VopThis · #4 (**permalink**) 14-03-2006, 03:53 PM

Please disable the following application(s), as it/they may hinder the removal of some entries. Otherwise, certain cleaning attempts may be wrongly recognized and blocked as hijacking attempts or other potentially inappropriate behavior. You can re-enable such tools after your computer is clean.

Disable Spyware Doctor

Click the Spyware Doctor icon in the System Tray.
Click Settings.
Click Startup Settings under Pick a Category.
Uncheck Run at Windows startup.
Click Apply and Exit Spyware Doctor.

Disable A-Squared Guard

Open A-Squared
Click on Configure Background-Guard
Deselect Enable background guard on system startup
Close the window
Close A-Squared
Reboot your machine for the changes to take effect before running HiJackThis.

Read over the following directions. Ask if anything appears unclear to you.

Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat

We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.obotnpxwjjoldvjupi.net/B_...KESoWWlRw.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.red.clientapps.yahoo.com/c...ww.yahoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.clientapps.yahoo.com/c...ww.yahoo.co.uk

O2 - BHO: (no name) - {DB70CDD9-DBA7-0770-C2B4-8A449F25A568} - C:\DOCUME~1\Adil\APPLIC~1\KINDPR~1\THIRDSECT.exe (file missing)

O4 - HKLM\..\Run: [YJQNSXYF] C:\WINDOWS\yjqnsxyf.exe
O4 - HKLM\..\Run: [SPYHUNTER] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

Quote:

SpyHunter - spyware remover of somewhat dubious repute; see note http://www.spywarewarrior.com/rogue_...re.htm#sh_note
http://castlecops.com/startuplist-5284.html

O4 - HKLM\..\Run: [SP2 FIREWALL/INTERNET UPDATER] crssrs.exe
O4 - HKLM\..\Run: [NETPUMPER] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [MSN] Msnmrg.exe
O4 - HKLM\..\Run: [MESSENGERPLUS3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [internetatomcurbcdrom] C:\Documents and Settings\All Users\APPLICation Data\64ThunkInternetAtom\Win Bold.exe
O4 - HKCU\..\Run: [This Link] C:\DOCUME~1\Adil\APPLIC~1\ONLINE~1\Wipedashpile.ex e
O4 - HKCU\..\RunServices: [MSN] Msnmrg.exe

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.

HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).

Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:

Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files

Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FILES:

C:\WINDOWS\yjqnsxyf.exe
crssrs.exe
Msnmrg.exe

DELETE APPLICATION FOLDERS:

Delete (including containing FOLDER):

C:\Documents and Settings\All Users\APPLICation Data\64ThunkInternetAtom\Win Bold.exe
C:\DOCUME~1\Adil\APPLIC~1\ONLINE~1\Wipedashpile.exe

Go to Add/Remove Programs
In Control Panel>Add/Remove Programs look for any CLEARLY related entries for unwanted items listed below (or anything else you need to investigate or did not put in there).

-----> C:\Program Files\Enigma Software Group
-----> C:\Program Files\Enigma Software Group\SpyHunter
-----> C:\Program Files\NetPumper
-----> C:\Program Files\MessengerPlus! 3

UNINSTALLER Alternate SEARCH: Otherwise, advisable to locate and try right-clicking on any of the given SEARCH FOLDER items above and further search (tick include subdirectories) for the following exact text:

UN*.EXE, *UN*.EXE

This may reveal an uninstaller with label terms such as '...uninstall...EXE', ‘unins000’, or 'unwise.EXE'. Double-click that EXE, if one is found, to remove that particular FOLDER and it contents. Thereafter, check to ensure that the folder is completely gone. Otherwise, consider deleting the folder in question.

POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

Insane001 · #5 (**permalink**) 14-03-2006, 04:51 PM

Hi First of all i would just like to say THANK YOU VERY MUCH VOPTHIS for your help, i have done all those things the computer seems to be running more smoother i dont know if all spyware malware has gone yet but here is a fresh new Hijackthis LOG:

Logfile of HijackThis v1.99.1
Scan saved at 15:49:12, on 14/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.ex e
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.q-serve.com/signup.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.q-serve.com/signup.htm
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com/hornms/MachineID.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hope it is all well

VopThis · #6 (**permalink**) 14-03-2006, 05:41 PM

Your HJT log looks clean. Is there any reason why MSCONFIG appears to be running at startup (you had re-enabled everything right)?

You do not appear to have a dedicated real-time anti-virus tool running - such a tool is a MUST have (see below for details).

Suggest that you run the following as a second opinion scan for those type of nasties:

Please do an online scan (scan only tool) with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (if available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.

ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that may have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

Quote:

c:\System Volume Information\_restore….

To Turn OFF System Restore.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
Click Apply.

REBOOT.

To Turn ON System Restore.

Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
Create new System Restore points.

(Windows ME)

Quote:

c:\_RESTORE\TEMP\….

See the following link for instructions:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp
- http://www.securityfocus.com/news/11273
  If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.
Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html
In addition to using Ad-aware, consider using another free malware scanning/removal program :
Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx
Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
*** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
Mozilla Firefox: http://www.mozilla.org/products/firefox/
Consider increasing your browser security by using these programs:
SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
- If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
- IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
  http://www.spywarewarrior.com/uiuc/resource.htm

A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:

Run the HiJackThis tool and select ‘Open the Misc Tools section’.
Next select ‘Open host file manager’ button.
Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.

Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

EXCERPT:

Quote:

#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
.
.
.
#end of lines added by WinHelp2002

*Remember just like your primary anti-virus software, it is important to:
Keep all of these programs up-to-date, and

Use them on a regular basis.

Insane001 · #7 (**permalink**) 14-03-2006, 08:52 PM

i put msconfig back on because too many things startup, is there anyway i can stop them loading without MSConfig?

VopThis · #8 (**permalink**) 14-03-2006, 10:01 PM

Quote:

i put msconfig back on because too many things startup, is there anyway i can stop them loading without MSConfig?

Even I have the odd item disabled in MSCONFIG because it is convenient. Any more than 3 to 5 five items is probably out-of-hand, in my opinion.

You can 'fix' any such startup item in HijackThis. If you don't cleanout the backup, you can reinstate (recover) such an item at any time. If you play around with the application in question, it may be quite simple in some instances to enable/disable loading upon startup. In other instances, there may be no clear method other than to reinstall a loaded feature that seemingly only came with the installation process.