Cant delete virus's

n00b · #1 (**permalink**) 17-08-2007, 10:43 AM

heres an image of what happens when i do a virus scan with AVG. Ive tried sending them to the virus vault but that doesnt do anything.

While im playing a game this message will pop up in image 2. ive tried sending to vault and clicking heal but it just's keeps popping up every 15 minutes or so. and sometimes all my desktop items will have moved to the top of the screen.

here is the hijack thingy, i would appreciate it if somebody helped me fix this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:49 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNo ti

fier.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft

Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Giganology\Gigaget\Gigaget.exe
C:\Program Files\Trend

Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://dellsearchedit.myway.com/samisc/dellsidebar.j

html?p=DA
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682

-BF72-8AB8210D6D75} - C:\Program

Files\MyWaySA\SrchAsDe\deSrcAs.dll
O1 - Hosts: 212.162.52.233 irc.westwood.com
O1 - Hosts: 212.162.52.233 servserv.westwood.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-

C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-

8555-B48C1D87BBAB} - C:\WINDOWS\system32

\gigagetbho_v10.dll
O2 - BHO: MSVPS System - {283A0EE3-2CC1-45AB-8207-

B1D7B69C7F83} - C:\WINDOWS\duocore.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-

8AB8210D6D75} - C:\Program

Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-

206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-

8E15-001234567890} - C:\WINDOWS\System32

\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-

BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-

4C02-4ABF-8ECC-5164760863C6} - C:\Program

Files\Common Files\Microsoft Shared\Windows

Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-

4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-

7D58-4638-B6FA-CE66B5AD205D} - C:\Program

Files\Google\GoogleToolbarNotifier\2.0.301.7164

\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-

009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32

\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32

\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32

\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1]

"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil

/RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32

\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync]

C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32

\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32

\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1

\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program

Files\Common

Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCCCATS] rundll32

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3

\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program

Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program

Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1

\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent]

rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32

\ctfmon.exe
O4 - HKCU\..\Run: [StoreHeck] C:\DOCUME~1

\Elliot\APPLIC~1\thepop\More Grim.exe
O4 - HKCU\..\Run: [swg] C:\Program

Files\Google\GoogleToolbarNotifier\GoogleToolbarNo ti

fier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program

Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1

\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL

SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1

\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK

SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1

\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1

\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default

user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk =

C:\Program Files\Adobe\Acrobat 7.0

\Reader\reader_sl.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk =

C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk =

C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-

AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-

98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-

82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -

{e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-

BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP:

c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP:

xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP:

xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP:

xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP:

xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP:

xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP:

xfire_lsp_9028.dll
O15 - Trusted Zone: http://www.keygen.ms
O15 - Trusted Zone: http://www.strike-team.net
O15 - Trusted Zone: http://*.xwis.net
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}

(GSDACtl Class) -

http://launch.gamespyarcade.com/software/launch/alau

nch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D}

(MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerStatsC

lient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF}

(Solitaire Showdown Class) -

http://messenger.zone.msn.com/binary/SolitaireShowdo

wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0FB9C313-

E004-49DC-93A7-10995B6B0594}: NameServer =

139.134.5.51 139.134.2.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{0FB9C313-

E004-49DC-93A7-10995B6B0594}: NameServer =

139.134.5.51 139.134.2.190
O21 - SSODL: wmpenv - {12310F25-127A-4CB3-8BF6-

55C3CF7031A5} - C:\WINDOWS\wmpenv.dll (file missing)
O21 - SSODL: wmpconf - {DEA97A15-33CE-4E57-99A7-

4EE480E2D020} - C:\WINDOWS\wmpconf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt)

- GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7

\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) -

GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7

\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) -

GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7

\avgemc.exe
O23 - Service: dlcc_device - -

C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner -

C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) -

Google - C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager

(IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32

\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. -

C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) -

Intel(R) Corporation - C:\Program

Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service

(WANMiniportService) - America Online, Inc. -

C:\WINDOWS\wanmpsvc.exe

--
End of file - 9494 bytes

VopThis · #2 (**permalink**) 17-08-2007, 12:58 PM

Please do not use WORDWRAP when using notepad - it makes the logs very difficult to read.

The following tool will not necessary fix any or all of your popup issues but will at least provide potentially valuable diagnostic information:

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish. Please Post the contents of C:\NoLop.log

--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder and then rerun the program.

Read over the following directions. Ask if anything appears unclear to you.

Clean out TEMPORARY FILES procedures:
To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner http://www.ccleaner.com/downloadbuilds.asp

Install Options:

Don't install any Toolbars, or other programs, should it ask you!
Just uncheck the option of installing the Yahoo toolbar.

It will put a shortcut on your Desktop.

Do not run CCleaner until requested later.

We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O2 - BHO: MSVPS System - {283A0EE3-2CC1-45AB-8207-B1D7B69C7F83} - C:\WINDOWS\duocore.dll

O21 - SSODL: wmpenv - {12310F25-127A-4CB3-8BF6-55C3CF7031A5} - C:\WINDOWS\wmpenv.dll (file missing)
O21 - SSODL: wmpconf - {DEA97A15-33CE-4E57-99A7-4EE480E2D020} - C:\WINDOWS\wmpconf.dll

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.

HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).

Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Run CCleaner.

FIRST-TIME USE:
Select the ”Options” BUTTON option (top LEFT), ”Advanced” BUTTON, and then UNCHECK the ”Only delete files in Windows Temp Folders older than 48 hours”. Set back to default afterwards.

Select the ”Cleaner” BUTTON option (top LEFT), if not already selected. Use the ”Windows” TAB up front by default.

Uncheck ”Cookies” option (advisable)
Optionally, Uncheck ”Recently Typed URLs” option (potentially still useful)
Click the ”Analyse” button.
Thereafter, click ”Run Cleaner” after you have reviewed what it proposes to clean.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FILES:

C:\WINDOWS\duocore.dll
C:\WINDOWS\wmpconf.dll

POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

n00b · #3 (**permalink**) 17-08-2007, 01:32 PM

here is the contents of c\nolop.log
NoLop! Log by Skate_Punk_21

Fix running from: C:\TDDownload\Software
[8/17/2007]
[10:09:22 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\A33A202491C1DF00.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\0liv3r\Application Data\Apple Computer
C:\Documents and Settings\0liv3r\Application Data\Avg7
C:\Documents and Settings\0liv3r\Application Data\Gtek
C:\Documents and Settings\0liv3r\Application Data\Identities
C:\Documents and Settings\0liv3r\Application Data\Microsoft
C:\Documents and Settings\0liv3r\Application Data\Sun
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Gtek
C:\Documents and Settings\All Users\Application Data\Installshield
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Sbt
C:\Documents and Settings\All Users\Application Data\Sonic
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Way Pop Hold Safe
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Winzip -- EMPTY Directory
C:\Documents and Settings\Craig\Application Data\Adobe
C:\Documents and Settings\Craig\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Craig\Application Data\Apple Computer
C:\Documents and Settings\Craig\Application Data\Avg7
C:\Documents and Settings\Craig\Application Data\Google
C:\Documents and Settings\Craig\Application Data\Gtek
C:\Documents and Settings\Craig\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Craig\Application Data\Identities
C:\Documents and Settings\Craig\Application Data\Macromedia
C:\Documents and Settings\Craig\Application Data\Mcafee.com Personal Firewall -- EMPTY Directory
C:\Documents and Settings\Craig\Application Data\Microsoft
C:\Documents and Settings\Craig\Application Data\Mozilla
C:\Documents and Settings\Craig\Application Data\Sun
C:\Documents and Settings\Craig\Application Data\Template
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Elliot\Application Data\Adobe
C:\Documents and Settings\Elliot\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Elliot\Application Data\Apple Computer
C:\Documents and Settings\Elliot\Application Data\Avg7
C:\Documents and Settings\Elliot\Application Data\Divx
C:\Documents and Settings\Elliot\Application Data\Google
C:\Documents and Settings\Elliot\Application Data\Gtek
C:\Documents and Settings\Elliot\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Elliot\Application Data\Identities
C:\Documents and Settings\Elliot\Application Data\Leadertech
C:\Documents and Settings\Elliot\Application Data\Macromedia
C:\Documents and Settings\Elliot\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Elliot\Application Data\Microsoft
C:\Documents and Settings\Elliot\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Elliot\Application Data\Mozilla
C:\Documents and Settings\Elliot\Application Data\Msninstaller
C:\Documents and Settings\Elliot\Application Data\Openoffice.org2
C:\Documents and Settings\Elliot\Application Data\Securom
C:\Documents and Settings\Elliot\Application Data\Sonic
C:\Documents and Settings\Elliot\Application Data\Sun
C:\Documents and Settings\Elliot\Application Data\Template
C:\Documents and Settings\Elliot\Application Data\Thepop
C:\Documents and Settings\Elliot\Application Data\Ventrilo
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Margie\Application Data\Adobe
C:\Documents and Settings\Margie\Application Data\Adobeum
C:\Documents and Settings\Margie\Application Data\Apple Computer
C:\Documents and Settings\Margie\Application Data\Avg7
C:\Documents and Settings\Margie\Application Data\Google
C:\Documents and Settings\Margie\Application Data\Gtek
C:\Documents and Settings\Margie\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Margie\Application Data\Identities
C:\Documents and Settings\Margie\Application Data\Macromedia
C:\Documents and Settings\Margie\Application Data\Mcafee
C:\Documents and Settings\Margie\Application Data\Mcafee.com Personal Firewall
C:\Documents and Settings\Margie\Application Data\Microsoft
C:\Documents and Settings\Margie\Application Data\Openoffice.org2
C:\Documents and Settings\Margie\Application Data\Sun
C:\Documents and Settings\Margie\Application Data\Template
C:\Documents and Settings\Networkservice\Application Data\Microsoft

n00b · #4 (**permalink**) 17-08-2007, 02:24 PM

ok done everything u told me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:27 PM, on 8/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://dellsearchedit.myway.com/sami...bar.jhtml?p=DA
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O1 - Hosts: 212.162.52.233 irc.westwood.com
O1 - Hosts: 212.162.52.233 servserv.westwood.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtim e.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [StoreHeck] C:\DOCUME~1\Elliot\APPLIC~1\thepop\More Grim.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9028.dll
O15 - Trusted Zone: http://www.keygen.ms
O15 - Trusted Zone: http://www.strike-team.net
O15 - Trusted Zone: http://*.xwis.net
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9188 bytes

VopThis · #5 (**permalink**) 17-08-2007, 03:27 PM

Quote:

C:\Program Files\Java\j2re1.4.2_03

Your system has an outdated version(s) of Sun Java that could create serious security exposure issues for your PC.

Update your Java.

Older JAVA versions have vulnerabilities that malware can and are using to infect systems.

Please follow these steps to remove older version Java components.

Close any programs you may have running, ESPECIALLY your web browser
Click Start > Control Panel.
Click Add/Remove Programs.
Check any item with Java Runtime Environment (JRE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.

Download the latest version of Java Runtime Environment (JRE) 6.0 Update 2 or higher, and install it to your computer.

New Version should show as (HijackThis log):

C:\Program Files\Java\jre1.6.0_02\… or higher

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O4 - HKCU\..\Run: [StoreHeck] C:\DOCUME~1\Elliot\APPLIC~1\thepop\More Grim.exe

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.

Go into SAFE MODE:

DELETE FOLDERS:

C:\Documents and Settings\Elliot\Application Data\Thepop

POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.