Please read the report.txt, report2.txt, report3.txt(scan it before just incase)! as its wayyyy to long for me to post ... best to just paste it in all one file thank you!!


[EDIT] Think i fixed it! I dont think you going to get any more from me! now got 5 anti ciruses / malware / adware an others installed :O they keep fighting tho!

Glad you got your problem fixed. Welcome to TechSpot!
Cheers :wave: :wave:

Thanks you kitty <3

Hello and welcome to Techspot.

You`re running an outdated version of HJT. The current version is 1.99.1.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.


Regards Howard :wave: :wave:

Edit: I`ve just seen your edited post. Make sure you have the latest version of HJT and post a fresh HJT log. I`ll then check it to make sure your system is clean or not.


This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

It's no clear!! hmm it was on last boot but it seems to have re infected me! grr

Ill get info now

[edit]
Logs removed updated!
LOOK DOWN FOR LOGS!

Your system is riddled with nasties.

Now, go and follow all the instructions in the link I gave you.

Post fresh HJT and AVG Antispyware logs as attachments, only after doing the above.

Regards Howard

This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Please read the report.txt, report2.txt, report3.txt(scan it before just incase)! as its wayyyy to long for me to post ... best to just paste it in all one file thank you!!

I`ve just had a look at your reports from your first post and it doesn`t change a thing. If you wanted to post lots of logs, you should`ve posted an upto date HJT log/AVG Antispyware log and possibly Smitfruad fix/vundofix/look2me destroyer/Virtumundobegone logs, all seperately.

I don`t need nor want to see SS&D logs. I can tell from your AVG log that you haven`t followed the instructions properly, if at all.

You still need to follow all the instructions in the link I gave you.

Once you`ve done that, I`ll be in a better position to help you.

See: The way it works is you ask for help, I give you some instructions to follow. You follow them and I check the logs you post as requested. I then tell you how best to proceed with any further clean up that needs to be done. You then follow those instructions and post the requested log files. If your system still isn`t clean, more instructions will follow until it is.

I have no wish to appear difficult, but It has to be like that, otherwise it just won`t work.

Regards Howard

This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Sorry for late reply

Code:

Logfile of HijackThis v1.99.1
Scan saved at 13:47:44, on 28/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Dit.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\program files\steam\steam.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\xampp\mysql\bin\winmysqladmin.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Macromedia\Fireworks 8\Fireworks.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe
C:\Program Files\Downloads\hijackthis\HijackThis1337.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
R3 - URLSearchHook: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\atknsoik.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll
O2 - BHO: URLDetector Class - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NoAdware4] "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WinMySQLadmin.lnk = C:\Program Files\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006FreeInstall.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddcca - C:\WINDOWS\
O20 - Winlogon Notify: fccccdc - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

AVG AV

Code:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:	12:19:02 28/11/2006

 + Scan result:	



	Nothing found.



::Report end

Somthing tells me thats not good

Ok most of its cleared up but now its just pop ups i can cope but would be nice to be infection free

Download the pocket killbox programme from HERE. Extract it but don`t run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

ipwins
NoAdware4

Close control panel

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ipwins.exe
NoAdware4.exe
ShowWnd.exe

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R3 - URLSearchHook: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)

R3 - URLSearchHook: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\atknsoik.dll

O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)

O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - C:\WINDOWS\system32\wirvufc.dll

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)

O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)

O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)

O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)

O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe

O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

O4 - HKCU\..\Run: [NoAdware4] "C:\Program Files\NoAdware4\NoAdware4.exe" :Min:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2006Free Install.cab

O20 - Winlogon Notify: ddcca - C:\WINDOWS\

O20 - Winlogon Notify: fccccdc - C:\WINDOWS\

O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\NoAdware4<Delete the entire folder.
C:\Program Files\ipwins<Delete the entire folder.

ShowWnd.exe<Search your system for this file and delete all instances found.

Run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and check the delete file on reboot button. press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn`t automatically restart, restart it manually.

These are the filepaths you need to enter into killbox.

C:\WINDOWS\system32\wingsa32.dll
C:\WINDOWS\system32\fccccdc.dll
C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\wirvufc.dll
C:\WINDOWS\system32\atknsoik.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log as an attachment(see HERE) and let me know how your system is running.

Regards Howard

This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Ok i cant find ipwins or ShowWnd in processes or a&r.. i had a quick look tho and in SSD resident and it says this:

Code:

28/11/2006 00:00:18 Denied value "IpWins" (new data: "") deleted in System Startup global entry!
28/11/2006 00:00:35 Denied value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
28/11/2006 00:00:41 Denied value "{74DD705D-6834-439C-A735-A6DBE2677452}" (new data: "") deleted in Global browser toolbar!
28/11/2006 00:00:46 Denied value "Local Page" (new data: "C:\windows\system32\blank.htm") changed in Browser page!
28/11/2006 00:00:56 Allowed value "Default_Page_URL" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome") changed in Browser page!
28/11/2006 00:00:58 Allowed value "boucicault" (new data: "") deleted in Shell services!
28/11/2006 00:01:01 Allowed value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
28/11/2006 00:01:02 Allowed value "{74DD705D-6834-439C-A735-A6DBE2677452}" (new data: "") deleted in Global browser toolbar!
28/11/2006 11:18:13 Allowed value "ITBarLayout" (new data: "") deleted in User-specific browser toolbar!
28/11/2006 11:18:13 Allowed value "{74DD705D-6834-439C-A735-A6DBE2677452}" (new data: "") deleted in Global browser toolbar!
28/11/2006 11:20:20 Allowed value "Default_Page_URL" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome") changed in Browser page!
28/11/2006 11:20:21 Allowed value "boucicault" (new data: "") deleted in Shell services!
28/11/2006 11:46:43 Allowed value "{74DD705D-6834-439C-A735-A6DBE2677452}" (new data: "") deleted in User-specific browser toolbar!
28/11/2006 11:46:46 Allowed value "{46A4E9D9-B30E-452A-8157-DBBEC8573B03}" (new data: "") deleted in Browser Helper Object!
28/11/2006 14:42:23 Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!
28/11/2006 14:48:19 Allowed value "PrevxOne" (new data: "") deleted in System Startup global entry!

I'll continue to do the rest of it.. rbr

[EDIT]

Ok i done all what you said apart from none of these dlls exist:

C:\WINDOWS\system32\wingsa32.dll
C:\WINDOWS\system32\fccccdc.dll
C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\wirvufc.dll
C:\WINDOWS\system32\atknsoik.dll

Code:

# 1 [Files to Delete]
Path = C:\WINDOWS\system32\wingsa32.dll
*This file does not seem to exist
 
# 2 [Files to Delete]
Path = C:\WINDOWS\system32\fccccdc.dll
*This file does not seem to exist
 
# 3 [Files to Delete]
Path = C:\WINDOWS\system32\ddcca.dll
*This file does not seem to exist
 
# 4 [Files to Delete]
Path = C:\WINDOWS\system32\wirvufc.dll
*This file does not seem to exist
 
# 5 [Files to Delete]
Path = C:\WINDOWS\system32\atknsoik.dll
*This file does not seem to exist
 
# 6 [Files to Delete]
Path = C:\WINDOWS\system32\atknsoik.dll
*This file does not seem to exist
 
# 7 [Files to Delete]
Path = C:\WINDOWS\system32\atknsoik.dll
*This file does not seem to exist

It seems to be fixed thanks! But i would like to completly remove f-secure aswell. Then uninstall dosn't uninstall it! A bit of a con! I try to delete the file but it says fslsp.dll is still runing or write protect message. And in the HJT log O10 fslsp.dll missing and i cant remove any of the f-secure processes. how could i do this please thanks.

Ok, before we tackle the F-secure issue, do the following from normal mode.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)

O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)

O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)

O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)

O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)

O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)

O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -

O20 - Winlogon Notify: ddcca - C:\WINDOWS\

O20 - Winlogon Notify: fccccdc - C:\WINDOWS\

O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\

Click on the fix checked button.

Close HJT.

Download and run these three tools in order.

Tool1
Tool2
Tool3

Reboot your system and post a fresh HJT log into a new post.

Regards Howard

This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

hi sorry for the late reply i had a lot of course work finished it all now

soz ill reply as fast as possible

Code:

Logfile of HijackThis v1.99.1
Scan saved at 16:14:00, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Downloads\hijackthis\HijackThis1337.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: WinMySQLadmin.lnk.disabled
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - 
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: ddcca - C:\WINDOWS\
O20 - Winlogon Notify: fccccdc - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

I'm happy as the virus+adware seems to have gone now i just need to get rid off F-secure!!

You have a very stubborn vundo infection.

Download vundofix from HERE.

Double-click VundoFix.exe to run it.

Rightclick in the main window and click add more files.

Enter the filepath you wish to remove and click the add files button, followed by the close window button.

These are the filepaths you need to enter into vundofix.

C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\fccccdc.dll
C:\WINDOWS\system32\igfxcui.dll
C:\WINDOWS\system32\wingsa32.dll

Click the remove vundo button. And let vundofix do it`s stuff.

Post a fresh HJT log after doing the above.

Regards Howard

This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Yes i did run it and it rebooted and everything! still there ? :S


[EDIT]

I done fix and it now shows:

Code:

Logfile of HijackThis v1.99.1
Scan saved at 19:11:23, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Downloads\hijackthis\HijackThis1337.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)
O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)
O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)
O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: WinMySQLadmin.lnk.disabled
O4 - Startup: Xfire.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - 
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

The entries are still there, maybe F-secure is interfering with the fix.

Download LSPFix from http://cexx.org/lspfix.htm
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'fslsp.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

F-Secure

Also, temporarily uninstall AVG Antispyware and Spybot search and destroy.

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

FSGKHS

F-Secure Automatic Update Agent
F-Secure Anti-Virus Firewall Daemon
F-Secure Management Agent

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

fsgk32st.exe
fsaua.exe
fsdfwd.exe
FSMA32.EXE

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - (no file)

O2 - BHO: (no name) - {1010DF3A-9489-4FDC-9C97-4555F8041594} - (no file)

O2 - BHO: (no name) - {11F0EE13-5947-2942-F631-09BEB2706006} - (no file)

O2 - BHO: (no name) - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - (no file)

O2 - BHO: (no name) - {755bbd1a-aa59-456c-afeb-b4c42c4dcb6f} - (no file)

O2 - BHO: (no name) - {BA2E7AEE-9C5B-E9F1-7BE4-C79EF03056C6} - (no file)

O2 - BHO: (no name) - {D19E56EE-ED0A-96FF-7C04-B989115E609A} - (no file)

O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - (no file)

O4 - Startup: WinMySQLadmin.lnk.disabled

O4 - Startup: Xfire.lnk.disabled

O4 - Global Startup: Microsoft Office.lnk.disabled

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -

O20 - Winlogon Notify: ddcca - C:\WINDOWS\

O20 - Winlogon Notify: fccccdc - C:\WINDOWS\

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\

O20 - Winlogon Notify: wingsa32 - C:\WINDOWS\

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\Program Files\F-Secure<Delete the entire folder.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard

This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

Code:

Logfile of HijackThis v1.99.1
Scan saved at 20:42:42, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\xampp\apache\bin\apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Downloads\hijackthis\HijackThis1337.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113244918218
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by112fd.bay112.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Apache2 - Unknown owner - C:\Program Files\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\xampp\mysql\bin\my.cnf" mysql (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Now thats looking good

I didnt uninstall AVG AV because there seems to be no need as it looks (TO ME) to of worked

Is there any way to completly uninstall the f-secure services as there only disabled... i want the gone and dont want anything to do with that program!

Very well done, your HJT log is now clean.

I suggest you install the AVG free Antivirus programme.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard

This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

hehe i didnt uninstall it

Thanks for all your help!!

Theres a small thing though how do i uninstall a service? as i want to get rid of F-secure.

and anywhere i can donate ?

Don`t confuse AVG Antispyware with AVG Antivirus. They`re two completely different programmes. It`s the AVG Antivirus you need to install, because your system has no antivirus programme running.

According to your last HJT log, F-Secure is no longer running on your system.

Thanks for the offer of a donation, but it`s really not necessary. This website is paid for via advertising. the members help out on a voluntary basis.

Regards Howard

This thread is for the use of adammm only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.