TechSpot

Computer suspected to be infected by spyware

By mumbai_pune_guy
Mar 21, 2008
  1. My comp has slowed down a lot.. and I am getting irritating pop ups.
    Also not able to view hidden files and Task Manager. Please help me as I am not having much knowledge about spyware removal.
    Here is a log file of HJT (which I have renamed to Crusty.exe):

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:54:43 AM, on 3/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\windows\system32\wscntfy.exe
    C:\windows\system32\WgaTray.exe
    C:\windows\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\windows\RTHDCPL.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\ntdetec1\shell32.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\ntdetec1\cmrss.exe
    C:\ntdetec1\ntdetec1.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\ntdetec1\run.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {33331111-1111-1111-1111-611111193423} -
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://rajivdisha.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35
    O21 - SSODL: Systemcheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\windows\system32\vbsys2.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

    --
    End of file - 4931 bytes
     
  2. kritius

    kritius TS Guru Posts: 2,084

    Hi mumbai_pune_guy, :wave:

    I need you to follow all the steps HERE and then post back with the three requested logs as attachments:
    • AVG antispyware
    • ComboFix
    • Hijackthis (step 15)

    Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step and to let us know the results of the antirootkit scan.

    Good luck and welcome to techspot.

    This thread is for the use of mumbai_pune_guy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    My net has slowed down so much that I can't download big files... it'll take ages to download AVG... :((((
    Isn't there any alternative?
     
  4. kritius

    kritius TS Guru Posts: 2,084

    No, really, this is your best bet; sometimes the quick fix isn't the best fix. Take your time.
     
  5. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    OK partner!
    I'll try and get some other antivirus software from a friend and install it.
    Will send the 3 requested log files in 2 hrs.
     
  6. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    Hi Dude,

    I have run almost all the steps.
    I have attached the ComboFix, AVG antispyware and HJT logs in the attachment logs.txt
    Let me know if my comp is still infected and exactly what is to be done!

    Thanks in Advance!
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Hi mumbai_pune_guy,

    Download to your Desktop this self-extracting ZIP archive FixPolicies.exe
    • Double-click FixPolicies.exe
    • Click the Install button on the bottom toolbar of the box that will open.
    • The program will create a new Folder called FixPolicies
    • Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
    • A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.
    Create an uninstall list:
    1. Open HijackThis.
    2. Click on the Open the Misc Tools section button.
    3. Look under System tools.
    4. Click on the Open Uninstall Manager... button.
    5. Click on the Save list... button.
    6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
    7. Notepad will open. Please post this log in your next reply.

    Open Hijackthis again and put a check next to the following entries,
    O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\ntdetec1\run.exe
    O16 - DPF: {33331111-1111-1111-1111-611111193423} -
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://rajivdisha.spaces.live.com/Ph...d/MsnPUpld.cab
    O21 - SSODL: Systemcheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\windows\system32\vbsys2.dll (file missing)


    Close all browser windows, including this one, and select Fix checked.

    Reboot into safe mode and show all hidden files and folders.

    Delete the following files and folders,
    C:\ntdetec1 <----------- This folder
    C:\windows\system32\vbsys2.dll<----------- This file

    Reboot into normal mode and rehide your protected files

    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      + Extended (If available, otherwise use standard)
      o Scan Options:
      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)

    • In the Save as... prompt, select Desktop
    • In the File name box, name the file KasScan-ddmmyy (or similar)
    • In the Save as type prompt, select Text file (see below)

    • Include the report in your next post.

    Run Hijackthis and select Do a system scan and save a log file, post that log back here.

    So in your next post you should post back,
    1)HijackThis Uninstall list
    2)Kaspersky report
    3)New Hijackthis scan

    Post them back as separate attachments please


    This thread is for the use of mumbai_pune_guy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    Thanks a lot for the support dude. I executed all the steps except the internet scan, which wasn't running on my system.

    The problem looks to be solved..no more pop ups and am able to access hidden files n task manager..

    "So in your next post you should post back,"
    1)HijackThis Uninstall list- attached

    2)Kaspersky report- Couldn't run this.. tried multiple times.. the process was getting aborted due to my slow internet speed.
    3)New Hijackthis scan-attached

    Delete the following files and folders,
    C:\ntdetec1 <----------- This folder
    C:\windows\system32\vbsys2.dll<----------- This file


    Couldn't find any file by the name vbsys2.dll. Deleted the folder C:\ntdetec1 .

    Is there anything else that needs to be done or is my comp free of the spyware?
     
  9. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    Bad news!!!
    Some pop ups are back :(
     
  10. kritius

    kritius TS Guru Posts: 2,084

    Do you recognise this IP?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5), follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

    Go to add/remove programs and remove
    J2SE Runtime Environment 5.0 Update 3

    Open HijackThis and select do a system scan and save a log file,
    put a check next to the following entries,
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    if you don't know it, this one as well:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35

    Reboot

    Download the ATF cleaner programme and save it to your desktop.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Reboot into normal mode.


    Download Firefox and start to use it, it's a safer browser

    Get a firewall
    firewall

    Are you still subscribed to Norton? If not then use the Norton Removal Tool

    Then get ONE of these
    Avast:
    AVG:
    AntiVir:

    Once installed, Update it, run full system scan with it and allow it to fix up what it wants.
    Reboot if it fixed anything.

    Run Hijackthis and select do a system scan and save a log, post the log

    This thread is for the use of mumbai_pune_guy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    Hi Kritius,

    Thanks for the support.
    The ip addresses are known to me.
    I have followed all the steps.
    Updated java, removed the old version. Ran ATF cleaner programme. Downloaded AVG Antivirus and rebooted my system after the scan (since some files were fixed by AVG).
    Here is the HJT log file.
    Let me know what is to be done next.
     
  12. kritius

    kritius TS Guru Posts: 2,084

    Hi mumbai_pune_guy,

    You still need to get a firewall
    firewall

    The log looks cleaner,

    Please download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please attach that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

    Try that, are the pop ups still coming back?

    In your next post you should have,
    1)One firewall installed
    2)The SmitfraudFix Report.

    This thread is for the use of mumbai_pune_guy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    Hi Kritius,

    I don't want to install a firewall since it will slow down my internet even more.
    I have downloaded SmitfraudFix and run it.
    The log file is attached.
    I haven't encountered pop ups till now.. but will update you in case I encounter any.. is anything left to be done???
    Thanks for the support.
     
  14. kritius

    kritius TS Guru Posts: 2,084

    Please copy this set of instructions or print it out as you will not have internet access during the fix.

    Restart the computer in Safe Mode

    1. When you see the BIOS screen, start pressing F8.
    2. A boot menu will appear shortly.
    3. Using the up down arrows, select Safe Mode and press the Enter key.
    4. Windows will now load.
    5. Log in to your usual account.

    Once in Safe Mode, double-click on SmitfraudFix.exe.

    Press 2 and press Enter to delete infected files.

    You will be prompted: Registry cleaning - Do you want to clean the registry ?; press Y and press Enter in order to start the cleaning process. Your desktop will be gone for a while during cleaning.

    The tool will now check if wininet.dll is infected. You will be prompted to replace the infected file (if found); press Y and press Enter.

    The tool will restart your computer to finish the cleaning process; if it doesn't, please restart manually into Normal Mode.

    A text file will appear onscreen, with results from the cleaning process; please copy and paste the contents of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Note to users: Running option 2 on a clean machine will remove your desktop background.
     
  15. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    Hi Kritius,

    First some good news :)))
    "Note to users: Running option 2 on a clean machine will remove your desktop background."---My desktop background was removed :))

    Here is the Smitfraudfix report:

    SmitFraudFix v2.307

    Scan done at 9:55:36.21, Sun 03/23/2008
    Run from D:\AVG Antivirus n Antispyware\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\config.sy_ Deleted
    C:\windows\Tasks\At?.job Deleted
    C:\windows\Tasks\At??.job Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  16. kritius

    kritius TS Guru Posts: 2,084

    It did get rid of some stuff though, any more problems?

    Run HJT and post a log for me to see.
     
  17. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    No problems as of yet :)
    Heres the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:39:23 PM, on 3/23/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\windows\RTHDCPL.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\windows\system32\wscntfy.exe
    C:\windows\system32\WgaTray.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

    --
    End of file - 6076 bytes



    Need another piece of help.. is there any way we can undo the Windows Genuine software notification? It's not allowing me to download the updates for Windows.
     
  18. kritius

    kritius TS Guru Posts: 2,084

    HJT log looks clean enough,

    Remove Combofix

    Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.


    Delete the three tools from step 10 by dragging them to the recycle bin, and then emptying it.

    How to keep yourself safe on the internet.

    Is your copy of windows genuine? What error messages are you getting?
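As an added example (not code from this thread, from TechSpot or from HijackThis itself), here is a small Python triage script for HijackThis logs of the kind posted above. It parses the log into running processes and R/F/N/O entries, applies a few of the rule-of-thumb checks kritius applied by eye in post 7 and post 10 (the Policies\Explorer\Run autostart, the O16 DPF entries with no source, the O21 SSODL entry, the O17 NameServer line, and programs running from a folder straight under the drive root), and diffs a before and after log the way post 18 judges the cleanup. The two embedded logs are constructed excerpts of the logs in posts 1 and 17; the heuristics and the list of "known" top-level folders are assumptions of this example, not HijackThis's own logic, and a hit only means "look at this by hand".

```python
import re
from dataclasses import dataclass

# Constructed sample data: excerpts of the two HijackThis logs posted in this
# thread (post 1, before the cleanup; post 17, after it), trimmed to the lines
# that matter for the comparison. Real logs are longer; the parser handles them.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\windows\System32\smss.exe
C:\ntdetec1\cmrss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\ntdetec1\run.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35
O21 - SSODL: Systemcheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\windows\system32\vbsys2.dll
"""

LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\windows\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35
"""


@dataclass(frozen=True)
class Entry:
    section: str  # HijackThis section code such as "O4" or "O17"
    body: str     # everything after "O4 - "
    raw: str      # the full line as it appeared in the log


ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
TOP_DIR_RE = re.compile(r"^[A-Za-z]:\\([^\\]+)\\")
TARGET_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|cmd|bat|scr))', re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumed list of folders directly under the drive root where programs normally
# live on Windows XP. Anything else at that depth (C:\ntdetec1\...) gets flagged.
KNOWN_TOP_DIRS = {"windows", "winnt", "program files", "progra~1",
                  "documents and settings", "docume~1"}


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and R/F/N/O entries."""
    processes, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2), line))
        elif PROC_RE.match(line):
            processes.append(line)
    return processes, entries


def top_dir_is_unusual(path):
    m = TOP_DIR_RE.match(path)
    return bool(m) and m.group(1).lower() not in KNOWN_TOP_DIRS


def extract_target(body):
    """Pull the executable path out of an O4 autostart entry, quoted or not."""
    m = TARGET_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None


def flag_entries(processes, entries):
    """Apply rule-of-thumb checks; each finding is (log line, reason)."""
    findings = []
    for proc in processes:
        if top_dir_is_unusual(proc):
            findings.append((proc, "process running from a non-standard folder directly under the drive root"))
    for e in entries:
        if e.section == "O4":
            if "policies\\explorer\\run" in e.body.lower():
                findings.append((e.raw, "autostart via Policies\\Explorer\\Run, a key legitimate installers rarely use"))
            target = extract_target(e.body)
            if target and top_dir_is_unusual(target):
                findings.append((e.raw, "autostart target lives in a non-standard folder directly under the drive root"))
        elif e.section == "O16" and e.body.rstrip().endswith("-"):
            findings.append((e.raw, "Downloaded Program File (ActiveX) with no source URL or description"))
        elif e.section == "O2" and "(no file)" in e.body:
            findings.append((e.raw, "BHO whose DLL no longer exists: orphaned CLSID, safe to remove"))
        elif e.section == "O21":
            findings.append((e.raw, "SSODL shell-load entry, rarely used by legitimate software: review by hand"))
        elif e.section == "O17":
            ips = ", ".join(IP_RE.findall(e.body))
            findings.append((e.raw, "DNS servers set to %s: confirm they are your ISP's resolvers" % ips))
    return findings


def diff_logs(before_text, after_text):
    """Entries removed by the cleanup and entries that appeared afterwards."""
    before = {e.raw for e in parse_hjt(before_text)[1]}
    after = {e.raw for e in parse_hjt(after_text)[1]}
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    for line, reason in flag_entries(*parse_hjt(LOG_BEFORE)):
        print("FLAG:", line, "\n      ", reason)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\n%d entries gone after cleanup, %d new" % (len(removed), len(added)))
```

Run stand-alone, the script flags the C:\ntdetec1 process and autostart, the three suspect entries kritius ticked, and the O17 resolvers for confirmation; the diff then shows those entries gone from the later log and only the new Java BHO added. On a real log, the unflagged remainder still needs a human read, since an R0 start-page hijack or an unfamiliar O23 service gets no rule here.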
     
  19. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    Nope, my Windows copy is not genuine.
    I get the message that I am a victim of software counterfeiting.
    I am not able to download Windows updates.
     
  20. kritius

    kritius TS Guru Posts: 2,084

    If your copy of Windows is not genuine then I'm not going to help you any more.
     
  21. mumbai_pune_guy

    mumbai_pune_guy TS Rookie Topic Starter Posts: 16

    Hey Kritius,

    I fought with my comp dealer and got him to install a genuine copy of Windows on my machine.
    :)

    Thanks a lot for the support
     
Topic Status:
Not open for further replies.
