Computer suspected to be infected by spyware

[mumbai_pune_guy]

My comp has slowed down a lot.. and i am getting irritating pop ups.
Also not able to view hidden files and task manager. Please help me as I am not having much knowledge abt spyware removal.
Here is a log file of HJT (which i have renamed to Crusty.exe):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:43 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\WgaTray.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\windows\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\ntdetec1\shell32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\ntdetec1\cmrss.exe
C:\ntdetec1\ntdetec1.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\ntdetec1\run.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://rajivdisha.spaces.live.com/PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35
O21 - SSODL: Systemcheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\windows\system32\vbsys2.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

--
End of file - 4931 bytes

 

[kritius]

Hi mumbai_pune_guy, :wave:

I need you to follow all the steps HERE and then post back with the three requested logs as attachments

• AVG antispyware
• ComboFix
• Hijackthis (step 15)

Dont forget to make sure that AVG is set to quarantine the results, that HJT is the last step and to let us know the results of the antirootkit scan.

Good luck and welcome to techspot.

This thread is for the use of mumbai_pune_guy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[mumbai_pune_guy]

My net has slowed down soo much that i cant download big files...it ll take ages to download AVG...(((
Isnt there any alternative?

 

[kritius]

No really this is your best bet, sometimes the quick fix isnt the best fix. Take your time.

 

[mumbai_pune_guy]

ok partner!
i ll try n get some other antivirus software from a friend n install it.
Will send the 3 requested log files in 2 hrs.

 

[mumbai_pune_guy]

Hi Dude,

I have run almost all the steps.
I have attached the Combofix, AVG antisoyware and HJT logs in the attachment logs.txt
Let me know if my comp is still infected and exactly what is to be done!

Thanks in Advance!

 

[kritius]

Hi mumbai_pune_guy,

Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

• Double-click FixPolicies.exe
• Click the Install button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies
• Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
• A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.

Create an unistall list,

1. Open HijackThis.
2. Click on the Open the Misc Tools section button.
3. Look under System tools.
4. Click on the Open Uninstall Manager... button.
5. Click on the Save list... button.
6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
7. Notepad will open. Please post this log in your next reply.

Open Hijackthis again and put a check next to the following entries,
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\ntdetec1\run.exe
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://rajivdisha.spaces.live.com/Ph...d/MsnPUpld.cab
O21 - SSODL: Systemcheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\windows\system32\vbsys2.dll (file missing)

Close all browser windows, including this one and select fix checked.

Reboot into safe mode and show all hidden files and folders.

Delete the following files and folders,
C:\ntdetec1 <----------- This folder
C:\windows\system32\vbsys2.dll<----------- This file

Reboot into normal mode and rehide your protected files

#) Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.

• The program will launch and then start to download the latest definition files.
• Once the scanner is installed and the definitions downloaded, click Next.
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
  o Scan using the following Anti-Virus database:
  + Extended (If available, otherwise use standard)
  o Scan Options:
  + Scan Archives
  + Scan Mail Bases
• Click OK
• Under select a target to scan, select My Computer
• The scan will take a while so be patient and let it run.
• Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
• Click the Save Report As... button (see red arrow below)
  
  
  
  
  
• In the Save as... prompt, select Desktop
• In the File name box, name the file KasScan-ddmmyy (or similar)
• In the Save as type prompt, select Text file (see below)
  
  
  
  
  
• Include the report in your next post.

Run Hijackthis and select Do a system scan and save a log file, post that log back here.

So in your next post you should post back,
1)HijackThis Uninstall list
2)Kaspersky report
3)New Hijackthis scan

Post them back as seperate attachments please


This thread is for the use of mumbai_pune_guy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[mumbai_pune_guy]

Thanks a lot for the support dude. I executed all the steps except the internet scan which wasnt running on my system.

The problem looks to be solved..no more pop ups and am able to access hidden files n task manager..

"So in your next post you should post back,"
1)HijackThis Uninstall list- attached
2)Kaspersky report- Cudnt run this..tried multiple times..the process was getting aborted due to my slow internet speed.
3)New Hijackthis scan-attached

Delete the following files and folders,
C:\ntdetec1 <----------- This folder
C:\windows\system32\vbsys2.dll<----------- This file

Couldnt find any file by the name vbsys2.dll. Deleted the folder C:\ntdetec1 .

Is there anything else that needs to be done or is my comp free of the spyware?

 

[mumbai_pune_guy]

Bad news!!!
Some pop ups are back

 

[kritius]

Do you recognise this IP?
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35

Update your Java Runtime Environment

• First try going to Start -> Control Panel -> double click Java
• Select the Update TAb at the top
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
• After it installs the newest version Go back to Control Panel -> Add/remove programs
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.

• Click the following link
  Java Runtime Environment 6 Update 5
• The 4th option down is the one you want (click Download)
• Check the box to agree to terms of service
• Check the box for your operating system and click 'Download selected'at the bottom
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

Go to add/remove programs and remove
J2SE Runtime Environment 5.0 Update 3

Open HijackThis and select do a system scan and save a log file,
put a check next to the following entries,
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
if you dont know it this one as well,
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35

Reboot

Download the ATF cleaner programme and save it to your desktop.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

Double-click ATF-Cleaner.exe to run the program.

• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Reboot into normal mode.


Download FireFox and start to use it, its a safer browser

Get a firewall
firewall

• Zone Alarm
• Comodo

Are you still subscribed to Norton? If not then use the Norton Removal Tool

Then get ONE of these
Avast:
AVG:
AntiVir:

Once installed, Update it, run full system scan with it and allow it to fix up what it wants.
Reboot if it fixed anything.

Run Hijackthis and select do a system scan and save a log, post the log

This thread is for the use of mumbai_pune_guy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[mumbai_pune_guy]

Hi Kritius,

Thanks for the support.
The ip addresses are known to me.
I have followed all the steps.
Updated java, removed the old version. Ran ATF cleaner programme. Downloaded AVG Antivirus and rebooted my system after the scan (since some files were fixed by AVG).
Here is the HJT log file.
Let me know what is to be done next.

 

[kritius]

Hi mumbai_pune_guy,

You still need to get a firewall
firewall

• Zone Alarm
• Comodo

The log looks cleaner,

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please attach that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Try that, are the pop ups still coming back?

In your next post you should have,
1)One firewall installed
2)The SmitfraudFix Report.

This thread is for the use of mumbai_pune_guy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[mumbai_pune_guy]

Hi Kritius,

I dont want to install a firewall since it will slow down my internet even more.
I have dwnloaded smitfraudfix n run it.
The log file is attached.
I havent encountered pop ups till now..but will update u in case i encounter any.. is anything left to be done???
Thanks for the support.

 

[kritius]

Please copy this set of instructions or print it out as you will not have internet access during the fix.

Restart the computer in Safe Mode

1. When you see the BIOS screen, start pressing F8.
2. A boot menu will appear shortly.
3. Using the up down arrows, select Safe Mode and press the Enter key.
4. Windows will now load.
5. Log in to your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe.

Press 2 and press Enter to delete infected files.

You will be prompted: Registry cleaning - Do you want to clean the registry ?; press Y and press Enter in order to start cleaning the cleaning process. Your desktop will be gone for a while cleaning.

The tool will now check if wininet.dll is infected. You will be prompted to replace the infected file (if found); press Y and press Enter.

The tool will restart your computer to finish the cleaning process; if it doesn't, please restart manually into Normal Mode.

A text file will appear onscreen, with results from the cleaning process; please copy and paste the contents of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt

Note to users: Running option 2 on a clean machine will remove your desktop background.

 

[mumbai_pune_guy]

Hi Kritius,

FIrst some good news ))
"Note to users: Running option 2 on a clean machine will remove your desktop background."---My desktop background was removed )

Here is the Smitfraudfix report:

SmitFraudFix v2.307

Scan done at 9:55:36.21, Sun 03/23/2008
Run from D:\AVG Antivirus n Antispyware\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\config.sy_ Deleted
C:\windows\Tasks\At?.job Deleted
C:\windows\Tasks\At??.job Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

 

[kritius]

It did get rid of some stuff though, any more problems?

Run HJT and post a log for me to see.

 

[mumbai_pune_guy]

No problems as of yet
Heres the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:23 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\windows\RTHDCPL.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\WgaTray.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Crusty.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F5EB82E-A1B4-4261-A4E7-421CECA6517A}: NameServer = 203.187.217.203 203.187.215.35
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

--
End of file - 6076 bytes



Need another piece of help ..is there anyway we can undo the Windows Genuine software notification. Its not allowing me to download the updates for windows.

 

[kritius]

HJT log looks clean enough,

Remove Combofix

Click on Start > Run. Copy and paste in ComboFix /u and click OK. An image is below for reference.

Delete the three tools from step 10 by dragging them to the recycle bin, and then emptying it.

How to keep yourself safe on the internet.

Is your copy of windows genuine? What error messages are you getting?

 

[mumbai_pune_guy]

Nopes, My windows copy is not genuine.
I get the message that I am a victime of software counterfieting.
I am not able to download windows updates.

 

[kritius]

if your copy of windows is not genuine then im not going to help you any more then.

 

[mumbai_pune_guy]

Hey Kritius,

I fought with my comp dealer and got him to install a genuine copy of Windows on my machine.


Thanks a lot for the support