
Got a virus, need urgent help!


103 replies to this topic

#1 The Alpha Gamer
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 12:48 PM

Last night I got some notifications from Avast saying it found some virus, found AV Care on my desktop and got a notification saying my firewall had been turned off. I turned my firewall back on, removed AV Care from add/remove programs and did a quick scan with Spybot S&D, I didn't let it do a full search because it overheats my laptop but it found 3 malware entries in the registry. I removed them with Spybot S&D. I just did a full scan with spybot and it found the same 3 malware entries that it removed last night. Win32.agent.pz.

Can someone help me get rid of it please! D=

#2 coldemone
Sleeping Winmatrixian, Member, 2,029 posts

Posted 23 September 2009 - 01:20 PM

Spybot S&D has limited protection against common, unchanging viruses; it's like a vaccine. But those viruses that change affinities (like how AIDS is largely incurable) can't be.

Oh, try using DOS to delete the folder of AV Care or its application data found in Documents and Settings.

#3 Munkypoo7
Proud WinMatrix Member, Member, 1,015 posts

Posted 23 September 2009 - 01:39 PM

Use MalwareBytes, not Spybot <_<

#4 The Alpha Gamer
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 01:57 PM

I can't find any AV Care folders. I just did a scan with Avast and it found malware in startup, so I did a boot scan and it didn't find anything; then when Windows started my firewall was turned off again. I did another scan and Avast found the same thing it deleted last time. Should MalwareBytes fully remove it?

#5 The Alpha Gamer
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 03:32 PM

OK, I ran Malwarebytes and it found malware, some of which it said I needed to restart my computer for it to get rid of. I did that and my computer froze; I turned it off and back on and it froze again. I turned it off and left it a few minutes, then turned it back on again, and I've managed to get online obviously, but I dunno if there are still viruses on here. What do I do now?

#6 AMIRZ
Loyal Member and Friend, Member, 2,033 posts

Posted 23 September 2009 - 04:16 PM

Just found this on google: :ph34r:
http://www.2-spyware...ove-avcare.html

Manual removal:

Open TaskManager

Kill processes:

AVCare.exe
PP.exe
Uninstall.exe

Open Regedit:

Delete registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\AV Care
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AV Care
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV Care"

(just go to folder options to show hidden files/folders and also protected system files)

Delete files:

avc.ico
AVCare.dat
AVCare.exe
AVCare.ini
PP.exe
Uninstall.exe
AV Care.lnk

Delete directories with all the contents:
c:\Program Files\AV Care
%UserProfile%\Start Menu\Programs\AV Care

Also, to make sure: go to Folder Options to show hidden files/folders and also protected system files, then search for any file whose name is related to "AVCare" and/or "AV Care" in all directories/drives (especially the main drive C:, where Windows is installed). Open regedit and search for and remove any registry entries whose names are related to "AVCare" and/or "AV Care".

#7 The Alpha Gamer
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 04:21 PM

> Open TaskManager
>
> Kill processes:
>
> AVCare.exe
> PP.exe
> Uninstall.exe

I haven't even got those processes.

And is AV Care related to Win32.agent.pz then?

#8 AMIRZ
Loyal Member and Friend, Member, 2,033 posts

Posted 23 September 2009 - 04:29 PM

^ Mmmm, possible, as you said that it was AV Care before you also found Win32.agent.pz :blink: (I meant it seems it's just a variant of Win32.agent)

Edited by AMIRZ, 23 September 2009 - 04:47 PM.


#9 poolsharkzz
XP - 'till the world blows up!, Member, 403 posts

Posted 23 September 2009 - 05:04 PM

Wow! If I were in your shoes, I would do the following:

Scan my brains out with the latest versions (fully updated) following programs:

AVG Free 8.5
Spyware Terminator
SUPERAntiSpyware
Hijack This!

Then, once you feel that you are completely clean of any infection or nasty, I would do the following:

1.) Download to either an external hard drive, free e-mail account (Yahoo or Gmail), USB Pen Drive, or burn to a CD or DVD everything you would want to save off that computer, including: photos, pictures, images, docs, music, favorites, bookmarks, etc.

* I personally use the Iomega 250 GB USB 2.0 Prestige Portable External Hard Drive.

2.) After you have unplugged everything, open up the case to your Tower and spend a little time with a vacuum and oh so very gently clean all the crap you will find there.

I would also spend some time looking at the fan blades and side vents and make sure they are not loaded up and clogged with crap, dust bunnies, spider webs, and gunk.

* You can use a damp rag but remember - be gentle!

3.) How much Memory does your rig have? I would use this as a guide:

XP Home or Professional -

You should have a minimum of 1 Gig RAM - I ride with 2 Gigs

Vista (all versions) -

You should have a minimum of 2 Gigs - I would ride with 4 Gigs

Before unplugging and tearing apart your rig, I would go to www.crucial.com and download the Crucial System Scanner Tool and the Crucial Memory Advisor Tool -

These tools will show you exactly what you currently have on your system now and what you need in terms of upgrading the RAM on your system - this way you will have no more crashes when running Spybot!

Then, I would call the OEM of your system (Dell, HP, Acer, etc.) and confirm your findings from Crucial and while you have them on the phone you can get a second quote on pricing - they should both be in the same ball park.

When upgrading your RAM, it's all about maxing-out the MHz and the MB...

The more - the merrier - RAM is very, very cheap these days!

4.) Okay, after installing your new RAM upgrade and putting your Tower back together - It's time to reformat your Operating System. F8 is your new best friend!

5.) Then, spend some time at this Forum and the many, many others online and learn "the tricks of the trade" and how to go about customizing, tweaking, tuning up, and slimming down your system...

6.) That is, after you run Windows Update about 50 times!

7.) Finally, I would spend some serious time learning about Security and your system - there are just too many solid and free kick-ass programs out there to take care of this as well as harden your system so that this doesn't happen again.

Research, Research, Research!

In fact - Spend the time and learn everything you can about your system!

Once I understood the basics, I have never (knock on wood) received a major infection or nasty - just the occasional tracking cookie - which are very easy to deal with.

This will get you going in the right direction.

Good Luck!

poolsharkzz

Edited by poolsharkzz, 23 September 2009 - 05:16 PM.


#10 poolsharkzz
XP - 'till the world blows up!, Member, 403 posts

Posted 23 September 2009 - 05:28 PM

Edit to my last post:

I gave you directions if you had a Tower - I see now you have a laptop:

http://www.computerh...es/ch000780.htm

I just googled: "cleaning my laptop" and "upgrading RAM for my Laptop"

FYI -

poolsharkzz

Edited by poolsharkzz, 23 September 2009 - 05:30 PM.


#11 CommonSense
Super WinMatrixian, Member, 2,620 posts

Posted 23 September 2009 - 07:32 PM

I'm sorry poolsharkzz but how does that help The Alpha Gamer? He has a virus, not a dust bunny.

The Alpha Gamer, I suppose this is your Hijack This Log. Would be nice to have that posted. Anyway, I'm looking through it, and what is?:
[Bin ante] C:\DOCUME~1\RJ\APPLIC~1\GLOBAL~1\more eggs.exe
Maybe I'm just being stupid, but that looks weird, what developer would name their EXE that. Unless that is something you know about.

Also, according to About.com's HJT article, O17 is dedicated to lop.com hijackers. I don't know if you should worry or not, but you have an entry for that.
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6BF7724-1577-4EEA-B1FF-557F46FB7E22}: NameServer = 217.171.135.1 217.171.132.1

Those are the only suspicious entries in that log you posted.

#12 The Alpha Gamer
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 07:36 PM

> I'm sorry poolsharkzz but how does that help The Alpha Gamer? He has a virus, not a dust bunny.
>
> The Alpha Gamer, I suppose this is your Hijack This Log. Would be nice to have that posted. Anyway, I'm looking through it, and what is?:
>
> [Bin ante] C:\DOCUME~1\RJ\APPLIC~1\GLOBAL~1\more eggs.exe
> Maybe I'm just being stupid, but that looks weird, what developer would name their EXE that. Unless that is something you know about.
>
> Also, according to About.com's HJT article, O17 is dedicated to lop.com hijackers. I don't know if you should worry or not, but you have an entry for that.
> O17 - HKLM\System\CCS\Services\Tcpip\..\{C6BF7724-1577-4EEA-B1FF-557F46FB7E22}: NameServer = 217.171.135.1 217.171.132.1
>
> Those are the only suspicious entries in that log you posted.

I have no idea what either of those are =/

#13 CommonSense
Super WinMatrixian, Member, 2,620 posts

Posted 23 September 2009 - 07:47 PM

EDIT: After looking around for "more eggs.exe" on Google. I came across a list of processes that are related to adware. And 6 of the entries have "eggs" in the name of the process. So just delete that; either delete it in Safe Mode or just normally. Then restart and scan again with Malwarebytes, HJT, and any other security programs you have installed.

Just some of my thoughts before research:
Go to C:\Documents and Settings\RJ\Application Data\

Then there should be something with Global in the folder name. That just looks really suspicious. You could delete it, I suppose, since I doubt any major program has any links to another EXE named "more eggs". It's up to you. See if there is a developer signature in the properties of that file.

Uhm, as for the O17, just leave it. It does not direct your internet connection to any malicious site. If the NameServer = ao.lop.com then that's a problem. That would just be your DNS connections, so that's not a problem.

I'm narrowing it down to "more eggs.exe" so unless you can find out that it does not harm your computer, I would delete it.

Edited by CommonSense, 23 September 2009 - 08:05 PM.


#14 hab
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 08:08 PM

I also randomly found AV Care on my desktop one day - not even sure how it got there - and I was just watching some videos of Family Guy.

#15 CommonSense
Super WinMatrixian, Member, 2,620 posts

Posted 23 September 2009 - 08:14 PM

> I also randomly found AV Care on my desktop one day - not even sure how it got there - and I was just watching some videos of Family Guy.

They just show up. Even just looking for videos can infect your computer. There may be a script on the website that opens up the user's computer to more vulnerabilities and then programs like AV Care will just appear. That's how I got infected with some malware that redirected my Google links and didn't allow my antivirus to update, among other things.

I was cleaning my friend's computer last year and I have never seen so much spyware, adware, trojans, etc on a machine! I had maybe 2 hours with it and was able to remove about half of it. It's just so interesting to try and solve these puzzles. :D

#16 The Alpha Gamer
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 08:37 PM

> Just some of my thoughts before research:
> Go to C:\Documents and Settings\RJ\Application Data\
>
> Then there should be something with Global in the folder name. That just looks really suspicious.

"Global free junk" but it's empty

#17 CommonSense
Super WinMatrixian, Member, 2,620 posts

Posted 23 September 2009 - 08:48 PM

> > Just some of my thoughts before research:
> > Go to C:\Documents and Settings\RJ\Application Data\
> >
> > Then there should be something with Global in the folder name. That just looks really suspicious.
>
> "Global free junk" but it's empty

Have you run another HJT scan since you posted it on the other forum? If not, please do, and post here. Or just see if that file is still listed in the log. If it is, delete the folder even if it's empty. Have you run another Malwarebytes or Spybot scan? So you can see where Win32.agent.pz is getting picked up.

#18 The Alpha Gamer
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 08:58 PM

Just deleted it; I didn't know if you wanted it gone from my recycle bin too, though, so it's still there. Here's a fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:53:56 PM, on 23/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\slmdmsr.exe
C:\WINDOWS\system32\svchost.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\drivers\STDSB.exe
C:\WINDOWS\system32\drivers\Icon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\PixArt\PAC207\Monitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\RJ\My Documents\Programs\Taskbar shuffle\taskbarshuffle.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\STK02N\STK02NM.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Documents and Settings\Sally\Desktop\Desktop stuffs\Gmail Notifier\gnotify.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\RJ\Desktop\Desktop stuff\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\system32\drivers\STDSB.exe
O4 - HKLM\..\Run: [Icon] C:\WINDOWS\system32\drivers\Icon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Documents and Settings\RJ\My Documents\Programs\Taskbar shuffle\taskbarshuffle.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\RJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Bin ante] C:\DOCUME~1\RJ\APPLIC~1\GLOBAL~1\more eggs.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: gnotify.lnk = C:\Documents and Settings\Sally\Desktop\Desktop stuffs\Gmail Notifier\gnotify.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: STK02N 2.2 PNP Monitor.lnk = ?
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com/
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.li...?v=13,0,1609,00
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.image...hackToolbar.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6BF7724-1577-4EEA-B1FF-557F46FB7E22}: NameServer = 194.168.4.100 194.168.8.100
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe

--
End of file - 12708 bytes



And no, I haven't done any more scans. I'm a bit scared to do another one with Malwarebytes since it kept freezing my laptop, and Spybot makes my laptop overheat and it's already getting a bit warm.

#19 CommonSense
Super WinMatrixian, Member, 2,620 posts

Posted 23 September 2009 - 09:10 PM

He's still there.
O4 - HKCU\..\Run: [Bin ante] C:\DOCUME~1\RJ\APPLIC~1\GLOBAL~1\more eggs.exe
Open up the Run command (WinKey + R) and type msconfig. Go to the Startup tab and see if that program is listed. If it is, delete it (or disable it). Have you tried Ad-Aware?
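The log-reading advice in posts #11, #13 and #19 (look at the O4 Run entries, especially one launched from the user's Application Data folder, and compare the O17 NameServer line against what you expect) and the AV Care indicators listed in post #6 can be turned into a small triage script that applies the same checks to every line of a HijackThis log instead of eyeballing one entry at a time. The Python below is an added example written for this thread; it is not part of HijackThis, Malwarebytes or any other tool the posts mention. The sample lines are constructed from the log format shown above, the AV Care executable path under Program Files is assumed from post #6, and EXPECTED_RESOLVERS is assumed to be the two addresses that appear in the fresh log (the real values should be confirmed with the ISP). A flagged line is something to review, as CommonSense does in the thread, not an automatic verdict.

```python
"""Triage helper for HijackThis (HJT) log lines.

Flags O4 autorun entries that launch from a user's roaming 'Application
Data' folder or that match the AV Care indicators from the thread, and
O17 NameServer entries that are not on an operator-supplied list of
expected DNS resolvers.  Added example for this thread, not HJT's own code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators taken from the manual-removal post (#6): the Run value name and
# the main executable.  PP.exe / Uninstall.exe are too generic to match on.
ROGUE_RUN_NAMES = {"av care"}
ROGUE_EXE_NAMES = {"avcare.exe"}

# ASSUMPTION: the two resolvers in the fresh log are the ISP's; confirm them.
EXPECTED_RESOLVERS = {"194.168.4.100", "194.168.8.100"}

# Constructed sample modelled on the log lines in the thread.  The AV Care
# path is assumed from post #6; the rest mirror entries shown in the posts.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\RJ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Bin ante] C:\DOCUME~1\RJ\APPLIC~1\GLOBAL~1\more eggs.exe
O4 - HKCU\..\Run: [AV Care] C:\Program Files\AV Care\AVCare.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6BF7724-1577-4EEA-B1FF-557F46FB7E22}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6BF7724-1577-4EEA-B1FF-557F46FB7E22}: NameServer = 217.171.135.1 217.171.132.1
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>"  (Run keys only; the
# "O4 - Startup:" / "Global Startup:" shortcut lines are deliberately skipped)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O17 - <Tcpip key>: NameServer = <ip> [<ip> ...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<ips>.+)$")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def command_path(cmd: str) -> str:
    """Return the executable path from an O4 command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.exe)(?:\s|$)", cmd)  # unquoted: up to the first .exe
    return m.group(1) if m else cmd


def in_roaming_appdata(path: str) -> bool:
    """True when the path passes through the roaming 'Application Data' folder
    (long or 8.3 form) that is not nested under 'Local Settings'."""
    segs = path.split("\\")
    for i, seg in enumerate(segs):
        if seg.lower() in ("application data", "applic~1"):
            parent = segs[i - 1].lower() if i > 0 else ""
            if parent not in ("local settings", "locals~1"):
                return True
    return False


def triage_o4(line: str) -> list[Finding]:
    """Check one O4 Run entry against the AV Care indicators and the location heuristic."""
    m = O4_RE.match(line)
    if not m:
        return []
    name = m.group("name")
    path = command_path(m.group("cmd"))
    exe = path.rsplit("\\", 1)[-1].lower()
    findings = []
    if name.lower() in ROGUE_RUN_NAMES or exe in ROGUE_EXE_NAMES:
        findings.append(Finding(line, "matches AV Care indicator"))
    if in_roaming_appdata(path):
        findings.append(Finding(line, "autorun launches from roaming Application Data"))
    return findings


def triage_o17(line: str, expected_resolvers: set[str]) -> list[Finding]:
    """Report any NameServer address that is not on the expected list."""
    m = O17_RE.match(line)
    if not m:
        return []
    unexpected = [ip for ip in m.group("ips").split() if ip not in expected_resolvers]
    if not unexpected:
        return []
    return [Finding(line, "NameServer not in expected set: " + " ".join(unexpected))]


def triage_log(text: str, expected_resolvers: set[str]) -> list[Finding]:
    """Run both checks over every line of an HJT log, in log order."""
    out: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        out.extend(triage_o4(line))
        out.extend(triage_o17(line, expected_resolvers))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{f.reason}\n    {f.line}")
```

On the constructed sample the script reports three lines: the "Bin ante" entry (launched from APPLIC~1 under the user profile, while the Google Update entry under Local Settings\Application Data is left alone), the assumed "AV Care" Run value, and the O17 line whose resolvers are not on the expected list. To use it on a real log, paste the log into SAMPLE_LOG or read it from a file and set EXPECTED_RESOLVERS to the resolvers the ISP actually hands out.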

#20 The Alpha Gamer
Active WinMatrixian, Member, 996 posts

Posted 23 September 2009 - 09:21 PM

Yeah, it's there. How do I disable it?
