Author Topic: something is eating my computer  (Read 5932 times)
ineedhelp
« on: December 18, 2004, 03:56:44 PM »

Hi,

It seems I've acquired a virus that I cannot get rid of. The most obvious presence of the virus is two system processes, WinCtlAD.exe and WinCtlAdAlt.exe, that I cannot delete from my Windows Task Manager. I also cannot delete their folder.

Things that I have done to get rid of them:

Run AVGFree Virus Scanner v7.0 - detects no virus now

Searched these forums for information, but the previous posts do not seem to apply, as either some of the programs are missing or I cannot do certain tasks, i.e. delete the above programs

Here is the log file

Logfile of HijackThis v1.99.0
Scan saved at 10:17:36 AM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spss_lmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\SahAgent.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\PRISMIQ\MediaManager\winvod.exe
C:\Program Files\PRISMIQ\MediaManager\prismiq_xcode.exe
C:\Program Files\PRISMIQ\MediaManager\JRE\1.4.1\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Documents and Settings\Head\Local Settings\Temporary Internet Files\Content.IE5\G7QRO3MV\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O1 - Hosts: 66.172.72.150 www.worlds*x.com
O1 - Hosts: 66.172.72.150 worlds*x.com
O1 - Hosts: 66.172.72.150 www.0190-dialer.com
O1 - Hosts: 66.172.72.150 0190-dialer.com
O1 - Hosts: 66.172.72.150 www.mtreexxx.net
O1 - Hosts: 66.172.72.150 mtreexxx.net
O1 - Hosts: 66.172.72.150 network.nocreditcard.com
O1 - Hosts: 66.172.72.150 www.online-dialer.com
O1 - Hosts: 66.172.72.150 www.s*x-explorer.com
O1 - Hosts: 66.172.72.150 s*x-explorer.com
O1 - Hosts: 66.172.72.150 www.al4a.com
O1 - Hosts: 66.172.72.150 al4a.com
O1 - Hosts: 66.172.72.150 www.thumbnail-post.com
O1 - Hosts: 66.172.72.150 thumbnail-post.com
O1 - Hosts: 66.172.72.150 www.madthumbs.com
O1 - Hosts: 66.172.72.150 madthumbs.com
O1 - Hosts: 66.172.72.150 www.thumbzilla.com
O1 - Hosts: 66.172.72.150 thumbzilla.com
O1 - Hosts: 66.172.72.150 www.s*xocean.com
O1 - Hosts: 66.172.72.150 s*xocean.com
O1 - Hosts: 66.172.72.150 www.sublimedirectory.com
O1 - Hosts: 66.172.72.150 sublimedirectory.com
O1 - Hosts: 66.172.72.150 www.exitforcash.com
O1 - Hosts: 66.172.72.150 exitforcash.com
O1 - Hosts: 66.172.72.150 exit.xitcash.com
O1 - Hosts: 66.172.72.150 top.darkcollection.com
O1 - Hosts: 66.172.72.150 www.cybernymphets.com
O1 - Hosts: 66.172.72.150 smutserver.com
O1 - Hosts: 66.172.72.150 www.smutserver.com
O1 - Hosts: 66.172.72.150 www2.smutserver.com
O1 - Hosts: 66.172.72.150 www3.smutserver.com
O1 - Hosts: 66.172.72.150 www4.smutserver.com
O1 - Hosts: 66.172.72.150 www5.smutserver.com
O1 - Hosts: 66.172.72.150 www6.smutserver.com
O1 - Hosts: 66.172.72.150 www7.smutserver.com
O1 - Hosts: 66.172.72.150 www8.smutserver.com
O1 - Hosts: 66.172.72.150 www9.smutserver.com
O1 - Hosts: 66.172.72.150 www10.smutserver.com
O1 - Hosts: 66.172.72.150 www11.smutserver.com
O1 - Hosts: 66.172.72.150 www12.smutserver.com
O1 - Hosts: 66.172.72.150 www13.smutserver.com
O1 - Hosts: 66.172.72.150 www14.smutserver.com
O1 - Hosts: 66.172.72.150 www15.smutserver.com
O1 - Hosts: 66.172.72.150 www16.smutserver.com
O1 - Hosts: 66.172.72.150 www17.smutserver.com
O1 - Hosts: 66.172.72.150 www18.smutserver.com
O1 - Hosts: 66.172.72.150 www19.smutserver.com
O1 - Hosts: 66.172.72.150 www20.smutserver.com
O1 - Hosts: 66.172.72.150 www21.smutserver.com
O1 - Hosts: 66.172.72.150 www22.smutserver.com
O1 - Hosts: 66.172.72.150 www23.smutserver.com
O1 - Hosts: 66.172.72.150 www24.smutserver.com
O1 - Hosts: 66.172.72.150 www25.smutserver.com
O1 - Hosts: 66.172.72.150 www.kinghost.com
O1 - Hosts: 66.172.72.150 www2.kinghost.com
O1 - Hosts: 66.172.72.150 www3.kinghost.com
O1 - Hosts: 66.172.72.150 www4.kinghost.com
O1 - Hosts: 66.172.72.150 www5.kinghost.com
O1 - Hosts: 66.172.72.150 www6.kinghost.com
O1 - Hosts: 66.172.72.150 www7.kinghost.com
O1 - Hosts: 66.172.72.150 www8.kinghost.com
O1 - Hosts: 66.172.72.150 www9.kinghost.com
O1 - Hosts: 66.172.72.150 www10.kinghost.com
O1 - Hosts: 66.172.72.150 www11.kinghost.com
O1 - Hosts: 66.172.72.150 www12.kinghost.com
O1 - Hosts: 66.172.72.150 www13.kinghost.com
O1 - Hosts: 66.172.72.150 www.89.com
O1 - Hosts: 66.172.72.150 89.com
O1 - Hosts: 66.172.72.150 www.sleazydream.com
O1 - Hosts: 66.172.72.150 sleazydream.com
O1 - Hosts: 66.172.72.150 www.s*x.com
O1 - Hosts: 66.172.72.150 s*x.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WHVLXD] C:\WINDOWS\WHVLXD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\system32\SahAgent.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [xwd] C:\WINDOWS\xwd.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [msmsgs] c:\windows\system32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PRISMIQ MediaManager Launcher.lnk = C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c11.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {473EB4B9-6641-4FE4-9A0D-AB0EFAE34FA8} (ELSReg Class) - http://mobile.mdconsult.com/installer/ELSProxy.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0591a4108a5c97940816/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spss License Manager - Unknown - C:\WINDOWS\System32\spss_lmd.exe
O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

Could someone please help me get control of my computer again?

Cactus
Security & Virus Specialist
Global Moderator
« Reply #1 on: December 18, 2004, 04:02:47 PM »

Hi ineedhelp ...

I noticed you downloaded HJT to a TEMP folder. Always download to a folder OTHER than Temp/Temporary Internet Folders.

EG---- Open MyDocuments----Right click an empty spot and select NEW---Folder----Name the new folder HJT ---this is where you will want to save HijackThis to; also, backups will be stored there.
Download a fresh copy from here:
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
or here:
http://aumha.org/downloads/hijackthis.exe

Cactus
**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
Cactus
« Reply #2 on: December 18, 2004, 04:28:42 PM »

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

SahAgent.exe
bargains.exe
WinCtlAdAlt.exe
WinCtlAd.exe
WHVLXD.exe
fast.exe
wupdater.exe
WebRebates0.exe
salm.exe
xwd.exe
zeta.exe

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O1 - Hosts: 66.172.72.150 www.worlds*x.com
O1 - Hosts: 66.172.72.150 worlds*x.com
O1 - Hosts: 66.172.72.150 www.0190-dialer.com
O1 - Hosts: 66.172.72.150 0190-dialer.com
O1 - Hosts: 66.172.72.150 www.mtreexxx.net
O1 - Hosts: 66.172.72.150 mtreexxx.net
O1 - Hosts: 66.172.72.150 network.nocreditcard.com
O1 - Hosts: 66.172.72.150 www.online-dialer.com
O1 - Hosts: 66.172.72.150 www.s*x-explorer.com
O1 - Hosts: 66.172.72.150 s*x-explorer.com
O1 - Hosts: 66.172.72.150 www.al4a.com
O1 - Hosts: 66.172.72.150 al4a.com
O1 - Hosts: 66.172.72.150 www.thumbnail-post.com
O1 - Hosts: 66.172.72.150 thumbnail-post.com
O1 - Hosts: 66.172.72.150 www.madthumbs.com
O1 - Hosts: 66.172.72.150 madthumbs.com
O1 - Hosts: 66.172.72.150 www.thumbzilla.com
O1 - Hosts: 66.172.72.150 thumbzilla.com
O1 - Hosts: 66.172.72.150 www.s*xocean.com
O1 - Hosts: 66.172.72.150 s*xocean.com
O1 - Hosts: 66.172.72.150 www.sublimedirectory.com
O1 - Hosts: 66.172.72.150 sublimedirectory.com
O1 - Hosts: 66.172.72.150 www.exitforcash.com
O1 - Hosts: 66.172.72.150 exitforcash.com
O1 - Hosts: 66.172.72.150 exit.xitcash.com
O1 - Hosts: 66.172.72.150 top.darkcollection.com
O1 - Hosts: 66.172.72.150 www.cybernymphets.com
O1 - Hosts: 66.172.72.150 smutserver.com
O1 - Hosts: 66.172.72.150 www.smutserver.com
O1 - Hosts: 66.172.72.150 www2.smutserver.com
O1 - Hosts: 66.172.72.150 www3.smutserver.com
O1 - Hosts: 66.172.72.150 www4.smutserver.com
O1 - Hosts: 66.172.72.150 www5.smutserver.com
O1 - Hosts: 66.172.72.150 www6.smutserver.com
O1 - Hosts: 66.172.72.150 www7.smutserver.com
O1 - Hosts: 66.172.72.150 www8.smutserver.com
O1 - Hosts: 66.172.72.150 www9.smutserver.com
O1 - Hosts: 66.172.72.150 www10.smutserver.com
O1 - Hosts: 66.172.72.150 www11.smutserver.com
O1 - Hosts: 66.172.72.150 www12.smutserver.com
O1 - Hosts: 66.172.72.150 www13.smutserver.com
O1 - Hosts: 66.172.72.150 www14.smutserver.com
O1 - Hosts: 66.172.72.150 www15.smutserver.com
O1 - Hosts: 66.172.72.150 www16.smutserver.com
O1 - Hosts: 66.172.72.150 www17.smutserver.com
O1 - Hosts: 66.172.72.150 www18.smutserver.com
O1 - Hosts: 66.172.72.150 www19.smutserver.com
O1 - Hosts: 66.172.72.150 www20.smutserver.com
O1 - Hosts: 66.172.72.150 www21.smutserver.com
O1 - Hosts: 66.172.72.150 www22.smutserver.com
O1 - Hosts: 66.172.72.150 www23.smutserver.com
O1 - Hosts: 66.172.72.150 www24.smutserver.com
O1 - Hosts: 66.172.72.150 www25.smutserver.com
O1 - Hosts: 66.172.72.150 www.kinghost.com
O1 - Hosts: 66.172.72.150 www2.kinghost.com
O1 - Hosts: 66.172.72.150 www3.kinghost.com
O1 - Hosts: 66.172.72.150 www4.kinghost.com
O1 - Hosts: 66.172.72.150 www5.kinghost.com
O1 - Hosts: 66.172.72.150 www6.kinghost.com
O1 - Hosts: 66.172.72.150 www7.kinghost.com
O1 - Hosts: 66.172.72.150 www8.kinghost.com
O1 - Hosts: 66.172.72.150 www9.kinghost.com
O1 - Hosts: 66.172.72.150 www10.kinghost.com
O1 - Hosts: 66.172.72.150 www11.kinghost.com
O1 - Hosts: 66.172.72.150 www12.kinghost.com
O1 - Hosts: 66.172.72.150 www13.kinghost.com
O1 - Hosts: 66.172.72.150 www.89.com
O1 - Hosts: 66.172.72.150 89.com
O1 - Hosts: 66.172.72.150 www.sleazydream.com
O1 - Hosts: 66.172.72.150 sleazydream.com
O1 - Hosts: 66.172.72.150 www.s*x.com
O1 - Hosts: 66.172.72.150 s*x.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll

O4 - HKLM\..\Run: [WHVLXD] C:\WINDOWS\WHVLXD.exe

O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe


O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\system32\SahAgent.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [xwd] C:\WINDOWS\xwd.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c11.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0591a4108a5c97940816/netzip/RdxIE601.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB

O23 - Service: WLTRYSVC - Unknown - C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe



Go to Control Panel / Add/Remove Programs and remove the following if they are there:



BullsEye Network
Windows ControlAd
updater
SAHAgent
Web_Rebates



Now delete these Folders or Files that are Highlighted: (You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\system32\SahAgent.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\WINDOWS\system32\msbe.dll
C:\WINDOWS\WHVLXD.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\xwd.exe
C:\WINDOWS\zeta.exe



Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

In XP, here are some locations of Temp files:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore. Before opening your browser, go to START > CONTROL PANEL > INTERNET OPTIONS and make sure your Homepage is correct; if not, type the URL you would like in the HomePage box.

Now re-run HJT and post a new logfile back here.


Cactus
ineedhelp
« Reply #3 on: December 18, 2004, 04:54:12 PM »

Thank you so much for your quick replies. So far I've done the following:

DL and ran licensed version of Spyware Doctor
Ran Hijack this and deleted the suggested files.

Unfortunately, I cannot seem to remove WinCtlAD.exe and WinCtlADAlt.exe from my task manager. They seem to reload instantaneously.

Here is my new log info:

Logfile of HijackThis v1.99.0
Scan saved at 11:51:43 AM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spss_lmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\PRISMIQ\MediaManager\winvod.exe
C:\Program Files\PRISMIQ\MediaManager\prismiq_xcode.exe
C:\Program Files\PRISMIQ\MediaManager\JRE\1.4.1\bin\javaw.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe
C:\Documents and Settings\Head\My Documents\Zips\HiJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [msmsgs] c:\windows\system32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PRISMIQ MediaManager Launcher.lnk = C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {473EB4B9-6641-4FE4-9A0D-AB0EFAE34FA8} (ELSReg Class) - http://mobile.mdconsult.com/installer/ELSProxy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0591a4108a5c97940816/netzip/RdxIE601.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Spss License Manager - Unknown - C:\WINDOWS\System32\spss_lmd.exe


Could you please advise again?

Cactus
« Reply #4 on: December 18, 2004, 05:14:47 PM »

Well, your log looks way better now...
Let's get the rest..

Make sure you still have Windows set to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

*** ALL WINDOWS MUST BE CLOSED INCLUDING THIS ONE ***

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

WinCtlAdAlt.exe
WinCtlAd.exe
spss_lmd.exe

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

O16 - DPF: {473EB4B9-6641-4FE4-9A0D-AB0EFAE34FA8} (ELSReg Class) - http://mobile.mdconsult.com/installer/ELSProxy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0591a4108a5c97940816/netzip/RdxIE601.cab

O23 - Service: Spss License Manager - Unknown - C:\WINDOWS\System32\spss_lmd.exe



The next are optional, but recommended for removal. They are resource hogs and not needed on startup; removing them does not disable the program:


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



Go to Control Panel / Add/Remove Programs and remove the following if they are there:


Windows ControlAd

Now delete these Folders or Files that are Highlighted: (You may need to enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\WINDOWS\System32\spss_lmd.exe


Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.

In XP, here are some locations of Temp files:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore. Before opening your browser, go to START > CONTROL PANEL > INTERNET OPTIONS and make sure your Homepage is correct; if not, type the URL you would like in the HomePage box.

Now re-run HJT and post a new logfile back here.

Cactus
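
Added example, not part of the original thread or of HijackThis itself: a small Python check that compares a follow-up HijackThis log against the list of entries a helper asked to have fixed, and separates entries that are gone from entries that came back, noting when the executable an entry points to is still in the running-process list. The function names (`parse_log`, `target_path`, `review_fix`) are hypothetical, and the three inputs are short excerpts of the first log, the Reply #2 fix list and the Reply #3 log from this thread.

```python
import re

# Excerpts from this thread, trimmed to a few lines each.
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\SahAgent.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\system32\SahAgent.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\system32\SahAgent.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

AFTER = r"""
Running processes:
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe
C:\Program Files\Windows ControlAd\WinCtlAd.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.queensu.ca:8080
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
"""

# A log entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# First drive-letter path ending in .exe/.dll inside an entry's detail text.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)


def parse_log(text):
    """Return (running process paths, entries) for one HijackThis log."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False          # the process list ends at the first entry
            entries.add((match.group(1), match.group(2)))
        elif in_processes:
            processes.add(line.lower())   # Windows paths are case-insensitive
    return processes, entries


def target_path(detail):
    """Lower-cased file path an entry points to, or None (e.g. R1 settings)."""
    match = PATH_RE.search(detail)
    return match.group(0).lower() if match else None


def review_fix(before, fix_list, after):
    """Classify every requested fix by what the follow-up log shows."""
    _, had = parse_log(before)
    _, wanted = parse_log(fix_list)
    running, left = parse_log(after)
    result = {"removed": [], "persisting": [], "persisting_and_running": []}
    for entry in sorted(wanted & had):
        if entry not in left:
            result["removed"].append(entry)
        elif target_path(entry[1]) in running:
            result["persisting_and_running"].append(entry)
        else:
            result["persisting"].append(entry)
    return result


if __name__ == "__main__":
    for status, items in review_fix(BEFORE, FIX_LIST, AFTER).items():
        for code, detail in items:
            print(f"{status:24} {code} - {detail}")
```

An entry in the `persisting_and_running` bucket is the case this thread runs into with Windows ControlAd: the Run entry is back in the next log while its executable is still in the process list, which is why the cleanup ends up being done from Safe Mode.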
ineedhelp
« Reply #5 on: December 18, 2004, 05:30:08 PM »

Hi!

Thanks once again for all the help. I can't seem to get by the one step where I need to delete WinCtlAd.exe and WinCtlAdAlt.exe in my task manager. All the steps before that are fine. I did close all the windows and every other program I could find before trying to stop them. The biggest problem is that they keep reappearing immediately. There appear to be several other suspicious files that keep showing up, i.e.:

winlogon
wuauclt

The rest of the files in the TM are as such:

akg
apntEx
Apoint
avgamsvr
avgcc
avgupsvc
BAsfIpM
carpserv
csrss
Directcd
DLG
DSentry
explorer
fxssvc
HOTSYNC
hpotdd01
iexplorer
lsass
nvsvc32
PSFree
realsched
rundll32
scardsvr
services
smss
sploolsv
svchost
swdoctor
system
system idle process
taskmgr
taskswitch
wdfmgr

Thank you for any advice you may have.

Cactus
« Reply #6 on: December 18, 2004, 05:50:30 PM »

Reboot into SAFE MODE and DELETE the files and folders for WinAdCtrls.

Once you do that...rerun HJT and post another Logfile


Cactus

ineedhelp
« Reply #7 on: December 18, 2004, 06:29:30 PM »

YES!

Those programs are all gone! Frisky little buggers they were. I hope this looks clean now. I've added on a few more spyware/ antivirus/ adware/ popupblockers to protect my computer in the future. It just seems that there's no way to really avoid this though ;). Thank you once again for all your help. Here is my latest log file:

Logfile of HijackThis v1.99.0
Scan saved at 1:26:29 PM, on 12/18/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\PRISMIQ\MediaManager\winvod.exe
C:\Program Files\PRISMIQ\MediaManager\prismiq_xcode.exe
C:\Program Files\PRISMIQ\MediaManager\JRE\1.4.1\bin\javaw.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Head\My Documents\Zips\HiJackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [msmsgs] c:\windows\system32\msmsgs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: PRISMIQ MediaManager Launcher.lnk = C:\Program Files\PRISMIQ\MediaManager\mctrl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershelp.com/help/content/how/home_network/getfqdn.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Hmmmmm wauclt.exe seems to still be there. Is this a necessary program?

Thank you.

Cactus
« Reply #8 on: December 18, 2004, 06:39:12 PM »

Your logfile looks good... :D

Nice job ineedhelp..

 
quote:
Hmmmmm wauclt.exe seems to still be there. Is this a necessary program?


wauclt.exe

Wuauclt.exe is a process managing automatic updates for Windows. This process continuously checks for the latest updates by going online. This process should not be removed if you want to get informed about new updates.

Happy Holidays!!

Cactus  

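One way to automate the review of a follow-up log, as an added Python sketch that is not part of the thread or of HijackThis: it re-reads the "Running processes" section for the two files listed for deletion, and goes a step beyond the thread by flagging core Windows process names that run from an unexpected folder or are near-misspellings of one (the "wauclt.exe" versus wuauclt.exe question above). The sample log is constructed, and the expected folders assume a default C:\WINDOWS install.

```python
import difflib
import ntpath

# Constructed sample in the layout of the HijackThis log above. The Temp\svchost.exe
# and wauclt.exe lines are made up to illustrate the checks; they are not from the thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Temp\svchost.exe
C:\WINDOWS\system32\wauclt.exe
C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
"""

# The two files the helper asked to have deleted earlier in the thread.
REMOVAL_TARGETS = [r"C:\Program Files\Windows ControlAd\WinCtlAdAlt.exe",
                   r"C:\WINDOWS\System32\spss_lmd.exe"]
# Assumption: Windows lives in C:\WINDOWS, as it does in the posted log.
SYS32 = r"c:\windows\system32"
EXPECTED = {n: SYS32 for n in ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                               "lsass.exe", "svchost.exe", "spoolsv.exe", "wuauclt.exe")}
EXPECTED["explorer.exe"] = r"c:\windows"

def running_processes(log_text):
    # Paths listed under "Running processes:", up to the first blank line.
    _, _, body = log_text.replace("\r\n", "\n").partition("Running processes:\n")
    return [ln.strip() for ln in body.split("\n\n", 1)[0].splitlines() if ln.strip()]

def review(paths, removal_targets=REMOVAL_TARGETS):
    # Flag leftover removal targets, misplaced system names and look-alike names.
    targets = {t.lower() for t in removal_targets}
    findings = []
    for path in paths:
        low = path.lower()
        name, folder = ntpath.basename(low), ntpath.dirname(low)
        if low in targets:
            findings.append((path, "removal target still running"))
        elif name in EXPECTED and folder != EXPECTED[name]:
            findings.append((path, "system process name in unexpected folder"))
        elif name not in EXPECTED and difflib.get_close_matches(name, list(EXPECTED), n=1, cutoff=0.85):
            findings.append((path, "name resembles a system process"))
    return findings

if __name__ == "__main__":
    for path, reason in review(running_processes(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

Short 8.3 paths such as C:\PROGRA~1\... are compared as written, so a removal target logged in that form needs to be listed in that form too.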