niallmcl

Need Help!

From the RootkitRevealer log (which shows some legitimate items as well, so not all are bad), this entry:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll 10/07/2006 19:26 60.00 KB Visible in Windows API, but not in MFT or directory index.

 

The presence of that file indicates that what you downloaded on July 10th was a backdoor trojan with a rootkit which gives it stealth capability to hide from you. This trojan has the capability of doing much damage to a computer, some of which is hidden and can't be seen or corrected. This trojan is much more than Adaware is designed to handle, in fact most AVs cannot handle rootkits correctly or repair the damage done. You should probably consider a reformat/reinstall on this system, as it may not be trustworthy at this point.

 

Here is the trojan involved (or one similar to it). Many of the Torpig trojan variants install keyloggers, password stealers, and other really nasty activity in addition to the damage done to a PC.

 

http://www.sophos.com/virusinfo/analyses/trojtorpigai.html

Troj/Torpig-AI is a Trojan for the Windows platform.

 

Troj/Torpig-AI includes functionality to

 

- capture keystrokes

- steal email login information

- steal information from protected storage areas

- access the internet and communicate with a remote server via HTTP.

 

When Troj/Torpig-AI is installed the following files are created:

 

<Common Files>\Microsoft Shared\Web Folders\ibm00001.dll

<Common Files>\Microsoft Shared\Web Folders\ibm00001.exe

<Common Files>\Microsoft Shared\Web Folders\ibm00002.dll

 

These files are also detected as Troj/Torpig-AI.

 

The following registry entry is created to run ibm00001.exe on startup:

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Shell

<Common Files>\Microsoft Shared\Web Folders\ibm00001.exe

 

The following registry entry is changed to run ibm00001.exe on startup:

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Shell

explorer.exe <spaces> "<Common Files>\Microsoft Shared\Web Folders\ibm00001.exe"

 

(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

 

The following registry entries are also set:

 

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control\

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control\

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\

 

There are 4 pages of possible variants in the database provided at Sophos; you could have had any one of them.

http://www.sophos.com/security/analyses/se...p;x=60&y=12

........................

If a reformat/reinstall isn't possible for you, I think the free trial evaluation version of this tool is one place to start:

http://www.greatis.com/unhackme/download.htm

 

Also the Microsoft Malicious Software Removal tool might be worth a try.

http://www.microsoft.com/security/malwareremove/default.mspx

 

Save any reports from those to post back here if you are not going to follow the recommendation to reformat/reinstall your operating system.

 

And if you do, I suspect many of the programs you downloaded are infected. I would not recommend saving those infected files, lest you infect yourself again as you did here in this instance.

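An added example, not part of the original thread or of the Sophos write-up: a Python check for the Winlogon `Shell` change, the `Run` entry and the three file names listed in the quoted Troj/Torpig-AI description. Registry values are passed in as strings; the function names are hypothetical, and the sample values are constructed from that description with `<Common Files>` taken to be `C:\Program Files\Common Files`.

```python
import re

# File names and directory from the quoted Troj/Torpig-AI description.
IOC_DIR = "\\microsoft shared\\web folders\\"
IOC_NAMES = {"ibm00001.dll", "ibm00001.exe", "ibm00002.dll"}

# First program in a command line or log line: quoted, or up to .exe/.dll.
_PROGRAM = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|dll))(?=[\s,]|$))', re.I)
# The default Winlogon Shell value is the bare name, optionally quoted.
# A full path in front of explorer.exe is reported for review, not accepted.
_EXPLORER = re.compile(r'^\s*"?explorer\.exe"?', re.I)


def program_of(text):
    """Return the program path at the start of text, lower-cased."""
    m = _PROGRAM.match(text)
    path = (m.group(1) or m.group(2)) if m else text
    return path.strip().lower()


def is_ioc_path(text):
    """True if text starts with one of the listed files in Web Folders."""
    head, _, name = program_of(text).rpartition("\\")
    return name in IOC_NAMES and (head + "\\").endswith(IOC_DIR)


def audit_winlogon_shell(value):
    """Findings for the Winlogon Shell value (default: Explorer.exe)."""
    m = _EXPLORER.match(value)
    if not m:
        return [("SHELL_REPLACED", value)]
    # Anything after explorer.exe is a second program started at logon.
    extra = value[m.end():].strip(" \t,")
    if not extra:
        return []
    findings = [("SHELL_EXTRA", extra)]
    if is_ioc_path(extra):
        findings.append(("IOC_FILE", program_of(extra)))
    return findings


def audit_run_key(values):
    """Findings for a Run key given as {value name: command line}."""
    return [("IOC_FILE", name) for name, cmd in sorted(values.items())
            if is_ioc_path(cmd)]


# Constructed sample values, built from the description quoted in the post.
BASE = "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\"
SAMPLE_SHELL = 'explorer.exe    "' + BASE + 'ibm00001.exe"'
SAMPLE_RUN = {
    "MsnMsgr": '"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe" /background',
    "Shell": BASE + "ibm00001.exe",
}
SAMPLE_LOG_LINE = BASE + "ibm00002.dll 10/07/2006 19:26 60.00 KB"

if __name__ == "__main__":
    print(audit_winlogon_shell("Explorer.exe"))
    print(audit_winlogon_shell(SAMPLE_SHELL))
    print(audit_run_key(SAMPLE_RUN))
    print(is_ioc_path(SAMPLE_LOG_LINE))
```

A clean result from this check only covers the three listed names; the post notes that many other variants exist.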

I am not sure I know where my restore factory setting CD is, or my software for Windows. Can I reboot my system without these?


No, you can't reformat/reinstall without your original install CDs. You need to be aware of the risk though. I would change all accounts and passwords, take caution with any sensitive data you may have stored on that PC.

 

Delete this file (if found)

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll

The output message from RootkitRevealer indicates the file may have already been deleted.

 

Run a free online scan at both of these (save the log from each at the end to post back here with results, if any infections are found)

 

eTrust Antivirus Web Scanner

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)

It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

 

Ewido free online scanner

http://www.ewido.net/en/onlinescan/

.................................

Then can you run the scan with Blacklight again and post a fresh log

 

Also post a fresh HijackThis log after the two online scans


That took a little while...

 

Here is BlackLight

 

 

 

07/18/06 21:30:15 [info]: BlackLight Engine 1.0.42 initialized

07/18/06 21:30:15 [info]: OS: 5.1 build 2600 (Service Pack 2)

07/18/06 21:30:16 [Note]: 7019 4

07/18/06 21:30:16 [Note]: 7005 0

07/18/06 21:30:20 [Note]: 7006 0

07/18/06 21:30:20 [Note]: 7011 1744

07/18/06 21:30:21 [Note]: 7026 0

07/18/06 21:30:21 [Note]: 7026 0

07/18/06 21:30:29 [Note]: FSRAW library version 1.7.1019

07/18/06 21:32:58 [info]: Hidden file: c:\WINDOWS\system32\protector.exe.ren

07/18/06 21:32:58 [Note]: 7002 0

07/18/06 21:32:58 [Note]: 7003 1

07/18/06 21:32:58 [Note]: 10002 1

07/18/06 21:36:07 [Note]: 7007 0


HJT

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 21:37:35, on 18/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe

C:\Program Files\UnHackMe\hackmon.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?50999bcc6db0478f8ec160e942594214

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: BZK - Sysinternals - www.sysinternals.com - C:\DOCUME~1\NIALLM~1\LOCALS~1\Temp\BZK.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


I can deal with some rootkits but am no rootkit expert by any means.

 

That renamed file should show in Windows, and since it doesn't I can't examine it to see if it is legit or not.

 

The Ewido log would be named: ewido-report.log

 

Please search for that file. It should open up in Notepad so you can copy the results back here.

 

I have to shut down at the moment for an approaching lightning storm. So I may be absent for a bit.


I'm waiting to see the ewido-report.log from the scan you did yesterday.

You said you couldn't find it, so I gave you the name to search for: ewido-report.log

You had posted that it found some things yesterday. That's what I want to see :P


I am sorry CJ, I could find that log when I searched for it...

So I ran it again this morning and it didn't show up with anything. I will scan it with Ewido again and post a log.

I am sorry CJ, I could find that log when I searched for it...

So I ran it again this morning and it didn't show up with anything. I will scan it with Ewido again and post a log.

Sorry, I meant to say couldn't find it when I searched for the log.


Darn, would have really helped to know what it found.

 

Let's try this tool next please:

 

Download haxfix.exe

and save it to your desktop.

  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"

A red "dos window" (dos box) will open with options:

1. Make logfile

2. Run auto fix

3. Run manual fix

E. Exit Haxfix

  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
  • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)


Here is the result, it removed whatever it found last night.

I will try the next tool now.

 

Thanks CJ :)

 

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 21:29:38 19/07/2006

 

+ Scan result:

 

 

 

Nothing found.

 

 

 

::Report end


HAXFIX logfile - by Marckie

______________

version 3.07

19/07/2006 21:33:27.32

 

checking for haxdoor

--------------------

checking for a3d files....

a3d files not found

 

checking for matching notify keys....

no matching notify keys found

 

checking for matching services....

matching services found

CmBatt

 

checking for matching safeboot services....

no matching safeboot services found

 

 

Checking for goldun

-------------------

checking for notify keys....

no notify keys found

 

checking for services....

ddirectxt


Option 2: Autofix

  • Double click on My Computer -> C:\ -> Program Files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
  • Close all other open windows since this step requires a reboot
  • Select option 2. Run auto fix by typing 2 and then pressing Enter

If an infection is found, you'll get a message to close all other open windows.

  • Close all open windows except the red dos window from haxfix and then press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of that logfile along with a new HijackThis log.


There was no infection found....

 

Here is HJT

 

Logfile of HijackThis v1.99.1

Scan saved at 22:22:54, on 19/07/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\WINDOWS\system32\S3hotkey.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\UnHackMe\hackmon.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\niall mclaughlin\Desktop\Adware stuff\Hijack download\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [s3hotkey] S3hotkey.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\RunServices: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ÿ_zsknk_un]oqsfyonyn[niwmdksz_] c:\windows\system32\_zskdmwin[nynoyfsqo]nu_kn.exe

O4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://ebanking.northernbank.co.uk/html/ac...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: BZK - Sysinternals - www.sysinternals.com - C:\DOCUME~1\NIALLM~1\LOCALS~1\Temp\BZK.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


I'm calling in the cavalry, since I have done all I can do on this. I've asked miekiemoes to take a look here and see if she can lend any advice. :)

 

It may be tomorrow because she is in Europe and could be retired for the evening at this late hour there.


No problem Jane thanks so much for all your help!!! I am in Europe as well so we will be on the same time,

I am Irish.

 

Thanks again!! :)
