ComputerForum.com > Computer Software > Computer Security

#1 - 09-14-2006, 07:40 PM - jimmymac (Moderator, Chester, UK)
Friend's problem

A friend of mine is having issues with his system...

Quote:
Every time I log onto the internet I get a message from my avast saying that a trojan was found trying to access my computer under the name of Win32:Downloader-gen [Trj]. Has anyone any idea how I can stop this from happening, please? I have done a virus and spyware scan but nothing comes up. Any help would be appreciated. Thanks.
He has run some antivirus and spyware scans, but to no avail. I asked him for a HijackThis log and here it is. Any suggestions would be appreciated.

Today, 06:53 PM

I got into safe mode and used 4 antivirus programs and one reg cleaner. This is my logfile for HJT.

Logfile of HijackThis v1.99.1
Scan saved at 18:52:22, on 14/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1154083679\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\1154083679\ee\AOLServiceHost.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\AOL 9.0b\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\program files\common files\aol\1154083679\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1154083679\ee\AOLServiceHost.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154083679\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F4BE2C7-E7B5-41F7-8A0D-6D98E35B91E5}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe


#2 - 09-14-2006, 08:31 PM - leetkyle (Platinum Member, Northern Ireland)

C:\Program Files\AOL 9.0b\shellmon.exe

Can someone explain what this is, please?
#3 - 09-14-2006, 08:33 PM - Bobo (banned, Pittsburgh)

Description:
shellmon.exe is an application from AOL which belongs to the Eolithic Task. It is installed with AOL version 8 and later. This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

Recommendation for shellmon.exe:
Not a critical component, but see the information above before disabling it.

Author: America Online, Inc.
Part Of: AOL Connection Software
Security Risk (0-5): 0
Spyware: No
Virus: No
Trojan: No
Memory Usage: N/A
System Process: No
Background Process: Yes
Uses Network: No

Hardware Related: No
Common Errors: N/A
#4 - 09-15-2006, 06:22 AM - edifier (Platinum Member)

First go to ADD/REMOVE Programs and uninstall all 'Java' versions. Then proceed here and install 'Java Runtime Environment (JRE) 5.0 Update 8' http://java.sun.com/javase/downloads/index.jsp

Go to 'Control Panel/Folder Options/View' and check 'Show hidden files and folders'. While there, UNCHECK 'Hide protected operating system files (recommended)'. Click Apply and OK.

Download Ewido http://www.ewido.net/en/download/ then set it up this way: http://rstones12.geekstogo.com/ewidosetup.htm You will need this later in safe mode.
Make sure to update this program.

Next, download, install and update 'A-squared' here http://www.emsisoft.com/en/software/free/

Download, install and update this excellent freebie- Superantispyware here http://www.superantispyware.com/download.html

Download ATF-Cleaner to your desktop from this link:
http://www.atribune.org/content/view/19/2/ You will need it later in safe mode.

Download 'Killbox' here http://www.downloads.subratam.org/KillBox.exe to your desktop. You will need it later in safe mode.

Reboot your computer in Safe Mode

Very Important:
Make sure all security programs like Avast, Spybot, Ewido, etc are DISABLED until they are needed. They will interfere with the cleaning process.

From safe mode, run HijackThis and put a check by the following entries if still present, close all open windows and browsers except HijackThis, and click 'Fix Checked'.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

Exit Hijack This but remain in safe mode.

Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines if still present one at a time.

C:\WINDOWS\system32\ntsystem.exe

Click on the button that has the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file.
Click Yes.

Begin running your scans in this order.

Ewido
A-squared
Superantispyware

Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Reboot into normal Windows, run ATF-Cleaner, empty the recycle bin and post a new HJT log. Please update me on the scans and how your system is responding after the cleaning.
#5 - 09-20-2006, 04:56 PM - jimmymac (Moderator, Chester, UK)

Apologies for not getting back to you sooner, edifier. I had not heard from the other guy for a while and this thread completely slipped my mind. I will try and get back to him and find out how he is getting on.

Thanks for the help so far.


#6 - 09-20-2006, 10:45 PM - SirKenin (banned)

The only thing you have to worry about in all of that is getting rid of C:\windows\system32\ntsystem.exe. Use Killbox.php for that.

There is nothing wrong with the rest of those entries and the greatest majority of those steps and programs can be ignored. It appears to be a cut and paste response without any actual thought put into the problem.

Avast will delete the trojan, but do it in safe mode and update the definitions first.

23.07.2006

http://www.avast.com/eng/vps-content-2006.html

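The log in post #1 and SirKenin's point above that only the [gwiz] entry is rogue both come down to reading the O4 Run lines. The following Python script is added here as an example and is not from the thread, from HijackThis or from any of the posters: it parses hive-based O4 Run entries, cross-references each executable with the Running processes section, and flags entries that autostart straight out of system32 without being a Windows-shipped binary, or whose file is not running. The sample log is an excerpt assembled from lines of the log above; the system32 allowlist is a constructed stand-in, and the reason codes are only a prompt for analyst review, not a verdict.

```python
import re

# Hive-based O4 autorun entries as HijackThis 1.99.1 prints them, e.g.
#   O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SYSTEM_DIR = r"c:\windows\system32"
# Constructed allowlist of Windows-shipped XP binaries that autostart from system32.
WINDOWS_SYSTEM32_AUTORUNS = {"ctfmon.exe", "rundll32.exe"}
# Excerpt assembled from lines of the log in post #1 above.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""


def parse_log(text):
    """Return (running process paths, O4 Run entries) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)      # the first blank line closes the process list
            if line:
                processes.append(line.lower())
        elif (m := O4_RUN.match(line)):
            entries.append(m.groupdict())
    return processes, entries


def command_path(cmd):
    """Executable path from a Run value: quoted, or bare with arguments after .exe."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    i = cmd.lower().find(".exe")
    return cmd[:i + 4] if i >= 0 else cmd.split(" ", 1)[0]


def triage(text):
    """Map each Run value name worth a second look to its reason codes."""
    processes, entries = parse_log(text)
    running = {p.rpartition("\\")[2] for p in processes}   # compare by basename
    findings = {}
    for e in entries:
        path = command_path(e["cmd"]).lower()
        directory, _, exe = path.rpartition("\\")
        reasons = []
        if directory == SYSTEM_DIR and exe not in WINDOWS_SYSTEM32_AUTORUNS:
            reasons.append("non-windows-binary-in-system32")
        if exe not in running:
            reasons.append("not-in-running-processes")
        if reasons:
            findings[e["name"]] = reasons
    return findings
```

Run against the sample, `triage(SAMPLE_LOG)` singles out [gwiz] on both counts, while the IME entry is flagged only because its binary is not running, which a reviewer would dismiss as a one-shot helper.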
#7 - 09-21-2006, 12:05 AM - edifier (Platinum Member)

Quote:
Originally Posted by SirKenin
The only thing you have to worry about in all of that is getting rid of C:\windows\system32\ntsystem.exe. Use Killbox.php for that.

There is nothing wrong with the rest of those entries and the greatest majority of those steps and programs can be ignored. It appears to be a cut and paste response without any actual thought put into the problem.

Avast will delete the trojan, but do it in safe mode and update the definitions first.
Avast already blew that opportunity and allowed the infection in the first place. So don't think so. I ask for cleaning with the other programs for 2 reasons: in case other infections are present that have not shown yet, and to hope the poster will keep and use them on a regular basis so maybe they won't have to post here again with an infection. If you are the 'All Knowledgeable One' and would like to check in a few times a day to help out with the logs, I'll stand aside. So as you can see, there was thought to the process. And drop the attitude next time. It certainly doesn't match your posted age!
#8 - 09-21-2006, 02:55 AM - SirKenin (banned)

Can you tell me where it specifies that Avast was used?

You told him to delete a bunch of stuff that wasn't necessary. Only one thing was a rogue entry.

If you say you put thought into it, fine, but knowing the infection I don't see what kind of thought it was to be truthful. It just looks like a bunch of cut and paste that would have ended up getting him nowhere.

I don't help out with this section much on purpose. This is my business. I do this shit for a living. Tons of them. I don't want to come on here between calls and do the same thing on here, but I stumbled upon this thread and realized that what you were telling him to do was not right.
#9 - 09-21-2006, 04:40 AM - edifier (Platinum Member)

I guess I must be blind then. Isn't Avast installed and running on that machine? As for the other entries, it's called cleaning up the minor things that are really not a necessity at startup, cut down the resource use and help speed things up a bit. That certainly isn't a light log. And if you do that for a living, your clients would appreciate it too!
#10 - 09-21-2006, 04:47 AM - edifier (Platinum Member)

Quote:
Originally Posted by SirKenin

I don't help out with this section much on purpose. This is my business. I do this shit for a living. Tons of them. I don't want to come on here between calls and do the same thing on here.
Why not? It's called 'Helping Others'. Not yourself!