
[Solved] Winfixer

Good Job

Use Add/Remove Programs and remove Ewido unless you want to keep it. It's only a 14-day trial version.

Log looks good :D :thumbup: How is it running, any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Uncheck Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

If you don't have these three programs I would recommend that you get them: Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:

So how did I get infected in the first place?

by Tony Klein


Thanks so much for your help and advice. I hate to be the bearer of bad news, but I got another Winfixer pop-up today! :( I just don't know what's going on.

I'm taking your advice and I'm going to download all those programs. I don't think I have a proper firewall - I was just relying on the Windows one.


One thing I just noticed is it looks like you're running Norton's Anti-Virus as well as Grisoft. You need to use Add/Remove Programs and remove one of them. Running more than 1 AV can cause conflicts and lockups.

I don't see any signs of Winfixer in your log. Let's see if this will find anything.

Download this one and let me know if it finds anything.

RootkitRevealer

http://www.sysinternals.com/Utilities/RootkitRevealer.html

When it's done, go to File -> Save, save the logfile to the desktop, and then paste the contents here.


I deleted Norton antivirus.

Here are the results of the RootkitRevealer scan:

 

HKLM\S-1-5-21-2652750081-1960961407-4008380475-1006\RemoteAccess\InternetProfile 03/10/2003 17:09 7 bytes Data mismatch between Windows API and raw hive data.

HKLM\S-1-5-21-2652750081-1960961407-4008380475-1006\Software\Google\NavClient\1.1\History\flood of 16 August 2004 was more extreme than 1 in 100 and therefore our advice to the planning authority will be based upon consideration of a lesser event. This wi 22/04/2006 16:50 4 bytes Hidden from Windows API.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 22/04/2006 19:07 80 bytes Data mismatch between Windows API and raw hive data.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\gateway[11].php 22/04/2006 19:25 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\gateway[12].php 22/04/2006 19:29 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\gateway[13].php 22/04/2006 19:34 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\gateway[4].php 22/04/2006 19:14 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\gateway[5].php 22/04/2006 19:20 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\456V89AB\gateway[11].php 22/04/2006 19:16 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\456V89AB\gateway[12].php 22/04/2006 19:22 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\456V89AB\gateway[13].php 22/04/2006 19:27 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\456V89AB\gateway[14].php 22/04/2006 19:31 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\456V89AB\gateway[15].php 22/04/2006 19:35 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\4T6ZS5UV\gateway[14].php 22/04/2006 19:27 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\4T6ZS5UV\gateway[15].php 22/04/2006 19:31 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\4T6ZS5UV\gateway[16].php 22/04/2006 19:36 327 bytes Visible in directory index, but not Windows API or MFT.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\4T6ZS5UV\gateway[8].php 22/04/2006 19:17 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\4T6ZS5UV\gateway[9].php 22/04/2006 19:22 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\D8O3P9KL\gateway[15].php 22/04/2006 19:11 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\D8O3P9KL\gateway[16].php 22/04/2006 19:18 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\D8O3P9KL\gateway[17].php 22/04/2006 19:23 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\D8O3P9KL\gateway[18].php 22/04/2006 19:28 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\D8O3P9KL\gateway[19].php 22/04/2006 19:32 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\D8O3P9KL\gateway[20].php 22/04/2006 19:36 77 bytes Visible in directory index, but not Windows API or MFT.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\D8O3P9KL\index[2].php 22/04/2006 19:05 20.01 KB Visible in Windows API, but not in MFT or directory index.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\IP3OPKRQ\gateway[14].php 22/04/2006 19:28 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\IP3OPKRQ\gateway[15].php 22/04/2006 19:32 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\IP3OPKRQ\gateway[6].php 22/04/2006 19:12 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\IP3OPKRQ\gateway[7].php 22/04/2006 19:19 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\IP3OPKRQ\gateway[8].php 22/04/2006 19:23 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\O1E3GHIJ\gateway[15].php 22/04/2006 19:30 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\O1E3GHIJ\gateway[17].php 22/04/2006 19:34 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\O1E3GHIJ\gateway[7].php 22/04/2006 19:20 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\O1E3GHIJ\gateway[9].php 22/04/2006 19:26 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\RZ97Z9GW\gateway[15].php 22/04/2006 19:12 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\RZ97Z9GW\gateway[17].php 22/04/2006 19:19 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\RZ97Z9GW\gateway[18].php 22/04/2006 19:25 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\RZ97Z9GW\gateway[19].php 22/04/2006 19:29 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\RZ97Z9GW\gateway[20].php 22/04/2006 19:33 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\WLMZOPE3\gateway[13].php 22/04/2006 19:21 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\WLMZOPE3\gateway[14].php 22/04/2006 19:26 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\WLMZOPE3\gateway[15].php 22/04/2006 19:30 77 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\WLMZOPE3\gateway[16].php 22/04/2006 19:35 327 bytes Hidden from Windows API.

C:\Documents and Settings\Phoebe\Local Settings\Temporary Internet Files\Content.IE5\WLMZOPE3\gateway[8].php 22/04/2006 19:15 327 bytes Hidden from Windows API.


No, not really any warning. Just every 5 days or so I go to click a link and it pops up, and even when I click Cancel it redirects me to its page and tries to download, so I have to close the page down quick.


Good Job :clap:

Log looks good :D

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Uncheck Turn off System Restore.
Click Apply, and then click OK.

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Check "Hide file extensions for known file types."
Under the "Hidden files" folder, uncheck "Show hidden files and folders."
Check "Hide protected operating system files."
Click Apply, and then click OK.

If you don't have these three programs I would recommend that you get them: Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:

So how did I get infected in the first place?

by Tony Klein


Thanks for your suggestions. I've downloaded most of the programs although I can't seem to get IESPY AD to run. I ran Spybot again and it found some Winfixer tracking cookies so I got rid of them. I hope my computer stays free from it!!!


I'm sorry to be a nuisance but Winfixer just popped up again!!

Were you visiting a certain web site when it popped up? What exactly does it say when the Winfixer pops up?


Actually it always pops up when I'm on Myspace. Would that have something to do with it? It says something like "your computer is at risk....errors on your computer....install Winfixer to fix these problems. Press Ok or Cancel" and both link to the winfixer mainpage.


You can go through this fix again and see if it finds anything.

Download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.

Please download the trial version of ewido anti-malware 3.5 here:

http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, click on the Scanner, run a full scan and let it clean everything it finds. Save the logfile from the scan.

While still in Safe Mode:

Open C:\Windows\Prefetch\ and delete ALL files in this folder.

Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.


Thanks for your help. Here's the HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 22:22:18, on 30/04/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\acs.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\System32\DSentry.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe

C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe

C:\Program Files\NETGEAR\WPN311\wlancfg5.exe

C:\Program Files\Hyperteams\framework.exe

C:\MSOffice\Office10\msoffice.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Virgin Radio Player\VRPlayer.EXE

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: AltaVista Toolbar - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - C:\WINDOWS\DOWNLO~1\ALTAVI~1.DLL

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [boots Insert Detect] C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe

O4 - Startup: Hyperteams.lnk = C:\Program Files\Hyperteams\framework.exe

O4 - Startup: IMsecure.lnk = C:\Program Files\IMsecure\IMsecure.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Startup: Virgin Radio Player Tray Icon.lnk = C:\Program Files\Virgin Radio Player\TrayLoad.exe

O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE

O4 - Global Startup: NETGEAR WPN311 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WPN311\wlancfg5.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextSearch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate - file://C:\Program Files\ALTAVISTA Toolbar\Cache\SelectedContextTranslation.htm

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {0EB1CA3E-C9C7-42B6-8016-B0CBA435E291} (ImclCtl Class) - http://www.messenger.lycos.co.uk/messenger...veXMsgrCore.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab

O16 - DPF: {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} (AltaVista Toolbar) - http://toolbar.altavista.com/static/toolba...ab?r=1080846961

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37710.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

 

And the Ewido scan:

 

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 10:18:12, 30/04/2006

+ Report-Checksum: 24F1F7A8

 

+ Scan result:

 

C:\Documents and Settings\Janet\Cookies\janet@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup

C:\Documents and Settings\Janet\Cookies\janet@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup

C:\Documents and Settings\Janet\Cookies\janet@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Janet\Cookies\janet@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup

C:\Documents and Settings\Janet\Cookies\janet@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup

C:\Documents and Settings\Janet\Cookies\janet@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup

C:\Documents and Settings\Janet\Cookies\janet@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@com[1].txt -> TrackingCookie.Com : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@e-2dj6wjlioidzilp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup

C:\Documents and Settings\Phoebe\Cookies\phoebe@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup

 

 

::Report End


Unless you know what this is, use Add/Remove Programs and remove:

Hyperteams

Scan with HJT and kill this one:

O4 - Startup: Hyperteams.lnk = C:\Program Files\Hyperteams\framework.exe

Delete this file if it is still listed:

C:\Program Files\Hyperteams\framework.exe

Reboot and let me know how it's working.

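A small triage script for HijackThis log lines like the ones posted above, added here as an example; it is not HijackThis's code and not the helper's own method. It applies the rule of thumb in the reply above to the O4 autostart entries (list each one's target binary and flag any the owner has not vouched for) and also flags entries marked "(file missing)" and O23 services that report no owner. The known-good list is a constructed assumption, and the sample lines are adapted from the log posted in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines adapted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: Hyperteams.lnk = C:\Program Files\Hyperteams\framework.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\SYSTEM32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Assumed list of autostart names the machine's owner has already identified as their own software.
KNOWN_GOOD = {"BCMSMMSG", "AVG7_CC", "iTunesHelper", "Microsoft Office.lnk"}

# Every entry is "<section> - <rest>"; O4 comes in two shapes:
#   "HKLM\..\Run: [Name] command"  and  "Startup: Name.lnk = target"
ENTRY_RE = re.compile(r"^(?P<section>[ORFN]\d+) - (?P<rest>.*)$")
RUN_KEY_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^(?:Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")
BINARY_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|ocx|scr))"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    reason: str


def parse_o4(rest):
    """Split an O4 entry into (name, command); (None, rest) for an unrecognised shape."""
    m = RUN_KEY_RE.match(rest) or STARTUP_RE.match(rest)
    return (m["name"], m["cmd"]) if m else (None, rest)


def binary_of(cmd):
    """Return the launched binary from a command line, quotes and arguments stripped."""
    m = BINARY_RE.match(cmd.strip())
    return m["path"] if m else cmd.strip()


def label_of(rest):
    """Name part of a non-O4 entry, e.g. 'Winlogon Notify: WRNotifier - ...' -> 'WRNotifier'."""
    return rest.split(" - ")[0].split(": ", 1)[-1]


def triage(log_text, known_good):
    """Walk a HijackThis log and return the entries a reviewer should look at, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, the process list and blank lines carry no entry
        section, rest = m["section"], m["rest"]
        if "(file missing)" in rest:
            findings.append(Finding(section, label_of(rest),
                                    "points at a file that no longer exists; orphaned entry"))
            continue
        if section == "O23" and "Unknown owner" in rest:
            findings.append(Finding(section, label_of(rest),
                                    "service binary reports no publisher; confirm what installed it"))
        if section == "O4":
            name, cmd = parse_o4(rest)
            path = binary_of(cmd)
            if name not in known_good:
                findings.append(Finding(section, name,
                                        f"autostart not on the owner's known-good list; verify {path}"))
            if "\\" not in path:
                findings.append(Finding(section, name,
                                        f"bare filename {path} is resolved by search order; confirm its directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_GOOD):
        print(f"{f.section:<4} {f.name:<40} {f.reason}")
```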

I uninstalled Hyperteams as it was a program I no longer used. My computer works fine apart from the intermittent Winfixer pop-ups.
