VideoHelp Forum




  1. I think I got a trojan horse. Every time I deleted it, it gets back on my PC. I'm starting to think my antivirus programs are not working, but they're showing that they are working. Is it possible that a virus messed up my antivirus program (Norton)? What should I do? Is there a free program that I can scan my PC with for viruses/trojans?
  2. Go here, download NOD32:

    http://www.eset.com/

    NOD32 is THE best AV software, it has a 30 day fully functional trial

    I guarantee it will catch all manner of nasties that crap such as Norton will miss

  3. I agree with boing. NOD32 ROCKS (Kaspersky is good too). Just be sure to remove your old AV, and turn off system restore.
  4. Originally Posted by MJA
    I agree with boing. NOD32 ROCKS (Kaspersky is good too). Just be sure to remove your old AV, and turn off system restore.
    You can't beat the feeling you get whilst removing Norton from your system... especially if you have discovered NOD32 as a result of Norton's piss poor products, and crappy customer service LOL
  5. Originally Posted by boing
    Go here, download NOD32:

    http://www.eset.com/

    NOD32 is THE best AV software, it has a 30 day fully functional trial

    I guarantee it will catch all manner of nasties that crap such as Norton will miss

    So I should remove Norton? I also have Verizon Internet Security; should I remove that too before installing NOD32?
  6. Verizon Internet Security, AKA CA Internet Security Suite, includes Anti-Virus, so yes, remove it too, and don't forget to turn off system restore.
  7. Originally Posted by MJA
    Verizon Internet Security, AKA CA Internet Security Suite, includes Anti-Virus, so yes, remove it too, and don't forget to turn off system restore.
    OK, thanks guys, I'll let you know how it goes.
  8. After you get done with NOD32, use Spybot to scan your PC for any spyware/adware, and try HijackThis 1.99.1 and post the log file here: http://www.hijackthis.de/

    BTW, what's the name of the trojan horse you got hit with?
  9. Member
    Join Date
    Mar 2006
    Location
    Australia
    I use AVG Anti-Spyware, the best software for trojans. It used to be called Ewido Anti-Spyware and was taken over by Grisoft. Download here:

    http://www3.grisoft.com/doc/downloads-products/us/crp/0?prd=triasw

    They have also recently released AVG Anti-Rootkit free, would probably be a good idea to run that as well. Download from here:

    http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0
  10. Member
    Join Date
    Mar 2006
    Location
    Australia
    Originally Posted by mvp
    I think I got a trojan horse. Every time I deleted it, it gets back on my PC.
    If it persists after a scan, start the computer in safe mode and run the anti-spyware again.
  11. Originally Posted by MJA
    After you get done with NOD32, use Spybot to scan your PC for any spyware/adware, and try HijackThis 1.99.1 and post the log file here: http://www.hijackthis.de/

    BTW, what's the name of the trojan horse you got hit with?
    Where do I download Spybot? Is it free? I don't want to download the wrong spyware program. I downloaded NOD32 and it's working great, but I'm still getting pop-ups and I think that I have a lot of spyware on my PC. Will Spybot kill all these damn pop-ups?
  12. Always Watching guns1inger's Avatar
    Join Date
    Apr 2004
    Location
    Miskatonic U
    Are you not able to use Google?
    Read my blog here.
  13. Originally Posted by guns1inger
    Are you not able to use Google?
    What's Google? Never heard of it.
  14. Originally Posted by mvp
    Originally Posted by MJA
    After you get done with NOD32, use Spybot to scan your PC for any spyware/adware, and try HijackThis 1.99.1 and post the log file here: http://www.hijackthis.de/
    BTW, what's the name of the trojan horse you got hit with?
    Where do I download Spybot? Is it free? I don't want to download the wrong spyware program. I downloaded NOD32 and it's working great, but I'm still getting pop-ups and I think that I have a lot of spyware on my PC. Will Spybot kill all these damn pop-ups?
    Spybot is free:

    http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

    Also try AVG Anti-Spyware:

    http://www.download.com/AVG-Anti-Spyware/3000-8022_4-10610898.html?tag=lst-0-3

    Be sure to update both before you run them, and delete anything after the scan.

    Try HijackThis and post the log here.
  15. Originally Posted by MJA
    Originally Posted by mvp
    Originally Posted by MJA
    After you get done with NOD32, use Spybot to scan your PC for any spyware/adware, and try HijackThis 1.99.1 and post the log file here: http://www.hijackthis.de/
    BTW, what's the name of the trojan horse you got hit with?
    Where do I download Spybot? Is it free? I don't want to download the wrong spyware program. I downloaded NOD32 and it's working great, but I'm still getting pop-ups and I think that I have a lot of spyware on my PC. Will Spybot kill all these damn pop-ups?
    Spybot is free:

    http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10401314.html?tag=lst-0-1

    Also try AVG Anti-Spyware:

    http://www.download.com/AVG-Anti-Spyware/3000-8022_4-10610898.html?tag=lst-0-3

    Be sure to update both before you run them, and delete anything after the scan.

    Try HijackThis and post the log here.
    Thanks a lot, MJA.
  16. Member BJ_M's Avatar
    Join Date
    Jul 2002
    Location
    Canada
    Don't forget to turn off system restore first.
    "Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
  17. Member
    Join Date
    Jan 2007
    Location
    United States
    I use AVG. It's free and very, very good. There is a PRO version suite, but I avoid suites of software. Nero was a good thing when it first came out; turning it into a suite messed everything up.

    Same for Norton: it was once a great virus program, then it got bought and incorporated into a suite, but the programmer who invented it is no longer involved. It's a mess.

    I know someday I'll have to DROP AVG and start using something else. I won't use the Pro version because it's becoming a suite, with firewall and anti-spyware included.
  18. Member buttzilla's Avatar
    Join Date
    Apr 2007
    Location
    Deep Space Nine
    I second the NOD32 antivirus. It's also not a process hog like Norton or McAfee.
  19. Originally Posted by BJ_M
    Don't forget to turn off system restore first.

    And start using Firefox:

    http://www.mozilla.com/en-US/firefox/
  20. Originally Posted by MJA
    After you get done with NOD32, use Spybot to scan your PC for any spyware/adware, and try HijackThis 1.99.1 and post the log file here: http://www.hijackthis.de/

    BTW, what's the name of the trojan horse you got hit with?
    I posted it in the link you gave me. Should I fix all the red X, org X and the (?)? I just don't want to delete something that will mess things up.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:57:39 PM, on 5/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\LTMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
    C:\Program Files\Verizon\McciTrayApp.exe
    C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    C:\Program Files\Azureus\Azureus.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\installs\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0yahoo&bm=yh_home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
    O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\fshgotuc.dll",realset
    O4 - HKLM\..\RunServices: [msconfig] C:\WINDOWS\iexplore.exe
    O4 - HKLM\..\RunServices: [icq lite] C:\WINDOWS\iexplore.exe
    O4 - HKLM\..\RunServices: [Update Checker] C:\WINDOWS\iexplore.exe
    O4 - HKLM\..\RunServices: [AntiVir] C:\WINDOWS\iexplore.exe
    O4 - HKLM\..\RunServices: [] C:\WINDOWS\iexplore.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [A00F5D0DE25.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F5D0DE25.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
    O15 - Trusted Zone: *.sxload.net (HKLM)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154740326260
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    After I posted it in the link, this is what it said:

    Logfile of HijackThis v1.99.1
    This should be the newest version.
    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    This should be the newest version.
    C:\WINDOWS\System32\smss.exe
    Very safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\system32\winlogon.exe
    Very safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\system32\services.exe
    Safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\system32\lsass.exe
    Very safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\system32\svchost.exe
    Safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\System32\svchost.exe
    Very safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\system32\LEXBCES.EXE
    Safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\system32\spoolsv.exe
    Safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\system32\LEXPPS.EXE
    Safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\Explorer.EXE
    Very safe
    This entry was classified from our visitors as good.
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    Safe
    This entry was classified from our visitors as good.
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    Safe
    Steganos AntiDialer
    Ewido Anti-Spyware
    C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    Very safe
    Possibly nasty! According to our database this process runs normally in c:\programme\avid\digidesign\drivers\! Check if you know this process and arrange a viruscheck where required. Digidesign Driver
    C:\Program Files\Eset\nod32krn.exe
    Very safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\system32\VTTimer.exe
    Safe
    This entry was classified from our visitors as good.
    C:\WINDOWS\LTMSG.exe
    Very safe
    Possibly nasty! According to our database this process runs normally in c:\windows\system32\! Check if you know this process and arrange a viruscheck where required. Modem Driver
    C:\WINDOWS\ALCXMNTR.EXE
    Neutral This is a nasty process! You should fix it and try to delete it manually!
    Realtek AC97 Audio - Event Monitor. Sypware file used surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but is being used by Realtek to gather data about customers.
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    Neutral

    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    Safe
    Ulead VideoStudio 8
    C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
    Very safe Fuzzy Algorithmcheck (4.24 / 5.00), Safe
    C:\Program Files\Verizon\McciTrayApp.exe
    Fuzzy Algorithmcheck (4.32 / 5.00), Safe
    C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
    Very safe Fuzzy Algorithmcheck (4.32 / 5.00), Safe
    C:\Program Files\Eset\nod32kui.exe
    Very safe
    This entry was classified from our visitors as good.
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    Very safe
    This entry was classified from our visitors as good.
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    Neutral Fuzzy Algorithmcheck (3.42 / 5.00), Neutral
    C:\Program Files\Azureus\Azureus.exe
    Very safe
    Bit-Torrent client
    C:\Program Files\Internet Explorer\iexplore.exe
    Safe
    This entry was classified from our visitors as good.
    C:\installs\HijackThis.exe
    Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups! Tool, mit dem sie dieses Logfile erzeugt haben. Das Programm sollte so angelegt sein ! C:\Programme\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0yahoo&bm=yh_home
    This page has been identified as safe.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    Very safe This page has been identified as safe.
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    Safe Application that implements the Intel Hotkey command.
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    StorageGuard from Veritas (this version by Sonic). Free utility that integrates with Backup MyPC (formerly Backup Exec Desktop), Simple Backup and MS Backup. Provides system tray access and background monitoring - warning you of files that havent recently been backed up. Required unless you backup manually on a regular basis or have scheduled backups
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    Safe A device driver for VIA/S3G UniChrome IGP graphics controller and VIA/S3G KM400/KN400 graphics card. It is located in WINDOWSSYSTEM on Windows 95/98/ME and WINDOWSSYSTEM32 on Windows XP and WINNTSYSTEM32 on Windows NT/2000 Viaarena
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    One of the "popular" WinModem series. WinModems use software rather than hardware - hence putting a load on the CPU. Needed if you have it for loading the drivers. See here for more WinModem information
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    Neutral Must be fixed! Realtek AC97 Audio - Event Monitor. "Sypware" file used surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    Not dangerous, but unnecessary. Autodetects when a HP camera is attached to the computer and launches the "HP Photoimaging Software". Available via Start -> Programs
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    Safe This entry was classified from our visitors as good.
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    Neutral Microsoft Works Shared
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    Very safe This entry was classified from our visitors as good.
    O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
    Safe Fuzzy Algorithmcheck (4.19 / 5.00), Safe
    O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    Very safe Digidesign Pro Tools
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    Neutral Not dangerous, but unnecessary. QuickTime
    O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
    Fuzzy Algorithmcheck (4.32 / 5.00), Safe
    O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
    Safe It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file.
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    Neutral System tray for CloneCD - the only useful option is "Hide CDR Media" only available via this tray. Has additional unknown functions in later versions
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    Very safe This entry was classified from our visitors as good.
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    Neutral Must be fixed! Spyware remover of somewhat dubious repute
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    Very safe This entry was classified from our visitors as good.
    O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\fshgotuc.dll",realset
    Unknown application.
    O4 - HKLM\..\RunServices: [msconfig] C:\WINDOWS\iexplore.exe
    Fuzzy Algorithmcheck (3.23 / 5.00), Neutral
    O4 - HKLM\..\RunServices: [icq lite] C:\WINDOWS\iexplore.exe
    Fuzzy Algorithmcheck (3.23 / 5.00), Neutral
    O4 - HKLM\..\RunServices: [Update Checker] C:\WINDOWS\iexplore.exe
    Must be fixed! Added as result of a W32/Rbot-EZ worm infection
    O4 - HKLM\..\RunServices: [AntiVir] C:\WINDOWS\iexplore.exe
    Fuzzy Algorithmcheck (3.23 / 5.00), Neutral
    O4 - HKLM\..\RunServices: [] C:\WINDOWS\iexplore.exe
    Fuzzy Algorithmcheck (2.33 / 5.00), Nasty
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    Neutral nView
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    Safe This entry was classified from our visitors as good.
    O4 - HKCU\..\Run: [A00F5D0DE25.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F5D0DE25.exe
    Fuzzy Algorithmcheck (3.37 / 5.00), Neutral
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    Not dangerous, but unnecessary. See here -
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    The entry E&xport to Microsoft Excel has been identified as safe.
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    The entry Research has been identified as safe.
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    Neutral Fuzzy Algorithmcheck (4.33 / 5.00), Safe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    Fuzzy Algorithmcheck (4.33 / 5.00), Safe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    Unnecessary (deactivated) entry that can be fixed. The entry PartyPoker.com has been identified as safe.
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    Unnecessary (deactivated) entry that can be fixed. The entry PartyPoker.com has been identified as safe.
    O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    Neutral The entry Absolute Poker has been identified as safe.
    O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
    Neutral The entry Absolute Poker has been identified as safe.
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
    To be fixed if the entry 'Bodog Poker ' is unknown.
    Unnecessary (deactivated) entry that can be fixed. Unknown buttons or entries in the 'Extras'-menu should be fixed.
    O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
    The entry Poker.com has been identified as safe.
    O15 - Trusted Zone: *.sxload.net (HKLM)
    If you did not add these pages to your trusted pages, they should be fixed.
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    This entry has been identified as safe.
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    Safe This entry was classified from our visitors as good.
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    This entry has been identified as safe.
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154740326260
    This entry has been identified as safe.
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    Safe This entry was classified from our visitors as good.
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    Safe This service (Adobelmsvc.exe) was identified as a good one.
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    Safe This service (ALUSchedulerSvc.exe) was identified as a good one. This entry was classified from our visitors as good.
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    Very safe This service (guard.exe) was identified as a good one.
    O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
    Very safe This service (MMERefresh.exe) was identified as a good one.
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    Safe This service (IDriverT.exe) was identified as a good one. This entry was classified from our visitors as good.
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    Safe This service (LEXBCES.EXE) was identified as a good one. This entry was classified from our visitors as good.
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    Very safe This service (LUCOMS~1.EXE) was identified as a good one.
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    Very safe This service (nod32krn.exe) was identified as a good one. This entry was classified from our visitors as good.
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    Safe This service (nvsvc32.exe) was identified as a good one.
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    Very safe This service (ULCDRSvr.exe) was identified as a good one.
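The autorun (O4) lines of the log above can be triaged mechanically on path evidence alone. The following is an added example, not part of the original thread or of HijackThis: it parses the O4 registry entries and flags four patterns visible in this log. The `EXPECTED_DIR` table (taken from the log's own "Running processes" list), the `MIN_ALIASES` threshold and the reason labels are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# Subset of the O4 (autorun) lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\fshgotuc.dll",realset
O4 - HKLM\..\RunServices: [msconfig] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\RunServices: [icq lite] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\RunServices: [Update Checker] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\RunServices: [AntiVir] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\RunServices: [] C:\WINDOWS\iexplore.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [A00F5D0DE25.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F5D0DE25.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
"""

# Assumption: install locations as seen in this log's "Running processes" list.
EXPECTED_DIR = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}
MIN_ALIASES = 3  # assumption: this many value names for one file is abnormal

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
IMAGE_RE = re.compile(r'"?(.+?\.(?:exe|dll|scr|bat)\b)', re.IGNORECASE)


def parse_o4(log_text):
    """Yield (hive, key, value_name, target_path) for registry autoruns."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # startup-folder entries and other sections are skipped
        hive, key, name, cmd = m.groups()
        image = IMAGE_RE.match(cmd)
        if not image:
            continue
        target = image.group(1)
        # rundll32 is only a host: the code that runs is the DLL argument.
        if ntpath.basename(target).lower() == "rundll32.exe":
            dll = IMAGE_RE.match(cmd[image.end():].lstrip(' "'))
            if dll:
                target = dll.group(1)
        yield hive, key, name, target


def triage(log_text):
    """Return (key, value_name, target, reasons) for each flagged autorun."""
    entries = list(parse_o4(log_text))
    aliases = defaultdict(set)
    for _, _, name, target in entries:
        aliases[target.lower()].add(name)

    findings = []
    for hive, key, name, target in entries:
        reasons = []
        directory = ntpath.dirname(target).lower()
        expected = EXPECTED_DIR.get(ntpath.basename(target).lower())
        # A well-known system file name sitting in a directory it never ships in.
        if directory and expected and directory != expected:
            reasons.append("system-binary-name-in-wrong-directory")
        # Persistent autoruns have no reason to live in a temp folder.
        if {"temp", "tmp"} & set(directory.split("\\")):
            reasons.append("runs-from-temp-directory")
        if not name.strip():
            reasons.append("empty-value-name")
        # One file registered under several unrelated-looking names.
        if len(aliases[target.lower()]) >= MIN_ALIASES:
            reasons.append("many-value-names-for-one-file")
        if reasons:
            findings.append((f"{hive}\\{key}", name, target, reasons))
    return findings


if __name__ == "__main__":
    for key, name, target, reasons in triage(SAMPLE_LOG):
        print(f"{key} [{name}] {target}: {', '.join(reasons)}")
```

The `WindowsUpdate` entry that loads `fshgotuc.dll` through rundll32 passes all four path checks; judging it needs a lookup of the file itself or a known-good baseline.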
  21. Member holistic's Avatar
    Join Date
    May 2001
    Location
    here & there
    WTF !! a dogs breakfast ....

    Looks like you have a Compaq machine, Lexmark printer, HP camera and an urge to gamble :P

    DISABLE the following

    #^&^$^&
    &$$&* arrrggghhh! (too many things to copy/paste)

    (note : selecting in HiJackthis will not delete offending files)

    Reboot. Run AntiVirus

    WHAT A MESS !!
    ....FORGET THAT STUFF ABOVE ... just disable everything tagged as suspect.
    Disable anything with a web link, any BHO's, any services (except your antivirus), all that (09)poker crap, your bit torrent client, messenger, Temp(_A00F5D0DE25.exe is very suspect)

    Do a fresh scan and post the smaller cleaner log.


    *sigh *
  22. Or he can just back up his stuff (not the PartyPoker.com, UltimateBet) and format the HD.
  23. Member buttzilla's Avatar
    Join Date
    Apr 2007
    Location
    Deep Space Nine
    Originally Posted by MJA
    Originally Posted by BJ_M
    Don't forget to turn off system restore first.

    And start using Firefox:

    http://www.mozilla.com/en-US/firefox/
    Or the best browser and safest, Opera.
  24. Member
    Join Date
    May 2007
    Location
    United Kingdom
    google for trojanscan and use firefox in future. even better change to linux - all these virus and trojan plagues are aimed at windoze...

    for many reasons, people around the world including the usa are angry about capitalist colonialism and about gates as a prime example of this and attack windoze as an open (word 'open' used deliberately) target.

    google for 'why I hate microsoft'

    and google 'Peruvian Congressman's Open Letter to Microsoft' - that was a real shock for Mr Gates...

    and google also for 'grc' - Gibson was the security guy who the Pentagon called in when US security was breached by so-called hackers - his site has freebies to enable you to check your computer's online security... you will spend days at his site probably
  25. Member
    Join Date
    Mar 2006
    Location
    Australia
    To start with DO NOT DELETE ANYTHING IN RED!

    Remove this: O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    See why here:
    http://www.castlecops.com/s12902-SpywareBot_exe.html

    Now get Spybot search & destroy from here:

    http://www.safer-networking.org/en/index.html

    When you have installed spybot you can use advanced mode under "Mode" tab then go to Tools > system start up and uncheck stuff like this:

    C:\WINDOWS\ALCXMNTR.EXE
    Neutral This is a nasty process! You should fix it and try to delete it manually!
    Realtek AC97 Audio - Event Monitor. Sypware file used surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but is being used by Realtek to gather data about customers.

    If you are worried that your anti-virus has been compromised, simply uninstall/reboot/reinstall.

    You should have a firewall > antivirus > antispyware as a minimum if you visit sites that are a high risk of infection.
    In addition to this there are also Ad-Aware SE and WinPatrol, both very good apps.

    And make sure you have the latest security patches for windows:
    http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
  26. MVP, go here: http://www.bullguard.com/forum/

    Post your question in the Virus Removal > Removal Help forum there

    It is THE best forum for being walked through virus removal (using several free tools including Hijack This)

    The guy that helped me goes by the name of 'Touch'

    Seriously, virus removal is EASY, you will be amazed how easy

    Let them walk you through it

    Good luck

  27. He doesn't have a virus, just nasty spyware/adware like PartyPoker.com, UltimateBet.
  28. Originally Posted by MJA
    He doesn't have a virus, just nasty spyware/adware like PartyPoker.com, UltimateBet.
    The term virus has become pretty generic, for example, most trojans are not actually viruses, but in actual fact are the programs used to install the malware this guy has found himself falling victim to, it's not really relevant in the pedantic sense you have mentioned

    To wit, the bottom line is this, he has an unclean HijackThis log, it's irrelevant what is polluting his system, the guys at Bullguard forums specialise in returning systems back to their original clean state, and it will take no more than ten minutes

    They will help him far better than the guys above who seem far more interested in blowing smoke up their own egos, rather than admitting they don't have expertise in this area, some of the panic inducing replies must have had the OP running up dark alleys whilst shitting bricks about his corrupted system, not good

    I recall when my box fell victim to what Norton pegged as a trojan, and was absolutely useless at removing

    I visited numerous forums, where supposed experts advised all manner of half arsed methods in exactly the same fashion as above, all manner of payware was mentioned, all utterly unnecessary

    Within ten mins of reading the first reply to my plea for help from a guy named 'Touch' at the Bullguard forum, I had downloaded HijackThis, created a log, he analysed it, told me what and how to delete, ten minutes later... clean system, easy

    From viewing the guy's log, even I can see he has several pieces of crap that need removing, that's the point, the Bullguard guys will identify them all and explain CLEARLY how to remove them
  29. Member
    Join Date
    Mar 2006
    Location
    Australia
    Looks like you've been infected by a W32/Rbot-EZ worm as well. Follow the instructions on the recovery tab to fix:

    http://www.sophos.com/virusinfo/analyses/w32rbotez.html

    If you have doubts about any entry in the HijackThis log, simply google for more information.


