greenslime89 Posted September 1, 2007

I've used blueyonder's PCGuard for a long time now, and have recently discovered that it is useless at protecting my computer from viruses, spyware and various other internet nasties. I uninstalled the "all in one solution" from blueyonder and installed AVG, Zonealarm and spybot S&D. AVG found trojans and worms and, I thought, got rid of them. Spybot S&D found about 60 spyware and, I thought, sorted it. However, when a friend looked at a HJT log I sent them, they said I still had problems, but didn't specify what the problems were. They're now away on holiday and I want this sorted as soon as possible and I was hoping someone could tell me what's wrong with my computer, what program to use to remove it and how to do it. I realise it's a lot to ask but I would really appreciate this.

[hide=HiJackThis log]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:24:15, on 01/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TomTom HOME\TomTomHOME.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Microsoft Office\Office\WINWORD.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dial.blueyonder.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\Program Files\Panicware\Pop-Up Stopper\pstopper.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [sUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [Microsoft Service Pack] WindowsSP.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\Run: [statusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [HLL Data Parameter] hllcxpa.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [HLL Data Parameter] hllcxpa.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... poti_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 8738638657
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/Im ... oolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8738622013
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 7871 bytes
[/hide]

Rhys Posted September 2, 2007

I had a quick look over and the only thing I could find were these:

O4 - HKLM\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKUS\S-1-5-18\..\RunServices: [HLL Data Parameter] hllcxpa.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [HLL Data Parameter] hllcxpa.exe (User 'Default user')

Boot into Safe Mode and run HijackThis to get rid of those entries.

greenslime89 (Author) Posted September 2, 2007

That's fantastic, I'll get right on it. Thanks again! :)
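
Added example, not part of the original thread: a small Python parser that pulls the O4 registry autoruns out of a HijackThis log and, for each one started by a bare file name (which Windows resolves through its search path, so the log alone does not say which file runs), lists every key that launches it, the pattern in the three entries Rhys quoted. The sample lines are taken from the log in this thread with `.exe` restored; the function names are this example's own.

```python
import re
from collections import defaultdict

# Lines taken from the HijackThis log in this thread, with ".exe" restored.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HLL Data Parameter] hllcxpa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [HLL Data Parameter] hllcxpa.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunServices: [HLL Data Parameter] hllcxpa.exe (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# O4 registry autorun: key, [value name], command, optional "(User '...')" suffix.
O4_REG = re.compile(
    r"^O4 - (?P<key>HK\S+): \[(?P<name>.+?)\] (?P<cmd>.+?)"
    r"(?: \(User '(?P<user>[^']+)'\))?$"
)
# Executable part of a command line, quoted or not, without its arguments.
EXE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)


def parse_autoruns(log):
    """Return one dict per O4 registry autorun; every other line is skipped."""
    matches = (O4_REG.match(line.strip()) for line in log.splitlines())
    return [m.groupdict() for m in matches if m]


def is_bare_name(cmd):
    """True when the command names a file without any directory."""
    m = EXE.match(cmd)
    exe = m.group("exe") if m else cmd
    return "\\" not in exe and "/" not in exe


def bare_name_autoruns(log):
    """Map (value name, command) -> every registry key that starts it."""
    found = defaultdict(list)
    for entry in parse_autoruns(log):
        if is_bare_name(entry["cmd"]):
            found[(entry["name"], entry["cmd"])].append(entry["key"])
    return dict(found)


if __name__ == "__main__":
    for (name, cmd), keys in bare_name_autoruns(SAMPLE_LOG).items():
        print(f"[{name}] {cmd}")
        for key in keys:
            print(f"    {key}")
```

A bare file name is a reason to check which file the entry resolves to, not a verdict on the entry; the grouping shows every key that has to be cleaned together.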