
trojan and malware removal help please

Discussion in 'Malware and Virus Removal Archive' started by lynette00, 2007/05/01.

  1. 2007/05/01
    lynette00

    lynette00 Inactive Thread Starter

    Joined:
    2007/04/14
    Messages:
    18
    Likes Received:
    0
    Hi there,
    I am trying to remove a trojan and adware from a friend's PC.
    My antivirus and also Ad-Aware SE scans keep bringing up a trojan and malware alert.
    The trojan scan says
    name: win32:small-TD (trj)
    type: trojanhorse
    location: c\docume~1\michelle\locals~1\temp\AAWTMP\c1200531\DASFC.
    I have had a look in this folder but cannot find anything with this name.
    I have tried deleting the virus with the option in the antivirus, and also tried to move it to the virus chest.
    Any ideas would be wonderful. Thank you.
     
  2. 2007/05/01
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    There are several things that can be done and I'm sure as we go along you will receive those from either myself or others. Until such time can you do the following: (1) Go to Start, (2) Control Panel, (3) Folder Options, (4) Click on View, (5) Look for and select "Show hidden files & folders", (6) Click Apply and then OK... Now try and re-run your virus protection and let us know what the results of that are; of course we are interested in whether it was quarantined. If by chance it is, what I would do afterwards is go back and unselect "Show hidden files & folders", select "Do not show hidden files & folders" and run your virus scan again...
     


  4. 2007/05/02
    lynette00

    Hi, thanks for your advice, I am just doing that now. I did go and tick the show hidden files option. The virus and some new ones went to quarantine; the new one that came up was in the System Volume Information\restore, that was (cnsmin). It said it could be deleted, so I hope I was correct and did that.
    I have also run Dr.Web, ComboFix and AVG Anti-Spyware. I have noticed since running AVG the computer has slowed right down, and the CPU is running at 100% all the time. I guess that's another scenario. I have all the logs if you would like to see them. I will post a new HijackThis log for you to have a look at. Thanks



    Logfile of HijackThis v1.99.1
    Scan saved at 3:31:47 p.m., on 2/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm824YYNZ
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/229?34f22ca698094f73b80b80806516a4c2
    O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-nz\msntabres.dll.mui/230?34f22ca698094f73b80b80806516a4c2
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
     
    Last edited: 2007/05/02
  5. 2007/05/02
    lynette00

    OK, have rechecked the hidden files option as you said, and re-run my antivirus. Things seem to be getting worse. I don't know if it is spreading, but I now have other viruses in different places.
    win32\pacex.gen virus in E:\windows\downloaded program files. There are 2 different listings of the virus there, also in E:\recyclers and also in E:\windows\system32

    and win32\cnsmin in E:\windows\downloaded program files
    and F:\system volume\restore has trojanwin32\trojan downloader agent rs
     
    Last edited: 2007/05/02
  6. 2007/05/02
    Master Green

    Hi,
    Because you have posted a HijackThis log I can not comment about anything in the log... In order for you to download anything we need to find what's causing the CPU to run so high... So can you access the Task Manager by pressing the following together: "Ctrl-Alt-Del"... You will see numerous things listed... I would like you to do "End Task" for as much as you can except for EXPLORER.EXE, SVCHOST.EXE and anything you are familiar with that appears related to your virus protection, such as, if you have AVG, any listings that start with AVG... As you peck away take notice at the bottom of what it says about your CPU... As soon as it appears that it has lowered from 100% to say 50%, I would download "SpyBot" and run it... Post back what it says about your CPU and maybe by then we will be lucky enough to have one of the specialists jump in here and tell you what has to be done to kill some of those things in your HijackThis log... I do not want to overwhelm you with specific things to do despite what I would do, so I would rather assist you with what I think will help and "not compromise" what one of the specialists will guide you in doing...
     
  7. 2007/05/02
    Master Green

    Hi,
    For information purposes... CNSMIN is one of your computer problems and yes it does need to be removed... Also, to the best of my knowledge, when I see a trojan listed and in the path of it I see "system volume", to me that usually indicates that it's hidden, and one of the ways to help in removing it is to "disable system restore" and run your scans again... Again I mention, I wish I could be of more help to you with your log and until some expertise arrives I can only assist you in chipping away by other methods... I know it can be frustrating but when help becomes available you will be well taken care of...
     
  8. 2007/05/02
    lynette00

    Hi, thanks for trying to help me. Yes it can be very frustrating, considering it's not my PC. I disabled my system restore when I first started trying to fix it. I have run BitDefender and that has deleted 7 out of the 9 viruses, so I still have to sort the other 2 out. I am slowly getting there.

    I have installed Sygate firewall for my friend and taken off avast antivirus, and installed NOD32. That's my personal choice :) .

    Also I went into the Task Manager and ended whatever processes I could, but the CPU still stayed at 100%. There were 39 processes running at first; there are about 10 listings of IEXPLORE.EXE running, is this normal? I had to reboot my PC for something else and now it seems to be all over the show, still reaching 100% then it will drop down to 5% etc.
     
    Last edited: 2007/05/02
  9. 2007/05/02
    Master Green

    Hi,
    When there are issues with the CPU running like this one in particular, and nothing is showing what it is, then it's recommended to download "Process Explorer". You will see multiple things with a few highlighted in different colors; click on where it says "CPU" and hopefully that will show who the bad boy is, and you can search from there if need be to remove it... If not sure what the culprit is, then Google it for more info before totally removing it...
     
  10. 2007/05/02
    lynette00

    :) Thanks Master Green, I will do that. I have successfully removed all the trojans; I am just running another couple of scans to make sure. Thanks for your advice on the CPU issue.
     
  11. 2007/05/02
    Master Green

    Hi,
    You're welcome, and sorry once again for not being able to add my feelings on your log, but at this post you get spanked if you are not certified, and rightfully so... I still will be interested in how you make out and how the other suggestion about SpyBot worked out... Keep us posted if you can...
     
  12. 2007/05/04
    lynette00

    Hi, since sorting out the trojans on the PC, it has become so slow, taking 20 mins sometimes to boot up, and 2 to 5 mins for any programs to open. NOD32 still brings up the cnsmin application but says it's in quarantine. CPU is still at 100%, which I am still trying to sort out.
     
  13. 2007/05/04
    Master Green

    Hi,
    Can you download "Process Explorer", click on where it says CPU, see if it shows what is running the CPU so high, and post back... Thanks
     
  14. 2007/05/06
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi lynette00 & welcome :)

    I'm one of the Hijackthis readers here.

    Hi Master Green :)
    Thanks for getting this one under-way.

    lynette00:

    Few concerns you brought up in earlier posts. Some I can clear up.

    When Ad-Aware is running a scan it will make a temporary folder in the users temp folder.
    Here is where Ad-Aware unzips files to scan.
    Once it is done scanning these zipped up files it deletes the stuff in the temp folder it created then deletes the AWWTemp folder itself.
    This is why you could not find it when you went looking.

    Best practice when running any antispyware program is to turn off the virus scanner.
    Once antispyware scan is done you can turn on the virus scanner again.
    In your NOD32 you would temporarily disable "AMON".
    While your virus scanner is off it is advisable not to be surfing, downloading or checking email till you get protection turned back on again.

    -------------------------

    For now don't worry about anything in "system volume information" folder.
    As Master Green said it is part of system restore.
    Windows backs up anything. It does not care if files are bad or good. It simply sees something new and backs it up.

    I would rather leave system restore enabled until malware has been removed and all is working correctly.
    Nothing from restore can hurt you unless you actually use it to restore computer to infected state.
    However.... I like the safety blanket of system restore there.
    I would rather have to go back to infected state if something in fix goes really wrong than have nothing at all.
    Sometimes malware infections can play nasty tricks on us while we are trying to remove it. I like to have something to fall back on if needed.

    Once all is clean and running well then we delete old restore points and make a fresh one. Doing this will remove any malware "holed" up in there.
    -------------------------------

    win32\pacex.gen found in "downloaded program files"...
    If that thing ran I suspect there are some other nasties kicking around as well
    There are normally a few other nasties that come bundled with this one.

    You mention CNSMin being quarantined by NOD32 all the time and I suspect it is still kicking around & active.
    This adware is generally quite well hooked into the system and it does normally take advanced measures to remove. It protects itself well from removal.

    Can I get you to post a complete startuplist please?
    Open Hijackthis
    Click "open misc tools options "
    Check both options (full) (complete) beside "generate startuplist log" and generate the log. Say OK & post results.

    This log is quite big so it may take 2 posts to get it in.

    -----------------------

    Once you posted that....

    Download DatFind from here:

    http://virus-protect.org/zip/datFind.zip

    Save it to your desktop and unzip it to its own folder.
    You can delete DatFind.zip.

    Double click Datfind.bat and let it run.
    First log pops up.
    Minimise this and hit "enter" to get next log.
    Repeat the "enter" > "minimise" procedure till all logs are produced. (there will be 6)
    Once done the batch exits.
    Logs are created in c:\ called:
    system32.txt
    systemtemp.txt
    system.txt
    tmp.txt
    down.txt
    sys.txt

    copy/paste the top 3 months worth of data from each log and post it back here. (top-most part of each log is newest data)

    You can delete those txt files when done.

    If too much trouble posting all that here you can toss all the files in a folder, zip it up and upload it here for me?:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Do include a link there to this thread so I know who the files belong to.

    --------------------------------

    Can you test something for me?
    I want to see if you can get to safe mode OK and if things seem more "stable" in safe mode.

    Restart computer
    As it is starting up keep tapping F8 just after BIOS screen but before XP load screen.
    Choose safe mode from list using arrow keys and hit enter.
    Log into your normal account.
    Things work better here? (you won't have internet and this is normal for safe mode)

    Go ahead and boot back up to normal mode.

    Thanks :)
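What the DatFind batch file in the post above produces is a timeline: the newest files in System32, the temp folders and Downloaded Program Files, which is exactly where the cnsminup.cab and the temp-folder trojan in this thread turned up. The script below is an added example in Python, not the DatFind batch itself and not part of the thread; it builds the same "last N days, newest first, grouped by month" view for any directory tree. The demo() tree, its folder names and its back-dated timestamps are constructed for the example so it runs offline.

```python
"""Recent-file timeline: every file under a root modified in the last N
days, newest first, grouped by month. Added example (not DatFind.bat)."""
import os
import tempfile
import time
from collections import defaultdict
from datetime import datetime


def recent_files(root, days=90, now=None):
    """Return [(mtime, size, path)] for files under root whose
    modification time falls inside the last `days` days, newest first.
    Files that vanish or cannot be stat'ed mid-walk (common in temp
    folders and on a box with something actively running) are skipped
    instead of aborting the whole listing."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if st.st_mtime >= cutoff:
                hits.append((st.st_mtime, st.st_size, path))
    hits.sort(reverse=True)  # newest first, as DatFind prints them
    return hits


def by_month(hits):
    """Group a recent_files() result as {'YYYY-MM': [(mtime, size, path)]},
    the per-month slices the post asks to be copied out of each log."""
    groups = defaultdict(list)
    for mtime, size, path in hits:
        key = datetime.fromtimestamp(mtime).strftime("%Y-%m")
        groups[key].append((mtime, size, path))
    return dict(groups)


def report(hits):
    """Render hits one per line: timestamp, size, path."""
    lines = []
    for mtime, size, path in hits:
        stamp = datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M")
        lines.append(f"{stamp} {size:>10} {path}")
    return "\n".join(lines)


def demo():
    """Constructed sample tree (an assumption, not a real System32):
    three files back-dated with os.utime so that two fall inside the
    90-day window and one does not. Returns recent_files() over it."""
    root = tempfile.mkdtemp(prefix="datfind_demo_")
    now = time.time()
    age_days = {
        os.path.join("system32", "new.dll"): 1,    # inside window
        os.path.join("system32", "old.dll"): 400,  # outside window
        os.path.join("Temp", "drop.exe"): 10,      # inside window
    }
    for rel, age in age_days.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * 16)
        stamp = now - age * 86400
        os.utime(path, (stamp, stamp))
    return recent_files(root, days=90, now=now)


if __name__ == "__main__":
    print(report(demo()))
```

Two caveats a practitioner would want. Modification times are only as trustworthy as the malware lets them be: timestomping is easy, so a file that is absent from the listing is weaker evidence than one that is present. And the listing is a triage aid for deciding what to look at next, not a verdict; a freshly modified file in System32 may be a Windows Update, which is why the post asks for the log rather than telling you to delete what you find.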
     
  15. 2007/05/06
    lynette00

    Hi Blender,
    Thanks for your help and advice. Unfortunately I have given the PC back to my friend; I could have sworn there were no trojans, and it was running fine. I couldn't get that cnsmin sorted out due to the time I had, and was worried about that. Anyway it now takes 30 mins or so to start, and that's about all; it just seems to keep loading but not getting anywhere.
    I told her to go into safe mode earlier on today, and it did seem better. I think she is thinking of wiping everything and reinstalling Windows.
    Would that solve all the problems? She wouldn't be able to come in here and follow the instructions, as she doesn't know much.

    If she wants me to take it back again, I will do all the things you suggested and post them.
     
  16. 2007/05/06
    Blender

    Hi,

    Hopefully you get it back from her or can go there to help.
    If it takes 1/2 hour to start up there are some big issues buried in there somewhere.

    If she wants to wipe it and start over that will be fine. Format/re-install will fix any trojan problems.
    Good she has someone like you to help her out.

    Have a read at these sites so you can set her up with some good protections:

    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I
    http://boards.cexx.org/index.php?topic=957
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml
    http://temerc.com/hddncounttuts.html

    Make sure she knows how to update the security apps and how to work them.
    Installing a pile of new stuff on a beginner's PC can be confusing and all too often I see people returning because they were not taught how to use all those good progies. ;)

    And of course if she decides not to wipe all/re-install then by all means I will help you out the best I can.

    Best,

    Blender

    :)
     
  17. 2007/05/06
    lynette00

    Hi,
    Well my friend has decided to do a fresh install, so I am guiding her through it all over the phone. She is trying to run the HP Restore Plus disk which will wipe everything. She has put the disk in, but because it takes hours for anything to load we can't get the program up. Can we do this in safe mode, as the PC responds faster in safe mode? Or is there another way around it?

    OK, have got into safe mode and am running the disks. On her PC she has her C drive, but she just recently installed another 80 GB hard drive, which was split into two drives, F and E. Will these drives be wiped and reformatted also, as there are trojans in the F drive? Thanks

    I am starting to get a bit stressed now, lol. The HP restore CD finished, and it asked her to insert her Windows XP Home Edition CD, so she did, but it keeps spitting it back out. I know it's the correct CD, as I bought this copy and when I sold my PC to her I gave it to her. Any ideas on what I should do please.
     
    Last edited: 2007/05/06
  18. 2007/05/08
    lynette00

    Hi, my friend has done the fresh install of Windows, but that CNSMIN is still coming up from NOD32 as quarantined, but now in the C:\ drive instead of the E:\ drive.
    How can I remove this? Thanks
     
  19. 2007/05/08
    Blender

    Hi,

    Sorry for delay. I'm having connection issues here.

    Where exactly is NOD32 seeing CNSMIN? I need file path please. Can you check NOD logs to see where file locations are?

    Lets see a new hijackthis log as well please.

    Thanks :)
     
  20. 2007/05/11
    lynette00

    Hi, sorry it's taken so long to reply. Well, I have got her computer back off her; she did the fresh install. I think it only reformatted the C:\ drive and not her other two drives, so could that be why there are still nasties on it?
    I couldn't figure out how to copy and paste the files from the NOD32 log,
    but here it is.
    file D:\windows\downloaded program files\cnsminup.cab is infected with a variant of win32\cnsmin app.

    file E:\system vol information\restore infected with trojan downloader agent RS.

    C:\Docume~1\owner\locals~1\temp win32\adware. yisou agent.

    Here is the new HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 7:37:30 PM, on 5/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

    thanks
     
  21. 2007/05/11
    lynette00

    I have posted a new HijackThis log, as I noticed after the PC was reformatted she did not install her new Windows updates, so I have done this. Here is the new log.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:06:31 AM, on 5/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe "
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
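The HijackThis logs in posts 4, 20 and 21 are read the same way by every helper: the running-process list is checked for duplicates (the ten IEXPLORE.EXE copies in post 8) and for system file names running from the wrong folder, and the R/O entries are checked for dead references such as the "(no file)" toolbar in post 4 and for executables living in temp, download or recycler folders. The script below is an added example, not a HijackThis feature and not from the thread, that automates that first pass over a v1.99 log. The sample log is constructed: it mixes lines taken from the logs above with one hypothetical HKCU Run entry pointing into the user's temp folder so that the folder check has something to fire on; that entry does not appear anywhere in the thread.

```python
"""First-pass triage of a HijackThis v1.99 log. Added example, not a
HijackThis feature and not posted in the thread."""
import re
from collections import Counter

# Constructed sample in HijackThis v1.99.1 format. Lines are modelled on
# the logs in this thread; the [updater] Run entry is hypothetical and was
# added so the temp-folder and system-name checks have a hit.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:31:47 p.m., on 2/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtra.co.nz
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\michelle\LOCALS~1\Temp\svchost.exe
O4 - Startup: PowerReg Scheduler.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First drive-letter path in an entry body, up to a binary extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab|sys|ocx)\b", re.IGNORECASE)
# Folders nothing legitimate should auto-start from.
SUSPECT_DIR_RE = re.compile(
    r"\\(?:Temp|LOCALS~1|Downloaded Program Files|RECYCLER|System Volume Information)\\",
    re.IGNORECASE,
)
# Names that belong in \WINDOWS\system32 and nowhere else.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "smss.exe", "services.exe"}


def parse_hjt(text):
    """Split a log into the running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # blank line ends the process block
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def path_findings(code, path):
    """Checks applied to any path, whether a process or an entry target."""
    out = []
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if SUSPECT_DIR_RE.search(path):
        out.append(("check", code, "runs from a temp/download/recycler folder: " + path))
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
        out.append(("check", code, "system file name outside system32: " + path))
    return out


def triage(text):
    """Return [(severity, code, reason)]: 'fix' is a dead entry HijackThis
    removes safely, 'check' means look at the file, 'info' is worth knowing."""
    processes, entries = parse_hjt(text)
    findings = []
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    for name, n in sorted(counts.items()):
        # svchost.exe legitimately runs several times on XP, so skip it.
        if n > 1 and name != "svchost.exe":
            findings.append(("info", "proc", f"{name} running {n} times"))
    for p in processes:
        findings.extend(path_findings("proc", p))
    for code, body in entries:
        if "(no file)" in body:
            findings.append(("fix", code, "target missing (dead entry): " + body))
            continue
        m = PATH_RE.search(body)
        if m:
            findings.extend(path_findings(code, m.group(0)))
    return findings


if __name__ == "__main__":
    for sev, code, reason in triage(SAMPLE_LOG):
        print(f"[{sev:5}] {code:4} {reason}")
```

A hit is a reason to look, not a verdict: the "(no name)" BHO at SDHelper.dll is Spybot's own helper and is not flagged here, and the only dead entry in the sample is the orphaned toolbar CLSID. To run it over a real log, replace SAMPLE_LOG with the file contents; the log format is plain text, so `triage(open("hijackthis.log").read())` is all it takes.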
     
