Win32:Trojano-213........... Please help

Viruses and worms
1

Hello everyone,

I have tried to get rid of this thing but nothing is working.

I keep getting a virus was found message with the following info:

Virus name: Win32: Trojano-213 [Trj]
File name: C:\temp\Installer2.exe
VPS Version: 0440-3, 10/01/2004

I’m running version 4.1 Home Edition.

Things I did to try and solve it:
Move/Rename
Delete
Repair
Move to chest
I even tried manualy deleting the file myself but nothing gets rid of it.

Could anyone please offer me some help? Thank you in advance.

2

Installer2.exe is malware. Click on the link in my signature and follow all steps on that page. Let us know if you still have problems after doing so.

3

Update:

After posting I did a boot scan. It said Installer2.exe was deleted. Not only that but it also deleted something called Kuang2 and Adware-002.

I’m very impressed with Avast, I’ve had Norton, Mcafee, AVG and a few others but this one seems to be the best out of all.

Thank you Eddy for replying. I’m going to check out your link now.

4

Thanks for the link. I have every one of those but AVG. I try to keep up on all this to keep things like this from happening. By the way, I posted in 2 other forums the other day and no one ever helped me. I dont know if you can tell but is there anything in my log that you think shouldnt be here?

Logfile of HijackThis v1.98.2
Scan saved at 1:47:52 PM, on 10/1/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Documents and Settings\Angela Jones\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM..\Run: [ZTgServerSwitch] “c:\program files\support.com\client\bin\tgcmd.exe” /server
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM..\Run: [Lexmark 2200 Series] “C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe”
O4 - HKLM..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=64276fb9efc3565fee97b287d3b2a64de55b67e90e1783d691843786455d914c50f6d13edd6d8d887becaac6a09aa805fc5355c30eed521e15dd92da31dc:3c1049dbc81820f00dc048e710a78631
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4387/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - AppInit_DLLs: PAVWAIT.DLL

5

Delete the entire folder C:\Program Files\Windows SyncroAd\ the contents is malware.

Also fix these lines with HijackThis:
O4 - HKLM..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

All lines starting with 016 - DPF

and this one:
O20 - AppInit_DLLs: PAVWAIT.DLL

I have every one of those but AVG
AVG was not properly removed. Fix this line also with HJT. O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
6

I also have this virus and don’t seem to be able to get it off my PC.

I have followed all the steps above and gone through all the programs from Eddy’s signature. I don’t know what to do next, so any help would be appreciated.

I have also posted a screen schot of my avast pop-up notifying me of the virus (which it says is in C:\Temp). I have also included a screen shot of some files that are in my temp folder that I cannot delete and I don’t know if they’re related in anyway to the virus.

This is the virus it picks up:

Virus name: Win32: Trojano-213 [Trj]
File name: C:\temp\INSTAL~1.EXE
VPS Version: 0443-3, 22/10/2004

I also get the same message but with the virus infecting file C:\temp\Installer2.exe

I have Windows XP if that matters at all. And I have run Ad-aware, Spybot S&D and Hijackthis. I am running Avast antivirus and have the on-access scanner. I have also tried the avast free download cleaner and McAfee stinger and nothing works.

I ran Hijackthis, but I don’t know what needs to be removed or not, so I have included my log file:

Logfile of HijackThis v1.97.7
Scan saved at 17:36:17, on 26/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\AWUSGSTA.exe
C:\Program Files\Win Comm\WinComm.exe
F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Win Comm\WinLock.exe
E:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\internet explorer\iexplore.exe
C:\temp\msbb.exe
C:\Documents and Settings\Iain\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [MessengerPlus3] “C:\Program Files\Messenger Plus! 3\MsgPlus.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [AWUSGSTA.EXE] C:\WINDOWS\system32\AWUSGSTA.exe /CONFIGUAR
O4 - HKLM..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM..\Run: [msbb] c:\temp\msbb.exe
O4 - HKCU..\Run: [MessengerPlus3] “C:\Program Files\Messenger Plus! 3\MsgPlus.exe” /WinStart
O4 - HKCU..\Run: [LDM] F:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = F:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra ‘Tools’ menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094155610421
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

Any help would be greatly appreciated as I have no idea what to do about this.

If you need any more information just let me know and I’ll try and provide you with it.

Many thanks,
Iain

7

You can only attach one at a time, so here’s the files in my temp folder I can’t remove.

Thanks,
Iain

8

Please start a new thread next time.

Here is the result of my HJT analyzer:

CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using a old version of Hijackthis, please update.
You are using the latest version of Internet Explorer.
Software firewall detected.

THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\windows\system32\awusgsta.exe
\temp\msbb.exe
r1 - hkcu\software\microsoft\windows\currentversion\internet settings,proxyoverride = localhost
o2 - bho: (no name) - {a5366673-e8ca-11d3-9cd9-0090271d075b} - (no file)
o4 - hklm..\run: [bjcfd] c:\program files\broadjump\client foundation\cfd.exe
o4 - hklm..\run: [awusgsta.exe] c:\windows\system32\awusgsta.exe /configuar
o4 - hklm..\run: [msbb] c:\temp\msbb.exe
o16 - dpf: {6414512b-b978-451d-a0d8-fcfdf33e833c} (wuwebcontrol class) - http://v5.windowsupdate.microsoft.com/v5consumer/v5controls/en/x86/client/wuweb_site.cab?1094155610421
o16 - dpf: {70ba88c8-dae8-4ce9-92bb-979c4a75f53b} (gsdactl class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab31267.cab
o16 - dpf: {d27cdb6e-ae6d-11cf-96b8-444553540000} (shockwave flash object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
o16 - dpf: {f6bf0d00-0b2a-4a75-bf7b-f385591623af} (solitaire showdown class) - http://messenger.zone.msn.com/binary/solitaireshowdown.cab31267.cab

THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

o4 - hklm..\run: [messengerplus3] “c:\program files\messenger plus! 3\msgplus.exe”
o4 - hklm..\run: [sunjavaupdatesched] c:\program files\java\j2re1.4.2_05\bin\jusched.exe
o4 - hklm..\run: [bjcfd] c:\program files\broadjump\client foundation\cfd.exe
o4 - hkcu..\run: [ldm] f:\program files\logitech\desktop messenger\8876480\program\backweb-8876480.exe
o4 - hkcu..\run: [msmsgs] “c:\program files\messenger\msmsgs.exe” /background
o4 - global startup: logitech desktop messenger.lnk = f:\program files\logitech\desktop messenger\8876480\program\ldmconf.exe
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe

9

i have asimilar problem,please help

here is my log from hijack this.exe

Logfile of HijackThis v1.98.0
Scan saved at 15:05:44, on 27/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\SMSS.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Saqib Riaz\My Documents\Saqibs Downloads\Installation programs\Using\Spyware removers\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: CnfSearch Class - {D7CD08F0-D691-11D8-9669-0800200C9A66} - c:\windows\system32\ConfuSearch.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: TChkBHO Class - {EFDD2979-B981-4ECE-8600-040D585A5F74} - C:\WINDOWS\system32\tmkiut.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM..\Run: [MessengerPlus3] “C:\Program Files\Messenger Plus! 3\MsgPlus.exe”
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM..\Run: [Debug ] C:\WINDOWS\SMSS.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
O4 - HKLM..\RunOnce: [AAW] “C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe” “+b1”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU..\Run: [FreeRAM XP] “C:\Documents and Settings\Saqib Riaz\Local Settings\Temp\FreeRAM XP Pro 1.40.exe” -win
O4 - Global Startup: Accurate Popup Killer.lnk = C:\Program Files\ZZZ\Accurate Popup Killer\popupkiller.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {173F3521-8FBE-4d0c-B14D-C4D8513A06C0} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://cityislam.com/download/PDMSInstaller.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

10

If you have a problem:

Search this board to see if the answer/solution already is given in another thread prior to posting.

Posting your problem(s) in the thread of some else can lead to confusion and that is not what we want here. It will help noone.

saqibriaz, this is what my analyzer has to say about it:

CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using a old version of Hijackthis, please update.
Old version of Internet Explorer detected, please update.
Your Operating System is not up-to-date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.

THESE ITEMS ARE HARMFULL AND SHOULD BE FIXED/REMOVED :

\windows\smss.exe
r3 - urlsearchhook: cnfsearch class - {d7cd08f0-d691-11d8-9669-0800200c9a66} - c:\windows\system32\confusearch.dll
o2 - bho: tchkbho class - {efdd2979-b981-4ece-8600-040d585a5f74} - c:\windows\system32\tmkiut.dll (file missing)
o4 - hklm..\run: [bjcfd] c:\program files\broadjump\client foundation\cfd.exe
o4 - hklm..\run: [debug ] c:\windows\smss.exe
o4 - hklm..\run: [windupdates] c:\program files\windupdates\winupdt.exe
o9 - extra button: (no name) - {173f3521-8fbe-4d0c-b14d-c4d8513a06c0} - (no file)
o9 - extra button: (no name) - {173f3521-8fbe-4d0c-b14d-c4d8513a06c0} - (no file) (hkcu)
o16 - dpf: {00b71cfb-6864-4346-a978-c0a14556272c} (checkers class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
o16 - dpf: {1d6711c8-7154-40bb-8380-3dea45b69cbf} (web p2p installer) -
o16 - dpf: {23b7a816-3647-49d2-9756-6f41ce8f9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.cab
o16 - dpf: {8e0d4de5-3180-4024-a327-4dfad1796a8d} (messengerstatsclient class) - http://messenger.zone.msn.com/binary/messengerstatsclient.cab
o16 - dpf: {90c9629e-cd32-11d3-bbfb-00105a1f0d68} (installshield international setup player) - http://www.installengine.com/engine/isetup.cab
o16 - dpf: {9d614e8e-03aa-11d3-90fc-0040c7157029} (pdmsinstallerctl class) - http://cityislam.com/download/pdmsinstaller.cab
o16 - dpf: {f6bf0d00-0b2a-4a75-bf7b-f385591623af} (solitaire showdown class) - http://messenger.zone.msn.com/binary/solitaireshowdown.cab

THE FOLLOWING ITEMS ARE NOT NEEDED FOR THE SYSTEM TO WORK
PROPERLY. WE RECOMMEND THEM TO BE REMOVED FROM STARTUP :

o4 - hklm..\run: [messengerplus3] “c:\program files\messenger plus! 3\msgplus.exe”
o4 - hklm..\run: [bjcfd] c:\program files\broadjump\client foundation\cfd.exe
o4 - hklm..\run: [tkbellexe] “c:\program files\common files\real\update_ob\realsched.exe” -osboot
o4 - hklm..\runonce: [aaw] “c:\program files\lavasoft\ad-aware se personal\ad-aware.exe” “+b1”
o4 - hkcu..\run: [tracks eraser pro] c:\program files\acesoft\tracks eraser pro\te.exe min
o4 - hkcu..\run: [freeram xp] “c:\documents and settings\saqib riaz\local settings\temp\freeram xp pro 1.40.exe” -win

Also analyze your log HERE