
2 Problems + HJT Log


This topic is locked
4 replies to this topic

#1 whitzle

whitzle

    New Member

  • New Member
  • 2 posts

Posted 09 May 2007 - 08:19 AM

Hi,

The 2 problems I'm having are:

1) this warning message that I receive a few times every day from Trend Micro (PC-cillin):

"you have attempted to open a dangerous website":

http://209.167.111.1...1176279494.html

- the last part of it (the 10-digit number right before the second html) changes to a new number each time

2) sometimes as often as 60 times in one minute I will receive this other warning from Trend Micro:

c:\windows\system32\aut711.dll (infected file)
troj_conhook.cr

When I click on "more information", I get this:

"If unable to quarantine the file, try deleting the infected file if you do not need to keep it.

Your security software found a virus in one of your files & now needs your help"

"unable to quarantine the file - please delete the file if you don't need it"

I found this file in my System32 folder, but when I tried to delete it, it would say that it can't be deleted because another person or program was using it -- but I didn't have any other program open, and I'm the only one who uses this personal computer.

Thanks for helping me on this.

Here's the log:

_______________________________________

Logfile of HijackThis v1.99.1
Scan saved at 8:47:01 AM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Olympus\DSSPlayerPro\DevDtct.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {da216364-990c-484e-92d7-a110b55bf259} - C:\WINDOWS\system32\aut711.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [OP14 Reminder] "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DeviceDetect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\CONFLICT.1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama.../52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...softupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135970673656
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ller/install.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: aut711 - C:\WINDOWS\SYSTEM32\aut711.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: GBPoll - Unknown owner - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe



#2 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 09 May 2007 - 07:01 PM

whitzle,

Welcome to the forum, that IP address is leading me to MCI

209.167.0.0 - 209.167.255.255
MCI Communications Services, Inc. d/b/a Verizon Business
22001 Loudoun County Pkwy
Ashburn, VA
US



I can't read your log the way you posted it so do it this way.
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#3 whitzle

whitzle

    New Member

  • New Member
  • 2 posts

Posted 10 May 2007 - 08:30 AM

Hi Ken,

Thank you very much for your reply.

I forgot to mention that, with the IP address that you identified as MCI, I am getting that warning screen from Trend Micro when I'm not even on the internet (I mean, the warning screen, or box, appears when I don't have my browser open -- Firefox -- but the warning also appears when I'm in Firefox and I'm on some website like, say, the New York Times or livejournal or a blog or just anywhere -- in other words, I've never tried to get to MCI's website).

Also, another thing I tried yesterday & today, with the other problem, is: I went into Regedit, and went to HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> Winlogon> Notify -- and then I deleted aut711.dll -- but it came back later and was there again, and I deleted it again, but it reappears.

Here is the HJT log without wordwrap:

___________________________________


Logfile of HijackThis v1.99.1
Scan saved at 9:14:59 AM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Olympus\DSSPlayerPro\DevDtct.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {da216364-990c-484e-92d7-a110b55bf259} - C:\WINDOWS\system32\aut711.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [OP14 Reminder] "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPagePro14.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~3\pccguide.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DeviceDetect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\CONFLICT.1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135970673656
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: aut711 - C:\WINDOWS\SYSTEM32\aut711.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: GBPoll - Unknown owner - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcScnSrv.exe
O23 - Service: STOPzilla Local Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe

#4 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 10 May 2007 - 10:35 AM

whitzle :D

Your log is now readable, Thank You !!

Print out the following instructions as you will not have Internet Access for the rest of this fix.

Download Process Explorer to your desktop. <-- The download link is at the bottom of the page


Download Pocket Killbox to your desktop.

Reboot into Safemode

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
    this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
Tutorial if you need it How to boot into Safemode

  • Unzip Process Explorer and double click on procexp.exe
  • In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen.
  • Click on the Threads tab at the top.
  • Once you see this screen click on each instance of: aut711.dll once.
  • Then click the Kill button.
  • After you have killed all of: aut711.dll under winlogon click OK.
BE SURE TO KILL ONLY THIS FILE
  • Next double-click on explorer.exe.
  • Select the Threads tab.
  • and again click once on each instance of: aut711.dll
  • Then click the Kill button.
  • Once you have done that click OK again.
BE SURE TO KILL ONLY THIS FILE


Next run Hijackthis Scan Only and place a check beside each of the following.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {da216364-990c-484e-92d7-a110b55bf259} - C:\WINDOWS\system32\aut711.dll

O20 - AppInit_DLLs:
O20 - Winlogon Notify: aut711 - C:\WINDOWS\SYSTEM32\aut711.dll





Highlight the file with the complete path in the Quote Box and press Ctrl C on your keyboard.

C:\WINDOWS\SYSTEM32\aut711.dll

  • Open Pocket Killbox
  • Go to File > Paste from clipboard
  • Set it to Delete on Reboot
  • Tick the box that says End Explorer shell while killing file
  • If it's not greyed out, click the radio button that says Unregister .dll before deleting.
  • Make sure Single File is selected
  • Click on the Red circle with the white X
  • It will ask you to confirm the deletion...Say yes
  • It will ask you to reboot, say yes

Run this system cleaner.

If you don't want the Yahoo Toolbar, be sure to uncheck it during installation
Download and Install CCleaner
* Click on Run Cleaner
* Run the Issues Scan <-- After it scans your system, when you click on the Fix button and it asks you to backup the Registry..Say Yes
Tutorial for CCleaner


Post a new HJT log please.

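Added example, not part of the thread and not ken545's procedure: a small Python triage over HijackThis-format lines that flags the same signals ken545 acted on in the log above: an unnamed O2 BHO that is backed by a real file, an O20 Winlogon Notify package outside an assumed baseline, a non-empty AppInit_DLLs value, and one DLL registered in more than one autostart location. The sample lines are constructed here and the XP Notify baseline is an assumption.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 format, modelled on the entries this
# thread discusses (a few lines, not the full posted log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {da216364-990c-484e-92d7-a110b55bf259} - C:\WINDOWS\system32\aut711.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: aut711 - C:\WINDOWS\SYSTEM32\aut711.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Winlogon Notify packages normally present on a Windows XP SP2 machine
# (assumed allowlist for illustration; replace it with the baseline you trust).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")


def _basename(path):
    # HJT paths are Windows paths; ntpath parses them on any host OS.
    return ntpath.basename(path.strip()).lower()


def triage(log_text):
    """Return {dll_basename: [reasons]} for entries that deserve a closer look."""
    findings = defaultdict(list)
    seen_in = defaultdict(set)   # dll -> HJT sections it is registered in
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            name, _clsid, path = m.groups()
            if path.strip() == "(no file)":
                continue          # orphaned CLSID, nothing gets loaded
            dll = _basename(path)
            seen_in[dll].add("O2")
            if name.strip() == "(no name)":
                findings[dll].append("BHO with no name backed by a real file")
            continue
        m = NOTIFY_RE.match(line)
        if m:
            pkg, path = m.groups()
            dll = _basename(path)
            seen_in[dll].add("O20")
            if pkg.lower() not in KNOWN_NOTIFY:
                findings[dll].append("Winlogon Notify package not in baseline")
            continue
        m = APPINIT_RE.match(line)
        if m and m.group(1).strip():
            for dll in m.group(1).split(","):
                findings[_basename(dll)].append("loaded via AppInit_DLLs")
    # The same DLL in more than one autostart location is the strongest signal:
    # it is why aut711.dll in this thread kept coming back after a registry edit.
    for dll, sections in seen_in.items():
        if len(sections) > 1:
            findings[dll].append("persists in " + ", ".join(sorted(sections)))
    return dict(findings)


if __name__ == "__main__":
    for dll, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(dll, "->", "; ".join(reasons))
```

On the sample, only aut711.dll is reported, with all three reasons; AcroIEHelper.dll and WgaLogon.dll pass.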

#5 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 18 May 2007 - 04:49 AM

This topic is being closed due to lack of response, if you need this topic reopened, please request this by sending an email to us at the following link
(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.


