Author Topic: Win32.trojanVGB0FHa0364  (Read 31151 times)


Offline Eddy

Re: Win32.trojanVGB0FHa0364
« Reply #15 on: February 27, 2005, 04:23:29 PM »
Quote
svchost.exe is a process which is registered as the W32.Welchia.Worm.
That is BS!!!!
Read my post and that website again.
The Welchia worm takes advantage of an exploit in Windows, for which MS released a patch a long time ago.

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #16 on: February 27, 2005, 04:29:13 PM »

How the hell should I understand what files are normal and which are infected? Avast didn't get rid of the crap that infects my computer; I was just worried that there was another stupid virus.

I am deeply sorry if I am not a computer expert like you are...

lee16

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #17 on: February 27, 2005, 11:03:57 PM »
Hi again jazzymina,

Quote
How the hell should I understand what files are normal and which are infected? Avast didn't get rid of the crap that infects my computer; I was just worried that there was another stupid virus.

I am deeply sorry if I am not a computer expert like you are...

We understand you're not a computer expert, so don't worry, I'll try to clear things up  ;)

C:\WINDOWS\System32\svchost.exe is a normal Windows process that runs from your C:\WINDOWS\System32 folder. The W32.Welchia.Worm you speak of exploits an unpatched Windows system, and for it to be the W32.Welchia.Worm it would have to be outside of the C:\WINDOWS\System32 folder (in the Temp folder etc.).
So in this case it is fine.  :)

Hope I have made things clearer for you.

--lee

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #18 on: February 28, 2005, 12:06:43 AM »
Thank you Lee for the info :)

I am just a bit sensitive about my computer because I have bought it for school. Since I am a student, and obviously don't have the money to buy a new computer of €1400, I tend to freak out a bit :o when it comes to viruses and such.
« Last Edit: February 28, 2005, 12:13:18 AM by jazzymina »

jazzymina

  • Guest
Re: Win32.trojan.VC77CHa0368
« Reply #19 on: March 24, 2005, 09:59:25 PM »
Hi again,

Yep, the same virus is back. This time the virus is named Win32.trojan.VC77CHa0368. I don't understand how I keep getting the same virus over and over again. Apparently I can't remove it from my computer no matter what I do. This virus is also not very well known; there is not much information about it available, and that makes it harder to remove the damn thing.

All I know is that it's ALWAYS a Win32.trojanV (something something) virus. It's difficult for me to locate the virus; Avast says it's in my temp folder but I don't know where else it may be hiding.

Why do I get the same virus all the time?? For a while I think that everything is okay (after running several scans), but then Avast mentions it again. I had noticed that my computer had slowed down at startup, so I knew something fishy was going on.

Can somebody please tell me how I can finally get rid of it? Really, I don't know what to do anymore, I have been dealing with this virus for a couple of months now!!! I move the virus to the virus chest, but the virus apparently is still present on my computer.

I do have a suspicious file on it, hsperfdata; is this the file that keeps causing trouble? I have another question: are the viruses that you put in the virus chest supposed to stay there all the time? I mean, should I delete them? I did delete the virus once, but that didn't work.

Please help!! I am lost, could it be a false positive or am I in serious trouble here?

Note: I am almost through scanning my computer online, and so far nothing has been found.
« Last Edit: March 24, 2005, 10:08:44 PM by jazzymina »

lee16

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #20 on: March 24, 2005, 11:15:38 PM »
Hi again jazzymina,

Please provide us with another Hijackthis log.

--lee

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #21 on: March 24, 2005, 11:45:57 PM »
Hi Lee,

I am running a second online scan at bitdefender.com in safe mode. Bitdefender found the Trojan.downloader.Swizzor.CR virus on my computer in my Local Settings/All users/ApplicationData folder.

I removed the infected file manually (don't know if that was the smartest thing to do) and looked in the registry to see whether there was a trojan.downloader registry key (following instructions from a computer security website).

Fortunately I don't have the downloader.trojan registry key on my computer, although I don't really know what that means??

Anyway, please have a look at my hijackthis log, maybe you can find something else weird going on. I must say that I am a bit disappointed in Avast, because the virus was on my computer for several months and Avast couldn't remove it. Who knows how much damage the virus has done to my computer...

Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 23:32:55, on 24-3-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E6DA8678-2095-CA84-8A20-983A6726D192} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O18 - Protocol hijack: mhtml - 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
« Last Edit: March 25, 2005, 02:09:10 AM by jazzymina »

Spyros

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #22 on: March 25, 2005, 01:04:19 AM »
--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
o2 - bho: popup manager - {08e74c67-99a6-45c7-94da-a397a8fd8082} - (no file)
o2 - bho: (no name) - {e6da8678-2095-ca84-8a20-983a6726d192} - (no file)
o16 - dpf: {17492023-c23a-453e-a040-c7c580bbf700} (windows genuine advantage validation tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
o16 - dpf: {74d05d43-3236-11d4-bdcd-00c04f9a3b61} (housecall besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
o16 - dpf: {80dd2229-b8e4-4c77-b72f-f22972d723ea} (avxscanonline control) - http://www.bitdefender.com/scan/msie/bitdefender.cab

I would also advise you to use ewido & a-squared (trojan scanners, freeware, links can be found at my website) and this: http://www.mwti.net/antivirus/mwav.asp (it will not clean anything, just report its findings).

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #23 on: March 25, 2005, 01:25:40 AM »
Hi Spyros,

Thanks for the tips, I already had A2 but was new to MicroWorld Antivirus toolkit. I ran it and unfortunately a virus was found??

C:\WINDOWS\RESTORE.INS is tagged as not-a-virus: NetTool.PsKill. No action taken.  ??? I am so confused now, what should I do?  :'(
« Last Edit: March 25, 2005, 02:10:26 AM by jazzymina »

Offline xistenz

Re: Win32.trojanVGB0FHa0364
« Reply #24 on: March 25, 2005, 07:49:42 AM »
Run a boot-time scan.

Start avast! Antivirus --> Click on the "Menu" button towards the top left of the avast! program window --> Then click on "Schedule Boot-Time Scan"

lee16

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #25 on: March 25, 2005, 12:23:00 PM »
About the hijackthis log, if you look carefully Spyros, you can see that Eddy's analyzer missed some stuff  ;), here is what needs to be removed:

O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {E6DA8678-2095-CA84-8A20-983A6726D192} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)    
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O18 - Protocol hijack: mhtml -

However there is nothing bad there related to your temp folder, but try running ccleaner anyway (I see you already have it from your log).
Also, where is this 'hsperfdata' located?

And about the malware 'Swizzor': I have sent in 3 different samples of this malware myself over the last couple of months; only 2 were added so far, most likely because it is spyware/adware and not a virus/worm (Avast is a virus scanner, although Alwil does add them sometimes). All the friends'/family machines they were on were using 'Warez P2P' (which is what Swizzor is bundled with). Are you running it as well? The location you provided was also a common one for the Swizzor I found on those machines (sometimes removing this infection disabled Warez as well).
Also, from your log I can see signs of Swizzor: the 4 running 'iexplore' processes, which are used to update the malware and download even more to your computer.
Normally you can only terminate/kill the processes for a few seconds before they start themselves back up again.
The only way to stop this is to delete the files without the processes being enabled (this was quite difficult even for me); maybe try killing the processes from Task Manager (Alt + Ctrl + Delete) and then run ccleaner very quickly.

Good luck

--lee
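As an added example (not code from this thread or from any of its posters), here is a small Python script that applies the checks lee raised: it parses the "Running processes" section and the R/F/O entries of a HijackThis log, flags a core Windows binary such as svchost.exe running from outside System32, counts simultaneous iexplore.exe instances, and reports O2 BHO entries with "(no file)" and O18 protocol hijacks. The embedded log is constructed in the v1.99.1 layout, and the System32 path and the threshold of three iexplore.exe instances are assumptions.

```python
import re

# Constructed sample in HijackThis v1.99.1 layout (not the poster's real log);
# the Temp-folder svchost.exe and the fourth iexplore.exe are planted findings.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 13:43:16, on 25-3-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Temp\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O18 - Protocol hijack: mhtml -
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Core Windows binaries that, per lee's point about svchost.exe, belong in System32 only.
SYSTEM_ONLY = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
# Assumption: a default install on C:; adjust for other system roots.
SYSTEM_DIRS = {r"c:\windows\system32"}
# Assumption: more than this many simultaneous iexplore.exe instances is worth a look
# (lee pointed at four of them as a Swizzor sign).
IE_THRESHOLD = 3
ENTRY_RE = re.compile(r"^[RFO]\d+\s+-\s+")


def parse_log(text):
    """Split a HijackThis log into its running-process paths and its R/F/O entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the blank line ends the process section
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(line)
    return processes, entries


def analyse(text):
    """Return (finding_kind, detail) pairs for the checks discussed in the thread."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        folder, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_ONLY and folder not in SYSTEM_DIRS:
            findings.append(("core_binary_outside_system32", path))
    ie_count = sum(1 for p in processes if p.lower().endswith("\\iexplore.exe"))
    if ie_count > IE_THRESHOLD:
        findings.append(("many_iexplore_instances", str(ie_count)))
    for entry in entries:
        if entry.startswith("O2 ") and entry.endswith("(no file)"):
            findings.append(("dangling_bho", entry))   # BHO registered but DLL gone
        elif entry.startswith("O18 "):
            findings.append(("protocol_hijack", entry))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

A clean log yields an empty list; the check on process count is a heuristic, since an open browser with several windows also shows multiple iexplore.exe lines.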

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #26 on: March 25, 2005, 02:39:00 PM »
Hi Lee and other forum members,

Sorry if I am asking so many questions, your help and that of other forum members is greatly appreciated since I am  ??? when it comes to computers. 

As for Trojan Swizzor:

I did use Warez P2P Client (uninstalled it yesterday). I followed your advice about Crapcleaner and I think it worked. I am posting another hijack log at the end of the text, so please have a look at it. I haven't removed the checked items that needed to be removed yet, that's why these are still present. But why are these items dangerous for my computer?

As for VGB0FHa0364:

I mentioned that Microworld Antivirus Toolkit came up with restore.ins (NetTool.PsKill, not-a-virus). When I looked for restore.ins in the registry there was a registry key VGB0FHa0364 present and I deleted it.

As for Hsperfdata

This file is always in my temporary folder; sometimes it appears and sometimes not. Now I also have Perflib_Perfdata_838, which is a .dat file, in my temporary folder. I searched the internet for what Hsperfdata is and found a website about it.

http://www.javakb.com/Uwe/Forum.aspx/java-jvm/25/hsperfdataS
So, hsperfdata is harmless to your computer?

Here is my HijackThis log. Thanks a million (again) for your help.

Logfile of HijackThis v1.99.1
Scan saved at 13:43:16, on 25-3-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\regedit.com
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E6DA8678-2095-CA84-8A20-983A6726D192} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O18 - Protocol hijack: mhtml - 
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
« Last Edit: March 25, 2005, 02:44:09 PM by jazzymina »

lee16

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #27 on: March 25, 2005, 03:59:35 PM »
Hi jazzymina,

Quote
Sorry if I am asking so many questions, your help and that of other forum members is greatly appreciated since I am  ??? when it comes to computers.

No problem, we're here to help  ;)

Quote
As for Trojan Swizzor:

I did use Warez P2P Client (uninstalled it yesterday). I followed your advice about Crapcleaner and I think it worked. I am posting another hijack log at the end of the text, so please have a look at it.

Make sure 'C:\PROGRAM FILES\WAREZ P2P CLIENT' is gone as well; if not, delete that folder.
I also see one more iexplore.exe running, but if you ran Hijackthis while Internet Explorer was open, that's what it is.

Quote
I haven't removed the checked items that needed to be removed yet, that's why these are still present. But why are these items dangerous for my computer?

O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {E6DA8678-2095-CA84-8A20-983A6726D192} - (no file)

The above are unnecessary/deactivated files (or just not there anymore).

O18 - Protocol hijack: mhtml -

The one above is just very suspicious, and it's almost certainly bad.

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

The above are unneeded/junk reg keys/files that will automatically come back when they are needed anyway.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

The above is an unneeded startup item; it will open when needed or manually anyway.

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

If you don't want the soundman/soundcard diagnostic feature in your taskbar then delete the above one.

Quote
As for VGB0FHa0364:

I mentioned that Microworld Antivirus Toolkit came up with restore.ins NetTool.PsKill is not-a-virus. When I looked for restore.ins in the registry there was a registry key of VGB0FHa0364 present and I deleted it.

Disable System Restore and reboot your PC, then go to the location where restore.ins and NetTool.PsKill are and delete both instances of them.

Quote
As for Hsperfdata

This file is always in my temporary folder, sometimes it appears and sometimes not. Now I also have Perflib_Perfdata_838 which is a Dat.file in my temporary folder. I surfed the internet what Hsperfdata is and found a website about it.

Seems they're both harmless, yes.

Don't forget to run ccleaner once more after you have done the above.

--lee

« Last Edit: March 25, 2005, 04:01:09 PM by lee16 »

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #28 on: March 26, 2005, 10:09:47 PM »
Hi Lee  :),

I removed all restore.ins files on my computer (I think) and deleted the NetTool and PsKill registry key. But I don't know if I am doing the right thing, because I don't know if these registry keys are legitimate or not. I am afraid I'm going to remove something important and my computer will crash.

I looked for NetTool and PsKill on my computer but there were no files named like that on the computer itself (only wish it would be that easy to remove a virus). However, they did pop up in the registry under the search query 'restore ins' and, as I said, were deleted. But why does Microsoft Antivirus Toolkit still mention the virus if I have deleted all of the restore.ins files? Virus still present?

Also, when I look at my HijackThis log there are 3 running processes of Internet Explorer open even though I am offline while running HijackThis. What I wanted to know is: how many Internet Explorer processes should there be running normally? You said earlier that if there are several running processes of Internet Explorer this is a result of the Trojan.Downloader Swizzor???
I'll follow your earlier advice and use CrapCleaner; for now, do you think I am still infected?

I have another (little) question for you if you don't mind. Since I am a bit paranoid I downloaded a lot of software for protection of my computer. But maybe a few of them are redundant and interfere with other protection programmes. Could you please tell me which programme is unnecessary?

I have the following programmes on my computer:

FREEWARE

Avast
BHODemon
Ad-Aware
A2 Free
Spybot
Crapcleaner
Spywareblaster  (quite good so far)
SpywareGuard
Windows Beta Antispyware 1 ( Downloaded it yesterday. Good for protecting you from trojan.downloaders like Swizzor I read somewhere)
Sygate Personal Firewall

Shareware (free Trial)

The Cleaner and TDS, but these will be removed eventually.

I won't remove Sygate, Avast, Spybot, Crapcleaner and Windows AntiSpyware and maybe Spywareblaster. What is your opinion??  :)

jazzymina

  • Guest
Re: Win32.trojanVGB0FHa0364
« Reply #29 on: March 26, 2005, 10:13:20 PM »

Logfile of HijackThis v1.99.1
Scan saved at 23:38:44, on 25-3-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\regedit.com
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe