avast found trojans-delete? or what?-in chest

[bball142023]

this is what spybot found-suprised my other softwares didnt find

Hint of the Day: Click the bar at the right of this to see more information! ()
 

SpyHunter: [SBI $6356772A] Settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\EnigmaSoftwareGroup

SpyHunter: [SBI $9C5B26B3] Uninstall settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{03CE1BCB-03F5-4C6A-B37E-69799AA3C544}

SpyHunter: [SBI $6B7CE99F]  Data (File, nothing done)
  C:\Program Files\Enigma Software Group\SpyHunter\SHDS.mht

SpyHunter: [SBI $5E28F58D]  Executable (File, nothing done)
  C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

SpyHunter: [SBI $3C8FFF5F]  Link (File, nothing done)
  C:\Documents and Settings\All Users\Desktop\SpyHunter.lnk

SpyHunter: [SBI $49C348C6]  Link (File, nothing done)
  C:\Documents and Settings\All Users\Start Menu\SpyHunter.lnk

SpyHunter: [SBI $49C348C6]  Link (File, nothing done)
  C:\Documents and Settings\All Users\Start Menu\Programs\SpyHunter\SpyHunter.lnk

SpyHunter: [SBI $C057F9C9] Program directory (Directory, nothing done)
  C:\Program Files\Enigma Software Group\SpyHunter\Download\

SpyHunter: [SBI $EC6FAAFE] Program directory (Directory, nothing done)
  C:\Program Files\Enigma Software Group\SpyHunter\Rollback\

SpyHunter: [SBI $48A92693] Program directory (Directory, nothing done)
  C:\Program Files\Enigma Software Group\SpyHunter\

SpyHunter: [SBI $677DC56C] Program directory (Directory, nothing done)
  C:\Program Files\Enigma Software Group\

SpyHunter: [SBI $B32145A0] Settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\EnigmaSoftwareGroup\SpyHunter

SpyHunter: [SBI $13064944] Program directory (Directory, nothing done)
  C:\Documents and Settings\All Users\Start Menu\Programs\SpyHunter\

SpyHunter: [SBI $B074B714] Settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\Software\SpyHunterConfig

MiniBug: [SBI $35005FC0] Settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-2914288250-963918322-4271176276-1006\Software\AWS\MiniBug

WildTangent: [SBI $2740DBFD] Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM\ClassPath=...;C:\Program Files\WildTangent\Apps\DRM0302Java.jar...

WildTangent: [SBI $3A3BDC07] Program directory (Directory, nothing done)
  C:\WINDOWS\wt\

WildTangent: [SBI $595CAE40]  Library (File, nothing done)
  C:\WINDOWS\wt\WDInUsePlugin.dll

WildTangent: [SBI $A3CF89BD] Program directory (Directory, nothing done)
  C:\WINDOWS\wt\wtDRM\

WildTangent: [SBI $DFEDBBEE]  Library (File, nothing done)
  C:\WINDOWS\wt\webdriver.dll

WildTangent: [SBI $76830867] Program directory (Directory, nothing done)
  C:\WINDOWS\wt\wtupdates\

WildTangent: [SBI $E30EC8B1] Program directory (Directory, nothing done)
  C:\WINDOWS\wt\updater\

WildTangent: [SBI $7E3A8D37] Program directory (Directory, nothing done)
  C:\WINDOWS\wt\webdriver\

Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-2914288250-963918322-4271176276-1006\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

Microsoft.WindowsSecurityCenter.AntiVirusOverride: [SBI $3604910C] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Altnet: [SBI $383E5C9C]  Data (File, nothing done)
  C:\WINDOWS\smdat32a.sys

GAIN.Gator: [SBI $5C1A1733] Module usage (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/IEGator.dll

180Solutions.SearchAssistant: [SBI $0CD53498]  Data (File, nothing done)
  C:\WINDOWS\SYSTEM32\msbb.log

180Solutions.SearchAssistant: [SBI $40DB9745]  Data (File, nothing done)
  C:\WINDOWS\SYSTEM32\msbb_kyf.dat

180Solutions.SearchAssistant: [SBI $8FBE5223]  Data (File, nothing done)
  C:\WINDOWS\SYSTEM32\msbbau.dat


--- Spybot - Search & Destroy version: 1.6.0  (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-07-23 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-07-15 Includes\Adware.sbi (*)
2008-07-15 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-07-07 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-07-10 Includes\Hijackers.sbi (*)
2008-07-08 Includes\HijackersC.sbi (*)
2008-07-15 Includes\Keyloggers.sbi (*)
2008-07-15 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-07-23 Includes\Malware.sbi (*)
2008-07-23 Includes\MalwareC.sbi (*)
2008-07-15 Includes\PUPS.sbi (*)
2008-07-22 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-07-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-07-11 Includes\Spyware.sbi (*)
2008-07-15 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-07-23 Includes\Trojans.sbi (*)
2008-07-22 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

[bball142023]

should i delete everything except spyhunter-jusrt used its scan

also when i start my comp, the icon comes in my tray saying my firewall is turned off, but it goes away after 5 seconds and is on when i check in the security center -wondering if that may be bad

[wyrmrider]

http://antivirus.about.com/b/2004/05/05/spyhunter-ad-campaign-an-enigma.htm

http://forums.spybot.info/showthread.php?t=7028

Save your money there are better choices

[bball142023]

im not gonna buy it i only kept it because it showed some infections and was going to delete it but wanted to point out some things from its scan
it found 

zlob.trojan in HKCU/software/microsoft/windows/currentversion/internetsettings/zonemap/EscDomains/(many website names) thinking of deleting manually
(is it ok to delete all the files in the escdomians)
zlob.videoacess
wildtangent
media
gator
sidessearch
DyFuCa

was thinking of using spyhunter to remove manually what should i do?

[bball142023]

here the ht log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:50, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingA5162] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1497] cmd /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-2914288250-963918322-4271176276-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2914288250-963918322-4271176276-1003\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-2914288250-963918322-4271176276-1003\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 7024 bytes

[bball142023]

any suggestions??

[FreewheelinFrank]

Spybot needs to delete something: you need to reboot:

O4 - HKLM\..\RunOnce: [SpybotDeletingA5162] command /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1497] cmd /c del "C:\WINDOWS\wt\webdriver.dll"

http://forums.spybot.info/showpost.php?p=115123&postcount=5

[wyrmrider]

The HJT was a VERY GOOD CHOICE over removing Spyhunter hits which would take a lot of work to sort out the false positives
do what frank says for the HJT fixes
schedule a boot time scan with avast- update and reboot
then post a fresh HJT-

[bball142023]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:19:57, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6208 bytes


also i was wondering if i could just delete all my system restores more found in avast scan and was wandering if i should factory format reinstall and make it like i first got it

[bball142023]

this was found by avast

Move files to temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp
FileID: 0000000014  Original file name: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP289\A0087313.dll  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\14.dll
FileID: 0000000007  Original file name: C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0087349.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\7.DLL
FileID: 0000000008  Original file name: C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP292\A0087411.EXE  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\8.EXE
FileID: 0000000015  Original file name: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP299\A0090907.exe  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\15.exe
FileID: 0000000010  Original file name: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP304\A0091307.dll  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\10.dll
FileID: 0000000011  Original file name: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP304\A0091308.dll  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\11.dll
FileID: 0000000012  Original file name: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP304\A0091309.dll  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\12.dll
FileID: 0000000013  Original file name: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP313\A0091846.exe  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\13.exe
FileID: 0000000009  Original file name: C:\RECYCLER\S-1-5-21-2914288250-963918322-4271176276-1006\Dc1.exe  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\9.exe
FileID: 0000000005  Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\NPWTHOST.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\5.DLL
FileID: 0000000004  Original file name: C:\WINDOWS\WT\WEBDRIVER\WTMULTI.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\4.DLL
FileID: 0000000006  Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\WTMULTI.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp161772369.tmp\6.DLL

[polonus]

Hi bball142023

Nothing much from the HJT log analysis, fix this:
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

It will help to ran ATF-Cleaner (all options ticked) and ClearProg on your machine:
ATF-Cleaner get from here: http://majorgeeks.com/downloadget.php?id=4949&file=15&evp=72ef5a5e927b2276e6a5bc34c89d005a
ClearProg get from here: http://www.clearprog.de/download.php?id=40&lang=en
ClearProg FAQ: http://www.clearprog.de/programme/clearprog/index_new.php?lang=en

polonus

[DavidR]

Personally I would get rid of anything with crawler.com in it like these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61005

If you do a search on crawler.com you will find some form for data gathering for marketing purposes.

[bball142023]

i deleted the crawler and wormradar.
i used atf
what should i do about the avast chest, can i delete or wait and keep scanning them, also wanted to know if i should restore my comp to factory
kind of sluggish and dont have much i need on the comp
-thks for suggestions

[DavidR]

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Personally I hate the idea of starting from fresh or from a factory restore partition, like avoidance is my priority when it comes to that. There are just too many tweaks, settings, windows security updates, to name just a few to get it back to how I like it.

You don't have much running in HJT so I'm surprised at the sluggish comment. Your best bet is to do a check of all the programs that run and only allow those that are absolutely essential to run on boot. You have quicktime running on boot and that is a media program that only needs to run when you click on a media file that requires QT to play.

You also don't mention anything about your system specs, RAM, CPU, etc.

[bball142023]

intel pentium 4  cpu 2.00 GHz, 256mb ram, 32mb

startup is slow, takes a good minute for avast protection to pop up in system tray and another 2 minutes for firefox to get started, after that its good
i only keep programs i need, i dont really have too much, its that for like 2.3 months i forgot to do routine scans and i think the trjs got in and something called antispycheck installed itself but manageds to delete with fraudfix(was in exceptions in my firewall)