Hijack this log - can anyone help?

  georgemac © 14:09 18 Mar 05
Locked

My sons PC has been infected by virus/malware - I have mamaged to remove most of it but there is still something there - think it is MSN Messenger related. Will post the hijack this log in sections and will be grateful for any help - The r1 entry keeps coming back even if I delete it.

Logfile of HijackThis v1.99.1
Scan saved at 13:48:00, on 18/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\system32\CTsvcCDA.EXE
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\system32\LVCOMSX.EXE
D:\Program Files\Logitech\Video\LogiTray.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
D:\Program Files\MSI\Live Update 3\LMonitor.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\MSI\PC Alert 4\PCAlert4.exe
D:\Program Files\United Devices\ud_mon.exe
D:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
d:\progra~1\intern~1\iexplore.exe
D:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\Program Files\Microsoft Office\Office10\msoffice.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Logitech\Video\FxSvr2.exe
D:\Program Files\United Devices\UD.exe
D:\Program Files\United Devices\ud_7174683.exe
D:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
D:\DOCUME~1\KRISTO~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

  georgemac © 14:09 18 Mar 05

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 securityresponse.symantec.com
O1 - Hosts: 64.233.167.104 symantec.com
O1 - Hosts: 64.233.167.104 sophos.com
O1 - Hosts: 64.233.167.104 mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantecliveupdate.com
O1 - Hosts: 64.233.167.104 viruslist.com
O1 - Hosts: 64.233.167.104 f-secure.com
O1 - Hosts: 64.233.167.104 kaspersky.com
O1 - Hosts: 64.233.167.104 kaspersky-labs.com
O1 - Hosts: 64.233.167.104 avp.com
O1 - Hosts: 64.233.167.104 networkassociates.com
O1 - Hosts: 64.233.167.104 ca.com
O1 - Hosts: 64.233.167.104 mast.mcafee.com
O1 - Hosts: 64.233.167.104 my-etrust.com
O1 - Hosts: 64.233.167.104 download.mcafee.com
O1 - Hosts: 64.233.167.104 dispatch.mcafee.com
O1 - Hosts: 64.233.167.104 secure.nai.com
O1 - Hosts: 64.233.167.104 nai.com
O1 - Hosts: 64.233.167.104 update.symantec.com
O1 - Hosts: 64.233.167.104 updates.symantec.com
O1 - Hosts: 64.233.167.104 us.mcafee.com
O1 - Hosts: 64.233.167.104 liveupdate.symantec.com
O1 - Hosts: 64.233.167.104 customer.symantec.com
O1 - Hosts: 64.233.167.104 rads.mcafee.com
O1 - Hosts: 64.233.167.104 trendmicro.com
O1 - Hosts: 64.233.167.104 grisoft.com
O1 - Hosts: 64.233.167.104 sandbox.norman.no
O1 - Hosts: 64.233.167.104 click here
O1 - Hosts: 64.233.167.104 uk.trendmicro-europe.com

  georgemac © 14:10 18 Mar 05

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] D:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] D:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [LiveMonitor] D:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [serpe] D:\WINDOWS\system32\serbw.exe
O4 - HKLM\..\RunServices: [serpe] D:\WINDOWS\system32\serbw.exe
O4 - HKCU\..\Run: [LDM] D:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "D:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [safe dead] D:\DOCUME~1\KRISTO~1\APPLIC~1\PROGRA~1\spam this.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = D:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: Shortcut to ud_mon.exe.lnk = D:\Program Files\United Devices\ud_mon.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = D:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - click here

  georgemac © 14:11 18 Mar 05

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - click here
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - click here
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - click here
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - click here
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - click here
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - click here
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - click here
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - click here
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

now that all looks a mess to me - should I have posted it differently?

  Yoda Knight 14:31 18 Mar 05

run regedit, navigate to HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar right click, alter value

  Yoda Knight 14:37 18 Mar 05

serpe] D:\WINDOWS\system32\serbw.exe O4 - HKLM\..\RunServices: [serpe] D:\WINDOWS\system32\serbw.exe O4 - HKCU\..\Run:

click here is about the serbw.exe file you have

  Yoda Knight 14:38 18 Mar 05

When u install Mess With MSN Messenger, if u install the sponsor software u are opening a huge can of whip ass on yourself... !!!! :)

  Yoda Knight 14:41 18 Mar 05

try start in safe mode with networking and then click here

  georgemac © 14:43 18 Mar 05

I know - I previously had uninstalled it and reinstalled it without the sponsor software - I don't know what he has done this time! I have used the symantec cleaning tool fixsflog.exe to try and get rid of that file

I will go and try your suggestions, thanks

  georgemac © 15:04 18 Mar 05

I had used the symantec tool click here already but it had left one registry entry which I found thanks to this click here

I also copied a new hosts file from click here which I normally use but I have now locked the hosts file so it cannot be altered

I also changed the internet explorer search bar entry as you advised and it looks a whole lot better now, thanks for the input, will tick the box.

This thread is now locked and can not be replied to.

How to get Windows 10 for free | How to install Windows 10: There is still a way to avoid paying…

1995-2015: How technology has changed the world in 20 years

Alex Chinneck’s giant ice cube Christmas tree at Kings Cross

Apple rumours & predictions 2017: The iPhone 8, new iPads, and everything else you should expect fr7…