Hijacked by AntiVirus Gold


Guest

You are using programs that are probably bundled with spyware. I only know
about the good stuff. I never heard of AVGold, Nuker, Softspy etc. Don't buy
anything without checking with www.spywareinfo.com for a start. I use free
avast virus software, free ad-aware, free spybot s&d, free microsoft-beta
antispyware (not all at the same time) and I never had a problem. Security is
#1. My advice, download "eraser" from heidi software (free), create a floppy
nuke disk, erase the disk clean, reformat, and install a clean os. Then
install sp2 for a firewall, update at microsoft, get zone alarm
firewall-free, avast, and what I mentioned before. Before you buy an app, a
game, especially free screensavers, learn all you can about adware and
spyware. If you have a good virus program (avast updates automatically)
you'll be ok.
 

finch21

this thing is driving me mental!! this is what hijackthis says:
Your ideas would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 2:21:40 a.m., on 10/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\hookdump.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\360Share\Gui\360Share.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pinch\Desktop\HijackThis.exe
C:\WINDOWS\notepad.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.78 google.es
O1 - Hosts: 213.219.251.78 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: SuperAdBlockerBHO Class -
{00000000-6C30-11D8-9363-000AE6309654} - C:\Program
Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
- C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor -
{B56A7D7D-6927-48C8-A975-17DF180C71AC} -
C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Super Ad Blocker Toolbar -
{B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program
Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP
Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program
Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Windows Cleaner] "C:\Program Files\Windows Cleaner
Full/WindowsCleanerFull"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Barv] C:\WINDOWS\mefkkykm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0
-k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero
BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Intel system tool]
C:\WINDOWS\system32\hookdump.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program
Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
Doctor\swdoctor.exe" /Q
O4 - Startup: 360Share On Startup.lnk = C:\Program
Files\360Share\Gui\360Share.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\MSOffice\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor -
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C}
- C:\Program Files\Common Files\Microsoft Shared\Encarta Search
Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload
Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader
Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
-
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{EC008768-3D34-4F3C-A557-AA4D38B10841}:
NameServer = 192.168.1.254
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -
C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program
Files\Common Files\Macromedia Shared\Service\Macromedia
Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP -
C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner -
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file
missing)
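A small triage script for HijackThis logs like the one above, added here as an example and not part of HijackThis or of this thread: it rejoins entries the forum wrapped across lines, then flags the hosts-file redirections (O1), Run entries that start unknown executables straight from the Windows directory (O4), the Trusted Zone addition (O15) and the orphaned "(file missing)" entry. The sample lines are copied from the log; the baseline of known-good Windows-directory executables is a constructed assumption.

```python
"""Triage helper for HijackThis-style logs (added example, not part of HijackThis).
It rejoins entries the forum wrapped across lines, then flags what the posted
logs show: hosts-file redirection of public names (O1), Run entries starting
unknown executables from the Windows directory (O4), IE Trusted Zone additions
(O15) and orphaned entries whose file is missing."""
import re
from collections import Counter, namedtuple

# Constructed sample copied from the log above, keeping the forum's line
# wrapping so the parser has to reassemble entries.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Barv] C:\WINDOWS\mefkkykm.exe
O4 - HKCU\..\Run: [Intel system tool]
C:\WINDOWS\system32\hookdump.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner -
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file
missing)
"""

# Constructed baseline of executables that legitimately autostart from the
# Windows directory on these machines; a real one comes from a clean image.
WINDIR_BASELINE = {"soundman.exe", "nerocheck.exe", "dumprep", "ctfmon.exe"}
LOOPBACK = {"127.0.0.1", "::1"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run:\s*(?:\[(.*?)\]\s*)?(.*)$")
# Command whose executable sits directly in %WINDIR% or %WINDIR%\system32.
WINDIR_EXE_RE = re.compile(
    r'^"?(?:[a-z]:\\windows|%systemroot%)\\(?:system32\\)?([^\\\s"]+)', re.I)

Finding = namedtuple("Finding", "section severity reason entry")


def join_wrapped_entries(text):
    """Return (section, body) pairs, gluing wrapped continuation lines back on."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:  # no "Oxx - " prefix: tail of the previous entry
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]


def triage(text):
    """Run the checks over a log and return findings in log order."""
    entries = join_wrapped_entries(text)
    # Count names per address: one address collecting many search and mail
    # domains is the redirection pattern in the log above.
    per_ip = Counter(m.group(1) for s, b in entries if s == "O1"
                     for m in [HOSTS_RE.match(b)] if m)
    findings = []
    for section, body in entries:
        if section == "O1":
            m = HOSTS_RE.match(body)
            if m and m.group(1) not in LOOPBACK:
                ip, host = m.groups()
                findings.append(Finding(section, "high",
                    f"hosts file sends {host} to {ip} "
                    f"({per_ip[ip]} name(s) share this address)", body))
        elif section == "O4":
            m = RUN_RE.match(body)
            exe = WINDIR_EXE_RE.match(m.group(3)) if m else None
            if exe and exe.group(1).lower() not in WINDIR_BASELINE:
                findings.append(Finding(section, "high",
                    f"{m.group(1)} Run entry [{m.group(2) or ''}] starts "
                    f"{exe.group(1)} from the Windows directory, not in baseline",
                    body))
        elif section == "O15":
            findings.append(Finding(section, "high",
                "site added to the IE Trusted Zone, relaxing browser security "
                "for it", body))
        if "(file missing)" in body:
            findings.append(Finding(section, "low",
                "entry points at a file that no longer exists; leftover "
                "registration to clean up", body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:4} {f.section:3} {f.reason}")
```

On the sample it reports the four hosts redirections, mefkkykm.exe and hookdump.exe as unknown autostarts, the contentmatch.net Trusted Zone entry and the missing SABSVC.EXE, while jusched.exe and SOUNDMAN.EXE pass.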
 
Ted Zieglar

Nobody knows what "darn problem" you have because you didn't describe one.
Post HiJack This logs in one of the forums created for that purpose, like
Tom Coyote:
http://forums.tomcoyote.org/index.php?showforum=27

--
Ted Zieglar
"You can do it if you try."

finch21 said:
this thing is driving me mental!! this is what hijackthis says:
Your ideas would be greatly appreciated..


Logfile of HijackThis v1.99.1
Scan saved at 2:21:40 a.m., on 10/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\hookdump.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\360Share\Gui\360Share.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pinch\Desktop\HijackThis.exe
C:\WINDOWS\notepad.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.78 google.es
O1 - Hosts: 213.219.251.78 google.com.au
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: SuperAdBlockerBHO Class -
{00000000-6C30-11D8-9363-000AE6309654} - C:\Program
Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
- C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor -
{B56A7D7D-6927-48C8-A975-17DF180C71AC} -
C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: Super Ad Blocker Toolbar -
{B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program
Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP
Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: C:\Program
Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Windows Cleaner] "C:\Program Files\Windows Cleaner
Full/WindowsCleanerFull"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Barv] C:\WINDOWS\mefkkykm.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0
-k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero
BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy
Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Intel system tool]
C:\WINDOWS\system32\hookdump.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program
Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
Doctor\swdoctor.exe" /Q
O4 - Startup: 360Share On Startup.lnk = C:\Program
Files\360Share\Gui\360Share.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\MSOffice\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor -
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C}
- C:\Program Files\Common Files\Microsoft Shared\Encarta Search
Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
- C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload
Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader
Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
-
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{EC008768-3D34-4F3C-A557-AA4D38B10841}:
NameServer = 192.168.1.254
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner -
C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program
Files\Common Files\Macromedia Shared\Service\Macromedia
Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP -
C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner -
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file
missing)
 
finch21

sorry Ted, it's the antivirus gold like everyone else, that's the problem,
can't seem to get rid of that stupid little red cross on the toolbar, but
I'll check out Tom Coyote, cheers.
 
found a solution

Hi, I have had the problem with avgold too. Now, there are several users on this PC, and I saw the other users don't have problems with it, so this is what I have done:

I made a backup of all my files,
then made a new user,
put my files in the new user,
deleted the user where avgold is on and... you are rid of the avgold problem!
 
Antivirus gold Fix

hi, i read all these posts and was having the same problem with that darn trojan two days ago. I have found a solution and I felt obligated to post it for all of you. I have ad-aware running on my computer and it just wasn't cutting it. What I ended up doing was downloading the freeware version of Spybot Search and Destroy and the free 15-day trial of Webroot Spy Sweeper. I ran them all together and it fixed it. I think that the Webroot Spy Sweeper was the key because in the free scan that you can do on their website, it was the only program to recognize the antivirus gold as a trojan. I don't know if it worked because all three programs removed part of it, but it worked. Webroot asked me to reboot the system and when I did, there was no warning in the background and no (X) in the toolbar.

Hope that helps,
Dazed and Confused

Badabang
 
Here is a copy of my HijackThis scan:
Logfile of HijackThis v1.99.0
Scan saved at 10:13:12 PM, on 6/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\DOCUME~1\Pat\LOCALS~1\Temp\Rar$EX03.688\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro Eval\fplaunch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104371576812
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} (WAFDownloader Class) - https://www.web-a-file.com/webafiledownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



Can anyone tell me what to do about the AntiVirus Gold invasion on my computer?
I can not do a system restore for I undid that months ago.

Please help, this black screen is driving me nuts. I finally got it to stop downloading unless I accidentally click off of the icon I am trying to open.

This has been going on for a week and I am about to throw this thing out the window.

HELP ME PLEASE

Hoosiermom
 
I was attacked by antivirus gold last night. I've been reading these posts and, through trial and error of using the different advice given, I found that, as said, using SpySweeper (free 15 day trial) got rid of it. Maybe they've updated it recently or something. Thanks to everyone for their support and advice.
 
AntiVirus Gold

I have run and have been running the full blown version of Webroot SpySweeper and it has done nothing. I still have it and it is driving me up a wall. Please, someone has to know how to get rid of this thing.
 
Hey,

If I was being honest too, I also fell for the codec trick (www.vcodec.com or something, DO NOT DOWNLOAD) whilst needing to watch "Amusements". Looking through a few replies here, none of you have it as bad as you do (might not have read a post that has this problem). The website that the warning is linked to in the desktop, or it might be one of the viruses shoved in, is constantly crashing my active desktop, leaving me with no time to get 3 clicks in before I get the "Send Error Report" window from Windows before it crashes and flicks up again and crashes. It continues doing this until I rapid click the shutdown buttons before it crashes again :). Turns out also that my brother was going to change our antivirus software but 'didn't get round to finishing the job'. And with this problem I can't even install new software or even have enough time to pay the criminals (that's gotta be able to be dealt with?). Help asap please.

veliko said:
Hello Terry,

I had the EXACT same problem as you (with ANTIVIRUS GOLD) and solved it
as detailed below.

I read the follow-up posts to your original email and it seems that
some of the responses missed the nail in helping you out (one guy even
criticized you for installing "off-brand" antivirus... - he missed the
WHOLE point of your email for help not realizing that you DID NOT
install ANTIVIRUS GOLD and that it simply took over your system).

In any event, I went to antivirus-gold.com customer service and emailed
a complaint asking how to get rid of this. But of course they never
responded.

I WAS able to get rid of it though and maybe this will help you too.

I'm running under XP Pro.

In Windows "Help and Support" (accessible via Start button), I clicked
"Undo changes to your computer with System Restore".

I then selected "Restore my computer to an earlier time". When the
calendar came up, I selected an available restore point a few days
BEFORE the time when this whole problem started, rebooted as requested,
and it's fine now.

How it happened: In my case, I let my guard down by stopping both
McAfee Vscan and McAfee AntiSpyware. I stopped these because I was
burning DVD's for my business. When the burning completed, I forgot to
re-arm these guys and went surfing. I hit a site that needed to load a
CODEC to run the video. I run a film to DVD business and I try to make
sure I always have all the latest CODECS and so I loaded the new
"codec" and that's when the problem started. (ok ok, it was a porn site
;-)

I would appreciate you letting me know if this solution helps you at
all.

Veliko



Kerry Brown wrote:
> "Terry Smythe" <smythe@shaw.ca> wrote in message
> news:d0l991lmb7qbhnb5kc3pesl5nem4rpl64k@4ax.com...
> >I have now verified that my desktop has been hijacked by
> > "desktop.html" It resides in c:\windows I've tried
> > deleting it and editing it, but can't get rid of it. Keeps coming
> > back from somewhere, no matter what I do.
> >
> > It has embedded within it a command to visit the Antivirus Gold web
> > site. It appears to be extremely malicious marketing, planting 3
> > viruses that only it can remove, and itself. Its message is, 'if you
> > want to remove these viruses, then buy me'
> >
> > A search for this file on my computer reveals only 1 copy. If I
> > delete it, it is replaced upon reboot. If I edit it, it is replaced
> > upon reboot.
> >
> > A 'net search suggests an incredibly convoluted procedure for getting
> > rid of it. Surely there must be an easier way.
> >
> > Along with SpyBot, AdAware, Microsoft's new parasite detector/remover
> > fails to see it. They see all kinds of things, but won't touch this
> > one. Registry First Aid finds only a single entry, deletes it, and
> > upon reboot, it's back again. It's not in Startup.
> >
> > I'm hopeful of finding some kind of specific utility to remove this
> > ugly parasite.
> >
> > Regards,
> >
> > Terry Smythe
> >

>
> Go to the following link and download HijackThis.
>
> http://www.aumha.org/freeware/freeware.php#hjt
>
> Run it and then post the log it generates to one of the forums dedicated to
> its use. A good place to start is here:
>
> http://forum.aumha.org/viewforum.php?f=30
>
> http://www.techsupportforum.com/forumdisplay.php?f=50
>
> http://castlecops.com/forumx67-0-50.html
>
> Don't post the log here. Some malware hides very deep in the system and
> isn't detected by any of the spyware removal programs. Hijackthis and other
> tools will assist in its manual removal. Barring that you could backup your
> data and reinstall Windows and all your programs then restore the data. If
> you are unable to do either I recommend you take your computer to a
> professional to have it fixed.
>
> Kerry
 
AV Gold

I have the same problem as sir rob with one of the t888ers at work who has managed to get it on his laptop. I am going to just wipe his system. I can't find any way around it. The annoying thing is we have Symantec v9 all fully updated and on auto monitor but somehow this rubbish still got through.

BTW I checked out the AV Gold website and they aren't far from me in central London, I have a good mind to go round there and have a serious "discussion". I can't believe the useless putrid little whores.
 

toiletpaper

I had AV Gold on my computer too, and tried to do as quoted below, but in
my case there was no winnook.exe there, but there was a process called
hookdump.exe. I unchecked it, and after reboot, the red little button in
the lower right corner is gone. Then I ran Spybot and removed the file
that was found, rebooted and ran Spybot again. I don't know much about
computers, but it seems to me like I have got rid of this mess.
 
