Status
Not open for further replies.

· Registered
Joined
·
5 Posts
Discussion Starter · #1 ·
Hello, I'm new here, I really need some help.

I'm a gamer, by nature, I have what I'd like to think of as a high spec PC. It has Windows XP Professional, SP2. I keep it very clean, anyway enough of my sadness.

Just recently I was hit by a virus. AVG Free finally cleaned it up, and now I'm receiving Windows Security Alerts. The exact message is "To help protect your computer, Your registry has to be fixed. To resolve theis problem, obtain the latest update." Only trouble is, I click accept, it downloads this program called System Registry Cleaner 2.4, and then I have to pay for it before I can use it. Unfortunately it doesn't accept Solo, so I went ahead and purchased a registry cleaner from somewhere else.

It cleaned up around about 712 registry problems (and I said I keep it clean... pfff) and then said there were no more. The alert still comes off (and interrupts my gaming). I have tried EVERYTHING. I keep the actual program running (Registry cleaner 2.4) and it still tries to install it. I disabled the Security Center, and re-enabled it. I disabled the firewall, I changed the way the firewall alerts me, I turned off Auto Updates, I'm outta ideas.

It keeps on coming back and trying to install a program I have installed about 300 times. lol. I'm not even joking.

Sorry this is a long Q, but if anyone has the slightest hint of how to disable this annoying little thing, please let me know (as long as it doesn't involve run -> msconfig -> services | run -> services.msc -> security center -> startup: disable | control panel -> security center -> automatic updates, or change the way firewall alerts me). Because I have tried ALL of these until I'm blue in the face.

Help would be much appreciated.

Ash
 

· Registered
Joined
·
9,785 Posts
System Registry Cleaner is probably goadware/fraudware. Your computer has been penetrated by a program attempting to goad you into buying something to clean up something they really aren't going to clean up. If you buy it and use it, your problems will go away for a while and then you'll get another pop-up saying you have some other problem with your computer and if you buy something else, it'll "fix" that problem.

All along, the problem is really this fraudware taking your money.

Your system is not clean.

Post a Hijack This log. Download Hijack This from www.Download.com. Run the program and paste the log here. DO NOT FIX ANYTHING. Just post the log.
 

· Registered
Joined
·
5 Posts
Discussion Starter · #3 ·
OK, so here's the log. Sorry it's really big. I didn't know how much you wanted.

Logfile of HijackThis v1.99.1
Scan saved at 11:37:26, on 10/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\CTPMON.EXE
C:\WINDOWS\system32\CTPMON.EXE
C:\program files\steam\steam.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\xerox\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Yubi\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTPMON] CTPMON.EXE
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.freepgs.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C665639-EBFB-41C5-8E82-9D6A68F5FFD6}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D0D0C48-BDA9-4A4A-B07E-3F9971D9ACA4}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0926352-2643-4285-9AED-403C699B2EE5}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C665639-EBFB-41C5-8E82-9D6A68F5FFD6}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0C665639-EBFB-41C5-8E82-9D6A68F5FFD6}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: IEFilter - {D0A520B0-E9C9-431F-B29C-0E851138FCC8} - (no file)
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 

· Registered
Joined
·
11,852 Posts
Welcome to TSG....

Are you using a firewall?

If so what is the name of the firewall?

Please wait and one of our HJT experts with the little gold shield to the right of their name will diagnose the log file properly for you.
 

· Registered
Joined
·
5 Posts
Discussion Starter · #5 ·
Hello. I am using Windows Firewall. Seriously, believe me when I say I have done everything I can regarding the firewall and automatic updates. I have disabled it, re-enabled it, and changed the way it alerts me of security risks.

I think my router has an inbuilt firewall, but I have had the router for 2 years, and this problem has been occurring as of recently (2 days ago). Just in case this helps, my router is a Linksys WAG54GS.

SPI Firewall Protection: Enabled
Block Anonymous Internet Requests : Enabled

Thanks for the help. :)
 

· Registered
Joined
·
11,852 Posts
Keep an eye out for the HJT team; one of those fine folks will diagnose your log file, and they have the little gold shield and are the only ones authorized to do this.
 

· Registered
Joined
·
9,785 Posts
To further explain what ozrom1e is writing, there are certain users of this board who are certified by TechGuy.org to interpret the HJT log and recommend changes. This extra precaution is taken because making the wrong change can actually leave you in much worse condition than most malware.

So, just sit tight until one of those guys (whose knowledge I envy) comes along.
 