Author Topic: referred by GR@ph<"S" (Read 12581 times)

irishsupplyguy · « **on:** October 17, 2005, 02:05:56 PM »

Good morning:
My original post is "eaten alive" in your forum. GR@PH<"S" ask me to post a HJT log here. Also at start up I get and error message: isactiveguard: RegopenKeyEx faiLogfile of HijackThis v1.99.1
Scan saved at 9:07:08 AM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\apiqe32.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\apimt32.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {109212EC-3F75-38A1-64AA-DD6F914869B6} - C:\WINDOWS\system32\apiqg.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Class - {ABFCA22A-1BD4-07E3-7B76-3B4A8BCD96EE} - C:\WINDOWS\iplo32.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [win1B.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win1B.tmp.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [apimt32.exe] C:\WINDOWS\apimt32.exe
O4 - HKLM\..\RunOnce: [apiqe32.exe] C:\WINDOWS\apiqe32.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A4542EE-4F48-45FF-94D0-1B433FED1E0F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntln.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

led 5 0. Thank you for your help!

Rawe · « **Reply #1 on:** October 18, 2005, 04:52:05 AM »

Hello..

Please print these instructions out, or write them down, as you can't read them during the fix.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Unzip CWShredder to its own folder (ie c:\CWShredder)

Unzip AboutBuster to its own folder (ie c:\Aboutbuster)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster

Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
Click "OK" at the prompt with instructions.
Click "Update" and then "Check For Update" to begin the update process.
If any updates exist please download them by clicking "Download Update" then click the X to close that window.
Now close About:Buster

Update CWShredder

Open CWShredder and click I AGREE
Click Check For Update
Close CWShredder

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Please run about:buster by RubbeRDuckY:

Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shutdown explorer.exe.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp

Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
When CleanUp starts go to the Options button (right side of CleanUp screen)
Move the arrow down to "Custom CleanUp!"
Now place a checkmark next to the following (Make sure nothing else is checked!):

Delete Cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
Empty Recycle Bins
Delete Prefetch files
Cleanup! All Users

Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Reboot back into normal mode..

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

irishsupplyguy · « **Reply #2 on:** October 18, 2005, 01:30:19 PM »

Good morning Rawe:
Thank you for your reply. I printed your instructions and will reply after I have followed your advice.
I appreciate your help!

irishsupplyguy · « **Reply #3 on:** October 18, 2005, 03:58:01 PM »

Hello Rawe:
I am a newbie, hope I dAboutBuster 5.1, reference file 32
Scan started on [10/18/2005] at [10:40:25 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\system32\fntzq.dat
Removed File! : C:\WINDOWS\system32\zhzfd.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:41:17 AM

AboutBuster 5.1, reference file 32
Scan started on [10/18/2005] at [10:44:29 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:45:21 AM

(10/18/05 10:49:41 AM) SPSeHjFix started v1.1.2
(10/18/05 10:49:41 AM) OS: WinXP Service Pack 2 (5.1.2600)
(10/18/05 10:49:41 AM) Language: english
(10/18/05 10:49:41 AM) Win-Path: C:\WINDOWS
(10/18/05 10:49:41 AM) System-Path: C:\WINDOWS\system32
(10/18/05 10:49:41 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(10/18/05 10:49:49 AM) Disinfection started
(10/18/05 10:49:49 AM) Bad-Dll(IEP): (not found)
(10/18/05 10:49:49 AM) Bad-Dll(IEP) in BHO: (not found)
(10/18/05 10:49:49 AM) UBF: 7 - UBB: 2 - UBR: 12
(10/18/05 10:49:49 AM) UBF: 7 - UBB: 2 - UBR: 12
(10/18/05 10:49:49 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(10/18/05 10:49:49 AM) Stealth-String not found
(10/18/05 10:49:49 AM) Not infected->END
Logfile of HijackThis v1.99.1
Scan saved at 11:03:41 AM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\apimt32.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\apiqe32.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\wpabaln.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {51516028-FA3B-8261-B4D3-346C6B349CAE} - C:\WINDOWS\system32\mszm32.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [apimt32.exe] C:\WINDOWS\apimt32.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A4542EE-4F48-45FF-94D0-1B433FED1E0F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apiqe32.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

id everything properly. Thank you for your patience!
Hope this makes sense. Thank you Rawe

irishsupplyguy · « **Reply #4 on:** October 21, 2005, 01:08:08 PM »

Good morning experts:
I know you good folks are extremely busy but my last post is three days old and my computer is getting funkier by the minute. Could someone please help?
Tkank you!!!

Rawe · « **Reply #5 on:** October 21, 2005, 04:25:46 PM »

Hi, sorry, I didn't first notice to track the topic. Thank Corrine, she's the one who pointed me out here now

Can you post a fresh log for me here, please, and we'll continue

irishsupplyguy · « **Reply #6 on:** October 21, 2005, 05:47:22 PM »

Thank you Corrine!!! Thank you Rawe!!!
I am posting a new AAw log and HJT log. Hope I do this properly. T
Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, October 21, 2005 12:33:29 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R71 19.10.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt(TAC index:3):2 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

10-21-2005 12:33:29 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 600
ThreadCreationTime : 10-21-2005 3:44:35 PM
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 672
ThreadCreationTime : 10-21-2005 3:44:37 PM
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 10-21-2005 3:44:37 PM
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 740
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 752
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 908
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 964
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1056
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1108
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1348
ThreadCreationTime : 10-21-2005 3:44:39 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1452
ThreadCreationTime : 10-21-2005 3:44:39 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1588
ThreadCreationTime : 10-21-2005 3:44:40 PM
BasePriority : Normal
FileVersion : 7.4
ProductVersion : 7.4
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : (C) 1993 - 2002 Lexmark International, Inc.
OriginalFilename : LexBceS.exe

#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1612
ThreadCreationTime : 10-21-2005 3:44:40 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1640
ThreadCreationTime : 10-21-2005 3:44:40 PM
BasePriority : Normal
FileVersion : 7.4
ProductVersion : 7.4
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : (C) 1993 - 2002 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)

#:15 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_01\bin\
ProcessID : 1768
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal

#:16 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ProcessID : 1776
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE

#:17 [drgtodsc.exe]
FilePath : C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\
ProcessID : 1784
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 7.1.0.217
ProductVersion : 7.1.0.217
ProductName : Drag-to-Disc
CompanyName : Roxio
FileDescription : Drag To Disc Application
InternalName : D2D
LegalCopyright : Copyright (c) 1994-2004 Roxio, Inc.
LegalTrademarks : Copyright (c) 1994-2004 Roxio, Inc.
OriginalFilename : BurnCtrl.EXE

#:18 [aoldial.exe]
FilePath : C:\Program Files\Common Files\AOL\ACS\
ProcessID : 1792
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 2.0.20.1.US.1
ProductVersion : 2.0.20.1.US.1
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe

#:19 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1800
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe

#:20 [avgnt.exe]
FilePath : C:\Program Files\AVPersonal\
ProcessID : 1816
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal

#:21 [exec.exe]
FilePath : C:\Program Files\NetZero\
ProcessID : 1824
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 4, 3, 0, 0
ProductVersion : 4, 3, 0, 0
CompanyName : NetZero
FileDescription : ZCast
InternalName : ZCOM_exec
LegalCopyright : Copyright © 2002 United Online, Inc.

#:22 [aoltray.exe]
FilePath : C:\Program Files\America Online 9.0\
ProcessID : 1852
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 9.00.001
ProductVersion : 9.00.001
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
LegalCopyright : Copyright (C) America Online, Inc. 1999 - 2004

#:23 [tmas.exe]
FilePath : C:\Program Files\Trend Micro\Tmas\
ProcessID : 1860
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 3, 0, 1, 23
ProductVersion : 3.11
ProductName : Trend Micro Anti-Spyware
CompanyName : Trend Micro Incorporated
FileDescription : Anti-Spyware Main Module
InternalName : tmas.exe
LegalCopyright : Copyright (c) 2003-2005 Trend Micro Incorporated. All rights reserved.
OriginalFilename : tmas.exe

#:24 [avguard.exe]
FilePath : C:\Program Files\AVPersonal\
ProcessID : 176
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal

#:25 [aolacsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ProcessID : 192
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal

#:26 [avwupsrv.exe]
FilePath : C:\Program Files\AVPersonal\
ProcessID : 208
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal

#:27 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 244
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe

#:28 [ewidoguard.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 264
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe

#:29 [lssrvc.exe]
FilePath : C:\Program Files\Common Files\LightScribe\
ProcessID : 340
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
FileVersion : 1.0.17.4
ProductName : LightScribe
LegalCopyright : © Copyright 2003-2004 Hewlett-Packard Development Company, LP
OriginalFilename : LSSrvc.exe

#:30 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ProcessID : 628
ThreadCreationTime : 10-21-2005 3:44:46 PM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe

#:31 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1492
ThreadCreationTime : 10-21-2005 3:44:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe

#:32 [exec.exe]
FilePath : C:\Program Files\NetZero\
ProcessID : 2144
ThreadCreationTime : 10-21-2005 3:44:52 PM
BasePriority : Normal
FileVersion : 4, 3, 0, 0
ProductVersion : 4, 3, 0, 0
CompanyName : NetZero
FileDescription : ZCast
InternalName : ZCOM_exec
LegalCopyright : Copyright © 2002 United Online, Inc.

#:33 [x1exec.exe]
FilePath : C:\Program Files\NetZero\qsacc\
ProcessID : 2436
ThreadCreationTime : 10-21-2005 3:44:56 PM
BasePriority : Normal
FileVersion : 3.6.00
ProductVersion : 3.6.00
ProductName : NetZero HiSpeed
CompanyName : NetZero, Inc.
FileDescription : NetZero HiSpeed
InternalName : x1exec.exe
LegalCopyright : Copyright © 2001-2005 NetZero, Inc.
OriginalFilename : x1exec.exe

#:34 [wmiprvse.exe]
FilePath : C:\WINDOWS\system32\wbem\
ProcessID : 2768
ThreadCreationTime : 10-21-2005 3:45:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:35 [usrmlnka.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3588
ThreadCreationTime : 10-21-2005 3:45:30 PM
BasePriority : Realtime
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright (C) © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe

#:36 [usrshuta.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3600
ThreadCreationTime : 10-21-2005 3:45:30 PM
BasePriority : Normal
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics shutdown helper
InternalName : 3cshtdwn.exe
LegalCopyright : Copyright (C) © 2000 U.S. Robotics Corporation
OriginalFilename : 3cshtdwn.exe

#:37 [usrmlnka.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3612
ThreadCreationTime : 10-21-2005 3:45:30 PM
BasePriority : Normal
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright (C) © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe

#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1084
ThreadCreationTime : 10-21-2005 5:33:19 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:administrator@2o7.net/
Expires : 10-20-2010 12:27:38 PM
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 1

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\Documents and Settings\Administrator\Favorites\

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Seven days of free porn.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://www.7days.ws/
Object : C:\Documents and Settings\Administrator\Favorites\

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

12:39:35 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:06.16
Objects scanned:120438
Objects identified:3
Objects ignored:0
New critical objects:3

hank you for your help!

irishsupplyguy · « **Reply #7 on:** October 21, 2005, 05:49:29 PM »

Hello Rawe:
Here is the fresh HJT log. Thank you!Logfile of HijackThis v1.99.1
Scan saved at 12:42:54 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Rawe · « **Reply #8 on:** October 21, 2005, 08:48:19 PM »

Run a scan with HijackThis and check the following object for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O20 - Winlogon Notify: style32 - C:\WINDOWS\

Now close ALL open windows except for HijackThis and hit FIX CHECKED.

After that:

Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drive's.
A red dot will mark the selected drive(s) . Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drive's, hit yes to all.

Reboot.

Post a fresh HiJackThis log once finished.

irishsupplyguy · « **Reply #9 on:** October 21, 2005, 09:41:11 PM »

Good afternoon Rawe:
Fixed the files you directed with HJT. Ran the program from the link that you provided. It ran quick scan but I never saw the options you suggested for the select drive scans. When I rebooted I got this message Isactiveguard: RegOpenKeyExfailed 50. Thank you for your time and expertise. I hope we cLogfile of HijackThis v1.99.1
Scan saved at 4:38:52 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NZSearch\nzspc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

an resolve this. Many thanks. Attached is a fresh HJT scan.

Rawe · « **Reply #10 on:** October 22, 2005, 12:09:51 PM »

Please do an online virus scan with Panda ActiveScan Here. You need to use Internet Explorer for this scan.

Once you get to the Panda site, scroll down a bit and click on Scan your PC
A new window will appear; click on Check Now!
A new window will appear; fill in the boxes (Country, State, email addy)
Click on Scan Now! >
If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
From "Select a device to scan...", choose "My Computer"
Allow the scan to run. It'll take a while.
When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.

irishsupplyguy · « **Reply #11 on:** October 22, 2005, 01:40:58 PM »

Good morning Rawe:
Sorry to be such a problem. I went to the link for Panda that you posted. When I got to the page to enter country, state/province, and email address the country and state/province drop downs were blank so I could not make a selection nor could I type in those fields. The only thing I could enter was my email address so the program would not allow me to go any further. Sorry to be such a dunce. Is there an alternative or do you have any other suggestions? thank you for your patience.

Rawe · « **Reply #12 on:** October 23, 2005, 06:43:33 AM »

Hi, let's do this instead:

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:

Standard
[/list]

Scan Options:

Scan Archives
Scan Mail Bases
[/list]

Click OK
Now under select a target to scan:
My Computer

This program will start to scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.
Copy and paste that information in your next post.

irishsupplyguy · « **Reply #13 on:** October 24, 2005, 03:58:30 PM »

Good morning Rawe:
Ran Kaspersky as you reccomended. Attached is the text file. Thank you for you help!

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 24, 2005 11:00:20
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/10/2005
Kaspersky Anti-Virus database records: 146569
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\

Scan Statistics:
   Total number of scanned objects: 50816
   Number of viruses found: 4
   Number of infected objects: 34
   Number of suspicious objects: 0
   Duration of the scan process: 1761 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000257.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000262.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000263.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000264.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000269.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000270.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000271.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000272.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000291.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000292.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000297.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000390.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0000487.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0000488.exe   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\aolback.exe.lnk:aotqsb:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ftrcl.dat:kfxtx:$DATA   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt:btzsmv:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\msgsocm.log:uujyog:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\msgsocm.log:zyalb:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\netfxocm.log:grcdbt:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\netpf32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netsf.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\SchedLgU.Txt:izyqvv:$DATA   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\setupapi.log:barwpx:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\setupapi.old:barwpx:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\setuperr.log:cybseg:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\Soap Bubbles.bmp:uyuygr:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\crtu32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\uytnx.dat:ypeshb:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\wiaservc.log:rpwgjm:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\WindowsUpdate.log:sbjjle:$DATA   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\_default.pif:pmpywo:$DATA   Infected: Trojan.Win32.Agent.bi
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm   Infected: Exploit.HTML.Mht

Scan process completed.

Rawe · « **Reply #14 on:** October 25, 2005, 09:27:58 PM »

Hi

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
Double-click the file to install it as follows:
Click "Next", read the agreement, Click "Next"
Choose "Custom" click "Next".
Leave the default installation directoy as it is, then click "Next".
UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
Finally, click "Install"

Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply along with a fresh HijackThis log.

LandzDown Forum

News:

Author Topic: referred by GR@ph<"S" (Read 12581 times)

irishsupplyguy

referred by GR@ph<"S"

Rawe

Re: referred by GR@ph<"S"

irishsupplyguy

Re: referred by GR@ph<"S"

irishsupplyguy

Re: referred by GR@ph<"S"

irishsupplyguy

Re: referred by GR@ph<"S"

Rawe

Re: referred by GR@ph<"S"

irishsupplyguy

Re: referred by GR@ph<"S"

irishsupplyguy

Re: referred by GR@ph<"S"

Rawe

Re: referred by GR@ph<"S"

irishsupplyguy

Re: referred by GR@ph<"S"

Rawe

Re: referred by GR@ph<"S"

irishsupplyguy

Re: referred by GR@ph<"S"

Rawe

Re: referred by GR@ph<"S"

irishsupplyguy

Re: referred by GR@ph<"S"

Rawe

Re: referred by GR@ph<"S"