Good morning:
My original post is "eaten alive" in your forum. GR@PH<"S" asked me to post a HJT log here. Also at startup I get an error message: isactiveguard: RegopenKeyEx failed 5 0.
Logfile of HijackThis v1.99.1
Scan saved at 9:07:08 AM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\apiqe32.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\apimt32.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {109212EC-3F75-38A1-64AA-DD6F914869B6} - C:\WINDOWS\system32\apiqg.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O2 - BHO: Class - {ABFCA22A-1BD4-07E3-7B76-3B4A8BCD96EE} - C:\WINDOWS\iplo32.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [win1B.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win1B.tmp.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [apimt32.exe] C:\WINDOWS\apimt32.exe
O4 - HKLM\..\RunOnce: [apiqe32.exe] C:\WINDOWS\apiqe32.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A4542EE-4F48-45FF-94D0-1B433FED1E0F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntln.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Thank you for your help!
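The log above shows the classic CoolWebSearch footprint: IE search pages redirected to a resource inside a DLL in system32, a BHO registered only as "Class", a Run entry launching from Temp, a Winlogon Notify entry pointing at a bare directory, and a service with a garbage name and no publisher. The following Python script is an added example (not part of this thread or of HijackThis) that parses HJT v1.99-style lines and flags those indicators; the heuristics and the sample entries copied from the log are this example's own assumptions.

```python
"""Flag HijackThis (HJT v1.99-style) log entries that match the CoolWebSearch
pattern seen in the thread. Added example, not part of the original post or of
HijackThis itself; the heuristics below are this example's own assumptions."""
import re
from dataclasses import dataclass

# Every HJT entry looks like "R1 - <body>" or "O23 - <body>"; process listing,
# headers and blank lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# IE search/start page served out of a DLL resource in system32 (CWS hallmark).
RES_DLL_RE = re.compile(r"res://c:\\windows\\system32\\[^/\\]+\.dll", re.IGNORECASE)
# Autorun target living under a Temp directory.
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Parenthesised service short names in O23 lines, e.g. "(AntiVirService)".
PAREN_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def reasons_for(section: str, body: str) -> list[str]:
    """Return the heuristic reasons one entry looks suspicious (empty if none)."""
    reasons = []
    if section in ("R0", "R1") and RES_DLL_RE.search(body):
        reasons.append("IE search/start page points at a resource inside a system32 DLL")
    if section == "O2" and body.startswith("BHO: Class - {"):
        reasons.append("BHO registered with the generic class name 'Class'")
    if section == "O4" and TEMP_RE.search(body):
        reasons.append("autorun entry launches a program from a Temp folder")
    if section == "O20" and body.rstrip().endswith("\\"):
        reasons.append("Winlogon Notify entry names a directory instead of a DLL")
    if section == "O23":
        names = PAREN_RE.findall(body)
        if any(not all(0x20 <= ord(c) <= 0x7E for c in n) for n in names):
            reasons.append("service short name contains non-printable or non-ASCII characters")
        if "Unknown owner" in body and "(file missing)" in body:
            reasons.append("service has no publisher and its binary is missing")
    return reasons


def scan_hjt_log(text: str) -> list[Finding]:
    """Parse a whole HJT log and return one Finding per (entry, reason)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        for reason in reasons_for(m["section"], m["body"]):
            findings.append(Finding(m["section"], reason, line))
    return findings


# Constructed sample: a subset of entries copied from the first HJT log above,
# mixed with benign ones so the benign lines demonstrate what is NOT flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\apiqe32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\zwgun.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {109212EC-3F75-38A1-64AA-DD6F914869B6} - C:\WINDOWS\system32\apiqg.dll
O4 - HKLM\..\Run: [win1B.tmp] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\win1B.tmp.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntln.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
"""

if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a full saved log to get a shortlist of entries worth asking a helper about; an empty result is not a clean bill of health, only the absence of these particular patterns.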
Hello..
Please print these instructions out, or write them down, as you can't read them during the fix. You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.
Download about:buster by RubbeRDuckY Here (http://www.malwarebytes.org/AboutBuster.zip).
Download CWShredder Here (http://aumha.org/downloads/cwshredder.zip).
Download SpSeHjfix Here (http://www.derbilk.de/SpSeHjfix112.zip).
Download and install CleanUp! Here (http://downloads.stevengould.org/cleanup/CleanUp40.exe).
Save all of these files somewhere you will remember like to the Desktop.
Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)
Unzip CWShredder to its own folder (ie c:\CWShredder)
Unzip AboutBuster to its own folder (ie c:\Aboutbuster)
Run the CleanUp! installer. You don't need to do anything with it right now.
Update About:Buster
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update" then click the X to close that window.
- Now close About:Buster
Update CWShredder
- Open CWShredder and click I AGREE
- Click Check For Update
- Close CWShredder
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Please run about:buster by RubbeRDuckY:
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
- Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.
Now run the CleanUp program:
*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp
Running CleanUp
- Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
- When CleanUp starts go to the Options button (right side of CleanUp screen)
- Move the arrow down to "Custom CleanUp!"
- Now place a checkmark next to the following (Make sure nothing else is checked!):
- Delete Cookies
This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
- Empty Recycle Bins
- Delete Prefetch files
- Cleanup! All Users
- Click OK
- Then click on the CleanUp button. This will take a short while, let it do its thing.
- When asked to reboot system select No
- Close CleanUp
Reboot back into normal mode..
After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
Good morning Rawe:
Thank you for your reply. I printed your instructions and will reply after I have followed your advice.
I appreciate your help!
Hello Rawe:
I am a newbie, hope I did everything properly. Thank you for your patience!
AboutBuster 5.1, reference file 32
Scan started on [10/18/2005] at [10:40:25 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\system32\fntzq.dat
Removed File! : C:\WINDOWS\system32\zhzfd.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:41:17 AM
AboutBuster 5.1, reference file 32
Scan started on [10/18/2005] at [10:44:29 AM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:45:21 AM
(10/18/05 10:49:41 AM) SPSeHjFix started v1.1.2
(10/18/05 10:49:41 AM) OS: WinXP Service Pack 2 (5.1.2600)
(10/18/05 10:49:41 AM) Language: english
(10/18/05 10:49:41 AM) Win-Path: C:\WINDOWS
(10/18/05 10:49:41 AM) System-Path: C:\WINDOWS\system32
(10/18/05 10:49:41 AM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(10/18/05 10:49:49 AM) Disinfection started
(10/18/05 10:49:49 AM) Bad-Dll(IEP): (not found)
(10/18/05 10:49:49 AM) Bad-Dll(IEP) in BHO: (not found)
(10/18/05 10:49:49 AM) UBF: 7 - UBB: 2 - UBR: 12
(10/18/05 10:49:49 AM) UBF: 7 - UBB: 2 - UBR: 12
(10/18/05 10:49:49 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
(10/18/05 10:49:49 AM) Stealth-String not found
(10/18/05 10:49:49 AM) Not infected->END
Logfile of HijackThis v1.99.1
Scan saved at 11:03:41 AM, on 10/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\apimt32.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\apiqe32.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\wpabaln.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {51516028-FA3B-8261-B4D3-346C6B349CAE} - C:\WINDOWS\system32\mszm32.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [apimt32.exe] C:\WINDOWS\apimt32.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A4542EE-4F48-45FF-94D0-1B433FED1E0F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apiqe32.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Hope this makes sense. Thank you Rawe
Good morning experts:
I know you good folks are extremely busy but my last post is three days old and my computer is getting funkier by the minute. Could someone please help?
Thank you!!!
Hi, sorry, I didn't first notice to track the topic. Thank Corrine, she's the one who pointed me out here now :oops:
Can you post a fresh log for me here, please, and we'll continue :thumbsup:
Thank you Corrine!!! Thank you Rawe!!!
I am posting a new AAw log and HJT log. Hope I do this properly. T
Ad-Aware SE Build 1.06r1
Logfile Created on:Friday, October 21, 2005 12:33:29 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R71 19.10.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt(TAC index:3):2 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
10-21-2005 12:33:29 PM - Scan started. (Full System Scan)
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 600
ThreadCreationTime : 10-21-2005 3:44:35 PM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 672
ThreadCreationTime : 10-21-2005 3:44:37 PM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 10-21-2005 3:44:37 PM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 740
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 752
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 908
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 964
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1056
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1108
ThreadCreationTime : 10-21-2005 3:44:38 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1348
ThreadCreationTime : 10-21-2005 3:44:39 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1452
ThreadCreationTime : 10-21-2005 3:44:39 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:12 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1588
ThreadCreationTime : 10-21-2005 3:44:40 PM
BasePriority : Normal
FileVersion : 7.4
ProductVersion : 7.4
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
LegalCopyright : (C) 1993 - 2002 Lexmark International, Inc.
OriginalFilename : LexBceS.exe
#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1612
ThreadCreationTime : 10-21-2005 3:44:40 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:14 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1640
ThreadCreationTime : 10-21-2005 3:44:40 PM
BasePriority : Normal
FileVersion : 7.4
ProductVersion : 7.4
ProductName : MarkVision for Windows (32 bit)
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
LegalCopyright : (C) 1993 - 2002 Lexmark International, Inc.
OriginalFilename : LEXPPS.EXE
Comments : MarkVision for Windows '95 New P2P Server (32-bit)
#:15 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_01\bin\
ProcessID : 1768
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
#:16 [realplay.exe]
FilePath : C:\Program Files\Real\RealPlayer\
ProcessID : 1776
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 6.0.9.584
ProductVersion : 6.0.9.584
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealPlayer
InternalName : REALPLAY
LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : REALPLAY.EXE
#:17 [drgtodsc.exe]
FilePath : C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\
ProcessID : 1784
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 7.1.0.217
ProductVersion : 7.1.0.217
ProductName : Drag-to-Disc
CompanyName : Roxio
FileDescription : Drag To Disc Application
InternalName : D2D
LegalCopyright : Copyright (c) 1994-2004 Roxio, Inc.
LegalTrademarks : Copyright (c) 1994-2004 Roxio, Inc.
OriginalFilename : BurnCtrl.EXE
#:18 [aoldial.exe]
FilePath : C:\Program Files\Common Files\AOL\ACS\
ProcessID : 1792
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 2.0.20.1.US.1
ProductVersion : 2.0.20.1.US.1
ProductName : AOL Connectivity Service
CompanyName : America Online, Inc
FileDescription : AOL Connectivity Service Dialer
LegalCopyright : Copyright © 2003 America Online, Inc.
OriginalFilename : AOLDial.exe
#:19 [qttask.exe]
FilePath : C:\Program Files\QuickTime\
ProcessID : 1800
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 6.5
ProductVersion : QuickTime 6.5
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe
#:20 [avgnt.exe]
FilePath : C:\Program Files\AVPersonal\
ProcessID : 1816
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
#:21 [exec.exe]
FilePath : C:\Program Files\NetZero\
ProcessID : 1824
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 4, 3, 0, 0
ProductVersion : 4, 3, 0, 0
CompanyName : NetZero
FileDescription : ZCast
InternalName : ZCOM_exec
LegalCopyright : Copyright © 2002 United Online, Inc.
#:22 [aoltray.exe]
FilePath : C:\Program Files\America Online 9.0\
ProcessID : 1852
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 9.00.001
ProductVersion : 9.00.001
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
LegalCopyright : Copyright (C) America Online, Inc. 1999 - 2004
#:23 [tmas.exe]
FilePath : C:\Program Files\Trend Micro\Tmas\
ProcessID : 1860
ThreadCreationTime : 10-21-2005 3:44:41 PM
BasePriority : Normal
FileVersion : 3, 0, 1, 23
ProductVersion : 3.11
ProductName : Trend Micro Anti-Spyware
CompanyName : Trend Micro Incorporated
FileDescription : Anti-Spyware Main Module
InternalName : tmas.exe
LegalCopyright : Copyright (c) 2003-2005 Trend Micro Incorporated. All rights reserved.
OriginalFilename : tmas.exe
#:24 [avguard.exe]
FilePath : C:\Program Files\AVPersonal\
ProcessID : 176
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
#:25 [aolacsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ProcessID : 192
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
#:26 [avwupsrv.exe]
FilePath : C:\Program Files\AVPersonal\
ProcessID : 208
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
#:27 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 244
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe
#:28 [ewidoguard.exe]
FilePath : C:\Program Files\ewido\security suite\
ProcessID : 264
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : guard
CompanyName : ewido networks
FileDescription : guard
InternalName : guard
LegalCopyright : Copyright © 2004
OriginalFilename : guard.exe
#:29 [lssrvc.exe]
FilePath : C:\Program Files\Common Files\LightScribe\
ProcessID : 340
ThreadCreationTime : 10-21-2005 3:44:45 PM
BasePriority : Normal
FileVersion : 1.0.17.4
ProductName : LightScribe
LegalCopyright : © Copyright 2003-2004 Hewlett-Packard Development Company, LP
OriginalFilename : LSSrvc.exe
#:30 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ProcessID : 628
ThreadCreationTime : 10-21-2005 3:44:46 PM
BasePriority : Normal
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
ProductName : America Online
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
LegalCopyright : Copyright © 2001 America Online, Inc.
OriginalFilename : WanMPSvc.exe
#:31 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1492
ThreadCreationTime : 10-21-2005 3:44:48 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:32 [exec.exe]
FilePath : C:\Program Files\NetZero\
ProcessID : 2144
ThreadCreationTime : 10-21-2005 3:44:52 PM
BasePriority : Normal
FileVersion : 4, 3, 0, 0
ProductVersion : 4, 3, 0, 0
CompanyName : NetZero
FileDescription : ZCast
InternalName : ZCOM_exec
LegalCopyright : Copyright © 2002 United Online, Inc.
#:33 [x1exec.exe]
FilePath : C:\Program Files\NetZero\qsacc\
ProcessID : 2436
ThreadCreationTime : 10-21-2005 3:44:56 PM
BasePriority : Normal
FileVersion : 3.6.00
ProductVersion : 3.6.00
ProductName : NetZero HiSpeed
CompanyName : NetZero, Inc.
FileDescription : NetZero HiSpeed
InternalName : x1exec.exe
LegalCopyright : Copyright © 2001-2005 NetZero, Inc.
OriginalFilename : x1exec.exe
#:34 [wmiprvse.exe]
FilePath : C:\WINDOWS\system32\wbem\
ProcessID : 2768
ThreadCreationTime : 10-21-2005 3:45:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe
#:35 [usrmlnka.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3588
ThreadCreationTime : 10-21-2005 3:45:30 PM
BasePriority : Realtime
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright (C) © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe
#:36 [usrshuta.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3600
ThreadCreationTime : 10-21-2005 3:45:30 PM
BasePriority : Normal
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics shutdown helper
InternalName : 3cshtdwn.exe
LegalCopyright : Copyright (C) © 2000 U.S. Robotics Corporation
OriginalFilename : 3cshtdwn.exe
#:37 [usrmlnka.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 3612
ThreadCreationTime : 10-21-2005 3:45:30 PM
BasePriority : Normal
FileVersion : 4. 11. 21
ProductVersion : 4. 11. 21
ProductName : U.S. Robotics Modem Driver
CompanyName : U.S. Robotics Corporation
FileDescription : U.S. Robotics driver interface
InternalName : 3cmlink.exe
LegalCopyright : Copyright (C) © 2000 U.S. Robotics Corporation
OriginalFilename : 3cmlink.exe
#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1084
ThreadCreationTime : 10-21-2005 5:33:19 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : administrator@2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:administrator@2o7.net/
Expires : 10-20-2010 12:27:38 PM
LastSync : Hits:10
UseCount : 0
Hits : 10
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 1
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Deep scanning and examining files (E:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for E:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 1
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 1
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\Documents and Settings\Administrator\Favorites\
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Seven days of free porn.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://www.7days.ws/
Object : C:\Documents and Settings\Administrator\Favorites\
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3
12:39:35 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:06.16
Objects scanned:120438
Objects identified:3
Objects ignored:0
New critical objects:3
Thank you for your help!
Hello Rawe:
Here is the fresh HJT log. Thank you!
Logfile of HijackThis v1.99.1
Scan saved at 12:42:54 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: style32 - C:\WINDOWS\
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Run a scan with HijackThis and check the following object for removal:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O20 - Winlogon Notify: style32 - C:\WINDOWS\
Now close ALL open windows except for HijackThis and hit FIX CHECKED.
After that:
Please download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done" in the lower left corner click on all your drives.
A red dot will mark the selected drive(s). Then hit the pedestrian, who has now turned green.
Click on the green man in the right corner; it will scan ALL your drives. Hit yes to all.
Reboot.
Post a fresh HiJackThis log once finished. :thumbsup:
Good afternoon Rawe:
Fixed the files you directed with HJT. Ran the program from the link that you provided. It ran the quick scan but I never saw the options you suggested for the select-drive scans. When I rebooted I got this message: Isactiveguard: RegOpenKeyEx failed 50. Thank you for your time and expertise. I hope we can resolve this. Many thanks. Attached is a fresh HJT scan.
Logfile of HijackThis v1.99.1
Scan saved at 4:38:52 PM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NZSearch\nzspc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Please do an online virus scan with
Panda ActiveScan Here (http://www.pandasoftware.com/products/activescan.htm). You need to use Internet Explorer for this scan.
- Once you get to the Panda site, scroll down a bit and click on Scan your PC
- A new window will appear; click on Check Now!
- A new window will appear; fill in the boxes (Country, State, email addy)
- Click on Scan Now! >
If you have never used ActiveScan before, you will be prompted to install an ActiveX control (asinst.cab) : click on Install. Panda will install the component, and then install the latest signature files.
- From "Select a device to scan...", choose "My Computer"
- Allow the scan to run. It'll take a while.
- When complete, click on "See Report", and then on "Save report"; save it to a convenient location.
- I will need you to post that report in your next reply; simply open the text file, then copy/paste the content here.
Good morning Rawe:
Sorry to be such a problem. I went to the link for Panda that you posted. When I got to the page to enter country, state/province, and email address, the country and state/province drop-downs were blank, so I could not make a selection, nor could I type in those fields. The only thing I could enter was my email address, so the program would not allow me to go any further. Sorry to be such a dunce. Is there an alternative, or do you have any other suggestions? Thank you for your patience.
Hi, let's do this instead:
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/service?chapter=161739400)
Next click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database: Standard
- Scan Archives
- Scan Mail Bases
- Click OK
- Now under "Select a target to scan", choose My Computer
- This program will start to scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
- Save the file to your desktop.
- Copy and paste that information in your next post.
Good morning Rawe:
Ran Kaspersky as you recommended. Attached is the text file. Thank you for your help!
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 24, 2005 11:00:20
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/10/2005
Kaspersky Anti-Virus database records: 146569
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 50816
Number of viruses found: 4
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 1761 sec
Infected Object Name - Virus Name
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000257.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000262.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000263.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000264.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000269.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000270.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000271.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000272.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000291.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000292.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000297.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000390.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0000487.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0000488.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\aolback.exe.lnk:aotqsb:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ftrcl.dat:kfxtx:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt:btzsmv:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\msgsocm.log:uujyog:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\msgsocm.log:zyalb:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\netfxocm.log:grcdbt:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\netpf32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netsf.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\SchedLgU.Txt:izyqvv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\setupapi.log:barwpx:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\setupapi.old:barwpx:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\setuperr.log:cybseg:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\Soap Bubbles.bmp:uyuygr:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\crtu32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\uytnx.dat:ypeshb:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\wiaservc.log:rpwgjm:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\WindowsUpdate.log:sbjjle:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\_default.pif:pmpywo:$DATA Infected: Trojan.Win32.Agent.bi
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm Infected: Exploit.HTML.Mht
Scan process completed.
Hi :thumbsup:
Please download WebRoot SpySweeper from HERE (http://www.webroot.com/downloads/) (It's a 2 week trial):
- Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
- Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directory as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
- Once the program is installed, it will open.
- It will prompt you to update to the latest definitions, click Yes.
- Once the definitions are installed, click Sweep Now on the left side.
- Click the Start button.
- When it's done scanning, click the Next button.
- Make sure everything has a check next to it, then click the Next button.
- It will remove all of the items found.
- Click Session Log in the upper right corner, copy everything in that window.
- Click the Summary tab and click Finish.
- Paste the contents of the session log you copied into your next reply along with a fresh HijackThis log.
Good morning Rawe:
Ran WebRoot as you suggested. Attached is the session log and a fresh HJT log. I really appreciate your help!!
********
9:55 AM: | Start of Session, Wednesday, October 26, 2005 |
9:55 AM: Spy Sweeper started
9:55 AM: Sweep initiated using definitions version 561
9:55 AM: Starting Memory Sweep
9:57 AM: Memory Sweep Complete, Elapsed Time: 00:01:45
9:57 AM: Starting Registry Sweep
9:57 AM: Found Adware: coolwebsearch (cws)
9:57 AM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {81a1550a-a544-72d8-f0e6-372bee4fa644} (ID = 110295)
9:57 AM: Registry Sweep Complete, Elapsed Time:00:00:08
9:57 AM: Starting Cookie Sweep
9:57 AM: Found Spy Cookie: 2o7.net cookie
9:57 AM: administrator@2o7[2].txt (ID = 1957)
9:57 AM: Found Spy Cookie: pointroll cookie
9:57 AM: administrator@ads.pointroll[1].txt (ID = 3148)
9:57 AM: Found Spy Cookie: atlas dmt cookie
9:57 AM: administrator@atdmt[2].txt (ID = 2253)
9:57 AM: Found Spy Cookie: atwola cookie
9:57 AM: administrator@atwola[1].txt (ID = 2255)
9:57 AM: Found Spy Cookie: ru4 cookie
9:57 AM: administrator@edge.ru4[1].txt (ID = 3269)
9:57 AM: Found Spy Cookie: nextag cookie
9:57 AM: administrator@nextag[2].txt (ID = 5014)
9:57 AM: Found Spy Cookie: questionmarket cookie
9:57 AM: administrator@questionmarket[1].txt (ID = 3217)
9:57 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:57 AM: Starting File Sweep
10:02 AM: mortgage life insurance.url (ID = 130681)
10:02 AM: search the web.url (ID = 54454)
10:02 AM: seven days of free porn.url (ID = 54472)
10:07 AM: Found Adware: liveshows online
10:07 AM: backup-20041228-130716-528.inf (ID = 65674)
10:07 AM: File Sweep Complete, Elapsed Time: 00:09:38
10:07 AM: Full Sweep has completed. Elapsed time 00:11:35
10:07 AM: Traces Found: 12
10:08 AM: Removal process initiated
10:08 AM: Quarantining All Traces: coolwebsearch (cws)
10:08 AM: Quarantining All Traces: liveshows online
10:08 AM: Quarantining All Traces: 2o7.net cookie
10:08 AM: Quarantining All Traces: atlas dmt cookie
10:08 AM: Quarantining All Traces: atwola cookie
10:08 AM: Quarantining All Traces: nextag cookie
10:08 AM: Quarantining All Traces: pointroll cookie
10:08 AM: Quarantining All Traces: questionmarket cookie
10:08 AM: Quarantining All Traces: ru4 cookie
10:09 AM: Removal process completed. Elapsed time 00:01:18
********
9:45 AM: | Start of Session, Wednesday, October 26, 2005 |
9:45 AM: Spy Sweeper started
9:54 AM: Your spyware definitions have been updated.
9:55 AM: | End of Session, Wednesday, October 26, 2005 |
Logfile of HijackThis v1.99.1
Scan saved at 10:15:12 AM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXALPSWX.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXALJSWX.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130265368093
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Much better. What problems do you have at the moment?
Good afternoon Rawe:
Thank you for your quick response. There are two obvious issues. When I reboot two strange things happen.
1. Before the computer shuts down I get a pop-up message. The header reads "USR prbda.exe DLL initialization failed." The body reads "the application failed to initialize because a windows station is shutting down". In the background you can see the end task window run briefly, then the computer shuts down.
2. When the computer restarts I get a pop up message that reads:
isactiveguard: RegOpenKeyEx failed 50
Hope that is enough information to get the rest. Thank you, I can't tell you how much I appreciate your efforts on my behalf!
Hi, ok, let's try this.
First, please DISABLE Ewido Security Guard. Once you have done that, please UNinstall Ewido completely, including the deletion of the folder.
Then empty recycle bin.
When completed, download CCleaner (http://www.ccleaner.com/). Install the program and launch it. Don't run it yet.
When you launch the program, click on "Tools" - menu. Click "Startup".
List the entries you see there here.
Good morning Rawe:
You must have the patience of Job. Here is the start-up menu from CCleaner. Thank you for your help!
Ad-Aware SE Personal
Adobe Reader 7.0
Agere Systems PCI Soft Modem
America Online (Choose which version to remove)
AntiVir/XP
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Toolbar
AOL You've Got Pictures Screensaver
CCleaner (remove only)
CleanUp!
HijackThis 1.99.1
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2_01
Kaspersky On-line Scanner
Learn2 Player (Uninstall Only)
Lexmark Supplies Monitor
Lexmark Z65
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Works 7.0
NetZero
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Roxio Easy Media Creator 7 Basic Edition
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Software Setup
SoundMAX
Spy Sweeper
Trend Micro Anti-Spyware
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
That's an Uninstall list, not the start-up list?
Can you just let me know what you see in the startup list.. And do you still get all the same errors?
Sorry Rawe:
I know that this must be very trying. When I reboot now I only get the message before shut down ("USR prbda.exe DLL initialization failed"). I no longer get an error message at start up.
The start up menu in CCleaner has 15 files. Everything there looks normal except these 3. I could not do a copy and paste from that screen.
1. Key=HKLM:RUN Program= 3c1807pd no file
2. Key=HKCU:Run Program= spc_w File= "C:\Program Files\NZSearch\nzspc.exe" _w
3. Key=HKLM:Run Program=USRpdA File= C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices\Device
If you need me to send the other files I will copy them down and type them in. Thank you so much for your help!
Go to Windows Search and look for this file: prbda.exe
Tell me the location where it is if you find it.
Good afternoon Rawe:
This is the search results. Hope it is what you are looking for.
1. usrprbda C:\i386\Driver.Cab
2. USRPRBDA.EXE -2F63B139F.pf C:\WINDOWS\Prefetch
3. usrprbda C:\WINDOWS\System 32
4. usrprbda C:\WINDOWS\DriverCache\i386\driver.cab
That was all that was found with "prbda". I hope I did it right, I know you must be tired of fooling with me. Thank you for your help.
Download CleanUp (http://cleanup.stevengould.org/)
Run the CleanUp! installer and get the program ready to be used, then launch it.
Click "Options". Scroll the arrow to "Custom CleanUp!"
Check the following options:
Empty recycle bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
CleanUp! All Users
Click OK.
Hit CleanUp!
Once it's finished, reboot. Post back and let me know if you still get the error.
Good Morning Rawe:
Ran CleanUp with the settings you recommended. I still get "USRprbda.exe DLL initialization failed" when the machine starts to shut down. In the background there are two end program pop-ups.
1.netzeroVpclientwnd
2.zcom_ad
All error messages go away in about 2-3 seconds and the computer reboots and the start-up screen is clean. Thank you for your help.
Ok, fix these entries in HijackThis:
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
Next, can you redo a Kaspersky log for me here. Just run the scan again, please.. I'm checking whether you still have malware or are clean.
Good morning Rawe:
According to Kasper all 4 viruses are still there. Attached is the log file.
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 31, 2005 09:46:20
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 31/10/2005
Kaspersky Anti-Virus database records: 147877
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 51281
Number of viruses found: 4
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 1913 sec
Infected Object Name - Virus Name
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000257.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000262.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000263.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000264.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000269.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000270.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000271.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000272.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000291.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000292.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000297.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000390.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0000487.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\aolback.exe.lnk:aotqsb:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ftrcl.dat:kfxtx:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt:btzsmv:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netpf32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netsf.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\SchedLgU.Txt:izyqvv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\setupapi.old:barwpx:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\Soap Bubbles.bmp:uyuygr:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\crtu32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\uytnx.dat:ypeshb:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\WindowsUpdate.log:sbjjle:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\_default.pif:pmpywo:$DATA Infected: Trojan.Win32.Agent.bi
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm Infected: Exploit.HTML.Mht
Scan process completed.
Ok, let's do this now.. About:Buster should clean that up.
1) Disable System Restore;
1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".
2) Download about:buster by RubbeRDuckY here (http://www.malwarebytes.org/AboutBuster.zip).
3) Unzip AboutBuster to its own folder (ie c:\Aboutbuster)
4) Update About:Buster
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update" then click the X to close that window.
- Now close About:Buster
5) Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
6) Please run about:buster by RubbeRDuckY:
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
- Reboot your computer into safe mode again
- Run about:buster again following the same instructions as above, this time without the restart at the end
7) Reboot back into normal mode.
8) Enable System Restore;
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".
9) Post your About:Buster log. :thumbsup:
Good afternoon Rawe:
Here is the AboutBuster log that you requested. Thank you for your help
AboutBuster 5.1, reference file 32
Scan started on [10/31/2005] at [1:14:28 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\dkpwz.dat
Removed File! : C:\WINDOWS\dqooj.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:15:20 PM
AboutBuster 5.1, reference file 32
Scan started on [10/31/2005] at [1:17:37 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:18:28 PM
Hi.. I'm a bit stuck. Do you have any more info to provide? I asked for help with your problem, we'll see if someone knows something which helps.
Good morning Rawe:
I guess you could tell from my Kaspersky scan I have the following 4 viruses:
Trojan-Down...WIN32.Agent.td
Trojan.WIN32.Agent.bi
Trojan-Down...WIN32.Agent.bc
Exploit.HTML.Mht
3 of them are on my C drive and one is on my E drive, although I don't know which is where.
I will post a new HJT log with this post. If there is anything else I can do let me know. Sorry to be such a problem. I appreciate your efforts.
Logfile of HijackThis v1.99.1
Scan saved at 11:36:29 AM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXALPSWX.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXALJSWX.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130265368093
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A4542EE-4F48-45FF-94D0-1B433FED1E0F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Just to recap here, what current problems are you having?
As to the KAV scan, when you turned off (and back on again) System Restore, it purges its folder (which is where KAV reported multiple viruses).
Open HijackThis, click 'Config', then 'Misc Tools'. Hit "Open ADS Spy". Hit Scan. Once it's finished, hit Save log and save it somewhere you can easily access (like the Desktop for example).
Locate and open that saved log, post it here.
Also, click Start > Control Panel > Internet Options > click that 'Settings' button under 'Temporary Internet Files'. Post what it says for "Current location".
One more thing, do you know this file?
C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
If not, could you locate it, right-click on it and hit 'Properties'. If it has a 'Version' tab, please post all that it says on that tab. If it hasn't got that tab, don't worry. Just exit out of that window.
Thanks for the help SpyDie..
I believe WRLogonNTF.dll is a part of SpySweeper: http://castlecops.com/o20list-117.html
Quote from: Rawe on November 01, 2005, 07:40:19 PM
Thanks for the help SpyDie..
I believe WRLogonNTF.dll is a part of SpySweeper: http://castlecops.com/o20list-117.html
Thanks ;)
In which case, irishsupplyguy, forget what I said about WRLogonNTF.dll.
Hello SpyDie:
Sorry to be such a problem.
Current Location=
C:\Documents and settings\Administrator\Local Settings\Temporary Internet Files\
WRLogon.dll= File version 2.0.5.402 Description= SpySweeper SDK
These are my current problems:
When I reboot, at shutdown I get an error message pop-up that reads: "USRprbda.exe DLL initialization failed". The body reads: the application failed to initialize because a windows station is shutting down.
In the background there are 2 end task pop-ups. One says "NetZeroUpclientwnd", the second says zcom_ad. After those close the computer shuts down.
When I log off NetZero I get an about:blank button on the bottom left of my tool bar next to the "start" button. When I click on it nothing happens. I go to end task to turn it off.
When I send a job to the printer nothing happens. When I reboot, all jobs in the print queue then print.
Hope this may help solve this mystery. Thank you for your time and expertise. HJTADS log attached.
C:\WINDOWS\aolback.exe.lnk : aotqsb (35353 bytes)
C:\WINDOWS\clock.avi : btdbqx (13581 bytes)
C:\WINDOWS\control(2).ini : munoti (197756 bytes)
C:\WINDOWS\control(3).ini : munoti (197756 bytes)
C:\WINDOWS\control(4).ini : munoti (197756 bytes)
C:\WINDOWS\ftrcl.dat : kfxtx (86593 bytes)
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt : btzsmv (11801 bytes)
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt : jeyrgg (0 bytes)
C:\WINDOWS\SchedLgU.Txt : izyqvv (86593 bytes)
C:\WINDOWS\setupapi.old : barwpx (11801 bytes)
C:\WINDOWS\Soap Bubbles.bmp : uyuygr (35353 bytes)
C:\WINDOWS\uytnx.dat : ypeshb (11801 bytes)
C:\WINDOWS\vbaddin.ini : vpoljn (197756 bytes)
C:\WINDOWS\WindowsUpdate.log : sbjjle (86593 bytes)
C:\WINDOWS\_default.pif : ayragx (0 bytes)
C:\WINDOWS\_default.pif : bkuvyw (13581 bytes)
C:\WINDOWS\_default.pif : hykuc (0 bytes)
C:\WINDOWS\_default.pif : ixynmn (0 bytes)
C:\WINDOWS\_default.pif : lmffvq (3567 bytes)
C:\WINDOWS\_default.pif : mkymzs (197756 bytes)
C:\WINDOWS\_default.pif : pmpywo (11801 bytes)
C:\WINDOWS\_default.pif : pwgikk (0 bytes)
C:\WINDOWS\_default.pif : tlnaag (197756 bytes)
C:\WINDOWS\_default.pif : ujgzfh (13581 bytes)
C:\WINDOWS\_default.pif : xlrrcu (3567 bytes)
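A triage helper for the two logs posted in this thread (the ADS Spy output above and the earlier Kaspersky report), added here as an example; it is not code from ADS Spy, HijackThis or Kaspersky. The sample lines are copied from the thread's logs. It marks the streams the scanner already flagged and groups the rest by byte size: in these logs the same sizes (197756, 13581, 11801 bytes) recur under random stream names across different host files, which is the pattern of one payload planted in several streams.

```python
"""Correlate ADS Spy output with a Kaspersky On-line Scanner report.

Added example for this thread; not code from ADS Spy, HijackThis or
Kaspersky. Sample lines are copied from the logs posted in the thread.
"""
import re
from collections import defaultdict

# One ADS Spy line:  <host file> : <stream name> (<n> bytes)
ADS_RE = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")
# One scanner line that names an alternate data stream:
#   <host file>:<stream>:$DATA Infected: <detection name>
# Plain-file lines such as "C:\WINDOWS\apiqe32.exe Infected: ..." do not match.
KAV_RE = re.compile(r"^(?P<host>.+?):(?P<stream>[^:\\]+):\$DATA Infected: (?P<name>\S+)$")

# Constructed sample: a subset of the ADS Spy log posted in this thread.
ADS_SPY_LOG = r"""
C:\WINDOWS\aolback.exe.lnk : aotqsb (35353 bytes)
C:\WINDOWS\clock.avi : btdbqx (13581 bytes)
C:\WINDOWS\control(2).ini : munoti (197756 bytes)
C:\WINDOWS\ftrcl.dat : kfxtx (86593 bytes)
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt : btzsmv (11801 bytes)
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt : jeyrgg (0 bytes)
C:\WINDOWS\SchedLgU.Txt : izyqvv (86593 bytes)
C:\WINDOWS\Soap Bubbles.bmp : uyuygr (35353 bytes)
C:\WINDOWS\uytnx.dat : ypeshb (11801 bytes)
C:\WINDOWS\vbaddin.ini : vpoljn (197756 bytes)
C:\WINDOWS\_default.pif : ayragx (0 bytes)
C:\WINDOWS\_default.pif : bkuvyw (13581 bytes)
C:\WINDOWS\_default.pif : lmffvq (3567 bytes)
C:\WINDOWS\_default.pif : mkymzs (197756 bytes)
C:\WINDOWS\_default.pif : pmpywo (11801 bytes)
"""

# Constructed sample: a subset of the Kaspersky report posted in this thread.
KAV_LOG = r"""
C:\WINDOWS\aolback.exe.lnk:aotqsb:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ftrcl.dat:kfxtx:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt:btzsmv:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\SchedLgU.Txt:izyqvv:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\Soap Bubbles.bmp:uyuygr:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\_default.pif:pmpywo:$DATA Infected: Trojan.Win32.Agent.bi
"""

def parse_ads_spy(text):
    """Map (host, stream) -> size in bytes; keys are lower-cased for matching."""
    streams = {}
    for line in text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            streams[(m["host"].lower(), m["stream"].lower())] = int(m["size"])
    return streams

def parse_kav_streams(text):
    """Map (host, stream) -> detection name for scanner lines that name an ADS."""
    flagged = {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            flagged[(m["host"].lower(), m["stream"].lower())] = m["name"]
    return flagged

def triage(ads_text, kav_text):
    """Return (confirmed, suspect, other).

    confirmed: {(host, stream): (size, detection)} streams the scanner flagged
    suspect:   {size: [(host, stream), ...]} unflagged non-empty streams whose
               size equals a flagged stream's size, or that share one size
               across several streams (likely copies of the same payload)
    other:     {(host, stream): size} everything else, including 0-byte streams
    """
    streams = parse_ads_spy(ads_text)
    flagged = parse_kav_streams(kav_text)
    confirmed = {k: (s, flagged[k]) for k, s in streams.items() if k in flagged}
    flagged_sizes = {size for size, _ in confirmed.values()}
    by_size = defaultdict(list)
    for k, s in streams.items():
        if k not in confirmed and s > 0:
            by_size[s].append(k)
    suspect = {s: ks for s, ks in by_size.items() if s in flagged_sizes or len(ks) > 1}
    other = {k: s for k, s in streams.items() if k not in confirmed and s not in suspect}
    return confirmed, suspect, other

def report(ads_text, kav_text):
    """Human-readable triage lines, returned as a list so they can be saved."""
    confirmed, suspect, other = triage(ads_text, kav_text)
    lines = ["Streams the scanner already flagged:"]
    for (host, stream), (size, name) in sorted(confirmed.items()):
        lines.append(f"  {host}:{stream}  {size} bytes  {name}")
    lines.append("Unflagged streams that look like copies of a payload:")
    for size, keys in sorted(suspect.items()):
        lines.append(f"  {size} bytes in {len(keys)} stream(s): "
                     + ", ".join(f"{h}:{s}" for h, s in keys))
    lines.append(f"Other streams (including empty ones): {len(other)}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(ADS_SPY_LOG, KAV_LOG)))
```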
Wonder if this helps with the dll error?
http://www.pcbanter.net/showthread.php?t=783886
http://castlecops.com/postitle81583-0-0-.html
Also, would you be prepared to reinstall the NetZero software?
For now, try this:
Run a scan with HijackThis and check these two items:
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
Click 'Fix Checked' and reboot (restart) the computer.
This won't remove NetZero but will remove it from loading at bootup for now.
Now, once you're back into Windows I want you to try loading NetZero again and shutting off/logging off the computer as you normally would - if the popups reappear, the NetZero software would need to be reinstalled.
Also, as to ADS Spy, run that scan again and once it is finished check all the ones that are there, and click 'Remove Selected'.
Good afternoon SpyDie:
Followed your instructions and also completely uninstalled NetZero, it's been a pain ever since I got it.
Did a reboot and all pop-ups are gone. My computer is behaving a little better. After I rebooted I ran a Kaspersky on line scan and it still found 3 of the 4 Trojans. A log of the scan is posted with this message. Thank you for your help!!
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 02, 2005 12:11:35
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/11/2005
Kaspersky Anti-Virus database records: 148232
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 50860
Number of viruses found: 3
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 1965 sec
Infected Object Name - Virus Name
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0001511.pif:pmpywo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0001513.old:barwpx:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0001517.lnk:aotqsb:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netpf32.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netsf.exe Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\crtu32.exe Infected: Trojan.Win32.Agent.bi
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm Infected: Exploit.HTML.Mht
Scan process completed.
All the popups? That is great news.
http://www.landzdown.com/rem.bat
Download that file please, and run it. It'll remove some of the files KAV is reporting.
As to the ones in System Restore;
Again we need to disable and then re-enable System Restore. Disable it:
1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".
Restart the computer.
Once back into Windows, re-enable it:
1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".
Once done, re-post a new fresh HijackThis log & a new KAV online scan log.
Good morning SpyDie:
Followed your excellent instructions and it looks like we're down to one Trojan. Attached are a fresh HJT log and KAV scan. Thank you for your help.
Logfile of HijackThis v1.99.1
Scan saved at 9:10:06 AM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130265368093
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, November 03, 2005 09:52:22
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/11/2005
Kaspersky Anti-Virus database records: 148412
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 46013
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1740 sec
Infected Object Name - Virus Name
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm Infected: Exploit.HTML.Mht
Scan process completed.
Brilliant :)
That one is still there. It currently is doing no harm; it is in the temporary internet files of Internet Explorer. That is simply where Internet Explorer downloads files from the websites you visit (e.g. images & text) so they will load faster next time.
I see you have downloaded CCleaner. Could you possibly please run that? When you load it up, it should be on the 'Cleaner' tab already; if not, click it. Hit "Run Cleaner". I am not totally sure if CCleaner (or Cleanup!) clears out multiple drives, but we will see.
Go & Scan again with KAV afterwards, see if it still reports the same thing.
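The step above (re-scan and see whether the same object is reported) is the kind of check that is easier to do by machine once you have more than one report. The following is an added example for this thread, not code from the thread, from Kaspersky or from LandzDown: it parses the "Scan Statistics" and "Infected Object Name - Virus Name" sections of a Kaspersky On-line Scanner report, classifies each hit by whether it sits in the IE cache (the point SpyDie makes about Temporary Internet Files), and compares two reports to show which hits survived a clean-up. The two report excerpts are constructed from the 09:52 and 13:06 reports quoted in the thread; the cache-path markers are an assumption about where IE keeps its cache.

```python
"""Triage helper for Kaspersky On-line Scanner reports (added example)."""
import re

# Constructed excerpts: the before-CCleaner and after-CCleaner reports from
# the thread, trimmed to the lines this parser actually uses.
REPORT_BEFORE = """\
Scan Statistics:
Total number of scanned objects: 46013
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1740 sec
Infected Object Name - Virus Name
E:\\WINDOWS\\Temporary Internet Files\\Content.IE5\\H3786PB0\\index[1].htm Infected: Exploit.HTML.Mht
Scan process completed.
"""

REPORT_AFTER = """\
Scan Statistics:
Total number of scanned objects: 46143
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1767 sec
Infected Object Name - Virus Name
E:\\WINDOWS\\Temporary Internet Files\\Content.IE5\\H3786PB0\\index[1].htm Infected: Exploit.HTML.Mht
Scan process completed.
"""

# Assumption: a hit whose path contains one of these fragments lives in the
# IE cache, where it is inert until something opens it.  A hit anywhere else
# deserves a closer look.
CACHE_MARKERS = ("\\temporary internet files\\", "\\content.ie5\\")

DETECTION_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")
STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>\d+)")


def parse_report(text):
    """Return ({stat name: int}, [detection dict, ...]) for one report."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"path": m["path"], "verdict": m["verdict"], "name": m["name"]})
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m["key"].strip()] = int(m["value"])
    # The detection lines must agree with the scanner's own counts; a mismatch
    # means the report was truncated when pasted or the parser missed a line.
    expected = stats.get("Number of infected objects", 0) + stats.get("Number of suspicious objects", 0)
    if expected != len(detections):
        raise ValueError(f"report counts {expected} objects but {len(detections)} detection lines parsed")
    return stats, detections


def location_class(path):
    """'browser-cache' for IE cache paths, 'other' for anything else."""
    p = path.lower()
    return "browser-cache" if any(mark in p for mark in CACHE_MARKERS) else "other"


def triage(text):
    """[(path, detection name, location class)] for every hit in one report."""
    _, detections = parse_report(text)
    return [(d["path"], d["name"], location_class(d["path"])) for d in detections]


def survivors(before_text, after_text):
    """Paths reported in both scans, i.e. hits the clean-up step did not remove."""
    before = {d["path"] for d in parse_report(before_text)[1]}
    after = {d["path"] for d in parse_report(after_text)[1]}
    return sorted(before & after)


if __name__ == "__main__":
    for path, name, cls in triage(REPORT_AFTER):
        print(f"{cls:13} {name:20} {path}")
    for path in survivors(REPORT_BEFORE, REPORT_AFTER):
        print("still present after clean-up:", path)
```

Run against the two reports in the thread, `survivors` returns the single Content.IE5 path, which is exactly the observation that led to the KillBox and manual-deletion steps later in the thread. The count check in `parse_report` catches the common forum problem of a report pasted with lines missing.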
SpyDie you are the man!!
Updated CCleaner and ran it. Ran a new KAV scan (attached). My computer seems to be running fine. If you feel we are done you can close this issue as everything seems to be O.K. I really appreciate your time and effort.
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, November 03, 2005 13:06:30
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/11/2005
Kaspersky Anti-Virus database records: 148434
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 46143
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 1767 sec
Infected Object Name - Virus Name
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm Infected: Exploit.HTML.Mht
Scan process completed.
Hi! I'll let Spy Die give you the all clear. However, before you go anywhere, take a few minutes to check out "So how did I get infected in the first place?" © Tony Klein (http://www.landzdown.com/index.php/topic,2783.0.html). There is a lot of helpful information there.
Please do look at that topic Corrine linked to, :)
Looks like CCleaner never did clean it out...
Download KillBox from here please;
http://www.atribune.org/downloads/KillBox.exe
Launch it, and copy/paste this filepath into the box that says "Full Path of File to Delete"
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\
The word "Directory" should appear underneath it in blue writing. This confirms that the folder is present.
Click the button with the red circle with a white cross in it. Click Yes to the prompt.
That should be the end of that & everything is clean. Go and visit that topic Corrine linked to :) It has tons of information about preventing this from ever happening again and more.
Glad to hear you got it sorted. :)
Good morning SpyDie:
When I paste the file name E:\WINDOWS\Temporary Internet Files\Content.IE5\H376PBO\, directory in blue does not appear. If I delete H376PBO\ the blue directory does appear. What is my next move?
Navigate to this folder: E:\WINDOWS\Temporary Internet Files\Content.IE5\
And delete all its content. Empty the recycle bin, and reboot. :thumbsup:
Good morning Rawe, SpyDie, and Corrine:
Looks like I am totally clean!! Rawe, thank you for all your efforts on my behalf. SpyDie, you are an incredibly bright human being. Corrine, for effort and dedication you are undoubtedly without peer. I thank you all!!
Attached is a fresh HJT log and a KAV scan.
Again, thanks a million!!
Logfile of HijackThis v1.99.1
Scan saved at 10:31:11 AM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130265368093
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, November 04, 2005 11:09:28
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/11/2005
Kaspersky Anti-Virus database records: 148563
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 42142
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1686 sec
No malware has been detected. The sections that have been scanned are CLEAN.
Scan process completed.
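Reading a "fresh HJT log" against the previous one is what the helpers do by eye above: the only change between the 11/3 and 11/4 logs is the LXSUPMON (Lexmark) process and its O4 entry. The following is an added example for this thread, not HijackThis code and not from LandzDown: it splits a HijackThis log into the running-process list and the R/F/O entries, diffs two logs so that any new autostart or process stands out, and flags entries whose target is reported missing or whose service has no publisher. The two log excerpts are constructed from the 11/3 and 11/4 logs in the thread, trimmed to a handful of lines.

```python
"""Diff two HijackThis v1.99.1 logs and flag entries worth a second look (added example)."""
import re

# Constructed excerpts of the 11/3 (before) and 11/4 (after) logs from the thread.
LOG_BEFORE = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
O4 - HKLM\\..\\Run: [AVGCtrl] "C:\\Program Files\\AVPersonal\\AVGNT.EXE" /min
O4 - HKLM\\..\\Run: [USRpdA] C:\\WINDOWS\\SYSTEM32\\USRmlnkA.exe RunServices \\Device\\3cpipe-USRpdA
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\\Program Files\\Common Files\\LightScribe\\LSSrvc.exe
"""

LOG_AFTER = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\LXSUPMON.EXE
O4 - HKLM\\..\\Run: [AVGCtrl] "C:\\Program Files\\AVPersonal\\AVGNT.EXE" /min
O4 - HKLM\\..\\Run: [USRpdA] C:\\WINDOWS\\SYSTEM32\\USRmlnkA.exe RunServices \\Device\\3cpipe-USRpdA
O4 - HKLM\\..\\Run: [LXSUPMON] C:\\WINDOWS\\system32\\LXSUPMON.EXE RUN
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\\Program Files\\Common Files\\LightScribe\\LSSrvc.exe
"""

# HJT entries look like "O4 - HKLM\..\Run: [Name] path args"; R/F/O plus a number.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


def parse_log(text):
    """Return (set of running-process paths, {section: set of entry bodies})."""
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # first R/O entry ends the process list
            entries.setdefault(m["section"], set()).add(m["body"])
        elif in_processes:
            processes.add(line.lower())  # NTFS paths are case-insensitive
    return processes, entries


def diff_logs(before_text, after_text):
    """Processes and entries present in only one of the two logs."""
    p0, e0 = parse_log(before_text)
    p1, e1 = parse_log(after_text)
    sections = set(e0) | set(e1)
    return {
        "processes_added": sorted(p1 - p0),
        "processes_removed": sorted(p0 - p1),
        "entries_added": sorted((s, b) for s in sections for b in e1.get(s, set()) - e0.get(s, set())),
        "entries_removed": sorted((s, b) for s in sections for b in e0.get(s, set()) - e1.get(s, set())),
    }


def flag_entries(text):
    """Entries that point at a missing file or at a service with no publisher."""
    _, entries = parse_log(text)
    flags = []
    for section, bodies in entries.items():
        for body in bodies:
            if "(file missing)" in body:
                flags.append((section, body, "target file missing"))
            elif section == "O23" and " - Unknown owner - " in body:
                flags.append((section, body, "service has no publisher"))
    return sorted(flags)


if __name__ == "__main__":
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for item in items:
            print(f"{key}: {item}")
    for section, body, reason in flag_entries(LOG_AFTER):
        print(f"{section} [{reason}] {body}")
```

A flag is a prompt to look, not a verdict: the igfxcui entry is an orphaned Winlogon Notify registration and the LightScribe service simply has no publisher string, which is consistent with the helpers passing both logs as clean. The diff is the useful part when a user posts a new log after changes, because a new O4 or O20 entry is the first thing to explain.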
Log is perfectly clean :) Glad to help and good to see your computer is now fine :) I'd go and look at that post Corrine linked to.
After checking out Tony Klein's post, come back for some cake! You have earned a celebration! :breakkie:
Hi Folks:
Read Tony's suggestions and applied all that I was not previously running. Ran Jason's tool box and made adjustments there, ran it again and got an A. You people are great and the only real defense we have out there against the predators. I'm sure you get on their nerves a great deal. Thank you all for an excellent job.
Best regards,
Mark
Good job all ... :D
Mark, I hope having all that good security doesn't mean that you won't be back to LzD to visit.
Hi Corrine:
Where do visitors post just to say Hi? With the help from you and all the good people there hopefully I won't be back with any more security issues. If you will marry me I promise we can adopt SpyDie and Rawe! :lol:
Thank you all!!!
Quote from: irishsupplyguy: If you will marry me I promise we can adopt SpyDie and Rawe!
Family gatherings would be a bit difficult with Rawe in Finland and SpyDie in the U.K.
Mark, after 27 posts and all the time you've spent here, you are not a "visitor" but a member of LzD! Apart from the serious stuff, LandzDown Forum has
- a Lounge (http://www.landzdown.com/index.php) set up for relaxation and socialization
- a spot for parties and welcomes (http://www.landzdown.com/index.php) (there was one for you here (http://www.landzdown.com/index.php/topic,2461.0.html))
- a place for games (http://www.landzdown.com/index.php/board,12.0.html)
- a room for jokes (http://www.landzdown.com/index.php/board,18.0.html)
Another great part of LandzDown is the Updates. We have very special Update Moderators at LzD who make sure that all our members know when their favorite security software has been updated. In fact, with the new software on your computer, you might be interested in staying current (http://www.landzdown.com/index.php/topic,1935.0.html).
I hope you do stop by on occasion. Perhaps play "word association", one of the other games, or just say "Hi".
Thank you all for your good work! I will visit.
Mark