
Infected With Coolwwwsearch


16 replies to this topic

#1 aquabird

Posted 08 February 2006 - 05:19 PM

I am running Windows XP and have encountered spyware like coolwwwsearch and klicksearch. Spybot gets rid of it but it comes back. I read the post from 2004 and cannot recognize it in the register using hijackthis files.
When I run spybot it finds HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CURRENT\VERSION\UNINSTALL\SW
AND HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11FBa0#oAO1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11FBa0#oAO1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA\UninstallString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA\DisplayName
The third and the last one, spybot cannot get rid of. But they all come back after a while.
This is the hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:48:50 AM, on 2/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\sysip.exe
C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\30.tmp.exe
C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\31.tmp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bin\HPOstr05.exe
C:\WINDOWS\msof32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\program files\bin\HPOVDX05.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2CF3BB33-A8D7-079C-312F-ABCFF55DD77D} - C:\WINDOWS\javaij32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [sysip.exe] C:\WINDOWS\system32\sysip.exe
O4 - HKLM\..\Run: [30.tmp] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\30.tmp.exe
O4 - HKLM\..\Run: [31.tmp] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\31.tmp.exe
O4 - HKLM\..\Run: [31.tmp.exe] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\31.tmp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\Documents and Settings\Ed Vaske\Local Settings\Temp\ins27.tmp\dlgli.exe
O4 - Startup: dBpowerAMP.lnk = C:\Program Files\Illustrate\dBpowerAMP\Amp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Bin\HPOstr05.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Workstation NetLogon Service ( 11F #`I) - Unknown owner - C:\WINDOWS\msof32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
HELP identify the problem; I suspect the BHO: Class etc... line?

#2 jwbirdsong

Posted 09 February 2006 - 08:34 AM

Download AboutBuster 6.0:

http://www.besttechie.net/tools/AboutBuster.zip
http://www.malwarebytes.org/AboutBuster.zip

Once downloaded, unzip it, and put the folder on your desktop.
Help with unzipping files is HERE

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix

Please run HijackThis and click "Scan." Place checks next to the following entries:
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: Class - {2CF3BB33-A8D7-079C-312F-ABCFF55DD77D} - C:\WINDOWS\javaij32.dll
  • O4 - HKLM\..\Run: [sysip.exe] C:\WINDOWS\system32\sysip.exe
  • O4 - HKLM\..\Run: [30.tmp] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\30.tmp.exe
  • O4 - HKLM\..\Run: [31.tmp] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\31.tmp.exe
  • O4 - HKLM\..\Run: [31.tmp.exe] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\31.tmp.exe
Close all browser and other windows except for HijackThis, and click "Fix Checked".

Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

Workstation NetLogon Service <<--- Make sure of the name..there are similar named (NOT exactly same) services that are legit...This one may also have 11FBa0#oAO1 in the description/name/properties.

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Now go to the AboutBuster you downloaded/unzipped earlier and double click to run it. Follow the prompts and let it work...a log will open once it's done. Save a copy of this log somewhere else..like the desktop.
Now run buster again..just to be sure...This second log should be saved with a different name if saved at all..Try not to overwrite the original you saved..you'll need to post it.

Restart your computer and perform this online scan:Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"

Reboot and rerun HijackThis. Please post
  • a new HijackThis log
  • the AboutBuster log from the 1st run; you can post 2nd run also but I really need the 1st one
  • Results of Kaspersky scan
..
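The fix list above is built by eye from the HijackThis log in post #1: autostart entries that run from a Temp directory, a BHO with no descriptive name whose DLL sits loose in C:\WINDOWS, and a service whose short name is a garbled string and whose owner is unknown. As an added example (not part of this thread and not HijackThis code), the Python script below encodes those same path and naming heuristics and runs them over a few lines copied from that log, so the same first-pass triage can be repeated on any HijackThis 1.99.1 log. Note what it does not catch: sysip.exe in system32 passes every path check and was picked out by the helper from experience, so heuristics like these rank lines for a human to look at; they do not decide.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis 1.99.1 log in post #1
# (the 8.3 short paths are what HijackThis prints; nothing here is a live indicator).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2CF3BB33-A8D7-079C-312F-ABCFF55DD77D} - C:\WINDOWS\javaij32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [sysip.exe] C:\WINDOWS\system32\sysip.exe
O4 - HKLM\..\Run: [30.tmp] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\30.tmp.exe
O23 - Service: Workstation NetLogon Service ( 11F #`I) - Unknown owner - C:\WINDOWS\msof32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# One pattern per HijackThis section we look at; named groups carry the fields.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.+)$")

TEMP_DIR_RE = re.compile(r"\\Temp\\", re.I)                          # ...\LOCALS~1\Temp\x.exe
TMP_NAME_RE = re.compile(r"\d+\.tmp(\.exe)?$", re.I)                 # Run value like "30.tmp"
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.I)  # file loose in C:\WINDOWS
ODD_CHARS_RE = re.compile(r"[^A-Za-z0-9_.\-]")                       # odd characters in a service short name


@dataclass
class Finding:
    section: str        # HijackThis section tag: O2, O4 or O23
    line: str           # the raw log line
    reasons: List[str]  # why it was flagged


def _in_windows_root(path: str) -> bool:
    return bool(WINDOWS_ROOT_RE.match(path.strip().strip('"')))


def _check_o2(m) -> List[str]:
    reasons = []
    if m.group("name").strip() in ("", "Class", "(no name)"):
        reasons.append("BHO has no descriptive name")
    if _in_windows_root(m.group("path")):
        reasons.append("BHO DLL sits directly in the Windows directory")
    return reasons


def _check_o4(m) -> List[str]:
    reasons = []
    if TEMP_DIR_RE.search(m.group("cmd")):
        reasons.append("autostart command runs from a Temp directory")
    if TMP_NAME_RE.search(m.group("value")):
        reasons.append("Run value is named like a temporary file")
    return reasons


def _check_o23(m) -> List[str]:
    reasons = []
    short = m.group("short") or ""
    if short and ODD_CHARS_RE.search(short):
        reasons.append("service short name contains unusual characters")
    if m.group("owner").strip().lower() == "unknown owner":
        reasons.append("service binary carries no vendor information")
    if _in_windows_root(m.group("path")):
        reasons.append("service binary sits directly in the Windows directory")
    return reasons


CHECKS = [("O2", O2_RE, _check_o2), ("O4", O4_RE, _check_o4), ("O23", O23_RE, _check_o23)]


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that trip at least one heuristic, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for section, pattern, check in CHECKS:
            m = pattern.match(line)
            if not m:
                continue
            reasons = check(m)
            if reasons:
                findings.append(Finding(section, line, reasons))
            break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print("    -", r)
```

Run on the sample, it flags exactly the three lines the helper put on the fix list that these rules can see (the javaij32.dll BHO, the 30.tmp Run entry and the msof32.exe service) and leaves the AVG entries alone; extending it is a matter of adding a pattern and a check for another section, such as O4 Startup links or O16 downloads.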

#3 aquabird

Posted 09 February 2006 - 11:25 AM

Okay, thanks a lot, at least I have a plan of attack now. I suspected the .30tmp and .31tmp files in the registry also, as they have tried to get access to the internet at times. My zone alarm has stopped them. I run mozilla firefox and Avg, I also run Spybot S&D. I have not updated windows for a while, because a few updates have locked up my computer.

#4 aquabird

Posted 13 February 2006 - 12:34 PM

I did what you said, this is my about buster log.
AboutBuster 6.0
Scan started on [2/13/2006] at [11:53:32 AM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Removed Stream! C:\WINDOWS\cmsetacl.log:ijjpt
Removed Stream! C:\WINDOWS\Directx.log:tlmipp
Removed Stream! C:\WINDOWS\explorer.scf:ldfnjz
Removed Stream! C:\WINDOWS\FaxSetup.log:yraefs
Removed Stream! C:\WINDOWS\HPODJC05.INI:jsdobf
Removed Stream! C:\WINDOWS\KB873376.log:ncshp
Removed Stream! C:\WINDOWS\ntdtcsetup.log:mugmv
Removed Stream! C:\WINDOWS\PhotoDeluxe.scr:xvjfs
Removed Stream! C:\WINDOWS\WMSysPr9.prx:akqpfz
Removed Stream! C:\WINDOWS\_default.pif:sdbvhj
Removed Stream! C:\WINDOWS\{FCEE4D2F-67FA-4449-AD98-77EA603D4160}.dat:dvoqt
Removed Stream! C:\WINDOWS\{FCEE4D2F-67FA-4449-AD98-77EA603D4160}.dat:ggpyzr
-------------------------------------------------------------
Removed File! : C:\WINDOWS\d3oi32.exe
Removed File! : C:\WINDOWS\msof32.exe
Removed File! : C:\WINDOWS\netnm32.exe
Removed File! : C:\WINDOWS\sdkjg.exe
Removed File! : C:\WINDOWS\sdklb32.exe
Removed File! : C:\WINDOWS\sysmq32.exe
Removed File! : C:\WINDOWS\system32\addop.exe
Removed File! : C:\WINDOWS\system32\appuy.exe
Removed File! : C:\WINDOWS\system32\atlsd.exe
Removed File! : C:\WINDOWS\system32\mfcux.exe
Removed File! : C:\WINDOWS\system32\ruwec.log
Removed File! : C:\WINDOWS\system32\sdktn32.exe
Removed File! : C:\WINDOWS\system32\sysip.exe
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:03:18 PM


AboutBuster 6.0
Scan started on [2/13/2006] at [12:05:42 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 12:05:46 PM


I tried to do the Kaspersky scan and it would not let me click on accept. It took me to a page to buy it. Is it a virus scan? Because that is what the link sent me to. This is the hijack this log.
Logfile of HijackThis v1.99.1
Scan saved at 11:46:31 AM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2CF3BB33-A8D7-079C-312F-ABCFF55DD77D} - C:\WINDOWS\javaij32.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [sysip.exe] C:\WINDOWS\system32\sysip.exe
O4 - HKLM\..\Run: [30.tmp] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\30.tmp.exe
O4 - HKLM\..\Run: [31.tmp] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\31.tmp.exe
O4 - HKLM\..\Run: [31.tmp.exe] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\31.tmp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [30.tmp.exe] C:\DOCUME~1\EDVASK~1\LOCALS~1\Temp\30.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\Documents and Settings\Ed Vaske\Local Settings\Temp\ins27.tmp\dlgli.exe
O4 - Startup: dBpowerAMP.lnk = C:\Program Files\Illustrate\dBpowerAMP\Amp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Bin\HPOstr05.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\msof32.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Is that enough? The reason I did not do this earlier is on Thursday, my computer really messed up. I was not able to close or open any programs or files. I was typing an email when it happened and after that, if I hit a letter on the keyboard or anything I did was like a right mouse button click. I had to shut down with the button and was not able to come back to it until today. If this is fixed, I want to sincerely thank you and donate to your site. If this is not enough, whichever, please let me know. Ed

#5 aquabird

Posted 13 February 2006 - 06:18 PM

I think it might have done the job. In the above post, I posted what you told me and tried to do all that you asked, but wasn't able to do the webscan. I have not rebooted and will not until you give me the go ahead. Thanks for your help. Aquabird.

#6 jwbirdsong

Posted 15 February 2006 - 05:28 AM

Rebooting is fine..why could you not do the Webscan?? If you received an error msg post it...Also you MUST use IE for this scan and you MUST accept the ActiveX download

Edited by jwbirdsong, 15 February 2006 - 05:28 AM.


#7 aquabird

Posted 15 February 2006 - 11:09 AM

Every time I tried to accept the terms of the webscan, a pop-up covered the accept and took me to another page that wanted me to buy for 79.95 the pro version. Plus, Norton system works found about 20 registry errors now should I let it fix those and then defrag my c drive which is now about 38% fragmented? I will donate to your great website, we need at least one like this, thanks jwbirdsong. Hey did you notice we both had bird in our user?

#8 jwbirdsong

Posted 16 February 2006 - 01:48 AM

Are you clicking the Online Scan button on 1st page at Kaspersky?? You should be...

If it still won't work try this one
run this online virus scan: ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.
And yes you can do both..have Norton fix what it finds and run defrag

#9 aquabird

Posted 16 February 2006 - 02:50 PM

I ran both of them, webscan and activescan both say I have about 5 different viruses and 30 infected areas. I downloaded the free trial antivirus from kaspersky and ran it and it found nothing. Now my computer runs slow and I cannot get outlook express to connect to my ISP to get my email. Of course maybe my email problem has nothing to do with the computer running slowly. Or the antivirus I installed. Maybe I should dump that. It was running very fast for the first time in a while. Thanks a lot for your help. If I can't get email, I'll just have to visit here to see your reply.

#10 jwbirdsong

Posted 16 February 2006 - 06:21 PM

Yeah if you D/L and installed another anti virus, the following will apply:

You are running two(or more) Anti-Virus programs..while one is a MUST have...running more than one is NEVER ACCEPTABLE.
They will 'battle' for control of your system and resources; causing slowdown, errors and shut down. Choose one and uninstall the other(s).

After you get back to using one AV; post a current HJT log...

#11 jwbirdsong

Posted 16 February 2006 - 06:24 PM

Also post the results of the Online scans .....Probably most of the results are in System Restore and/or Your quarantine folder for AVG...
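The "Removed Stream!" lines in the AboutBuster log in post #4 are NTFS alternate data streams: C:\WINDOWS\explorer.scf:ldfnjz is a hidden stream named ldfnjz attached to a harmless host file, which Explorer and a normal directory listing never show, and it is this kind of hidden copy that let the infection return after Spybot removed the visible pieces. The same stream names then show up in an online scan under System Volume Information\_restore{...}\RP###, which is what the reply above means by most of the results being in System Restore: the snapshots hold copies of the removed files and their streams, inert until a restore point is applied. As an added example (not part of this thread, and not AboutBuster or Kaspersky code), the Python below parses both log styles into (host file, stream) pairs, labels each scanner hit as a restore-point copy, a HijackThis backup or a live file, and correlates scanner hits back to the streams AboutBuster removed. The sample lines are constructed from the logs posted in this thread; the scanner-report format is assumed to be the "path Infected: name" form those reports use.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the AboutBuster 6.0 log in post #4 and on
# the "path Infected: detection" lines of the online scanner report. Paths and
# stream names are copied from this thread; nothing here is a live indicator.
ABOUTBUSTER_LOG = r"""
Removed Stream! C:\WINDOWS\explorer.scf:ldfnjz
Removed Stream! C:\WINDOWS\PhotoDeluxe.scr:xvjfs
Removed Stream! C:\WINDOWS\WMSysPr9.prx:akqpfz
Removed File! : C:\WINDOWS\msof32.exe
"""

SCANNER_REPORT = r"""
C:\Hijackthis\backups\backup-20060213-114930-775.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP379\A0065377.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP396\A0065492.prx:akqpfz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067822.exe Infected: Trojan.Win32.Agent.bi
"""

# 'C:\dir\file.ext:stream' or '...:stream:$DATA'; the drive colon is consumed
# first, so only a second colon marks a stream name.
STREAM_RE = re.compile(r"^(?P<host>[A-Za-z]:\\.+?):(?P<stream>[^:\\]+)(?::\$DATA)?$")
AB_STREAM_RE = re.compile(r"^Removed Stream! (?P<path>.+)$")
AB_FILE_RE = re.compile(r"^Removed File! : (?P<path>.+)$")
SCAN_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)
HJT_BACKUP_RE = re.compile(r"\\Hijackthis\\backups\\", re.I)


@dataclass
class Hit:
    host: str              # file the scanner flagged, without any stream suffix
    stream: Optional[str]  # ADS name if the hit was inside a stream, else None
    detection: str         # the scanner's detection name
    location: str          # "restore-point", "tool-backup" or "live"


def split_stream(path: str) -> Tuple[str, Optional[str]]:
    """Return (host file, stream name); stream is None when the path has no ADS."""
    m = STREAM_RE.match(path)
    if not m:
        return path, None
    return m.group("host"), m.group("stream")


def classify(path: str) -> str:
    """Where a hit lives: a System Restore snapshot, a tool's own backup, or the live system."""
    if RESTORE_RE.search(path):
        return "restore-point"
    if HJT_BACKUP_RE.search(path):
        return "tool-backup"
    return "live"


def parse_aboutbuster(text: str) -> Tuple[List[Tuple[str, Optional[str]]], List[str]]:
    """Streams and plain files that AboutBuster reported removing."""
    streams, files = [], []
    for line in text.splitlines():
        line = line.strip()
        m = AB_STREAM_RE.match(line)
        if m:
            streams.append(split_stream(m.group("path")))
            continue
        m = AB_FILE_RE.match(line)
        if m:
            files.append(m.group("path"))
    return streams, files


def parse_scanner(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if not m:
            continue
        host, stream = split_stream(m.group("path"))
        hits.append(Hit(host, stream, m.group("name"), classify(m.group("path"))))
    return hits


def correlate(ab_text: str, scan_text: str) -> Dict[str, List[Hit]]:
    """Map each stream name AboutBuster removed to the scanner hits still carrying it."""
    removed = {stream for _, stream in parse_aboutbuster(ab_text)[0] if stream}
    by_stream = defaultdict(list)
    for hit in parse_scanner(scan_text):
        if hit.stream in removed:
            by_stream[hit.stream].append(hit)
    return dict(by_stream)


if __name__ == "__main__":
    for hit in parse_scanner(SCANNER_REPORT):
        suffix = f"  [stream {hit.stream}]" if hit.stream else ""
        print(f"{hit.location:13} {hit.host}{suffix} -> {hit.detection}")
    for stream, hits in correlate(ABOUTBUSTER_LOG, SCANNER_REPORT).items():
        places = ", ".join(sorted({h.location for h in hits}))
        print(f"stream {stream}: {len(hits)} copy/copies survive in {places}")
```

On the sample every hit is either a restore-point copy or a HijackThis backup and nothing is "live", which is the situation the reply above describes; a "live" hit carrying a stream name AboutBuster already removed would be the signal that the cleanup had not held.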

#12 aquabird

Posted 17 February 2006 - 03:06 PM

KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 16, 2006 13:06:02
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/02/2006
Kaspersky Anti-Virus database records: 166270
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
Scan Statistics
Total number of scanned objects 67194
Number of viruses found 5
Number of infected objects 53
Number of suspicious objects 0
Duration of the scan process 1799 sec

Infected Object Name Virus Name
C:\Hijackthis\backups\backup-20060213-114930-775.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP374\A0065187.exe Infected: not-virus:Hoax.Win32.Renos.az
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP374\A0065191.exe Infected: Trojan-Downloader.Win32.WinShow.be
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP379\A0065377.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP381\A0065408.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP382\A0065438.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP385\A0065448.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP387\A0065451.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP388\A0065461.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP388\A0065469.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP391\A0065479.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP393\A0065484.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP396\A0065489.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP396\A0065492.prx:akqpfz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP396\A0065493.pif:sdbvhj:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP398\A0065505.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP399\A0065521.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP401\A0065537.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP403\A0065551.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP403\A0065560.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP404\A0065566.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP406\A0065575.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP407\A0065581.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP409\A0065584.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP412\A0065590.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP414\A0065611.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP417\A0065621.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP419\A0065625.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP420\A0065629.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP422\A0065636.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP427\A0066925.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP428\A0066942.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP429\A0066944.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067700.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067717.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067740.EXE Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067808.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067817.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067819.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067820.prx:akqpfz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067821.pif:sdbvhj:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067822.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067823.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067824.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067825.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067826.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067827.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067828.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067829.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067830.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067831.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067832.exe Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067833.exe Infected: Trojan-Downloader.Win32.Agent.td
Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 3:03:35 PM, on 2/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bin\HPOstr05.exe
c:\program files\bin\HPOVDX05.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.microsoft.com/search/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/search/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://home.microsoft.com/search/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/search/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.microsoft.com/search/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CF3BB33-A8D7-079C-312F-ABCFF55DD77D} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\Documents and Settings\Ed Vaske\Local Settings\Temp\ins27.tmp\dlgli.exe
O4 - Startup: dBpowerAMP.lnk = C:\Program Files\Illustrate\dBpowerAMP\Amp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Bin\HPOstr05.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://I:\content\include\XPPatchInstaller.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\GHOSTS~2.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

When I tried to uninstall the Kaspersky antivirus that I downloaded, it wiped out some very key Windows files and asked me for my Windows disk. Since I had the SP1 disk, it would not take it without reloading all of Windows. I had a hard time finding the upgrade that Microsoft sent, but finally did. It took nearly 2 hours to get it off my computer. The scan told me I had viruses, but the antivirus would not see and get rid of them?
I wouldn't recommend that anyone use this antivirus from Kaspersky.
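
The scan log above has a detail worth reading carefully before deciding what to do about it: entries such as `A0067808.scr:xvjfs:$DATA` use the NTFS alternate data stream (ADS) notation `file:stream:$DATA`, and almost every hit sits under `System Volume Information\_restore{...}\RPnnn`, the System Restore snapshot store. The following Python is an added example, not code from this thread or from any scanner; it parses lines of the `<path> Infected: <verdict>` shape, splits the ADS name from its host file and groups detections by restore point, so a responder can see how much of the list a System Restore reset would discard versus what is on the live filesystem. Four sample lines are copied from the log above; the fifth (`C:\WINDOWS\system32\example.dll`) is constructed to show a detection outside the restore-point store.

```python
"""Parse antivirus scan-log lines of the form '<path> Infected: <verdict>',
separate NTFS alternate data streams (ADS) from their host file, and group
detections by System Restore point.
"""
import re
from collections import Counter

# Sample input. The first four lines are copied from the scan log quoted
# above; the fifth (C:\WINDOWS\system32\example.dll) is constructed to show
# a detection outside the restore-point store.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067808.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067817.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP431\A0067820.prx:akqpfz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{F61C6AD4-EFEF-4809-A01B-78263F32C4AF}\RP429\A0066944.scr:xvjfs:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Agent.bi
Scan process completed.
"""

# '<path> Infected: <verdict>' as printed by the scanner.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+)$")
# '<drive>:<path>' optionally followed by ':<stream>:$DATA' (NTFS ADS).
# After the drive letter a Windows path contains no ':', so the next ':'
# starts the stream name.
PATH_RE = re.compile(r"^(?P<file>[A-Za-z]:[^:]*)(?::(?P<stream>[^:]+):\$DATA)?$")
# Restore-point directory: ...\_restore{<guid>}\RP<n>\...
RP_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\")


def parse_line(line):
    """Return a dict for one detection line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.match(m.group("path"))
    if not p:
        return None
    rp = RP_RE.search(p.group("file"))
    return {
        "file": p.group("file"),
        "stream": p.group("stream"),  # None when the hit is not an ADS
        "verdict": m.group("verdict"),
        "restore_point": rp.group(1) if rp else None,
    }


def parse_log(text):
    """All detections in a scan log, in file order."""
    return [d for d in (parse_line(l) for l in text.splitlines()) if d]


def summarize(findings):
    """Counts a responder wants before deciding to reset System Restore."""
    return {
        "total": len(findings),
        "ads_count": sum(1 for f in findings if f["stream"]),
        "by_restore_point": dict(
            Counter(f["restore_point"] for f in findings if f["restore_point"])
        ),
        "outside_restore": sum(1 for f in findings if not f["restore_point"]),
        "verdicts": dict(Counter(f["verdict"] for f in findings)),
    }


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for f in found:
        tag = f"ADS '{f['stream']}' on " if f["stream"] else ""
        where = f["restore_point"] or "live filesystem"
        print(f"[{where}] {tag}{f['file']} -> {f['verdict']}")
    print(summarize(found))
```

On this sample the summary reports 4 of 5 hits inside restore points RP431 and RP429 and 3 of them as ADS; the one hit outside the store is the only thing a restore-point reset would not touch and has to be handled by the scanner or by hand.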

#13 jwbirdsong
  • Slaher O' Spyware
  • Members
  • 232 posts

Posted 17 February 2006 - 11:21 PM

Congratulations, your log is clean.

First, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Delete the AboutBuster folder from your desktop

Make sure MSAS is turned back on

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster, SpywareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers real-time protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the link in my signature.

Make SURE to read AND FOLLOW THE ADVICE IN How Did I Get Infected in the First Place??

One final thing I failed to mention earlier: your Java is outdated. Update instructions are HERE.
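
The "your log is clean" verdict above comes from reading the HijackThis log section by section. As an added example, not part of this thread and not HijackThis's own code, the Python below parses `Oxx - ...` entries and flags the three kinds of line a reviewer checks by hand: an O2 BHO whose CLSID is registered but whose DLL is `(no file)`, an O4 startup item launched from a temporary directory, and an O16 downloaded-program (ActiveX) object sourced from something other than an HTTP URL. The sample entries are copied verbatim from the log above. The output is a list of review items, not verdicts: an orphaned BHO is a leftover registry entry rather than running code, and whether a one-off installer in `Temp` is expected is a judgement the reviewer still makes.

```python
"""Triage a HijackThis 1.99 log: parse 'Oxx - ...' entries and flag the
ones a reviewer checks by hand before calling a log clean. Flags are
review items, not verdicts.
"""
import re

# Sample entries copied verbatim from the HijackThis log quoted above.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CF3BB33-A8D7-079C-312F-ABCFF55DD77D} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: Data LifeGuard LifeLine Lite installer.lnk = C:\Documents and Settings\Ed Vaske\Local Settings\Temp\ins27.tmp\dlgli.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://I:\content\include\XPPatchInstaller.CAB
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# 'O4 - <body>', 'R1 - <body>', etc.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# Startup targets living in a temp directory deserve a second look.
TEMP_DIR_RE = re.compile(r"\\local settings\\temp\\|\\windows\\temp\\", re.IGNORECASE)


def o4_target(body):
    """Extract the launched command from an O4 line (Run key or Startup .lnk)."""
    if " = " in body:                  # 'Startup: name.lnk = C:\path\prog.exe'
        return body.split(" = ", 1)[1]
    return body.split("] ", 1)[-1]     # 'HKLM\..\Run: [name] C:\path\prog.exe /arg'


def triage_entry(line):
    """Return (code, reason, line) if the entry needs review, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code == "O2" and body.endswith("- (no file)"):
        return (code, "BHO CLSID registered but its DLL is gone (orphaned entry)", line)
    if code == "O4" and TEMP_DIR_RE.search(o4_target(body)):
        return (code, "startup item launches from a temporary directory", line)
    if code == "O16":
        origin = body.rsplit(" - ", 1)[-1]
        if not origin.lower().startswith(("http://", "https://")):
            return (code, "ActiveX (DPF) object sourced from a non-HTTP location", line)
    return None


def triage_log(text):
    """Review items for every entry in a log, in log order."""
    return [r for r in (triage_entry(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for code, reason, line in triage_log(SAMPLE_HJT):
        print(f"{code}: {reason}\n    {line.strip()}")
```

Run against the sample it flags exactly three entries (the `(no file)` BHO, the installer under `Local Settings\Temp`, and the `file://I:\...` DPF object) and passes the Acrobat BHO, the AVG Run key, the Microsoft-hosted DPF object and the O23 service untouched.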

#14 aquabird
  • Topic Starter
  • Members
  • 12 posts

Posted 18 February 2006 - 02:51 AM

Thanks. I have done all except deleting AboutBuster from the desktop, and I don't know what MSAS is. I will mail in a donation to the site; you guys and (girls?) are super. Thanks again for your help. Now I have a lot of studying to do before I start my new job, and a lot of it will be done on the computer.
Ed

#15 jwbirdsong
  • Slaher O' Spyware
  • Members
  • 232 posts

Posted 18 February 2006 - 11:00 AM

MSAS = Microsoft AntiSpyware, and reading back through your thread, we did NOT have to disable it, so you can disregard that line.

Thanks for the donation; any and all are very GRATEFULLY accepted.

Good luck on the new job



