angie276

Different Computer, Different Problems


I picked up this computer yesterday at a sale. There weren't any anti-virus programs installed at all! I downloaded AVG, Ad-Aware and Spybot. I ran all three: AVG found over 200 viruses, Spybot found 89 issues and Ad-Aware found over 800 issues. Needless to say the computer is running a million times better, but I know it probably still has some issues. My HJT log:

 

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 8:49:09 AM, on 5/23/2007

Platform: Windows ME (Win9x 4.90.3000)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE

C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS_V2.EXE

C:\COMPAQ\CPQINET\CPQNPCSS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redire...mer&LC=0409

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\Run: [service Connection] c:\cpqs\bwtools\sccenter.exe

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe

O4 - HKLM\..\Run: [LexStart] Lexstart.exe

O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunOnce: [test]

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - HKCU\..\RunOnce: [test]

O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE" (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [QRIA] (User 'Default user')

O4 - .DEFAULT Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe (User 'Default user')

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe

O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtangent.com/multiplayer/cannonsmmp/wtinst.cab

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = avci.net

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.17.71,12.173.195.1

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\SYSTEM\BROWSEUI.DLL

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\SYSTEM\BROWSEUI.DLL

 

--

End of file - 8576 bytes


Hi and welcome

 

You've picked up an older computer with a bad infection...

 

O4 - HKLM\..\RunOnce: [test]

W32/Singu

http://www.sophos.com/security/analyses/w32singuag.html

Allows others to access the computer; deletes files off the computer; steals information; drops more malware; downloads code from the internet; reduces system security; records keystrokes; installs itself in the Registry; leaves non-infected files on the computer.

Your system is infected.

Trojans attempt to steal passwords, as well as logging keypresses and open window titles to text files, and periodically send the collected information to a remote user via HTTP. Even if we clean the malware off your system, we can't guarantee that your system will be clean afterwards. Also, we cannot guarantee to repair all the damage it caused.

 

We recommend that you disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable. PIN numbers, credit card numbers, account numbers, etc. should all be changed immediately, and it would be wise to contact those same financial institutions to advise them of your situation. This infection that you have will attract others; keep it offline except when we are troubleshooting.

(How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?)

(When should I re-format? How should I reinstall?)

 

We can attempt to remove this, but do keep in mind that sometimes damage cannot be repaired...

Some feel a wipe and clean install of Windows is the best security.

 

 

The version of HijackThis you are running is Beta, a product that is normally in its final stages of testing.

Often, a Beta version of a product may contain minor bugs and glitches, so let's work with the final version, HijackThis 1.99.1, instead.

 

Use Control Panel > Add/Remove Programs to remove HijackThis v2.

Then, do a search and also delete any Folders or Files the program created.

 

 

 

 

Please disable SpywareGuard, as it may interfere with some of our HijackThis fixes:

 

Right click the SpywareGuard icon in the System Tray at the bottom-right corner of the screen and open the program.

Then go to Menu, File, Exit.

Then confirm the program is closed.

 

 

 

 

Please go to Add/Remove Programs and, if found, please remove:

Web Offers

Wild Tangent

 

Using Windows Explorer, search for and delete:

C:\PROGRAM FILES\Web Offer <-- folder

 

 

 

Open HJT and click Scan Only, then place a check by these entries:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\RunOnce: [test]

O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O4 - HKCU\..\RunOnce: [test]

O4 - HKUS\.DEFAULT\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O4 - HKUS\.DEFAULT\..\RunOnce: [QRIA]

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe

O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtangent.com/multiplayer/cannonsmmp/wtinst.cab

 

Close all windows and browsers except HJT and click Fix Checked.

 

 

 

Go to Start > Find/Search > Files or Folders; in the Named box, type: *.tmp and choose Edit > Select All -> File > Delete.

Then use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

 

Then, empty your Temporary Internet Cache completely. Close all instances of Outlook and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete Files" button. When prompted, place a check in "Delete all offline content", then click OK.

 

 

 

Download and scan with the free 15 day trial of Counterspy

Or use the alternate location found Here.

 

Once installed launch Counterspy.

Click on 'Spyware Scan', then click 'Updates' at the top right.

Once any available updates have been installed, click the 'Scan Now' button.

1. Once Counterspy has done scanning, the 'Scan Results' box will appear.

2. Click on 'View Results'.

3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.

4. Then click on 'Take Action'.

5. Once everything has been removed, click on 'View Details'.

6. Copy and paste those details into a Word/Text document, then save it to your desktop.

Or Follow this tutorial on the installation/setup/scanning and cleaning of any infections found: Here

 

Reboot your pc.

 

 

 

 

Download AVG Anti-Spyware 7.5 from Here

And save that file to your desktop.

  • Once you have downloaded AVG Anti-Spyware, locate the icon on your desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and update the definition files.
  • On the main screen select the "Update" icon, then select the "Update Now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on "Recommended Actions" and then select "Quarantine". <-- VERY IMPORTANT
  • Under "Reports":
    Select "Automatically generate report after every scan"
    Un-select "Only if threats were found"

 

Close AVG Anti-Spyware 7.5, Do not run a scan yet.

 

 

Reboot your computer into Safe Mode. Tap the F8 key just before Windows starts to load and select Safe Mode from the menu.

 

Important: do not open any other windows or programs while AVG is scanning, as it may interfere with the scanning process:

  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
  • AVG will now begin the scanning process; be patient, this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file; this is important.)
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode.
IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

 

 

In your next reply I need

Counterspy report

AVG A/S log

New HJT log

Comments on how things are running now

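The HijackThis entries the helper marks for fixing above follow a small set of patterns. As an added example that is not part of the original thread or of HijackThis itself, the following Python script parses R0/R1/R3, O4 and O16 lines and flags those patterns: IE search settings left at about:blank, a missing URLSearchHook, autorun entries with no command or launching from the Web Offer folder, and DPF ActiveX downloads from hosts outside an allowlist. The unwanted-folder list and the allowlist containing pcpitstop.com (which the helper left alone) are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the entries from the first HJT log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.download.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunOnce: [test]
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [QRIA] (User 'Default user')
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://www.wildtangent.com/multiplayer/cannonsmmp/wtinst.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
"""

# Assumptions for this example: folder names treated as unwanted (the helper had
# the Web Offer folder deleted) and DPF hosts treated as trusted (the helper left
# the pcpitstop.com entries in place).
UNWANTED_FOLDERS = ("web offer",)
TRUSTED_DPF_HOSTS = {"pcpitstop.com"}

R_LINE = re.compile(r"^(?P<kind>R[0-3]) - (?P<rest>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O16_LINE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \([^)]*\))? - (?P<url>\S+)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")  # HJT's per-user annotation


def check_r_entry(m):
    """R0/R1 are IE start/search settings; R3 is the URLSearchHook.
    Flags settings forced to about:blank (a common hijack residue) and a
    missing default URLSearchHook, as in the helper's fix list."""
    if m.group("kind") == "R3":
        return "default URLSearchHook missing" if "is missing" in m.group("rest") else None
    if " = " not in m.group("rest"):
        return None
    value = m.group("rest").split(" = ", 1)[1].strip().lower()
    if value == "about:blank":
        return "IE search/start setting left at about:blank (hijack residue)"
    return None


def check_o4_entry(m):
    """O4 entries are autorun registrations (Run/RunOnce/RunServices).
    Flags entries with no command at all and entries launching from a
    folder on the unwanted list."""
    cmd = USER_SUFFIX.sub("", m.group("cmd")).strip()
    if not cmd:
        return "autorun entry with no command (%s)" % m.group("name")
    if any(folder in cmd.lower() for folder in UNWANTED_FOLDERS):
        return "autorun entry launches from an unwanted folder"
    return None


def check_o16_entry(m):
    """O16 entries are ActiveX controls downloaded from a URL (DPF).
    Flags any whose host is not on the trusted allowlist."""
    host = (urlparse(m.group("url")).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host not in TRUSTED_DPF_HOSTS:
        return "ActiveX download (DPF) from untrusted host %s" % host
    return None


CHECKS = [(R_LINE, check_r_entry), (O4_LINE, check_o4_entry), (O16_LINE, check_o16_entry)]


def triage_log(text):
    """Return [(line, reason)] for every HJT line matching a flagged pattern."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for pattern, check in CHECKS:
            m = pattern.match(line)
            if m:
                reason = check(m)
                if reason:
                    findings.append((line, reason))
                break  # each line belongs to exactly one section type
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage_log(SAMPLE_LOG):
        print("FLAG: %s\n      %s" % (why, flagged_line))
```

Entries the script leaves unflagged (TaskMonitor, the Window Title setting, the pcpitstop.com control) are the ones the helper also left in place; the download.com start page is a user preference rather than one of these patterns, so it is not flagged here.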

Is there an alternative to Counterspy? I am running Windows ME and it won't let me install it. Thanks!

 

ETA: Nevermind I found it!

Edited by angie276


AVG A/S is not compatible with Windows ME so I couldn't install it. I did everything else; below are the results. The computer seems to be running pretty good.

 

My HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 3:56:54 PM, on 5/24/2007

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redire...mer&LC=0409

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?MyEbay&_trksid=m37

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\Run: [service Connection] c:\cpqs\bwtools\sccenter.exe

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

O4 - HKLM\..\Run: [sunServer] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\sunserver.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = avci.net

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.17.71,12.173.195.1

 

 

CounterSpy:

 

Spyware Scan Details

Start Date: 5/24/2007 3:16:19 PM

End Date: 5/24/2007 3:30:38 PM

Total Time: 14 mins 19 secs

 

Detected spyware

 

WildTangent Low Risk Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14225>

Details: WildTangent is an online gaming plugin bundle from Wildtangent.com similar to Macromedia’s flash. WildTangent uses a built in required feature that is used to provide adware based advertising to the user.

Status: Deleted

 

Infected files detected

c:\windows\application data\wildtangent\cdacache\cdacache.odds

c:\windows\application data\wildtangent\cdacache\00\00\01.dat

c:\windows\application data\wildtangent\cdacache\00\00\02.dat

c:\windows\application data\wildtangent\cdacache\00\00\03.dat

c:\windows\application data\wildtangent\cdacache\00\00\04.dat

c:\windows\application data\wildtangent\cdacache\00\00\05.dat

c:\windows\application data\wildtangent\cdacache\00\00\06.dat

c:\windows\application data\wildtangent\cdacache\00\00\07.dat

c:\windows\application data\wildtangent\cdacache\00\00\08.dat

c:\windows\application data\wildtangent\cdacache\00\00\09.dat

c:\windows\application data\wildtangent\cdacache\00\00\0a.dat

c:\windows\application data\wildtangent\cdacache\00\00\0b.dat

c:\windows\application data\wildtangent\cdacache\00\00\0c.dat

c:\windows\application data\wildtangent\cdacache\00\00\0d.dat

c:\windows\application data\wildtangent\cdacache\00\00\0e.dat

c:\windows\application data\wildtangent\cdacache\00\00\0f.dat

c:\windows\application data\wildtangent\cdacache\00\00\10.dat

c:\windows\application data\wildtangent\cdacache\00\00\11.dat

c:\windows\application data\wildtangent\cdacache\00\00\12.dat

c:\windows\application data\wildtangent\cdacache\00\00\13.dat

c:\windows\application data\wildtangent\cdacache\00\00\14.dat

c:\windows\application data\wildtangent\cdacache\00\00\15.dat

c:\windows\application data\wildtangent\cdacache\00\00\16.dat

c:\windows\application data\wildtangent\cdacache\00\00\17.dat

c:\windows\application data\wildtangent\cdacache\00\00\18.dat

c:\windows\application data\wildtangent\cdacache\00\00\19.dat

c:\_RESTORE\TEMP\A0294990.CPY

c:\Program Files\Netscape\Communicator\Program\Plugins\npwtplug.dll

 

Infected registry entries detected

HKEY_LOCAL_MACHINE\software\wildtangent

 

 

NewDotNet Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=9108>

Details: New.Net is an Internet Explorer spyware/hijacker plug-in that adds subdomains of 'new.net' to your name resolution system (Windows’ Host file), resulting in what appear to be extra top-level domains (.shop, and so on) being resolvable.

Status: Deleted

 

Infected files detected

c:\windows\ndnuninstall4_80.exe

c:\windows\ndnuninstall4_88.exe

c:\windows\ndnuninstall5_40.exe

c:\windows\ndnuninstall5_48.exe

c:\WINDOWS\NDNUNINSTALL6_10.EXE

c:\WINDOWS\NDNuninstall4_94.exe

c:\WINDOWS\NDNUNINSTALL5_64.EXE

c:\WINDOWS\NDNUNINSTALL6_22.EXE

c:\_RESTORE\TEMP\A0289640.CPY

c:\_RESTORE\TEMP\A0292072.CPY

c:\_RESTORE\TEMP\NEWDOT~2.0

c:\_RESTORE\TEMP\A0292502.CPY

c:\_RESTORE\TEMP\A0292507.CPY

c:\_RESTORE\TEMP\A0292517.CPY

 

 

ShopAtHome Spyware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=10773>

Details: ShopAtHome installs itself in the Winsock layer of your computer and redirects visits to merchant sites in order to take the affiliate fees from them automatically without your knowledge.

Status: Deleted

 

Infected files detected

c:\windows\downloaded program files\xmlparse_.dll

c:\windows\downloaded program files\xmltok_.dll

c:\WINDOWS\SYSTEM\xmlparse.dll

c:\WINDOWS\SYSTEM\xmltok.dll

c:\_RESTORE\TEMP\A0292552.CPY

c:\My Documents\My Music\SahUpdate\xmlparse_.dll

c:\My Documents\My Music\SahUpdate\xmltok_.dll

c:\My Documents\My Music\SahUpdate\SAHUninstall_.exe

c:\My Documents\My Music\SahUpdate\WEBInstaller.dll

 

 

Cydoor Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=4117>

Details: Cydoor is an adware program that downloads advertisements from a server and displays them on your computer.

Status: Deleted

 

Infected files detected

c:\windows\system\im64.dll

 

 

EGroup Dialer Dialer more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14818>

Details: EGroup Dialer is an ActiveX control for premium-rate diallers, usually for porn sites.

Status: Deleted

 

Infected files detected

c:\windows\system\mseggrpid.dll

 

 

SearchForIt.AdShooter Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=1712>

Details: AdShooter is adware that downloads and displays advertisements.

Status: Deleted

 

Infected files detected

c:\windows\system\syssfitb.dll

 

 

eZula.TopText Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=5117>

Details: eZula TopText is a browser hijacker that will alter all pages viewed in Internet Explorer by adding extra links to words and phrases targeted by advertisers. These links are unauthorized by the users of the sites being viewed and not part of the orig

Status: Deleted

 

Infected files detected

c:\windows\system\ezpopstub.exe

 

 

ConsCorr Trojan Downloader more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14926>

Details: Related to the VX2 downloaders, Conscorr is a trojan downloader, which is reponsible for infecting machines with large amounts of other spyware and adware.

Status: Deleted

 

Infected files detected

c:\windows\conscorr.ini

 

 

VX2.Transponder Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=12517>

Details: VX2 is an Internet Explorer Browser Helper Object that monitors web page requests and data entered into forms, sending this information to its home server, and opens pop-up advertisement windows. VX2 also collects and sends personal information.

Status: Deleted

 

Infected files detected

c:\windows\inf\conscorr.inf

 

 

Transponder.Pynix Spyware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=15316>

Status: Deleted

 

Infected files detected

c:\windows\pynix.dll

 

 

ABetterInternet.Aurora Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=39642>

Details: Opens popups on the desktop based on site visit history; may disable or uninstall other software; denies uninstallation

Status: Deleted

 

Infected files detected

c:\windows\dsr.dll

 

 

ABetterInternet Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14797>

Details: ABetterInternet shows advertisements based on the web pages you view and the web sites you visit.

Status: Deleted

 

Infected files detected

c:\WINDOWS\PYNIX.DLL

c:\_RESTORE\TEMP\A0294973.CPY

 

 

eZula.WebOffer Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14997>

Status: Deleted

 

Infected files detected

c:\WINDOWS\SYSTEM\ezPopStub.exe

c:\_RESTORE\TEMP\A0292671.CPY

c:\_RESTORE\TEMP\A0290724.CPY

c:\_RESTORE\TEMP\A0292333.CPY

c:\_RESTORE\TEMP\A0292370.CPY

c:\_RESTORE\TEMP\A0292371.CPY

 

 

WhenU.SaveNow Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=10810>

Details: an advertising application that displays pop-up advertising on the desktop in response to users' surfing behavior.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0294978.CPY

c:\_RESTORE\TEMP\A0294996.CPY

 

Infected registry entries detected

HKEY_LOCAL_MACHINE\software\whenu

 

 

SearchMiracle.EliteBar Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14899>

Details: Adds a search hijacker toolbar to Internet Explorer called Elite Bar.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0286517.CPY

 

Infected registry entries detected

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform iebar

 

 

SearchMiracle.AdDownloader Trojan Downloader more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=15287>

Details: SearchMiracle.AdDownloader installs a memory resident adware application that displays popup ads on the users computer.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0289632.CPY

 

 

Trojan.Favadd.O Trojan more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=39557>

Details: Trojan.Favadd.O is a Trojan that adds several shortcuts to the Favorites menu in Internet Explorer pointing to crack and serial websites.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0289634.CPY

 

 

Slagent Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14860>

Details: Slagent runs without user notification after initial installation and can download and execute arbitrary files on the computer. Slagent contacts a Web site for advertisement purposes.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0289642.CPY

c:\_RESTORE\TEMP\A0289664.CPY

 

 

Instant Access Dialer more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=7112>

Details: InstantAccess is a dialer that gives a user access to premium services of a third-party Web site by dialing high-cost numbers using a modem.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0289644.CPY

 

Infected registry entries detected

HKEY_CLASSES_ROOT\clsid\{F72BC3F0-6C20-4793-9DDA-258589D8A907}

HKEY_CLASSES_ROOT\clsid\{F72BC3F0-6C20-4793-9DDA-258589D8A907}\InprocServer32 C:\WINDOWS\SYSTEM\NETSLV32.DLL

HKEY_CLASSES_ROOT\clsid\{F72BC3F0-6C20-4793-9DDA-258589D8A907}\InprocServer32 ThreadingModel Apartment

 

 

eZula.Earn Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=15124>

Details: eZula.Earn is the advertising component of the eZula adware software.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0290725.CPY

c:\_RESTORE\TEMP\A0291705.CPY

c:\_RESTORE\TEMP\A0291706.CPY

 

 

TopRebates.WebRebates Browser Plug-in more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14768>

Details: TopRebates is a browser toolbar that can display pop-up advertisements and monitor your Web browsing activities.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0291688.CPY

 

 

ABetterInternet.Transponder.Ceres Adware more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=15251>

Details: VX2.ABetterInternet.Transponder.2 is a new transponder variant of aBetterInternet.

Status: Deleted

 

Infected files detected

c:\_RESTORE\TEMP\A0291709.CPY

c:\_RESTORE\TEMP\A0292587.CPY

 

 

EUniverse Updater Browser Hijacker more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=4959>

Details: EUniverse is an adware program that runs at startup, generates popup ads, and performs a number of spyware related functions such as transmitting personal information and hijacking Internet Explorer.

Status: Deleted

 

Infected registry entries detected

HKEY_LOCAL_MACHINE\software\updater

HKEY_LOCAL_MACHINE\software\updater Install_Dir C:\Program Files\Common files\updater

HKEY_LOCAL_MACHINE\software\updater EXEName wupdater.exe

HKEY_LOCAL_MACHINE\software\updater VersionNumber 1.3.5

HKEY_LOCAL_MACHINE\software\updater cid EC1F5726-8AF4-4112-8FE5-71AACD56C00B

HKEY_LOCAL_MACHINE\software\updater installDate 2004/10/06 20:42

HKEY_LOCAL_MACHINE\software\updater puid 7472e2ae-d1e2-4112-875a-c74dd050ec60

 

 

GeoCities Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=5672>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

c:\windows\cookies\[email protected][3].txt

c:\windows\cookies\[email protected][1].txt

c:\windows\cookies\[email protected][4].txt

 

 

SuperStats Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=11656>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\def[email protected][1].txt

 

 

BurstNet.com Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=3445>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

 

 

WindowsMedia Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=14411>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

c:\windows\cookies\[email protected][3].txt

c:\windows\cookies\[email protected][1].txt

 

 

CGI-Bin Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=3609>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

 

 

ABetterInternet.Aurora Cookie Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=39588>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

c:\windows\cookies\[email protected][3].txt

c:\windows\cookies\[email protected][4].txt

c:\windows\cookies\[email protected][2].txt

c:\windows\cookies\[email protected][5].txt

 

 

ABetterInternet Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=39031>

Details: ABetterInternet shows advertisements based on the web pages you view and the web sites you visit.

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][1].txt

c:\windows\cookies\[email protected][3].txt

 

 

TopRebates Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=25003>

Details: Cookie capable of tracking Web site visits.

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

c:\windows\cookies\[email protected][3].txt

 

 

Right Media Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=29001>

Details: Rightmedia is a cookie that tracks the unique visitors to a web site and their personal preferences.

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

c:\windows\cookies\[email protected][1].txt

 

 

Offeroptimizer Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=29004>

Details: Offeroptimizer is a cookie that tracks the unique visitors to a web site and their personal preferences.

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

c:\windows\cookies\[email protected][1].txt

 

 

AdKnowledge.com Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=1655>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][2].txt

 

 

Cok.PriceBandit Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=39011>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][1].txt

 

 

Cok.a.websponsors Cookie more information... <http://www.sunbelt-software.com/dev/Spy/SpyFighter/ThreatHelp.aspx?ID=40185>

Status: Deleted

 

Infected cookies detected

c:\windows\cookies\[email protected][1].txt


Welcome back

 

One of the problems with older Windows computers is finding tools and scans that are compatible with them.

 

CounterSpy did a very good job... it appears your log is clean, but I'm still suspicious.

What we can try next is a different scan for detections.

 

 

Sunbelt Software\CounterSpy\Quarantine folder <-- delete the contents of the folder, not the folder itself

 

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look to see whether you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.

    This will move the file to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).

  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved in your next reply.
In your reply, post:

the DrWeb.csv log

and any comments on how things are running.


I couldn't move some of the infected files :(

 

A0295137.CPY;C:\_RESTORE\TEMP;Trojan.Bispy - write error;;

A0296640.CPY;C:\_RESTORE\TEMP;Adware.EliteBar;Incurable.Will be moved after reboot.;

A0296678.CPY;C:\_RESTORE\TEMP;Probably DLOADER.Trojan;Incurable.Will be moved after reboot.;

A0286505.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.4831 - write error;;

A0286517.CPY;C:\_RESTORE\TEMP;Trojan.MulDrop.2548 - write error;;

A0286518.CPY;C:\_RESTORE\TEMP;Trojan.Proxy.422 - write error;;

A0289622.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.2178 - write error;;

A0289632.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.4135 - write error;;

A0289634.CPY;C:\_RESTORE\TEMP;Trojan.StartPage.450 - write error;;

A0289642.CPY;C:\_RESTORE\TEMP;Trojan.Wintrim - write error;;

A0289660.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.2596 - write error;;

A0289662.CPY;C:\_RESTORE\TEMP;Trojan.MulDrop.2134 - write error;;

A0289664.CPY;C:\_RESTORE\TEMP;Trojan.Wintrim - write error;;

A0291710.CPY;C:\_RESTORE\TEMP;Trojan.Wintrim - write error;;

msnmsgr.exe;C:\Program Files\MSN Messenger;Probably DLOADER.Trojan;Incurable.Moved.;

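The Dr.Web report above is a semicolon-separated list, and almost every flagged file sits under C:\_RESTORE\TEMP, the Windows ME System Restore archive, which is where the "write error" results cluster; the next reply in the thread attributes the leftovers to System Restore for that reason. The script below is an added example for this thread, not code from Dr.Web CureIt or from either poster. It parses the layout seen in the post (name;directory;detection;action, with " - write error" appended to the detection when the file could not be changed), separates restore-archive copies from detections on live files, and lists what is still present after the scan. The embedded sample report is a constructed subset of the lines posted above; the field layout, the C:\_RESTORE prefix test and the reading of "write error" as "nothing was changed" are assumptions drawn from those lines.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv).

Added example for this thread; it is not code from Dr.Web or from the
posters. Assumed line layout, taken from the report posted above:
    name;directory;detection[ - write error];action;
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the report lines posted in the thread.
SAMPLE_REPORT = (
    "A0295137.CPY;C:\\_RESTORE\\TEMP;Trojan.Bispy - write error;;\n"
    "A0296640.CPY;C:\\_RESTORE\\TEMP;Adware.EliteBar;Incurable.Will be moved after reboot.;\n"
    "A0286518.CPY;C:\\_RESTORE\\TEMP;Trojan.Proxy.422 - write error;;\n"
    "msnmsgr.exe;C:\\Program Files\\MSN Messenger;Probably DLOADER.Trojan;Incurable.Moved.;\n"
)

WRITE_ERROR = " - write error"


@dataclass
class Finding:
    name: str
    directory: str
    detection: str
    action: str
    write_error: bool

    @property
    def path(self) -> str:
        return self.directory + "\\" + self.name

    @property
    def in_restore_archive(self) -> bool:
        # Windows ME keeps System Restore copies under C:\_RESTORE (assumption
        # based on the paths in the report); the scanner could not alter them.
        return self.directory.upper().startswith("C:\\_RESTORE")

    @property
    def still_present(self) -> bool:
        # A write error means nothing was changed; a deferred move is not done yet.
        return self.write_error or "after reboot" in self.action.lower()


def parse_report(text: str) -> list:
    """Parse report lines into Finding objects; blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {raw!r}")
        name, directory, detection, action = fields[:4]
        write_error = detection.endswith(WRITE_ERROR)
        if write_error:
            detection = detection[: -len(WRITE_ERROR)]
        findings.append(Finding(name, directory, detection, action, write_error))
    return findings


def summarize(findings: list) -> dict:
    """Split the report into restore-archive noise and live detections."""
    return {
        "total": len(findings),
        "in_restore_archive": sum(f.in_restore_archive for f in findings),
        "write_errors": sum(f.write_error for f in findings),
        "still_present": [f.path for f in findings if f.still_present],
        "live_detections": [
            (f.path, f.detection, f.action)
            for f in findings if not f.in_restore_archive
        ],
        "by_family": Counter(f.detection.split(".")[0] for f in findings),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary, or point parse_report at the real DrWeb.csv contents. The "still_present" list is what to re-check after the restore archive has been purged; "live_detections" is the short list that actually needed a look on this machine.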

Welcome back

 

From what I can see, most of it was stored in System Restore...

 

To disable, then re-enable System Restore:

 

1. Right-click My Computer, and then click Properties.

2. On the Performance tab, click File System, or press ALT+F.

3. On the Troubleshooting tab, click to select the Disable System Restore check box.

4. Click OK twice, and then click Yes when you are prompted to restart the computer.

5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

 

 

Scan again and post a new HJT log.


I have one question: what are all of the "extra buttons" on there for? Do they serve a purpose? New HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 10:06:03 PM, on 5/24/2007

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redire...mer&LC=0409

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\Run: [service Connection] c:\cpqs\bwtools\sccenter.exe

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

O4 - HKLM\..\Run: [sunServer] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\sunserver.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = avci.net

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.17.71,12.173.195.1


Welcome back

 

After you reset System Restore, I wanted you to run the DrWeb scan again...

what are all of the "extra buttons" on there for, do they serve a purpose?

What buttons on which program?

 

Let's do some cleanup now.

 

Open HJT and click scan only, place a check by these entries

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE (file missing)

O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)

 

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

 

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

(Description: This is the Microsoft MSN Queue Manager. There is disagreement over whether it is spying on you or not. Nevertheless, we suggest you check this entry and remove it. Removing this entry will free up some system resources.)

 

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

(Description: Microsoft Money agent. If you are not using this feature, removing it will free up a small amount of system resources.)

 

Close all windows and browsers except HJT and click Fix checked.

 

 

Reboot to set the registry

 

 

 

I didn't detect any active process of a firewall on your system.

 

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

Sygate free firewall

ZoneAlarm free firewall

Outpost free Firewall

Comodo

Kerio Personal Firewall

Jetico Personal Firewall

 

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

For a tutorial on Firewalls and a listing of some available ones see the link below

http://www.bleepingcomputer.com/tutorials/tutorial60.html

 

 

Post back with a new DrWeb scan and a new HJT log

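The reply above picks out the O9 entries marked "(file missing)" plus two O4 autoruns to fix, and the log posted the next day shows exactly those lines gone. The following Python is an added example for this thread, not HijackThis code or code from either poster: it parses HJT entry lines, pulls out the checks a helper runs by eye (dangling "(file missing)" entries, the hosts behind O16 downloaded ActiveX controls, the O17 DNS servers, O4 autorun names) and diffs two logs to confirm what a fix removed. The two embedded logs are constructed subsets of the 5/24 and 5/25 logs in the thread; the "section - body" line pattern and the hostname extraction are assumptions based on those logs.

```python
"""Parse HijackThis log entries and compare two logs.

Added example for this thread; it is not HijackThis code or code from
the posters. Assumes the "<section> - <body>" layout of the posted logs.
The two sample logs are constructed subsets of the 5/24 and 5/25 logs above.
"""
import re
from dataclasses import dataclass

BEFORE_LOG = (
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.ebay.com/\n"
    "O4 - HKLM\\..\\Run: [LoadQM] loadqm.exe\n"
    "O4 - HKCU\\..\\Run: [MoneyAgent] \"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\"\n"
    "O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\PROGRA~1\\MESSEN~1\\MSMSGS.EXE (file missing)\n"
    "O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\\PROGRAM FILES\\YAHOO!\\MESSENGER\\YPAGER.EXE\n"
    "O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab\n"
    "O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: NameServer = 12.127.17.71,12.173.195.1\n"
)
AFTER_LOG = (
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.ebay.com/\n"
    "O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\\PROGRAM FILES\\YAHOO!\\MESSENGER\\YPAGER.EXE\n"
    "O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab\n"
    "O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: NameServer = 12.127.17.71,12.173.195.1\n"
)

# Assumed entry layout: section code (R0, O4, O16, ...), " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[RFN]\d|O\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


def parse_log(text: str) -> list:
    """Keep only lines in HJT entry format; headers and process lists are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def dangling_entries(entries: list) -> list:
    """Entries whose target HJT reports as missing: inert, but safe to fix."""
    return [e for e in entries if e.body.endswith("(file missing)")]


def dpf_hosts(entries: list) -> list:
    """Hosts that served downloaded ActiveX controls (O16); each deserves a look."""
    hosts = set()
    for e in entries:
        if e.section == "O16":
            m = re.search(r"https?://([^/\s]+)", e.body)
            if m:
                hosts.add(m.group(1).lower())
    return sorted(hosts)


def name_servers(entries: list) -> list:
    """DNS servers from O17; a resolver hijack shows up here as an unexpected address."""
    servers = []
    for e in entries:
        if e.section == "O17" and "NameServer" in e.body:
            servers.extend(s.strip() for s in e.body.split("=", 1)[1].split(","))
    return servers


def autorun_names(entries: list) -> list:
    """Value names of O4 autorun entries, e.g. [LoadQM]."""
    names = []
    for e in entries:
        if e.section == "O4":
            m = re.search(r"\[([^\]]+)\]", e.body)
            if m:
                names.append(m.group(1))
    return sorted(names)


def diff_logs(before: list, after: list) -> tuple:
    """Entries removed since the earlier log and entries newly added."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    removed, added = diff_logs(before, after)
    print("dangling:", [e.body for e in dangling_entries(before)])
    print("DPF hosts:", dpf_hosts(before), "DNS:", name_servers(before))
    print("removed:", [e.body for e in removed], "added:", [e.body for e in added])
```

Feed parse_log the full text of each pasted log; anything that is not an entry line (the "Running processes" list, the version header) is ignored. A non-empty "added" list after a fix is the thing to look at first, since a cleanup should only ever remove entries.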

DrWeb came back clean, HJT:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:00:03 AM, on 5/25/2007

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\COMPAQ\CPQINET\CPQINET.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE

C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE

C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE

C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redire...mer&LC=0409

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe

O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe

O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe

O4 - HKLM\..\Run: [service Connection] c:\cpqs\bwtools\sccenter.exe

O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe

O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP

O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE

O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE

O4 - HKLM\..\Run: [sunServer] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\CONSUMER\sunserver.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE

O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = avci.net

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 12.127.17.71,12.173.195.1


Welcome back

 

I didn't detect any active process of a firewall on your system.

 

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

Sygate free firewall

ZoneAlarm free firewall

Outpost free Firewall

Comodo

Kerio Personal Firewall

Jetico Personal Firewall

 

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

For a tutorial on Firewalls and a listing of some available ones see the link below

http://www.bleepingcomputer.com/tutorials/tutorial60.html

 

Logs are clean, good job!

 

If there are no more issues or problems, you're good to go.

 

 

 

Below I have included a number of recommendations to protect your computer in order to prevent future malware infections.

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Install and update SpywareBlaster. It protects against bad ActiveX, browser hijackers, and dialers, which are some of the fastest-growing threats on the Internet today.

Tutorial

 

IE-SPYAD puts over 5000 sites in your restricted zone so you will be protected when you visit innocent-looking sites that aren't actually innocent at all.

Tutorial

 

Install and update Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

Tutorial

Run on a regular basis

 

Install and Update Ad-Aware SE Personal

You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

Tutorial

Run on a regular basis

 

SUPERAntiSpyware

This is another excellent FREE scanner to look for nasties that might be lurking in your system.

SUPERAntiSpyware and AVG Anti-Spyware complement each other very well. Quick Guide: How to use!

 

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

And run them regularly, as this can prevent a great deal of spyware hassle.

 

Please take the time to read this article with suggestions and information on 'Safe Computing Practices.'

So how did I get infected in the first place.

Another valuable article to read: Dealing with Unwanted Spyware and Parasites


Glad we could help. :)

 

Since this issue appears resolved ... this Topic is closed
