Hijack this lock RE:hs.exe

Post by Jake_027 » December 18th, 2005, 4:40 pm

Logfile of HijackThis v1.99.1
Scan saved at 20:28:28, on 18/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\HistorySweep\HSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\QUICKH~1\qhwscsvc.exe
D:\QUICKH~1\QHONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\QUICKH~1\MailSvr.exe
D:\QUICKH~1\UPSCHD.EXE
D:\QUICKH~1\QHM32.EXE
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\OmniPage SE\opware32.exe
C:\Program Files\WinPortrait\wpctrl.exe
D:\Microsoft Antispyware\gcasServ.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\pupxpman.exe
C:\Program Files\WinPortrait\floater.exe
D:\PowerDVD\PDVDServ.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
D:\iPod Updater\iPod\bin\iPodService.exe
D:\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
D:\QUICKH~1\QHONLINE.EXE
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
D:\Spyware BeGone\SpywareBeGone.exe
D:\Adobe\Reader\reader_sl.exe
D:\AOL 9.0\aoltray.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
c:\program files\common files\aol\1133353862\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
D:\Microsoft Antispyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
D:\AOL 9.0\waol.exe
D:\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SE/1?http://toolbar.m ... sgrInstall
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: (no name) - {FE7953EE-25ED-40D8-A53F-066C124CE023} - D:\HistorySweep\popkill.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] D:\QUICKH~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] D:\QUICKH~1\UPSCHD.EXE /Check
O4 - HKLM\..\Run: [Quick Heal Messenger] D:\QUICKH~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Omnipage] D:\OmniPage SE\opware32.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Microsoft Antispyware\gcasServ.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] D:\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "D:\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] D:\Adobe\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Spyware Begone] "D:\Spyware BeGone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = D:\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/162107e0a29 ... xIE601.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D2023F3-6DB8-4F01-AE5D-47141F84B5F2}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\iPod Updater\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - D:\QUICKH~1\qhwscsvc.exe
O23 - Service: Quick Heal Online Protection - Unknown owner - D:\QUICKH~1\QHONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

The HSSvc.exe is from HistorySweep 1.6 on the Dec 05 PC Advisor disc; it's the hs.exe in Temp that I think is the problem.
Jake_027
Active Member
 
Posts: 5
Joined: December 18th, 2005, 4:36 pm

Post by Susan528 » December 18th, 2005, 11:13 pm

Hello Jake and Welcome to Malware removal.

I think that the HSSvc.exe is the problem and the hs.exe is okay. Before we proceed with deletion of files, let’s obtain information first to verify this.

C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
(You want to do a search on the hs.exe to locate it)
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe

STEP 1.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
hs.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

Please also check the properties of those files (right-click and select Properties from the popup menu). Look if you can find some company information, etc.

Now please repeat the above again replacing the file with HSSvc.exe and copy and post (reply) with the results.

You are running HijackThis from its zipped archive; please create a new folder for it and unzip the program into it. It is very important you do this before anything else!
Also please do not have it in a temporary folder.

C:\DOCUME~1\Jake\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

Please post another HijackThis log along with the Jotti results.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
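The triage Susan is doing by eye above (an executable running from a Temp folder, a service with "Unknown owner", entries marked "(file missing)", a changed start page) can be scripted over a HijackThis log. The following is an added example and not part of the thread or of HijackThis itself; the log excerpt, the allow-list of home-page hosts and the check names are constructed for the demonstration. It also adds one check the thread only hints at: a third-party process that is running but has no visible O4/O23 autostart entry, which is exactly the "it comes back at the next startup" situation with hs.exe.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the HijackThis v1.99.1 log format used in the thread.
# It is not the poster's full log, only enough lines to exercise each check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 21:54:01, on 19/12/2005

Running processes:
C:\WINDOWS\system32\services.exe
D:\HistorySweep\HSSvc.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
D:\ZoneAlarm\zlclient.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed allow-list: hosts the browser start/search page is expected to point at.
EXPECTED_HOME_HOSTS = {"uk.msn.com", "www.msn.com", "www.google.com"}

# Path fragments (lower-cased) that mean "running out of a temporary directory".
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Last path component of any .exe referenced in an entry body, e.g. "HSSvc.exe".
BASENAME_RE = re.compile(r'([^\\"\s\[\]]+\.exe)\b', re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the typed entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # a blank line ends the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def triage(text):
    """Return (check_name, detail) pairs a helper would want to look at first."""
    processes, entries = parse_hjt(text)
    findings = []

    # Executables that some autostart entry (O4 Run key, O23 service, ...) accounts for.
    autostarted = {name.lower() for _, body in entries for name in BASENAME_RE.findall(body)}

    for path in processes:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if any(marker in low for marker in TEMP_MARKERS):
            findings.append(("temp_exec", path))
        # Core OS binaries under %WINDIR% are started by the OS itself; every other
        # process that survives a reboot should be explained by a visible entry.
        if not low.startswith("c:\\windows\\") and name not in autostarted:
            findings.append(("no_autostart", path))

    for kind, body in entries:
        if "(file missing)" in body:
            findings.append(("file_missing", f"{kind} - {body}"))
        if kind == "O23" and "Unknown owner" in body:
            findings.append(("unknown_owner", f"{kind} - {body}"))
        if kind in ("R0", "R1") and ("Start Page" in body or "Search" in body):
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if host and host not in EXPECTED_HOME_HOSTS:
                findings.append(("start_page_changed", f"{kind} - {body}"))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"{check:20} {detail}")
```

On the excerpt this flags hs.exe twice (it runs from Temp and nothing in the log explains how it is relaunched), the HistorySweepService entry for its missing publisher string, the orphaned msnim protocol handler, and the hsremove.com start page. As the thread itself shows, every one of those is a lead to verify (file properties, a Jotti or VirusTotal hash lookup) rather than a verdict: HSSvc.exe came out clean.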

hs.exe/HSSvc.exe and jotti scans plus unzipped hijack this

Post by Jake_027 » December 19th, 2005, 6:08 pm

Logfile of HijackThis v1.99.1
Scan saved at 21:54:01, on 19/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\HistorySweep\HSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\QUICKH~1\qhwscsvc.exe
D:\QUICKH~1\QHONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
D:\QUICKH~1\MailSvr.exe
D:\QUICKH~1\UPSCHD.EXE
D:\QUICKH~1\QHM32.EXE
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\OmniPage SE\opware32.exe
C:\Program Files\WinPortrait\wpctrl.exe
D:\Microsoft Antispyware\gcasServ.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\pupxpman.exe
D:\PowerDVD\PDVDServ.exe
D:\ZoneAlarm\zlclient.exe
D:\iPod Updater\iPod\bin\iPodService.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Spyware BeGone\SpywareBeGone.exe
D:\QUICKH~1\QHONLINE.EXE
D:\Adobe\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
C:\Program Files\WinPortrait\floater.exe
D:\AOL 9.0\aoltray.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
c:\program files\common files\aol\1133353862\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
D:\AOL 9.0\waol.exe
D:\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
D:\Microsoft Antispyware\gcasDtServ.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SE/1?http://toolbar.m ... sgrInstall
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: (no name) - {FE7953EE-25ED-40D8-A53F-066C124CE023} - D:\HistorySweep\popkill.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] D:\QUICKH~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] D:\QUICKH~1\UPSCHD.EXE /Check
O4 - HKLM\..\Run: [Quick Heal Messenger] D:\QUICKH~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Omnipage] D:\OmniPage SE\opware32.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Microsoft Antispyware\gcasServ.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] D:\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "D:\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] D:\Adobe\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Spyware Begone] "D:\Spyware BeGone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = D:\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/162107e0a29 ... xIE601.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D2023F3-6DB8-4F01-AE5D-47141F84B5F2}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\iPod Updater\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - D:\QUICKH~1\qhwscsvc.exe
O23 - Service: Quick Heal Online Protection - Unknown owner - D:\QUICKH~1\QHONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

This is the HijackThis log run from its own folder.

Jotti Scan for HSSvc.exe

Service load: 0% 100%

File: HSSvc.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 68d23b009ef05d4552b6852986c59dff
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

The reason both have been scanned before is because my PC crashed halfway through posting this reply.

Jotti Scan for hs.exe

Service load: 0% 100%

File: hs.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 037d9c39b06d3b39d81151cb5c9761eb
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

I don't think HSSvc.exe is the problem. This is the startup file for HistorySweep (see: http://www.historysweep.com), which I obtained from the cover disc of the December edition of PC Advisor magazine (see: http://www.pcadvisor.co.uk). It was on before hs.exe and never caused any problems. However, hs.exe is a different matter. It is in the processes in Windows Task Manager, and if I close it there and delete it (plus I deleted all prefetch keys), it still comes back at the next startup. It has no company properties. However, I also posted this on the PC Advisor forums (where I got the link to here) and somebody sent me this:

Home Search Assistant and about:Blank - The latest, most nasty hijacks to show up, forcing your web browser to be redirected to an about:Blank page or some search website. These programs are really a mix of spyware, homepage hijacks and trojans and are nasty to remove. We suggest you try about:Buster and/or HSRemove and follow the directions to use them on the download pages.

Although I don't get any of the symptoms (although I believe HistorySweep's pop-up killer has blocked a lot of these), I think this is what I have, but unfortunately HSRemove didn't work. You can e-mail this person at: rabadubdub@yahoo.com (please tell him it's on behalf of me) as he is the person who sent me this.

Thanks for all your help Susan, I hope this is what you need; anything else, please let me know.

Regards

Jake
Jake_027
Active Member
 
Posts: 5
Joined: December 18th, 2005, 4:36 pm

Post by Susan528 » December 19th, 2005, 6:52 pm

Hello Jake,

Thanks for the information. Let's try some scans. Also, please tell me what problems you are experiencing.

STEP 1.
Hello and Welcome,

I would like you to run some scans and post the results. Let’s do some cleaning first.

STEP 2.
======
Let’s check for Malware/Spyware on your computer which is best dealt with by spyware-removal programs used one after the other.
Spybot: Search and Destroy:
  1. Download 'Spybot: Search And Destroy'.
  2. Install it according to the instructions in 'How To Setup Spybot SD and Ad-Aware SE'.
  3. Next, 'Search for Updates' as the definitions are not likely to be up-to-date.
  4. Close ALL windows except Spybot SD
  5. Click the "Check for Problems" button
  6. Click 'Fix Selected Problems' and fix only the RED items.
  7. REBOOT to finish removing what Spybot SD found and clear memory


Ad-Aware SE by Lavasoft:
  1. Download 'Ad-Aware SE'.
  2. Install according to the instructions in "How To Setup Spybot SD and Ad-Aware SE"
  3. Next, 'Check for Updates' by clicking on the 'world globe' second from the right at the top of your Ad-Aware SE window.
  4. Install the updates.
  5. Close ALL windows except Ad-Aware SE
  6. Click on 'Start' and choose 'full scan' for a full scan.
  7. Quarantine anything that it finds and SAVE the log file.
  8. REBOOT to finish removing what Ad-Aware SE found and clear memory.

Please let me know if anything cannot be cleaned by these utilities.
STEP 3.
======
Download Ewido
  1. Download and install Ewido Security Suite. It is a free trial version of the program.
  2. Install ewido security suite
  3. Launch ewido, there should be an icon on your desktop double-click it.
  4. The program will now go to the main screen
STEP 4.
======
Update Ewido
You will need to update ewido to the latest definition files.
  1. On the left hand side of the main screen click update
  2. Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use Ewido manual updates

STEP 5.
======
Ewido Scan
Once the updates are installed do the following:
  1. Click on scanner
  2. Click on Complete System Scan and the scan will begin.
  3. NOTE: During some scans with ewido it is finding cases of false positives.**

    1. You will need to step through the process of cleaning files one-by-one.
    2. If ewido detects a file you KNOW to be legitimate, select none as the action.
    3. DO NOT select "Perform action on all infections"
    4. If you are unsure of any entry found select none for now.
  4. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  5. Click Save report.
  6. Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


Scan again with HijackThis

Please POST
  • a New HijackThis log
  • the results from the Ewido log

in this thread using 'Add Reply'.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Information Requested

Post by Jake_027 » December 20th, 2005, 5:05 pm

Here is the information requested:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:19:24, 20/12/2005
+ Report-Checksum: 2C3BB2FD

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Jake\Application Data\Mozilla\Firefox\Profiles\gzo1nkoq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 20:38:49, on 20/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\QUICKH~1\qhwscsvc.exe
D:\QUICKH~1\QHONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\QUICKH~1\MailSvr.exe
D:\QUICKH~1\UPSCHD.EXE
D:\QUICKH~1\QHM32.EXE
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\OmniPage SE\opware32.exe
C:\Program Files\WinPortrait\wpctrl.exe
D:\Microsoft Antispyware\gcasServ.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\iTunes\iTunesHelper.exe
C:\Program Files\WinPortrait\floater.exe
C:\WINDOWS\system32\pupxpman.exe
D:\PowerDVD\PDVDServ.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
D:\iPod Updater\iPod\bin\iPodService.exe
D:\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
D:\QUICKH~1\QHONLINE.EXE
C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
D:\AOL 9.0\aoltray.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
c:\program files\common files\aol\1133353862\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
D:\ewido anti-malware\ewidoguard.exe
D:\ewido anti-malware\ewidoctrl.exe
C:\Program Files\AOL\Broadband CheckUp\bin\MotiveBrowser.exe
C:\PROGRA~1\Motive\Common\MOTIVE~1.EXE
C:\Program Files\AOL\Broadband CheckUp\bin\mad.exe
D:\AOL 9.0\waol.exe
D:\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
D:\Microsoft Antispyware\gcasDtServ.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SE/1?http://toolbar.m ... sgrInstall
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: (no name) - {FE7953EE-25ED-40D8-A53F-066C124CE023} - D:\HistorySweep\popkill.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] D:\QUICKH~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] D:\QUICKH~1\UPSCHD.EXE /Check
O4 - HKLM\..\Run: [Quick Heal Messenger] D:\QUICKH~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Omnipage] D:\OmniPage SE\opware32.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Microsoft Antispyware\gcasServ.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] D:\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "D:\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] D:\Adobe\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Spyware Begone] "D:\Spyware BeGone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = D:\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/162107e0a29 ... xIE601.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D2023F3-6DB8-4F01-AE5D-47141F84B5F2}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\ewido anti-malware\ewidoguard.exe
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\iPod Updater\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - D:\QUICKH~1\qhwscsvc.exe
O23 - Service: Quick Heal Online Protection - Unknown owner - D:\QUICKH~1\QHONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I ran the following programs in the order they appear:

Windows Update (custom)
No Trace 1.0 (see http://www.no-trace.org/)
History Sweep 1.6 (see http://www.historysweep.com)
CW Shredder (see http://www.trendmicro.com/cwshredder)
Spybot Search and destroy 1.4 (with latest definitions) - Found Tracking cookies but nothing else
Ad Aware SE (with latest definitions) - found nothing
Spyware Begone (see http://www.spywarebegone.com) - found nothing
Microsoft Antispyware (with latest definitions) - found nothing
AOL Spyware Protection (with latest definitions) - found nothing
Quick Heal Antivirus (see http://www.quickheal.co.in) - found nothing
I checked ZoneAlarm Program access (version 6.1.737.000)
I ran PC Tools Registry mechanic 4.0 (see http://www.pctools.com/registry-mechanic/)
I ran disk defragmenter on all drives
I used AOL Computer check up (no issues found)

But hs.exe is still there in C:\Documents and Settings\Jake\Local Settings\Temp\40000010c00069dd890027\hs.exe

It hasn't really shown any symptoms, but I am concerned because of the following:

1) http://www.titan.co.nz/clint/page72.html

2) I was sent this from a guy on another forum

Home Search Assistant And about:Blank - The latest, most nasty hijacks to show up, forcing your web browser to be redirected to an about:Blank page or some search website. These programs are really a mix of spyware, homepage hijacks and trojans and are nasty to remove. We suggest you try about:Buster and\or HSRemove and follow directions to use them on the download pages.

Notes from the download pages:
About:Buster notes
Symptoms:
- IE Hijacked to res://.dll/index.html#37049 PopUps
- Specific Words on webpages link to search pages.

Important steps to getting this tool to work properly:

First unzip all files from the zip folder to a folder or your desktop. Start it and hit ok. Then hit update. A new screen should popup. On that screen hit Check for Updates. If it says it found an update hit Download Updates. If it doesn't it will automatically tell you and exit. Now for the scanning part. Hit start and then Ok. The program should start scanning. Then hit exit and reboot.

Once rebooted run about:Buster once more to make sure everything is ok. The database will be updated very frequently so check your versions once a day.
HSRemove Notes From the author:

Symptoms:
- IE Hijacked to res://.dll/index.html#37049 PopUps
- Specific Words on webpages link to search pages.

3 important steps to getting this tool to work properly:

1: Boot into safe mode by tapping the f8 key as your computer boots. You should do this before you see the Windows splash screen.

2: Also, make sure you can see hidden files; Open My Computer and choose Tools, then click on Folder Options, click on the View tab and under Advanced Setting, choose Show Hidden Files and Folders, then click on OK and close My Computer.

3: Right-click on My Computer, Choose Manage, Double-click on Services and Applications, Click on Services. In the right-hand column find "Network Security Service", and double-click on it. (In Safe Mode this may already be stopped) Choose Stop and then write down the name and path of the file in the "Path to Executable" section. Set the Startup Type to Disabled. Click Ok. Close the Computer Management window.


Limitations: When finished, you will get a web page saying it worked as your home page. This is normal. You will need to reset your home page manually via tools, internet options. We have run the tool, it is spyware free and appears to not cause any problems. That said, you should have your computer backed up when installing any third party applications.

3) This file wasn't there until two weeks ago, and I cannot delete it. It is obviously not from another program, as it would say the file is missing and needed. Also, why would it be in my temp files?

4) I can no longer access C:\Documents and Settings\Jake\Local Settings\History. If I try windows explorer crashes and comes up with the send error report, don't send, etc screen. This wasn't happening until hs.exe came along.

5) Because of all this I am worried my PC may be hacked and my data stolen, as I use it for all internet activities.

I highly doubt it is from a porn site as I do not use these and even if I were to be redirected I have ZoneAlarm on.

Thanks again for the help, I hope this is what you needed
Jake_027
Active Member
Posts: 5
Joined: December 18th, 2005, 4:36 pm
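The log above is triaged by hand in this thread; the following added example (not a MalwareRemoval.com or HijackThis tool) shows the same first pass done programmatically. It parses HijackThis-style lines, then flags the things a helper looks at first: a process running from a Temp directory, entries marked "(file missing)", an R0 start page whose host is not on a small allow-list, and O17 DNS server overrides to confirm against the ISP. The allow-list of home-page hosts is an assumption for the example; the sample log is constructed from a few lines of the log posted above. Findings are things to review, not verdicts.

```python
import re
from urllib.parse import urlparse

# Constructed sample assembled from a few lines of the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
D:\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D2023F3-6DB8-4F01-AE5D-47141F84B5F2}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Home-page hosts the owner recognises; anything else on an R0 line gets a look.
# This allow-list is an assumption for the example, not part of HijackThis.
KNOWN_HOMEPAGE_HOSTS = {"uk.msn.com", "www.msn.com", "www.google.com"}

# HijackThis entry lines look like "O23 - Service: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Split a HijackThis log into (running processes, [(section, body), ...])."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
    return processes, entries


def triage(text):
    """Return (kind, detail) findings that deserve a human look; none is a verdict."""
    processes, entries = parse_log(text)
    findings = []
    # Installed software rarely runs out of a Temp directory.
    for proc in processes:
        if "\\temp\\" in proc.lower():
            findings.append(("temp-exec", proc))
    for section, body in entries:
        if "(file missing)" in body:      # orphaned registration: leftover or broken install
            findings.append(("file-missing", f"{section} - {body}"))
        if section == "R0" and "start page" in body.lower():
            url = body.split("=", 1)[1].strip()
            if (urlparse(url).hostname or "") not in KNOWN_HOMEPAGE_HOSTS:
                findings.append(("start-page", url))
        if section == "O17":              # DNS override: confirm the address belongs to the ISP
            findings.append(("dns-server", body))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'temp-exec': 1, 'file-missing': 2, ...}."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:12} {detail}")
```

On the sample it reports the Temp-resident hs.exe, the two "(file missing)" entries, the hsremove.com start page and the single NameServer line; the uk.msn.com start page is on the allow-list and is not reported.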

Unread postby Susan528 » December 20th, 2005, 5:35 pm

Hi Jake,

Let's try this to delete that hs.exe file.

C:\Documents and Settings\Jake\Local Settings\Temp\40000010c00069dd890027\hs.exe


STEP 1.
======
Cleanmgr
To clean temporary files:
  1. Go > start > run and type cleanmgr and click OK
  2. Scan your system for files to remove.
  3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  4. Click OK to remove those files.
  5. Click Yes to confirm deletion.


STEP 2.( Windows XP only)
======
Prefetch Folder
Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder itself


STEP 3.
======
Delete Files with Killbox

Download Pocket Killbox from http://www.bleepingcomputer.com/files/killbox.php and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
Double-click on KillBox.exe to launch the program. It is the red circle with a large white X in it
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\Documents and Settings\Jake\Local Settings\Temp\40000010c00069dd890027\hs.exe


In Killbox click on the File menu and then the Paste from Clipboard item
in the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
(Please note that the tool checks your computer for the presence of the files pasted into the box so if files are not present, it is possible that you might not see all files you pasted into the box.)
Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)

Please post another hijackthis log using Reply.
==========
Susan528
MRU Master
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
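The "Delete on Reboot" step above, and the PendingFileRenameOperations warning it mentions, rely on a registry value that Windows processes at the next boot: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, a REG_MULTI_SZ read in pairs of source path and destination, where an empty destination means delete and a destination beginning with "!" means replace an existing file. The following added example (not Killbox's code) decodes such a value so a helper can see exactly what is queued before rebooting. The bytes are constructed for the example, the second queued operation uses made-up paths, and nothing here touches a live registry.

```python
# Decode the PendingFileRenameOperations REG_MULTI_SZ value that "Delete on Reboot"
# style tools write under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.
# Strings come in pairs: source, then destination. Empty destination = delete at next
# boot; a destination starting with "!" = replace an existing file. Paths carry the
# NT "\??\" prefix. Everything below works on constructed bytes, not a live registry.

NT_PREFIX = "\\??\\"


def encode_multi_sz(strings):
    """Build REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, list NUL-terminated."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_multi_sz(raw):
    """Inverse of encode_multi_sz; keeps empty strings, which carry meaning here."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]
    elif text.endswith("\0"):
        text = text[:-1]
    return text.split("\0") if text else []


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pair_operations(strings):
    """Turn the flat string list into (action, source, destination) tuples.
    Works directly on the list winreg.QueryValueEx returns for a REG_MULTI_SZ."""
    ops = []
    for i in range(0, len(strings) - 1, 2):   # an odd trailing string is ignored
        src = strip_nt_prefix(strings[i])
        dst = strings[i + 1]
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", src, strip_nt_prefix(dst)))
    return ops


def pending_operations(raw):
    """Raw registry bytes -> list of queued operations."""
    return pair_operations(decode_multi_sz(raw))


# Constructed sample: one queued delete (the file from this thread) and one queued
# replace with made-up paths.
SAMPLE_VALUE = encode_multi_sz([
    NT_PREFIX + r"C:\Documents and Settings\Jake\Local Settings\Temp\40000010c00069dd890027\hs.exe",
    "",
    NT_PREFIX + r"C:\WINDOWS\Temp\update.tmp",
    "!" + NT_PREFIX + r"C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    for action, src, dst in pending_operations(SAMPLE_VALUE):
        print(f"{action:8} {src} -> {dst}")
```

On Windows, `winreg.QueryValueEx` already returns the REG_MULTI_SZ as a list of strings, so `pair_operations` can be applied to it directly; if the value is absent or empty after a reboot, the queued operation either ran or was cleared by something else, which is the situation the Killbox note about an "External Process" describes.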

Unread postby Jake_027 » December 20th, 2005, 6:24 pm

Logfile of HijackThis v1.99.1
Scan saved at 22:20:21, on 20/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\ewido anti-malware\ewidoctrl.exe
D:\ewido anti-malware\ewidoguard.exe
D:\HistorySweep\HSSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\QUICKH~1\qhwscsvc.exe
D:\QUICKH~1\QHONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\QUICKH~1\MailSvr.exe
D:\QUICKH~1\UPSCHD.EXE
D:\QUICKH~1\QHM32.EXE
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\OmniPage SE\opware32.exe
C:\Program Files\WinPortrait\wpctrl.exe
D:\Microsoft Antispyware\gcasServ.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Microsoft Antispyware\gcasDtServ.exe
D:\iTunes\iTunesHelper.exe
D:\QUICKH~1\QHONLINE.EXE
D:\iPod Updater\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Jake\LOCALS~1\Temp\40000010c00069dd890027\hs.exe
C:\WINDOWS\system32\pupxpman.exe
D:\PowerDVD\PDVDServ.exe
D:\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Spyware BeGone\SpywareBeGone.exe
c:\program files\common files\aol\1133353862\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
D:\Adobe\Reader\reader_sl.exe
D:\AOL 9.0\aoltray.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
D:\AOL 9.0\waol.exe
D:\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
D:\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SE/1?http://toolbar.m ... sgrInstall
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: (no name) - {FE7953EE-25ED-40D8-A53F-066C124CE023} - D:\HistorySweep\popkill.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] D:\QUICKH~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] D:\QUICKH~1\UPSCHD.EXE /Check
O4 - HKLM\..\Run: [Quick Heal Messenger] D:\QUICKH~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Omnipage] D:\OmniPage SE\opware32.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Microsoft Antispyware\gcasServ.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] D:\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "D:\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] D:\Adobe\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Spyware Begone] "D:\Spyware BeGone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = D:\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/162107e0a29 ... xIE601.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D2023F3-6DB8-4F01-AE5D-47141F84B5F2}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\ewido anti-malware\ewidoguard.exe
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\iPod Updater\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - D:\QUICKH~1\qhwscsvc.exe
O23 - Service: Quick Heal Online Protection - Unknown owner - D:\QUICKH~1\QHONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I'd love to say Killbox worked but it didn't. hs.exe is still there and still in the folder, only now it has the hidden box ticked.

It's increasingly looking like a complete reinstall, isn't it :(

Jake
Jake_027
Active Member
Posts: 5
Joined: December 18th, 2005, 4:36 pm

Unread postby Susan528 » December 20th, 2005, 10:28 pm

Hello Jake,

You have not complained of symptoms that I would associate with Smitfraud/SpyAxe, but I have found a few logs where victims with the hs.exe file went through the fix and the file was removed. So let's do the following below. I know you have run many scans but please do the scans as called for and in the order given. If you have already downloaded programs, just be sure to check for updates in case there happen to be some.

Cleanmgr
To clean temporary files:
  1. Go > start > run and type cleanmgr and click OK
  2. Scan your system for files to remove.
  3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  4. Click OK to remove those files.
  5. Click Yes to confirm deletion.

Smitfraud Fix

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/162107e0a29 ... xIE601.cab

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis log, the contents of smitfiles.txt and the Ewido log by using Add Reply.
Let us know if any problems persist.
Susan528
MRU Master
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Scans

Unread postby Jake_027 » December 21st, 2005, 4:55 pm

Logfile of HijackThis v1.99.1
Scan saved at 20:51:05, on 21/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
D:\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\QUICKH~1\qhwscsvc.exe
D:\QUICKH~1\QHONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\QUICKH~1\MailSvr.exe
D:\QUICKH~1\UPSCHD.EXE
D:\QUICKH~1\QHM32.EXE
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\OmniPage SE\opware32.exe
C:\Program Files\WinPortrait\wpctrl.exe
D:\Microsoft Antispyware\gcasServ.exe
C:\Program Files\WinPortrait\floater.exe
C:\WINDOWS\VM_STI.EXE
D:\Microsoft Antispyware\gcasDtServ.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
D:\iTunes\iTunesHelper.exe
D:\iPod Updater\iPod\bin\iPodService.exe
D:\QUICKH~1\QHONLINE.EXE
C:\Temp\40000010c00069dd890027\hs.exe
C:\WINDOWS\system32\pupxpman.exe
D:\PowerDVD\PDVDServ.exe
D:\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Spyware BeGone\SpywareBeGone.exe
D:\AOL 9.0\aoltray.exe
c:\program files\common files\aol\1133353862\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1133353862\ee\AOLServiceHost.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
D:\AOL 9.0\waol.exe
D:\AOL 9.0\shellmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SE/1?http://toolbar.m ... sgrInstall
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: (no name) - {FE7953EE-25ED-40D8-A53F-066C124CE023} - D:\HistorySweep\popkill.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Quick Heal e-mail Protection] D:\QUICKH~1\MailSvr.exe
O4 - HKLM\..\Run: [QH Live Update Scheduler] D:\QUICKH~1\UPSCHD.EXE /Check
O4 - HKLM\..\Run: [Quick Heal Messenger] D:\QUICKH~1\QHM32.EXE
O4 - HKLM\..\Run: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /LOADRUN
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [Omnipage] D:\OmniPage SE\opware32.exe
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [gcasServ] "D:\Microsoft Antispyware\gcasServ.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Quick Heal On-Line Protection] D:\QUICKH~1\CATEYE.EXE
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133353862\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [GhostSurf Reminder] "D:\GhostSurf 2005\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /check
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] D:\Adobe\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [Spyware Begone] "D:\Spyware BeGone\SpywareBeGone.exe" -FastScan
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = D:\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computerc ... diagcc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D2023F3-6DB8-4F01-AE5D-47141F84B5F2}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\ewido anti-malware\ewidoguard.exe
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\iPod Updater\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Heal Helper Service WSC (qhwscsvc) - Unknown owner - D:\QUICKH~1\qhwscsvc.exe
O23 - Service: Quick Heal Online Protection - Unknown owner - D:\QUICKH~1\QHONSVC.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: 21/12/2005
The current time is: 19:51:45.39

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:37:19, 21/12/2005
+ Report-Checksum: EB9E3F6

+ Scan result:

No infected objects found.


::Report End

And Panda gave nothing.

However, when I first booted up after doing all this, the properties displayed were MS-DOS properties, so I'm pretty sure it's this (http://www.titan.co.nz/clint/page72.html). Is there any way I can run it in DOS and damage it, without damaging my PC, as this page says to do?

Thanks

Jake
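The log above is the sort of thing a helper reads by hand: O4 autostart entries, the O17 NameServer line and the O23 services, looking for orphaned "(file missing)" entries, services with no publisher string, binaries launched from temp or profile folders, and resolvers that do not belong to the user's ISP. The script below is an added example (it is not part of this thread and not HijackThis code) that applies those same checks to pasted HijackThis lines. The sample lines are copied from the log posted above, except the final O4 line for hs.exe, which is constructed for this example so the temp-directory rule has something to fire on; the flagging rules and the `known_resolvers` parameter are this example's own assumptions, and a flag means "look at this first", not "this is malware".

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re

# Sample input. All lines except the last are copied from the log posted in
# this thread. The last O4 line is CONSTRUCTED for this example (it is not in
# the posted log) so that the temp-directory rule below has a hit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HistorySweep] "D:\HISTOR~1\HistorySweep.exe" /autostart
O4 - HKLM\..\Run: [mspwr] C:\WINDOWS\system32\pupxpman.exe
O4 - HKLM\..\RunOnce: [Quick Heal Startup Scan] D:\QUICKH~1\QHSTRT32.EXE /check
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = D:\AOL 9.0\aoltray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D2023F3-6DB8-4F01-AE5D-47141F84B5F2}: NameServer = 205.188.146.145
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: HistorySweepService - Unknown owner - D:\HistorySweep\HSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O4 - HKLM\..\Run: [hs] C:\Temp\40000010c00069dd890027\hs.exe
"""

# Line shapes as HijackThis 1.99 prints them (assumed from the log above).
O4_REG = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_STARTUP = re.compile(r'^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$')
O17_NS = re.compile(r'^O17 - .*: NameServer = (?P<ns>[0-9.,]+)')
O23_SVC = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
EXE = re.compile(r'"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

# Directories an autostart binary normally has no business living in (assumption).
SUSPECT_DIRS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\",
                "\\local settings\\", "\\application data\\")


def _entry(section, ident, cmd):
    """Build one record from a command line or service path."""
    m = EXE.match(cmd)
    exe = m["exe"] if m else cmd.split()[0].strip('"')
    return {"section": section, "ident": ident, "exe": exe, "owner": "",
            "missing": "(file missing)" in cmd, "nameservers": []}


def parse_entries(log_text):
    """Parse O4, O17 and O23 lines; other HijackThis sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_REG.match(line)
        if m:
            entries.append(_entry("O4", f"{m['hive']}\\..\\{m['key']} [{m['name']}]", m["cmd"]))
            continue
        m = O4_STARTUP.match(line)
        if m:
            entries.append(_entry("O4", f"{m['hive']}: {m['name']}", m["cmd"]))
            continue
        m = O17_NS.match(line)
        if m:
            entries.append({"section": "O17", "ident": "NameServer", "exe": "", "owner": "",
                            "missing": False, "nameservers": m["ns"].split(",")})
            continue
        m = O23_SVC.match(line)
        if m:
            e = _entry("O23", m["name"], m["path"])
            e["owner"] = m["owner"]
            entries.append(e)
    return entries


def reasons_for(entry, known_resolvers):
    """Return the list of reasons a helper would want to look at this entry."""
    why = []
    if entry["section"] == "O17":
        # O17 is where DNS hijackers live: any resolver you cannot account for gets checked.
        for ns in entry["nameservers"]:
            if ns not in known_resolvers:
                why.append(f"DNS resolver {ns} is not in your known list; confirm it is your ISP's")
        return why
    if entry["missing"]:
        why.append("registry points at a file that no longer exists (orphaned entry)")
    if entry["section"] == "O23" and entry["owner"].lower() == "unknown owner":
        why.append("service binary carries no company/publisher string; inspect the file on disk")
    low = entry["exe"].lower()
    if not re.match(r"^[a-z]:\\", low):
        why.append("relative path; resolved through PATH, which an attacker can influence")
    elif any(d in low for d in SUSPECT_DIRS):
        why.append("runs from a temp or user-profile directory")
    return why


def triage(log_text, known_resolvers=frozenset()):
    """Return (section, identifier, path-or-resolver, reasons) for every flagged entry."""
    flagged = []
    for e in parse_entries(log_text):
        why = reasons_for(e, known_resolvers)
        if why:
            flagged.append((e["section"], e["ident"], e["exe"] or ",".join(e["nameservers"]), why))
    return flagged


if __name__ == "__main__":
    for section, ident, target, why in triage(SAMPLE_LOG):
        print(f"{section} {ident} -> {target}")
        for w in why:
            print(f"    * {w}")
```

Run as-is it flags four entries: the O17 resolver (because no known resolvers were supplied), the orphaned AOL Spyware Protection service, HistorySweepService for its missing publisher string, and the constructed hs.exe line for living under C:\Temp. Passing `known_resolvers={"205.188.146.145"}` silences the O17 flag once you have confirmed that address is your ISP's (here it is in AOL's range, which fits the AOL dial-up software in the log). Note that the "Unknown owner" rule fires on HistorySweepService exactly as a human reviewer would have, and in this thread that file turned out to be legitimate: the flag tells you where to look, not what you will find.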

Post by Susan528 » December 22nd, 2005, 12:49 am

Hello Jake,

I see that the file still remains. I have a friend with connections to the anti-virus companies and with the developer who wrote the smitRem fix. He would like to obtain the file for analysis.

Please zip the file and email the file
C:\Temp\40000010c00069dd890027\hs.exe

to the following address:
wng_z3r0(at)spywarewarrior.com
Replace the (at) in the address above with @

He will let us know what the analysis shows.

If you need more instructions, please reply.

Thanks,
Susan

Post by NonSuch » January 1st, 2006, 5:25 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance, then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link: Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Post by wng_z3r0 » January 4th, 2006, 7:56 pm

Just for future reference, hs.exe is a legitimate program and is part of History Sweeper:
http://www.tomdownload.com/internet/onl ... _sweep.htm

wng