Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

3 trojan viruses :(

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

3 trojan viruses :(

Unread postby swp110 » March 27th, 2006, 7:05 pm

i have a laptop running windows xp and ie version6 ....i came home from work the other night and my boyfriend said the computer was acting funny so i ran AVG scan and found 3 trojan viruses. trojan horse proxy.BPR, trojan horse generic.RSO, and trojan horse downloader generic.VGO. it said it healed the files but then 5 mins later they were back. now about everyday i get rid of them and then they are all back the next day. i am at a loss as to what to do. i do not want to wipe out my whole comp and start over but i have to do something about this. my computer randomly doesnt work or shuts off and when i restart it dosent reboot correctly..its as if it were forced to restart. i have tried to run scans in safe mode but no luck. i also have adaware and spybot but they havent found anything. i appreciate any help, thanks

Logfile of HijackThis v1.99.1
Scan saved at 5:54:37 PM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1137043091\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1137043091\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1137043091\ee\aolssc.exe
C:\Program Files\AIM\aim.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/e-center
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137043091\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1137043091\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1137043091\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/share ... insctl.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://isupport4.hp.com/awebui/jsp/answ ... anager.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4084546325
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/i ... downls.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/share ... cgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
swp110
Regular Member
 
Posts: 18
Joined: March 10th, 2005, 9:03 am
Advertisement
Register to Remove

Unread postby agrarianmonk » March 27th, 2006, 7:07 pm

Hi swp110

Welcome to the Malware Removal forums. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a MR Staff Expert reviews my fix, I will post it for you.
In the mean time, if any problems occur. Please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby agrarianmonk » March 27th, 2006, 7:39 pm

You have been infected by Trojan.Abwiz.F, a Trojan horse with rootkit abilities that downloads and executes remote files and sends confidential computer information to a remote attacker. The Trojan also allows a remote attacker to perform various unauthorized actions on the compromised computer.

Its very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing other rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing that has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to backup your information, reformat, and reinstall.

I also recommend that you disconnect this machine from the internet NOW!

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passords and transaction information.


If you do wish to try to clean your computer, please follow these instructions:

You may want to print out these instructions or copy them to notepad since you will not have internet access during some of our fixes

**********************************

Download FixAbwiz.exe here and save it to your desktop.

**********************************

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

************************************
# Double-click the FixAbwiz.exe file to start the removal tool.
# Click Start to begin the process, and then allow the tool to run.

Please let me know in your next post if anything was found.

************************************

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please delete these files using Windows Explorer(if present):

C:\WINDOWS\system32\taskdir.exe


*************************************

Reboot into normal mode

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

**********************************

In your next post, please include

  • Kaspersky scan report
  • new HijackThis Log


Also, Let us know if FixAbwiz.exe found anything and/or if any problems persist.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

new logs

Unread postby swp110 » March 28th, 2006, 2:22 am

here are the latest logs. abwiz fix didnt find anything on my computer, i deleted those 2 tings in hijack this, the other file in windows explorer wasnt there


Tuesday, March 28, 2006 1:13:28 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 28/03/2006
Kaspersky Anti-Virus database records: 184451


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 55827
Number of viruses found 11
Number of infected objects 35
Number of suspicious objects 0
Duration of the scan process 01:39:41

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Owner\Desktop\My Pictures\102761.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\102761.exe WiseSFX: infected - 1 skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0003/data0001 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0004 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.EZula.ac skipped

C:\Documents and Settings\Owner\My Documents\64050.exe WiseSFX: infected - 9 skipped

C:\Documents and Settings\Owner\My Documents\69552.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped

C:\Documents and Settings\Owner\My Documents\69552.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\Owner\My Documents\69552.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\Documents and Settings\Owner\My Documents\69552.exe WiseSFX: infected - 3 skipped

C:\random\11965.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\random\11965.exe WiseSFX: infected - 1 skipped

C:\random\19271.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\random\19271.exe WiseSFX: infected - 1 skipped

C:\random\79365.exe/WISE0019.BIN Infected: Virus.Win32.Parite.b skipped

C:\random\79365.exe/WISE0020.BIN Infected: Virus.Win32.Parite.b skipped

C:\random\79365.exe/WISE0021.BIN Infected: Virus.Win32.Parite.b skipped

C:\random\79365.exe/WISE0022.BIN Infected: Virus.Win32.Parite.b skipped

C:\random\79365.exe WiseSFX: infected - 4 skipped

C:\unzipped\hijackthis\backups\backup-20051220-234610-853.dll Infected: not-a-virus:Downloader.Win32.PopCap.c skipped

C:\WINDOWS\system32\prkmkjha.djg Infected: Trojan.Win32.Agent.qe skipped

Scan process completed.







Logfile of HijackThis v1.99.1
Scan saved at 1:19:40 AM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1137043091\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1137043091\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1137043091\ee\aolssc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/e-center
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137043091\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1137043091\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1137043091\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/share ... insctl.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://isupport4.hp.com/awebui/jsp/answ ... anager.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4084546325
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/i ... downls.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/share ... cgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
swp110
Regular Member
 
Posts: 18
Joined: March 10th, 2005, 9:03 am

Unread postby agrarianmonk » March 28th, 2006, 12:08 pm

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\Owner\Desktop\My Pictures\102761.exe
    C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe
    C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe
    C:\Documents and Settings\Owner\My Documents\64050.exe
    C:\Documents and Settings\Owner\My Documents\69552.exe
    C:\random\11965.exe
    C:\random\19271.exe
    C:\random\79365.exe
    C:\WINDOWS\system32\prkmkjha.djg

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

=========================

Please do another online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

**********************************

In your next post, please include

  • Kaspersky scan report
  • new HijackThis Log


Also let us know how your computer is running at the moment.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

not working

Unread postby swp110 » March 28th, 2006, 2:35 pm

i tried to use killbox like u said but i get the error msg
"PendingFileRenameOperationRegistryData has been Removed by External Process!"...not what sure what ot do now..thanks for all ur help:)
swp110
Regular Member
 
Posts: 18
Joined: March 10th, 2005, 9:03 am

Unread postby agrarianmonk » March 28th, 2006, 3:25 pm

Don't worry about the error message. Please reboot and do another online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

**********************************

In your next post, please include

  • Kaspersky scan report
  • new HijackThis Log
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

here ya go

Unread postby swp110 » March 28th, 2006, 6:22 pm

Logfile of HijackThis v1.99.1
Scan saved at 5:20:00 PM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1137043091\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1137043091\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1137043091\ee\aolssc.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/pavilion/e-center
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137043091\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1137043091\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1137043091\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/share ... insctl.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://isupport4.hp.com/awebui/jsp/answ ... anager.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4084546325
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/i ... downls.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/share ... cgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service (HpRfDev) - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)






Tuesday, March 28, 2006 5:18:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 28/03/2006
Kaspersky Anti-Virus database records: 184615


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects 55248
Number of viruses found 11
Number of infected objects 35
Number of suspicious objects 0
Duration of the scan process 02:21:12

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Owner\Desktop\My Pictures\102761.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.EZula.z skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\102761.exe WiseSFX: infected - 1 skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0003/data0001 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0004 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped

C:\Documents and Settings\Owner\My Documents\64050.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.EZula.ac skipped

C:\Documents and Settings\Owner\My Documents\64050.exe WiseSFX: infected - 9 skipped

C:\Documents and Settings\Owner\My Documents\69552.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped

C:\Documents and Settings\Owner\My Documents\69552.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\Documents and Settings\Owner\My Documents\69552.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\Documents and Settings\Owner\My Documents\69552.exe WiseSFX: infected - 3 skipped

C:\random\11965.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\random\11965.exe WiseSFX: infected - 1 skipped

C:\random\19271.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped

C:\random\19271.exe WiseSFX: infected - 1 skipped

C:\random\79365.exe/WISE0019.BIN Infected: Virus.Win32.Parite.b skipped

C:\random\79365.exe/WISE0020.BIN Infected: Virus.Win32.Parite.b skipped

C:\random\79365.exe/WISE0021.BIN Infected: Virus.Win32.Parite.b skipped

C:\random\79365.exe/WISE0022.BIN Infected: Virus.Win32.Parite.b skipped

C:\random\79365.exe WiseSFX: infected - 4 skipped

C:\unzipped\hijackthis\backups\backup-20051220-234610-853.dll Infected: not-a-virus:Downloader.Win32.PopCap.c skipped

C:\WINDOWS\system32\prkmkjha.djg Infected: Trojan.Win32.Agent.qe skipped

Scan process completed.
swp110
Regular Member
 
Posts: 18
Joined: March 10th, 2005, 9:03 am

Unread postby agrarianmonk » March 29th, 2006, 7:06 pm

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\Documents and Settings\Owner\Desktop\My Pictures\102761.exe
C:\Documents and Settings\Owner\Desktop\My Pictures\49152(2).exe
C:\Documents and Settings\Owner\Desktop\My Pictures\49152.exe
C:\Documents and Settings\Owner\My Documents\64050.exe
C:\Documents and Settings\Owner\My Documents\69552.exe
C:\random\11965.exe
C:\random\19271.exe
C:\random\79365.exe
C:\WINDOWS\system32\prkmkjha.djg


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

**************************************

Please do another online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

**********************************

In your next post, please include

  • Kaspersky scan report
  • new HijackThis Log
  • c:\avenger.txt


Also let us know how your computer is running at the moment.
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

avenger not working

Unread postby swp110 » March 29th, 2006, 9:19 pm

i tried to run avenger and after i pasted the files and hit the green light i clicked yes once then and error popped up *selected file does not appear to be a valid script* so i click ok and another error pops up *press ok to log error and continue or cancel to abort* whether i click ok or cancel one more error pops up saying *error code 1813* and it goes back to the main avenger screen... not sure what to do now since its not working??
swp110
Regular Member
 
Posts: 18
Joined: March 10th, 2005, 9:03 am

Unread postby agrarianmonk » March 29th, 2006, 10:55 pm

Hi swp110,

That error message is usually generated when a user is signed into windows w/o admin privileges. Are you signed in as the administrator? If not, please sign in as the administrator and follow the directions provided.

Thanks,
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby swp110 » March 30th, 2006, 9:31 pm

i am signed in as the admin. and i doubled checked too..any more ideas?
swp110
Regular Member
 
Posts: 18
Joined: March 10th, 2005, 9:03 am

Unread postby agrarianmonk » March 30th, 2006, 11:00 pm

do you have an error log generated by avenger? if so, could you post the contents of it?

look for C:\avenger.txt or errorlog.txt in the avenger folder.

thanks,
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby swp110 » March 31st, 2006, 7:02 pm

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: selected file does not appear to be a valid script.
Error code: 1813
swp110
Regular Member
 
Posts: 18
Joined: March 10th, 2005, 9:03 am

Unread postby agrarianmonk » March 31st, 2006, 8:40 pm

alright, let's try this:

Open a new notepad document and copy/paste the following quotebox into it.

@ECHO OFF

cd C:\Documents and Settings\Owner\Desktop\My Pictures
attrib -r -h -s 102761.exe
del /q 102761.exe
attrib -r -h -s 49152(2).exe
del /q 49152(2).exe
attrib -r -h -s 49152.exe
del /q 49152.exe
cd C:\Documents and Settings\Owner\My Documents
attrib -r -h -s 64050.exe
del /q 64050.exe
attrib -r -h -s 69552.exe
del /q 69552.exe
cd C:\random
attrib -r -h -s 11965.exe
del /q 11965.exe
attrib -r -h -s 19271.exe
del /q 19271.exe
attrib -r -h -s 79365.exe
del /q 79365.exe
cd C:\WINDOWS\system32
attrib -r -h -s prkmkjha.djg
del /q prkmkjha.djg
shutdown -r -f -t 10 -c "Rebooting to complete task."


Save the file to your Desktop as delfiles.bat... Save it as File Type All Files. Double click delfiles.bat. It will reboot your system.

**********************************

Please do another online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

**********************************

In your next post, please include

  • Kaspersky scan report
  • new HijackThis Log
User avatar
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 42 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware