Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Second try to post HJT


Post by gudda96 » March 21st, 2006, 4:11 am

I thought I had posted this yesterday, shall try again and would appreciate any help

Logfile of HijackThis v1.99.1
Scan saved at 17:00:35, on 20/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\MailWasher\MailWasher.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.google.co.uk/webhp?hl=en&tab=iw&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\saIE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\saIE.dll
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: MailWasherPro.lnk = C:\Program Files\MailWasher\MailWasher.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: http://www.nwolb.com
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/install ... nstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3926569663
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B4A9BB1-0554-44FF-8263-3FC91C2910B9}: NameServer = 62.6.40.178 194.72.9.38
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
gudda96
Regular Member
Posts: 23
Joined: March 20th, 2006, 1:48 pm

Post by SpotCheckBilly » March 21st, 2006, 8:06 pm

Hello gudda96,

Welcome to the MWR forums.

There isn't really anything that jumps out in your HijackThis log. May I have a description of the problems that you're having? Please be as detailed as possible.

There are just a couple of minor cleanup items in your HijackThis log. They are not indications of any problems, just a couple of things that you can clean up.

We need to disable Ewido real time protection or it could block some or all of the fixes.

From the system tray:
1. Right-click the system tray icon
2. Uncheck real time protection.

or

From within Ewido:
1. Under 'Your security status',
2. Deactivate it by clicking 'real time protection' until the status says 'inactive'.

Run HiJackThis and click "Scan", then check(tick) the following, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O15 - Trusted Zone: http://www.nwolb.com

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/install ... nstall.cab

With all windows closed except HiJackThis, click "Fix checked".

Along with the description of the problems/concerns you have, please include a fresh HijackThis log. :wave:

SpotCheckBilly
MRU Master
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN
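As a defender's triage aid, here is an added example that is not part of this thread: a small Python parser for HijackThis entries of the kind quoted above. It surfaces the same sorts of items the reply calls out (empty Local Page values, the KernelFaultCheck run key, Trusted Zone sites, O16 ActiveX downloads listed by host, and services HijackThis reports as missing). The sample lines are copied from the posted log; the flag rules are this example's own assumptions, not HijackThis's.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log
# posted above (not the full log). Raw string keeps the backslashes literal.
SAMPLE_LOG = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.google.co.uk/webhp?hl=en&tab=iw&q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O15 - Trusted Zone: http://www.nwolb.com
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/install ... nstall.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
'''

# "R0 - ..." / "O16 - ..." entry prefix, then the rest of the line.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# O16: "DPF: <clsid or name> (<friendly name>) - <url>"; name and url are optional.
O16_RE = re.compile(r"DPF: (\S+) (?:\(([^)]*)\) )?- ?(\S*)")


def triage(log: str) -> list[tuple[str, str]]:
    """Return (entry_type, note) for each line a reviewer should look at."""
    findings = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # process list, header lines, blanks
        kind, body = m.groups()
        if kind == "R0" and body.endswith("Local Page ="):
            findings.append((kind, "empty Local Page value; harmless, can be fixed"))
        elif kind == "O4" and "[KernelFaultCheck]" in body:
            findings.append((kind, "leftover crash-report run key; harmless, can be fixed"))
        elif kind == "O15":
            site = body.split("Trusted Zone:", 1)[-1].strip()
            findings.append((kind, f"Trusted Zone site {site}; confirm it was added on purpose"))
        elif kind == "O16":
            d = O16_RE.search(body)
            if d:
                host = urlparse(d.group(3)).hostname if d.group(3) else None
                name = d.group(2) or d.group(1)
                findings.append((kind, f"ActiveX download '{name}' from {host or 'no URL'}"))
        elif kind == "O23" and "(file missing)" in body:
            # May be a quoted path the tool did not resolve; verify the file by hand.
            findings.append((kind, "service binary reported missing; check the path manually"))
    return findings


if __name__ == "__main__":
    for kind, note in triage(SAMPLE_LOG):
        print(f"{kind}: {note}")
```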

Post by gudda96 » March 22nd, 2006, 12:10 pm

Spot Check Billy

Hi

Where do I start? Firstly, I am a reasonably experienced user, but the amount of problems I have had has overtaken my limited experience and I am virtually ready to do a reformat, which I have done before, but I can't even do that as I can't change my boot order.

I will list my problems in no particular order and I am getting by with the problems but fear it’s getting worse.

1. Can't download Windows updates since 6 Jan. I am set for auto updates and when they are due, I get the % sign in my systray but they don't download. If I go to do a manual update >> Start/Windows Updates, my window freezes.
2. Can't use my Windows defrag; when c/o defrag or analyse, NOTHING happens.
3. Lots of times I can't delete an unwanted file/folder/icon so I have to use a prog I found called Unlocker. And if I did a search and found, say, 20 unwanted files, I h/lite to delete them all at one go like you do, but no, it says I cannot delete dc10 xyz so I have to do them individually and sometimes it still leaves some behind.
4. Working in Word, after opening a saved doc, it often leaves a copy of that doc with a squiggle next to it.
5. I have had a few blue screens full of writing saying we have to close down.
6. Now and then whilst in OE, an error box appears saying
gudda96
Regular Member
Posts: 23
Joined: March 20th, 2006, 1:48 pm

Post by SpotCheckBilly » March 22nd, 2006, 7:33 pm

Hello gudda96,

OK, I think I can clear up at least some of your mysteries right off the bat.
NOTE: There is the possibility that your computer's overall instability is partially caused by accidental deletion of critical system files. Let's make certain that there is no malware before we explore that sort of possibility.

1. Lots of times I can't delete an unwanted file/folder/icon so I have to use a prog I found called Unlocker. And if I did a search and found, say, 20 unwanted files, I h/lite to delete them all at one go like you do, but no, it says I cannot delete dc10 xyz so I have to do them individually and sometimes it still leaves some behind.

Be careful using a program such as Unlocker because it will unregister ALL of the files in the folder you are working in. As a general rule, if you are sure that you want to delete a certain file, reboot your computer into Safe Mode, then delete.

2. Working in Word, after opening a saved doc, it often leaves a copy of that doc with a squiggle next to it.

Microsoft Word saves a copy of the document with the "~" next to it so that if the program (or Windows) should unexpectedly be shut down, you won't lose the document.--- This has saved my bacon more than once.

3. I often get told I can't delete because it's being used by someone.

This usually indicates that it is a running process which would have to be stopped before the file could be deleted. It's usually not a good idea to try to delete these unless you are Absolutely Certain that it is unwanted or malware.

OK, since there is no indication of malware in your HijackThis log, let's dig a little deeper.

I see that you already have ewido installed. Let's make sure that it is configured as follows, then run it.

You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido manual updates

    Once the updates are installed do the following:
  • If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Reboot into Safe Mode, you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
  • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
  • Click on scanner
  • Click on Settings
    • Under "How to scan" all boxes should be selected
    • Under "Possibly unwanted software" all boxes should be selected
    • Under "What to scan" select scan every file
    • Click OK
  • Click on Complete system scan
  • Let the program scan the machine
  • If ewido finds anything, it will pop up a notification. NOTE: We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged. In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action. DO NOT check "Perform action with all infections." If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report
  • Save the report to your desktop
  • Exit ewido
Please download SilentRunners from here:

Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

Please download ATFCleaner by Atribune©

Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox and/or Opera browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Note: For Technical Support, double-click the e-mail address located at the bottom of each menu.

Finally, let's do a Panda ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
In your next reply, please include the following:
1. The results from the ewido scan.
2. The log from Silent Runners.
3. The results from the Panda Active Scan.
4. A fresh HijackThis log file (make sure this is run in Normal Mode). :wave:

SpotCheckBilly
MRU Master
Posts: 943
Joined: February 22nd, 2005, 5:14 am
Location: Twin Cities, MN

Post by NonSuch » April 5th, 2006, 6:22 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

