Backdoor Cleaned . . . I Think


This topic is locked
9 replies to this topic

#1 bobusi - New Member, 6 posts

Posted 14 May 2007 - 10:16 AM

I got hit by a delf and a trojano and isolated them with Avast. (They ran my usage over my ISP's limit.) But I keep seeing some things that I'm not sure about, e.g. the O20 in my scan below.

Thanks so very much.

Logfile of HijackThis v1.99.1
Scan saved at 10:44:09 AM, on 5/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Earthworks\Shared\ewlicense_manager_nt.exe
C:\Program Files\Common Files\Earthworks\LicenseServices\LicenseServicesNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Earthworks\Components\process_manager_nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130195805875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130195735781
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup163.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Earthworks License Manager - Earthworks Corporation - C:\Program Files\Common Files\Earthworks\Shared\ewlicense_manager_nt.exe
O23 - Service: Earthworks License Services - Earthworks Corporation - C:\Program Files\Common Files\Earthworks\LicenseServices\LicenseServicesNT.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Process Manager - Datamine Software Ltd - C:\Program Files\Common Files\Earthworks\Components\process_manager_nt.exe
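As an added illustration (our own code, not part of this thread, HijackThis or Haxfix), a small Python triage script that applies the same checks a helper performs by eye on a HijackThis log like the one above: Winlogon Notify (O20) entries whose DLL is missing or not on an allowlist, autorun (O4) commands given as a bare filename with no directory, and services (O23) whose binary is reported missing or that have no recorded publisher. The sample lines are copied from the log above; the allowlist and the set of system launchers are assumptions made for the example, not authoritative lists.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample in HijackThis 1.99.1 format. The entries are copied from the
# log posted in this thread; only the selection is ours.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Assumed allowlists for this example only; a real triage would use a vetted,
# much larger reference of known Winlogon Notify packages and system launchers.
KNOWN_NOTIFY_DLLS = {"wgalogon.dll"}
SYSTEM_LAUNCHERS = {"rundll32.exe"}

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>[^-]+?) - (?P<dll>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*?)(?P<missing> \(file missing\))?$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section the line came from (O4, O20, O23)
    name: str     # autorun value name, Notify package name or service display name
    reason: str   # why a helper should look at it


def _executable_of(cmd: str) -> str:
    """Return the program part of an autorun command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def _check_o4(body: str) -> Optional[Finding]:
    m = O4_RE.match(body)
    if not m:
        return None
    exe = _executable_of(m.group("cmd"))
    # A bare filename is resolved by PATH search at logon, so which file actually
    # runs depends on directory order; worth confirming by hand.
    if "\\" not in exe and exe.lower() not in SYSTEM_LAUNCHERS:
        return Finding("O4", m.group("name"),
                       f"autorun '{exe}' is given without a directory; confirm which file really starts")
    return None


def _check_o20(body: str) -> Optional[Finding]:
    m = O20_RE.match(body)
    if not m:
        return None
    name, dll = m.group("name"), m.group("dll")
    base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if m.group("missing"):
        # An orphaned Notify key is the classic leftover after a backdoor's DLL has
        # been deleted: inert now, but evidence that something was registered there.
        return Finding("O20", name,
                       f"Winlogon Notify DLL '{base}' no longer exists; orphaned registration left by a removed component")
    if base not in KNOWN_NOTIFY_DLLS:
        # Notify packages load inside winlogon.exe at logon, so an unknown one needs a publisher check.
        return Finding("O20", name,
                       f"Winlogon Notify DLL '{base}' is not on the allowlist; verify its publisher")
    return None


def _check_o23(body: str) -> Optional[Finding]:
    m = O23_RE.match(body)
    if not m:
        return None
    display, owner, path = m.group("display"), m.group("owner"), m.group("path")
    if m.group("missing"):
        reason = "service binary reported missing"
        if '"' in path:
            # Heuristic: a stray quote followed by arguments usually means the log tool
            # mis-split a quoted ImagePath; read the real ImagePath before acting on it.
            reason += "; path carries a stray quote and arguments, likely a log parsing artifact, so check the real ImagePath first"
        return Finding("O23", display, reason)
    if owner == "Unknown owner":
        return Finding("O23", display, "service has no recorded publisher; verify the binary's origin")
    return None


CHECKS: Dict[str, Callable[[str], Optional[Finding]]] = {"O4": _check_o4, "O20": _check_o20, "O23": _check_o23}


def triage(log_text: str) -> List[Finding]:
    """Run the section checks over a HijackThis log and collect what needs a human look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        if check is None:
            continue
        finding = check(m.group("body"))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name}: {f.reason}")
```

Run on the sample it reports the orphaned xartcd5 Notify key, the bare ALCXMNTR.EXE autorun, and the avast! Mail Scanner service line, while leaving WgaLogon, the rundll32 autorun and the fully pathed avast! Antivirus service alone. The output is a list of things to verify, not a verdict: the thread itself shows that the same "(file missing)" marker can mean an orphaned backdoor key (O20) or a harmless quoting artifact (O23).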


#2 Rogue - Authentic Member, 179 posts

Posted 14 May 2007 - 08:39 PM

Hi bobusi,

Welcome to Tom Coyote Forums

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Since there may be other issues with your system besides your original symptoms, please continue to follow this thread until I have given you an "All Clean".
If you can do these things, everything should go smoothly.

Ready? Let's go.

*=========================*

Download Haxfix
http://users.telenet...ools/haxfix.exe
Double click on haxfix.exe to install the program. (standard installation path is c:\program Files\haxfix)
Checkmark Create a desktop icon.
Click Next
When the installation is completed, make sure that the checkmark Launch haxfix is placed.
Click Finish
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
4. Goldunfix
E. Exit Haxfix

Select option "1. Make Logfile" by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
Please post the contents of the log file in your next post.
*========================*

Show Uninstall List with Hijackthis
This is how you do that:
Open HiJackThis
Click on the tab "Open the Misc Tools Session"
Click on the Box that says "Uninstall Manager"
Click on the button "Save list"
Copy and paste the list from Notepad into your post
*=========================*

Please post the following:

Haxfix log (c:\haxfix.txt)
Uninstall List
New hijackthis log

Thanks,

Rogue

Trained at MalWare Removal University - A Cooperative Effort with WhatTheTech Classroom

#3 bobusi - New Member, 6 posts

Posted 21 May 2007 - 06:26 PM

Rogue, sorry for the late reply. Got swamped at work.
Thanks for the meticulous instructions.
Here are my logs:

HAXFIX logfile - by Marckie

version 4.43
Mon 05/21/2007 18:58:20.10

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
Aspi32

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
xartcd5

checking for services
xartcd7

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 18:58:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\serv.txt

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!

Uninstall list

Abacast Client
Ad-Aware SE Personal
Adobe Acrobat 8 Professional
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
All Editor 2.4.3
APC PowerChute Personal Edition
ArcSoft ShowBiz
AutoCAD LT
AutoCAD LT 97
avast! Antivirus
Core FTP LE 1.3c
Corpscon 6.0.1
Crystal Reports for ESRI
Datamine Studio v2.1.1518.7
Datamine Table Editor v3
DisplayIT 2
Earthworks Data Source Drivers v3.0.1607.0
Earthworks Downhole Explorer v3.1.1530.0
Google Desktop Search
Google Earth
Google Toolbar for Internet Explorer
Grapher 6
GTK+ 2.6.7 runtime environment
HaxFix 4.43
HijackThis 1.99.1
HP Designjet 500 - 800 series
hp deskjet 6122
hp deskjet 6122 series
hp instant support
HP Memories Disc
hp officejet 7100 series
hp officejet 7100 series corporate driver
HP Photo and Imaging 2.0 - Scanners
iISystem Wiper 2.4
ImageMixer VCD/DVD2 for OLYMPUS
Index.dat Suite
iTunes
IZArc 3.5 beta 2
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
JD Secure 3.1
LimeWire PRO 4.10.9
Logitech Desktop Messenger
Logitech MouseWare 9.79
Logitech Resource Center
Lotus NotesSQL 2.06 driver
Macromedia Dreamweaver 8
Macromedia Extension Manager
MeasureIT 2
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
MSXML 4.0 SP2 (KB927978)
MyDVD
NVIDIA Drivers
OASIS montaj 5
OLYMPUS Master
QuickTime
Real Alternative 1.44
Realtek AC'97 Audio
Rosetta Stone 2.1.3.0A
SmartFTP
Sony ACID Music Studio 6.0a
Spybot - Search & Destroy 1.4
Surfer 8
The Rosetta Stone
Update for Windows XP (KB894391)
Windows Genuine Advantage v1.3.0254.0
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781
Windows XP Service Pack 2


Logfile of HijackThis v1.99.1
Scan saved at 7:10:10 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Earthworks\Shared\ewlicense_manager_nt.exe
C:\Program Files\Common Files\Earthworks\LicenseServices\LicenseServicesNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Earthworks\Components\process_manager_nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130195805875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130195735781
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup163.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Earthworks License Manager - Earthworks Corporation - C:\Program Files\Common Files\Earthworks\Shared\ewlicense_manager_nt.exe
O23 - Service: Earthworks License Services - Earthworks Corporation - C:\Program Files\Common Files\Earthworks\LicenseServices\LicenseServicesNT.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Process Manager - Datamine Software Ltd - C:\Program Files\Common Files\Earthworks\Components\process_manager_nt.exe

#4 Rogue - Authentic Member, 179 posts

Posted 22 May 2007 - 09:42 PM

Hi bobusi

Welcome back. Let's see if we can get you cleaned up.

Remove Programs
Please Click Start > Control Panel > Add/Remove Programs

Remove these programs by clicking Remove
J2SE Runtime Environment 5.0 Update 3

If some programs listed are not present, please do not panic
*=========================*

Open HaxFix.bat from your desktop or navigate to c:\program Files\haxfix
Read the warning and press any key to continue
Select option "2. Auto Fix" by typing 2 and then pressing Enter.
You'll get a message to close all other open windows.
Close all open windows except the red dos window from Haxfix and then press Enter.
The computer will reboot.
After reboot a logfile will open. (c:\haxfix.txt) Please post the contents of that log.
*=========================*

Start HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked
*=========================*

Run Kaspersky Online AV Scanner
Using Internet Explorer, go to http://www.kaspersky.com/virusscanner and click the Kaspersky Online Scanner button.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
*=========================*

Please post the following:
c:\haxfix.txt
Kaspersky log
New hijackthis log

Thanks,

Rogue

Edited by R0gue, 22 May 2007 - 10:33 PM.
Edit HJT line removal

Trained at MalWare Removal University - A Cooperative Effort with WhatTheTech Classroom

#5 bobusi - New Member, 6 posts

Posted 23 May 2007 - 12:58 PM

Rogue, looks like I may still have some boogers. But the machine is actually running like normal.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 23, 2007 1:36:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/05/2007
Kaspersky Anti-Virus database records: 328220
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 161337
Number of viruses found: 5
Number of infected objects: 14 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:59:21

Infected Object Name / Virus Name / Last Action
C:\Back 40 Network\Assays\2006\QFP Contacts w Ag.xls Object is locked skipped
C:\Back 40 Network\Assays\2007\90 Zone table all holes.xls Object is locked skipped
C:\Back 40 Network\Assays\Gold Summary.xlsx Object is locked skipped
C:\Back 40 Network\Assays\~$Gold Summary.xlsx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\msw\BMan.exe Infected: not-a-virus:AdWare.Win32.Searcher.m skipped
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe Infected: not-a-virus:AdWare.Win32.Searcher.h skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodeceMedia.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodeceMedia.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Bob Mahin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bob Mahin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bob Mahin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bob Mahin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bob Mahin\Local Settings\History\History.IE5\MSHist012007052320070524\index.dat Object is locked skipped
C:\Documents and Settings\Bob Mahin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\inbox/[From "Sonicbids Member Relations" <support@sonicbids.com>][Date Fri, 26 May 2006 15:37:28 -0400]/UNNAMED/[From "PayPal Security Service" <service@paypal.com>][Date Fri, 26 May 2006 19:29:29 -0500]/html Infected: Trojan-Spy.HTML.Paylap.cb skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\inbox/[From "Sonicbids Member Relations" <support@sonicbids.com>][Date Fri, 26 May 2006 15:37:28 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.cb skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\inbox Mail Berkeley mbox: infected - 2 skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash/[From "advanced view" <qimhljxfoug@psg-online.com>][Date Sun, 9 Jul 2006 23:00:02 -0200]/UNNAMED/[From "Denver Rocha" <tkuehnel@zapf.com>][Date Tue, 11 Jul 2006 00:49:11 +0300]/UNNAMED/[From "memory probably" <somrjfpjjfi@potindia.com>][Date Tue, 11 Jul 2006 07:38:28 -0200]/text/[From "could" <owwdlqkjesq@southerncomfort.com>][Date Wed, 12 Jul 2006 08:51:06 -0200]/UNNAMED/[From "Eileen Varne ... /[From narcolepsyworld@hotmail.com][Date Sun, 16 Jul 2006 08:00:04 - ... /document.pif Infected: Net-Worm.Win32.Mytob.dam skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash/[From "advanced view" <qimhljxfoug@psg-online.com>][Date Sun, 9 Jul 2006 23:00:02 -0200]/UNNAMED/[From "Denver Rocha" <tkuehnel@zapf.com>][Date Tue, 11 Jul 2006 00:49:11 +0300]/UNNAMED/[From "memory probably" <somrjfpjjfi@potindia.com>][Date Tue, 11 Jul 2006 07:38:28 -0200]/text/[From "could" <owwdlqkjesq@southerncomfort.com>][Date Wed, 12 Jul 2006 08:51:06 -0200]/UNNAMED/[From "Eileen Varne ... /[From narcolepsyworld@hotmail.com][Date Sun, 16 Jul 2006 08:00:04 -0500]/document.zip Infected: Net-Worm.Win32.Mytob.dam skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash/[From "advanced view" <qimhljxfoug@psg-online.com>][Date Sun, 9 Jul 2006 23:00:02 -0200]/UNNAMED/[From "Denver Rocha" <tkuehnel@zapf.com>][Date Tue, 11 Jul 2006 00:49:11 +0300]/UNNAMED/[From "memory probably" <somrjfpjjfi@potindia.com>][Date Tue, 11 Jul 2006 07:38:28 -0200]/text/[From "could" <owwdlqkjesq@southerncomfort.com>][Date Wed, 12 Jul 2006 08:51:06 -0200]/UNNAMED/[From "Eileen Varner" ... /[From "Adam" <thomas@evansville.edu>][Date Fri, 14 Jul 2006 12:05:32 +0100]/UNNAMED Infected: Net-Worm.Win32.Mytob.dam skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash/[From "advanced view" <qimhljxfoug@psg-online.com>][Date Sun, 9 Jul 2006 23:00:02 -0200]/UNNAMED/[From "Denver Rocha" <tkuehnel@zapf.com>][Date Tue, 11 Jul 2006 00:49:11 +0300]/UNNAMED/[From "memory probably" <somrjfpjjfi@potindia.com>][Date Tue, 11 Jul 2006 07:38:28 -0200]/text/[From "could" <owwdlqkjesq@southerncomfort.com>][Date Wed, 12 Jul 2006 08:51:06 -0200]/UNNAMED/[From "Eileen Varner" <RogerVilla@altadena-pasadena.com>][Date Wed, 12 Jul 2006 06:09:00 -0700]/UNNAMED Infected: Net-Worm.Win32.Mytob.dam skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash/[From "advanced view" <qimhljxfoug@psg-online.com>][Date Sun, 9 Jul 2006 23:00:02 -0200]/UNNAMED/[From "Denver Rocha" <tkuehnel@zapf.com>][Date Tue, 11 Jul 2006 00:49:11 +0300]/UNNAMED/[From "memory probably" <somrjfpjjfi@potindia.com>][Date Tue, 11 Jul 2006 07:38:28 -0200]/text/[From "could" <owwdlqkjesq@southerncomfort.com>][Date Wed, 12 Jul 2006 08:51:06 -0200]/UNNAMED Infected: Net-Worm.Win32.Mytob.dam skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash/[From "advanced view" <qimhljxfoug@psg-online.com>][Date Sun, 9 Jul 2006 23:00:02 -0200]/UNNAMED/[From "Denver Rocha" <tkuehnel@zapf.com>][Date Tue, 11 Jul 2006 00:49:11 +0300]/UNNAMED/[From "memory probably" <somrjfpjjfi@potindia.com>][Date Tue, 11 Jul 2006 07:38:28 -0200]/text Infected: Net-Worm.Win32.Mytob.dam skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash/[From "advanced view" <qimhljxfoug@psg-online.com>][Date Sun, 9 Jul 2006 23:00:02 -0200]/UNNAMED/[From "Denver Rocha" <tkuehnel@zapf.com>][Date Tue, 11 Jul 2006 00:49:11 +0300]/UNNAMED Infected: Net-Worm.Win32.Mytob.dam skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash/[From "advanced view" <qimhljxfoug@psg-online.com>][Date Sun, 9 Jul 2006 23:00:02 -0200]/UNNAMED Infected: Net-Worm.Win32.Mytob.dam skipped
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash Mail Berkeley mbox: infected - 8 skipped
C:\Documents and Settings\Bob Mahin\ntuser.dat Object is locked skipped
C:\Documents and Settings\Bob Mahin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1F1E28E0-3ECD-4791-959D-179FE956A765}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4d0.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 1:38:38 PM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Earthworks\Shared\ewlicense_manager_nt.exe
C:\Program Files\Common Files\Earthworks\LicenseServices\LicenseServicesNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Earthworks\Components\process_manager_nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Bob Mahin\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130195805875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130195735781
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup163.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Earthworks License Manager - Earthworks Corporation - C:\Program Files\Common Files\Earthworks\Shared\ewlicense_manager_nt.exe
O23 - Service: Earthworks License Services - Earthworks Corporation - C:\Program Files\Common Files\Earthworks\LicenseServices\LicenseServicesNT.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Process Manager - Datamine Software Ltd - C:\Program Files\Common Files\Earthworks\Components\process_manager_nt.exe

#6 Rogue

Authentic Member, 179 posts

Posted 24 May 2007 - 07:06 AM

Hi bobusi,

Just a few bad files left.
A lot of what Kaspersky found was in your emails. The growing trend nowadays is to send attachments that look legit or from legit-looking companies (PayPal, eBay, etc.) but carry a harmful package. If you're unsure of the sender, don't even open it.
You forgot the log from haxfix (c:\haxfix.txt).

Remove Programs
Please Click Start > Control Panel > Add/Remove Programs

Remove these programs by clicking Remove

Deal Helper

If some programs listed are not present, please do not panic
*=========================*

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to and find the following files; if found, delete them (some may not be present after previous steps):

C:\Documents and Settings\All Users\Application Data\msw\BMan.exe
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\neomail-trash <<< Remove any unknown emails
C:\Documents and Settings\Bob Mahin\My Documents\home backup\My own stuff\IM Website\mail\ignorantmob.com\lake\inbox <<< Remove any unknown emails

*=========================*

Please post the following;

haxfix log (c:\haxfix.txt)
New hijackthis log.

If all looks good we'll do some final cleanup


Thanks,

Rogue
Rogue
Trained at MalWare Removal University - A Cooperative Effort with WhatTheTech Classroom

#7 bobusi

New Member (Authentic Member), 6 posts

Posted 29 May 2007 - 09:37 AM

Okay, back again.

I deleted all the identified files (did not find deal helper in install/uninstall). Those web emails have caused problems in my band's website too. We had to shut down the blogs because of huge volumes of spam and carp**.

Here are the new scans:

HAXFIX logfile - by Marckie

version 4.43
Tue 05/29/2007 8:40:47.76

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
Aspi32

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-29 08:40:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!


Logfile of HijackThis v1.99.1
Scan saved at 10:26:07 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Earthworks\Shared\ewlicense_manager_nt.exe
C:\Program Files\Common Files\Earthworks\LicenseServices\LicenseServicesNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Earthworks\Components\process_manager_nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Bob Mahin\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130195805875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130195735781
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup163.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Earthworks License Manager - Earthworks Corporation - C:\Program Files\Common Files\Earthworks\Shared\ewlicense_manager_nt.exe
O23 - Service: Earthworks License Services - Earthworks Corporation - C:\Program Files\Common Files\Earthworks\LicenseServices\LicenseServicesNT.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Process Manager - Datamine Software Ltd - C:\Program Files\Common Files\Earthworks\Components\process_manager_nt.exe

Once again Rogue, thank you
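A small triage script for HijackThis logs like the two posted in this thread, added here as an example; it is not part of the thread and not code from HijackThis or its author. It parses the "Onn - ..." lines and then applies the checks a helper reads for by eye: O20 Winlogon Notify DLLs (listed for manual review, since they load into winlogon.exe), O23 services whose binary is reported missing or whose owner is unknown, O17 name servers outside private address ranges, and O16 downloaded ActiveX controls. The sample lines are a constructed subset of the logs above; the category names are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{244B6C1D-E19B-4E86-B6E4-2CA2D82667AF}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")


def parse_hjt(text):
    """Return (section, body) pairs for every 'Onn - ...' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply the checks a helper reads for by eye; returns (category, section, body) tuples."""
    findings = []
    for section, body in entries:
        if section == "O20":
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon: always worth a look.
            findings.append(("winlogon-notify", section, body))
        elif section == "O23":
            if "(file missing)" in body:
                # Service still registered but its binary is gone: stale or tampered entry.
                findings.append(("service-file-missing", section, body))
            elif "Unknown owner" in body:
                # No company name in the file's version info; not proof of anything, just unvouched.
                findings.append(("service-unknown-owner", section, body))
        elif section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                for ip in m.group(1).replace(" ", "").split(","):
                    if not ip:
                        continue
                    try:
                        private = ipaddress.ip_address(ip).is_private
                    except ValueError:
                        private = False  # unparsable value: surface it for review
                    if not private:
                        # DNS pointed outside the LAN is a classic hijack sign.
                        findings.append(("dns-nonprivate", section, body))
                        break
        elif section == "O16":
            # Downloaded ActiveX controls; listed so stale ones can be removed.
            findings.append(("activex-dpf", section, body))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    for category, section, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{category}] {section} - {body}")
```

On the logs above the script lists the O20 WgaLogon entry for review (WgaLogon.dll in System32 is the Windows Genuine Advantage Notifications component, which is why it can appear in a clean log), the two avast! services marked "(file missing)", the Adobe and avast! services with an unknown owner, and each O16 control; the O17 name server 192.168.1.1 is private and raises nothing.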

#8 Rogue

Authentic Member, 179 posts

Posted 29 May 2007 - 11:21 AM

Hi bobusi,

Everything looks good. Just some general clean up left


Remove Programs
Please Click Start > Control Panel > Add/Remove Programs

Remove these programs by clicking Remove

HaxFix 4.4
J2SE Runtime Environment 5.0 Update 6

If some programs listed are not present, please do not panic
*=========================*

Please update Java Runtime Environment

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6.1 Update
  • The current version can be downloaded from Sun here: http://java.sun.com/...loads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 6u1'
    Select either Windows Online or Windows Offline download and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
*=========================*

Uninstall Unnecessary Tools/Files

c:\haxfix.txt

These were problem specific and were not intended for everyday use.

Optional Tools/Files to Uninstall
Kaspersky Online AV from add/remove programs. You can continue to use Kaspersky along with your resident AV (Avast). This will only detect viruses, not remove them. Not all detections are bad, so be careful.
*========================*

Flush System Restore
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a Restore Point, and then click Ok

Next, go to Start > Run and type in cleanmgr
Select the More Options tab
Choose the option to Clean Up System Restore and select OK.
This will remove all restore points except the new one you just created
*========================*

This is my post for when you are All Clean - which you seem to be.

But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items or completed steps)

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
Use Anti-Virus Software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
Click here for more information on -> Computer Safety On line - Anti-Virus
In case you do NOT have any antivirus software installed on your computer, or yours has expired, you may use one of the following.

Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - this keeps your computer safe from hackers AS WELL AS from several computer viruses (mostly worms) which spread through the internet by using security holes in Windows. Have in mind that these are FREE FULL versions of the software and they lack some features available in their shareware versions. Nevertheless, the FREE versions are capable of providing basic firewall protection to your computer.
Click here for more information on Firewalls -> Computer Safety On line - Software Firewalls


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Set up system to ensure a regular update of the Operating System.

Automatically:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click on Automatic Updates
  • Check the option of choice (I use Automatic (Recommended)). If you use dial-up I would recommend using the
    Notify Me option so that you can download when you can afford the time and bandwidth overheads.
  • Select the Day/Time of choice
  • Click Apply
  • Click OK

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly
  • Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with anti-virus software. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Lavasoft's© Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Javacool's© SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here: Click here for more info -->Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and you are less susceptible to attacks.


Safe Surfing,

Rogue
Rogue
Trained at MalWare Removal University - A Cooperative Effort with WhatTheTech Classroom
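The six Internet Explorer security settings in Rogue's post above correspond to numbered action values stored under the Internet zone key (zone 3) in the registry, where 0 = Enable, 1 = Prompt and 3 = Disable; that mapping is Microsoft's (documented in KB 182569). The script below is an added example, not from the thread or from any of the tools it mentions: it parses a Regedit 5.00 export of that key and reports which of the six settings differ from the levels the post recommends. The sample export is constructed, with three of the settings deliberately left at Enable so the audit has something to report.

```python
import re

# Internet zone (zone 3) action ids for the six settings named in the post,
# with the level the post recommends. Levels: 0 = Enable, 1 = Prompt, 3 = Disable (KB 182569).
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Constructed sample export (what "reg export" or Regedit would write for this key);
# 1001, 1800 and 1607 are left at Enable on purpose.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000001
"1607"=dword:00000000
"""

VALUE_RE = re.compile(r'"([^"]+)"=(dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key: {name: value}} for dword and string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, hexval, strval = m.group(1), m.group(3), m.group(4)
                keys[current][name] = int(hexval, 16) if hexval is not None else strval
    return keys


def audit_internet_zone(reg_text):
    """Return (action, label, actual level, recommended level) for each setting that deviates."""
    zone = parse_reg(reg_text).get(ZONE3_KEY, {})
    deviations = []
    for action, (label, wanted) in RECOMMENDED.items():
        actual = zone.get(action)  # a missing value means IE falls back to the zone template default
        if actual != wanted:
            deviations.append((action, label, LEVEL.get(actual, str(actual)), LEVEL[wanted]))
    return deviations


if __name__ == "__main__":
    for action, label, actual, wanted in audit_internet_zone(SAMPLE_REG):
        print(f"{action} {label}: is {actual}, post recommends {wanted}")
```

Run against a real export of the Zones\3 key it gives a checklist of what still needs changing in the Custom Level dialog; the parser deliberately handles only dword and string values, which is all this key uses for these settings.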

#9 bobusi

New Member (Authentic Member), 6 posts

Posted 29 May 2007 - 02:34 PM

I'm in the process of your last clean up instructions. Mostly waiting for the Java update to download. THANKS again for all your help. You guys are godsends.

#10 Rogue

Authentic Member, 179 posts

Posted 29 May 2007 - 03:28 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
Rogue
Trained at MalWare Removal University - A Cooperative Effort with WhatTheTech Classroom
