
[Closed]Hijackthis Log... Help


  • This topic is locked
7 replies to this topic

#1 Booter

  • New Member
  • 2 posts

Posted 16 August 2007 - 12:46 PM

I was really having system slowdowns but used AVG antivirus and spyware doctor to get down to popups every second or third time I open up a new browser. Nothing seems to clear out all the bugs even after scanning the system and finding stuff. The popups just keep coming.

log:

Logfile of HijackThis v1.99.1
Scan saved at 2:31:01 PM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRAM FILES\PCCloneEX\PCCloneEX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\AHS\Writepad\Writepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Chiropractic CA\Local Settings\Temporary Internet Files\Content.IE5\3VAL2BCM\STOPzilla_Setup[1].exe
C:\DOCUME~1\CHIROP~1\LOCALS~1\Temp\STOPzilla!\SZSetup.exe
C:\WINDOWS\system32\msiexec.exe
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {54b23cf0-9bef-41db-9143-63f5a3223d3b} - C:\WINDOWS\system32\loruxfy.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll (file missing)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [PCCloneEX] C:\PROGRAM FILES\PCCloneEX\PCCloneEX.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: awtss - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: PRISMAPI.DLL - C:\WINDOWS\SYSTEM32\PRISMAPI.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\easyPDF 5\bepldr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe


#2 tim s

  • MRU Emeritus
  • Authentic Member
  • 229 posts
  • Interests: Computers

Posted 16 August 2007 - 09:31 PM

Hi Booter,

Welcome to the Tomcoyote forum! I'll be glad to help you with your computer problems.
HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

In order to help me help you, please observe the following while we work:
  • Please do not try to fix anything else on your own.
  • If you don't know, stop and ask! Don't continue, we don't want to start all over again!
  • Understand that cleaning your computer can sometimes take multiple passes/posts,
    and it's important to follow the steps as listed, including re-running scans as listed.
  • Please reply to this thread, do not start another.

If you can do those four things, everything should go smoothly.

I am checking your log now and will post back as soon as I can.

Honors Graduate of MalWare Removal University - A Cooperative Effort with WhattheTech

#3 tim s


Posted 16 August 2007 - 10:00 PM

Hi Booter,

I need to know what firewall protection software you have; I am not seeing any in your HJT log. Without protection we will not get rid of infected files without new ones showing up.

You can only run one firewall program at a time; running two or more will cause conflicts in programs and computer instability.
If you already have one just let me know. Then we can continue. If you do not have one you can choose from this list.

Here are some you can choose from.
Only run one firewall program.

Firewall protection programs: (free for personal use only available)
  • Comodo Firewall
  • Jetico Personal Firewall
  • ZoneAlarm

==========================================

The above has to be done first.

Next we have to disable anti-spyware programs that will interfere with (block) removal of the infection.

Disable STOPzilla Anti-Spyware
  • Right click on system tray Icon near clock.
  • Select View BASIC OPTIONS
  • Click Disable Real Time protection.
  • Click Disable POP-UP PROTECTION
  • Untick box Auto-enable STOPzilla whenever my computer starts.
  • Untick box Show Splash Screen whenever my computer starts.
  • Click apply then click OK
Next:

Disable SpywareDoctor's realtime protection.
  • Open Spyware Doctor
  • Click the "OnGuard" button on the left side.
  • Uncheck "Activate OnGuard".
  • Exit the program.
=====================================

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Open the Misc tool section button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save list button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply. Note: please uncheck Word Wrap under Format in Notepad.

Post HJT Uninstall list in next reply


=====================================

We need to start with this tool here first:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

=====================================

Please post these in next reply to this thread by using the Posted Image button:
HJT Uninstall list
C:\vundofix.txt
New HJT log

#4 Booter


Posted 17 August 2007 - 10:26 AM

I am using AVG for my protection. The reason you don't see it is because I put it on the ignore list. Is there a way to get stuff off that list so you can see all there is to see? I may have put something on there that is a problem.

#5 tim s


Posted 17 August 2007 - 02:06 PM

Hi Booter,

I am using AVG for my protection. The reason you don't see it is because I put it on the ignore list. Is there a way to get stuff off that list so you can see all there is to see? I may have put something on there that is a problem.

If you mean you have put them in the HJT ignorelist, this is how to correct it. I do need to see the complete log.

Open HijackThis first
  • Click on Open the Misc Tools section
  • Click the ignorelist button
  • On this screen click the delete all button
  • Exit (close) HJT (this will let HJT show lines in the log now)
Now, if you are using AVG free edition (which is the one I am using, with combo firewall), it does not come with a firewall; you will still need to use one of the ones I posted.

You can still continue with the rest of the instructions; make sure to clear the ignorelist before posting a new HJT log.
Any questions, just ask.

#6 tim s


Posted 23 August 2007 - 05:46 PM

Hi Booter, Are you still needing help?

#7 tim s


Posted 24 August 2007 - 06:43 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.

#8 tim s


Posted 24 August 2007 - 06:43 PM

Due to inactivity this topic will be closed. If you need help, please start a new thread and post a new HJT log.
