how do i get rid of Trojan.Agent.qt and Adware.PurityScan [RESOLV
zuggalo
post Jun 21 2006, 09:50 AM
Post #1


Member
Posts: 60
From: Tasmania, Australia
OS: XP



Can someone please help me get rid of Trojan.Agent.qt and Adware.PurityScan, and whatever else needs to go?

Logfile of HijackThis v1.99.1
Scan saved at 3:25:09 AM, on 22/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\f0c6497.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [b3e569b6.exe] C:\WINDOWS\system32\b3e569b6.exe
O4 - HKLM\..\Run: [f0c6497.exe] C:\WINDOWS\system32\f0c6497.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [b3e569b6.exe] C:\Documents and Settings\Family\Local Settings\Application Data\b3e569b6.exe
O4 - HKCU\..\Run: [f0c6497.exe] C:\Documents and Settings\Family\Local Settings\Application Data\f0c6497.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: eDocOne: Save to... - C:\Program Files\eDocOne\Script\catcher.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: eDocOne - {34C3E8B4-9D99-4F3C-A2F9-64007F446F54} - C:\Program Files\eDocOne\Script\catcher2.htm
O9 - Extra 'Tools' menuitem: eDocOne: Save to... - {34C3E8B4-9D99-4F3C-A2F9-64007F446F54} - C:\Program Files\eDocOne\Script\catcher2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com
O15 - Trusted Zone: *.xxxtoolbar.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142574637825
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgAU2404.exe
O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE73492-599F-4241-99BD-71F52582E427}: NameServer = 203.134.24.70 203.134.26.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\csrss.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViruScape Guard Service ({00008375-0Ab24-0D93-DFC9-9DC83F7AD8BC}) - Unknown owner - C:\Program Files\Tera Innovations\ViruScape\VS32.exe" -installguard (file missing)



This post has been edited by zuggalo: Jun 21 2006, 11:27 AM
Buckeye_Sam
post Jun 25 2006, 07:30 AM
Post #2


Malware Expert
Posts: 10,017
OS: XP



Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh HijackThis log in this thread so I can help you with your malware problems.

If you have resolved this issue please let us know.
zuggalo
post Jun 25 2006, 08:38 AM
Post #3


Member
Posts: 60
From: Tasmania, Australia
OS: XP



Thanks, that's fine, better late than never. Since I posted that log I've done many things to try to get rid of stuff, so this will be a bit different.

Thanks in advance,
Brad

Logfile of HijackThis v1.99.1
Scan saved at 12:36:42 AM, on 26/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\f0c6497.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Family\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [f0c6497.exe] C:\WINDOWS\system32\f0c6497.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [b3e569b6.exe] C:\Documents and Settings\Family\Local Settings\Application Data\b3e569b6.exe
O4 - HKCU\..\Run: [f0c6497.exe] C:\Documents and Settings\Family\Local Settings\Application Data\f0c6497.exe
O4 - HKCU\..\Run: [SigXC] C:\Program Files\SigXC\SigX.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: eDocOne: Save to... - C:\Program Files\eDocOne\Script\catcher.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: eDocOne - {34C3E8B4-9D99-4F3C-A2F9-64007F446F54} - C:\Program Files\eDocOne\Script\catcher2.htm
O9 - Extra 'Tools' menuitem: eDocOne: Save to... - {34C3E8B4-9D99-4F3C-A2F9-64007F446F54} - C:\Program Files\eDocOne\Script\catcher2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142574637825
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgAU2404.exe
O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE73492-599F-4241-99BD-71F52582E427}: NameServer = 203.134.24.70 203.134.26.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\csrss.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViruScape Guard Service ({00008375-0Ab24-0D93-DFC9-9DC83F7AD8BC}) - Unknown owner - C:\Program Files\Tera Innovations\ViruScape\VS32.exe" -installguard (file missing)

Buckeye_Sam
post Jun 25 2006, 08:45 AM
Post #4


Malware Expert
Posts: 10,017
OS: XP



Let's get this fixed for you.

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O4 - HKLM\..\Run: [f0c6497.exe] C:\WINDOWS\system32\f0c6497.exe
O4 - HKCU\..\Run: [b3e569b6.exe] C:\Documents and Settings\Family\Local Settings\Application Data\b3e569b6.exe
O4 - HKCU\..\Run: [f0c6497.exe] C:\Documents and Settings\Family\Local Settings\Application Data\f0c6497.exe
O4 - HKCU\..\Run: [SigXC] C:\Program Files\SigXC\SigX.exe
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgAU2404.exe
O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\csrss.dll



============


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\f0c6497.exe
    C:\Documents and Settings\Family\Local Settings\Application Data\b3e569b6.exe
    C:\Documents and Settings\Family\Local Settings\Application Data\f0c6497.exe
    C:\WINDOWS\system32\csrss.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.



Also post a new HijackThis log.
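The fix list above is the result of a helper reading each HijackThis section by hand. As an added illustration (not part of this thread, and not a tool either poster used), the script below encodes the same reading as explicit heuristics: R0/R1 browser pages pointing anywhere off an allowlist, O4 autostarts with random hex names or living in per-user temp/appdata folders, any O15 Trusted Zone addition, O16 ActiveX downloads from a raw IP or ending in .exe, and every O20 AppInit_DLLs entry (with extra suspicion when the DLL borrows a core process name such as csrss). The allowlist, the directory list and the process-name set are assumptions of the example; the sample lines are taken from the logs posted in this thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O4 body looks like: HKLM\..\Run: [name] C:\path\to\file.exe
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
# Autostart names that are just a run of hex digits (f0c6497.exe, b3e569b6.exe)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}\.exe$", re.IGNORECASE)

# Assumption: a site-specific allowlist of acceptable home/search pages.
ALLOWED_PAGES = {"about:blank", "www.google.com", "www.msn.com", "www.microsoft.com"}
# Assumption: per-user writable locations where legitimate autostarts rarely live.
USER_WRITABLE_DIRS = ("\\local settings\\application data\\", "\\local settings\\temp\\", "\\temp\\")
# Core Windows process names; a DLL reusing one of them is a classic disguise.
SYSTEM_PROCESS_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost"}


def _host_of(value: str) -> str:
    """Bare host of a URL or domain-like registry value, lower-cased."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.split("/")[0].lower()


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_line(line: str) -> list[Finding]:
    """Apply the per-section heuristics to one HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # header, running-process list, blank line
    section, body = m.group("section"), m.group("body")
    found: list[Finding] = []

    if section in ("R0", "R1"):
        _, _, value = body.partition(" = ")
        if _host_of(value) not in ALLOWED_PAGES:
            found.append(Finding(section, f"browser page/search redirected to {value!r}", line))

    elif section == "O4":
        r = RUN_RE.match(body)
        if r:
            name, path = r.group("name"), r.group("path")
            if HEX_NAME_RE.match(name):
                found.append(Finding(section, f"random hex-named autostart {name!r}", line))
            if any(d in path.lower() for d in USER_WRITABLE_DIRS):
                found.append(Finding(section, "autostart from user-writable temp/appdata dir", line))

    elif section == "O15":
        # Sites do not end up in IE's Trusted Zone by accident.
        found.append(Finding(section, f"trusted zone entry {body.split(': ', 1)[-1]!r}", line))

    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1]
        host = _host_of(url)
        if _is_ip(host):
            found.append(Finding(section, f"ActiveX download from raw IP {host}", line))
        if url.lower().endswith(".exe"):
            found.append(Finding(section, "ActiveX entry points at a bare .exe", line))

    elif section == "O20":
        dll = body.split(": ", 1)[-1]
        stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        reason = "AppInit_DLLs loads into every GUI process"
        if stem in SYSTEM_PROCESS_NAMES:
            reason += f"; DLL name mimics system process {stem!r}"
        found.append(Finding(section, reason, line))

    return found


def triage(log_text: str) -> list[Finding]:
    """Run check_line over a whole log; findings come back in log order."""
    return [f for ln in log_text.splitlines() for f in check_line(ln)]


def flagged_lines(log_text: str) -> list[str]:
    """De-duplicated lines worth reviewing, in the order they appear."""
    seen: list[str] = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


# Sample input: ten lines copied from the HijackThis logs in this thread,
# mixing known-bad entries with benign ones (Java updater, WGA control, Lexmark service).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [f0c6497.exe] C:\WINDOWS\system32\f0c6497.exe
O4 - HKCU\..\Run: [b3e569b6.exe] C:\Documents and Settings\Family\Local Settings\Application Data\b3e569b6.exe
O15 - Trusted Zone: *.flingstone.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgAU2404.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\csrss.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
""".strip()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample the three benign lines produce nothing and the seven bad ones are all flagged, which matches the helper's fix list; the heuristics are deliberately narrow (an allowlist miss or a hex name is a reason to look, not proof of infection), so the output is a review queue, not a verdict.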
zuggalo
post Jun 25 2006, 09:01 AM
Post #5


Member
Posts: 60
From: Tasmania, Australia
OS: XP



After I clicked Fix Checked in HijackThis I got an error. What do I do now?

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\csrss.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Buckeye_Sam
post Jun 25 2006, 09:07 AM
Post #6


Malware Expert
Posts: 10,017
OS: XP



It's OK. It's a bit of a bug with HijackThis.
Proceed with the rest of the steps.
zuggalo
post Jun 25 2006, 09:15 AM
Post #7


Member
Posts: 60
From: Tasmania, Australia
OS: XP



Pocket Killbox version 2.0.0.648
Running on Windows XP as Family(Administrator)
was started @ Monday, June 26, 2006, 1:03 AM

Killbox Closed(Exit) @ 1:04:47 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Family(Administrator)
was started @ Monday, June 26, 2006, 1:04 AM

# 1 [Delete on Reboot]
Path = C:\Documents and Settings\Family\Local Settings\Application Data\f0c6497.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\f0c6497.exe


I Rebooted @ 1:07:46 AM
Killbox Closed(Exit) @ 1:07:51 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Family(Administrator)
was started @ Monday, June 26, 2006, 1:13 AM


Logfile of HijackThis v1.99.1
Scan saved at 1:15:18 AM, on 26/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Family\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: eDocOne: Save to... - C:\Program Files\eDocOne\Script\catcher.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: eDocOne - {34C3E8B4-9D99-4F3C-A2F9-64007F446F54} - C:\Program Files\eDocOne\Script\catcher2.htm
O9 - Extra 'Tools' menuitem: eDocOne: Save to... - {34C3E8B4-9D99-4F3C-A2F9-64007F446F54} - C:\Program Files\eDocOne\Script\catcher2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142574637825
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE73492-599F-4241-99BD-71F52582E427}: NameServer = 203.134.24.70 203.134.26.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViruScape Guard Service ({00008375-0Ab24-0D93-DFC9-9DC83F7AD8BC}) - Unknown owner - C:\Program Files\Tera Innovations\ViruScape\VS32.exe" -installguard (file missing)


Buckeye_Sam
post Jun 25 2006, 09:35 AM
Post #8


Malware Expert
Posts: 10,017
OS: XP



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new HijackThis log.
zuggalo
post Jun 26 2006, 02:38 AM
Post #9


Member
Posts: 60
From: Tasmania, Australia
OS: XP



Incident Status Location

Adware:adware/ncase Not disinfected c:\temp\salm.log
Dialer:dialer.no Not disinfected c:\windows\downloaded program files\rdgAU2404.exe
Adware:adware/ist.istbar Not disinfected C:\Documents and Settings\Family\Favorites\~ VIP Free [bleep] ~.url
Dialer:dialer.asl Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\moduleusage\C:/WINDOWS/Downloaded Program Files/internazionale_ver10.ocx
Adware:adware/transponder Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/block-checker Not disinfected Windows Registry
Adware:Adware/SystemDoctor Not disinfected C:\!KillBox\f0c6497.exe
Adware:Adware/SystemDoctor Not disinfected C:\!KillBox\f0c6497.exe( 1)
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\z5lgy6r3.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\z5lgy6r3.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\z5lgy6r3.default\cookies.txt[.kinghost.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\z5lgy6r3.default\cookies.txt[.landing.domainsponsor.com/]
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\z5lgy6r3.default\cookies.txt[.offeroptimizer.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\z5lgy6r3.default\cookies.txt[.tickle.com/]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-249cdb6a.zip[Beyond.class]
Virus:Trj/Classloader.G Disinfected C:\Documents and Settings\Family\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-a5399d2-249cdb6a.zip[VerifierBug.class]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Family\Cookies\family@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Family\Cookies\family@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Family\Cookies\family@atdmt[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Family\Cookies\family@burstnet[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Family\Cookies\family@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Family\Cookies\family@com[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Family\Cookies\family@counter13.sextracker[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Family\Cookies\family@kinghost[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Family\Cookies\family@mediaplex[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Family\Cookies\family@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Family\Cookies\family@serving-sys[2].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Family\Cookies\family@sextracker[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Family\Cookies\family@stats1.reliablestats[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Family\Cookies\family@www.advnt01[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Family\Local Settings\Temp\NoadwareBkupTemp\family@errorsafe[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Family\Local Settings\Temp\NoadwareBkupTemp\family@winfixer[2].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Family\Local Settings\Temp\svshost.exe


Logfile of HijackThis v1.99.1
Scan saved at 6:38:05 PM, on 26/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Family\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: eDocOne: Save to... - C:\Program Files\eDocOne\Script\catcher.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: eDocOne - {34C3E8B4-9D99-4F3C-A2F9-64007F446F54} - C:\Program Files\eDocOne\Script\catcher2.htm
O9 - Extra 'Tools' menuitem: eDocOne: Save to... - {34C3E8B4-9D99-4F3C-A2F9-64007F446F54} - C:\Program Files\eDocOne\Script\catcher2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142574637825
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE73492-599F-4241-99BD-71F52582E427}: NameServer = 203.134.24.70 203.134.26.70
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViruScape Guard Service ({00008375-0Ab24-0D93-DFC9-9DC83F7AD8BC}) - Unknown owner - C:\Program Files\Tera Innovations\ViruScape\VS32.exe" -installguard (file missing)

Buckeye_Sam
post Jun 26 2006, 07:05 PM
Post #10


Malware Expert
Posts: 10,017
OS: XP



Open up Killbox.
Click Tools -> Delete Temp Files
Place a check mark in all locations that aren't greyed out. By default they should already be checked.
Click Delete Selected Temp Files

You can follow the same steps with any other profiles that are found.


============


Delete this file with Killbox as you did before.

c:\windows\downloaded program files\rdgAU2404.exe


============


Your log is looking pretty good.
Let me know of any problems that you are still having.
zuggalo
post Jun 26 2006, 11:46 PM
Post #11


Member
Posts: 60
From: Tasmania, Australia
OS: XP



I'm still having an IE window pop up with a message saying:

NOTICE: If your computer is not protected, it could be prone to Viruses, unpredictable behavior and crashes.
Protecting your computer increases security and can prevent data loss. Click on OK for more imfomation.

If I click OK, this opens up:

http://amaena.com/securityworm5827/?p=3&am...&lid=secure

Also, another box pops up saying:

NOTICE: If your computer has been running slower than normal, it may be infected with Viruses, Adware or Spyware.
WinAntiVirus can preform a quick and completly FREE scan of your system for malicious programs
Download WinAntiVirus FREE now!

If I click OK, it takes me to:

http://winantivirus.com/pages/scanner/inde...amp;p=&ax=1


Any ideas?

Thanks,
Brad

This post has been edited by zuggalo: Jun 26 2006, 11:51 PM
Buckeye_Sam
post Jun 27 2006, 06:08 PM
Post #12


Malware Expert
Posts: 10,017
OS: XP



Yes, that helps. I think you've got something new.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.


============


I'd like to take a look at a different log also.


Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
      Do you want to skip supplementary searches?
      click NO
  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
zuggalo