Explorer Toolbar mess [RESOLVED]


This topic is locked

#1
ruggb
New Member
6 posts
Help. I have my sister's PC that has been without virus software for a year. I have the thing at least running decent, but cannot get rid of adware pop-ups and a blue search toolbar at the bottom of Internet Explorer. It also has Favorites that cannot be removed. I have followed all directions before posting. Please help as I have to get her PC back this weekend. 210 mile drive. Thanks for the help in advance. I will post the HijackThis log and the ewido log. I also have virus software running now.

Logfile of HijackThis v1.99.1
Scan saved at 8:45:30 AM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lwkwsxlfj...n9o2odfmv9.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {2265FC59-667C-454D-8220-C4FB745936C2} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {24C201AD-11B5-48EE-A528-51DF04D1D93B} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {284E730B-FB54-425C-A1EB-D5C824CD206E} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {341953B7-ED32-42ED-B364-7E628FE88C27} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {351F3AA9-824F-4DC9-99F5-41BCA4BD04BB} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {40EEB6F8-D9A6-FD38-348A-BB86ED637818} - C:\DOCUME~1\Atley\APPLIC~1\EQLOG~1\move copy.exe (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {6193960D-0914-46F9-B748-7E614043ADF8} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {71EE2053-600E-472C-AC0E-2E73AA1EB4B9} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {C362E412-83BB-458D-9D83-3E417A144C82} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {C806A42F-4331-40CD-998F-E3B49E01CC2E} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {D7EDD33D-B4EB-4D62-9E2C-B921FBCD6A8F} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [phone send slow bait] C:\Documents and Settings\All Users\Application Data\free iso phone send\FILMTRAY.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [BitsMeal] C:\DOCUME~1\Atley\APPLIC~1\TRANSB~1\DUMBEGGS.exe
O4 - HKCU\..\Run: [a04FRUZ5e] ntkck32.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142914907531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28177.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe


Here is the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:40:32 AM, 3/22/2006
+ Report-Checksum: 3B3181FB

+ Scan result:

C:\Program Files\msxzz649\xz74fonv.DLL.tcf -> Adware.ClearSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP648\A0352619.DLL -> Adware.ClearSearch : Cleaned with backup
C:\WINDOWS\bundles\adl_dh.exe -> Adware.DealHelper : Cleaned with backup
C:\WINDOWS\SYSTEM32\Uninstaller.exe -> Adware.DealHelper : Cleaned with backup


::Report End

#2
loophole
Malware Expert
Retired Staff
9,798 posts
Hi ruggb :tazz:


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lwkwsxlfj...n9o2odfmv9.html
O2 - BHO: (no name) - {2265FC59-667C-454D-8220-C4FB745936C2} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {24C201AD-11B5-48EE-A528-51DF04D1D93B} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {284E730B-FB54-425C-A1EB-D5C824CD206E} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {341953B7-ED32-42ED-B364-7E628FE88C27} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {351F3AA9-824F-4DC9-99F5-41BCA4BD04BB} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {40EEB6F8-D9A6-FD38-348A-BB86ED637818} - C:\DOCUME~1\Atley\APPLIC~1\EQLOG~1\move copy.exe (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {6193960D-0914-46F9-B748-7E614043ADF8} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {71EE2053-600E-472C-AC0E-2E73AA1EB4B9} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {C362E412-83BB-458D-9D83-3E417A144C82} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: (no name) - {C806A42F-4331-40CD-998F-E3B49E01CC2E} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {D7EDD33D-B4EB-4D62-9E2C-B921FBCD6A8F} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [phone send slow bait] C:\Documents and Settings\All Users\Application Data\free iso phone send\FILMTRAY.exe
O4 - HKCU\..\Run: [BitsMeal] C:\DOCUME~1\Atley\APPLIC~1\TRANSB~1\DUMBEGGS.exe
O4 - HKCU\..\Run: [a04FRUZ5e] ntkck32.exe


Now close all windows other than HiJackThis, then click Fix Checked


Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode


Show hidden files and folders
  • click start then control panel
  • click the tools tab
  • click the folder options from the dropdown menu
  • click the view tab
  • check the show hidden files and folders radio button

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
Messenger plus3 <<< You can reinstall it later without the sponsor software
CSBB
msxzz649


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\CSBB
C:\Program Files\msxzz649
C:\Documents and Settings\All Users\Application Data\free iso phone send
C:\Documents and Settings\Atley\Application Data\TRANSB <<< That's the first six letters of the folder you need to delete

please delete these files (if present):

C:\windows\ntkck32.exe
C:\windows\system32\ntkck32.exe


Reboot

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with a new Hijack log.

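HijackThis only lists the hooks in each section; the judgement in loophole's reply above is what makes the log useful: the O2 BHO entries whose DLL is "(file missing)" or "(no file)", the O4 autoruns that live under Application Data or carry no path at all (ntkck32.exe), and the Search Bar URL that no longer points at the OEM default. The script below is an example added here, not code from this thread or from HijackThis; it parses HJT log lines and applies those same three checks. The KNOWN_GOOD_HOSTS allowlist, the function names and the sample lines (copied from the log in post #1, with the URLs truncated exactly as the forum rendered them) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v1.99.1 entries posted in this thread,
# with the URLs truncated exactly as the forum rendered them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lwkwsxlfj...n9o2odfmv9.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {2265FC59-667C-454D-8220-C4FB745936C2} - C:\Program Files\msxzz649\msxzz649.dll (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [phone send slow bait] C:\Documents and Settings\All Users\Application Data\free iso phone send\FILMTRAY.exe
O4 - HKCU\..\Run: [BitsMeal] C:\DOCUME~1\Atley\APPLIC~1\TRANSB~1\DUMBEGGS.exe
O4 - HKCU\..\Run: [a04FRUZ5e] ntkck32.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Hosts legitimately found in this machine's R0/R1 entries (the Dell OEM default page).
# Assumption for this example: a helper would keep such a list per OEM image.
KNOWN_GOOD_HOSTS = {"dell4me.com", "msn.com", "microsoft.com", "google.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    kind: str
    line: str
    reason: str


def run_target(cmd: str) -> str:
    """Pull the program path out of an O4 Run value (quoted, rundll32, or path + switch)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    first, _, rest = cmd.partition(" ")
    if first.lower() == "rundll32":
        return rest.split(",")[0]
    return re.split(r" [/-]", cmd)[0]


def url_host(value: str) -> str:
    """Host part of an R0/R1 URL, with a leading 'www.' dropped."""
    host = value.split("://", 1)[1].split("/", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def triage(log_text: str) -> list[Finding]:
    """Apply the three checks from the thread to every R*/O* line in an HJT log."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "://" in body:
            host = url_host(body.split(" = ", 1)[1])
            if host not in KNOWN_GOOD_HOSTS:
                findings.append(Finding(kind, line, f"IE start/search page points at unknown host {host}"))
        elif kind == "O2" and (body.endswith("(file missing)") or body.endswith("(no file)")):
            findings.append(Finding(kind, line, "BHO registered but its DLL is gone (orphaned entry, fix it)"))
        elif kind == "O4":
            rm = RUN_RE.search(body)
            if not rm:
                continue
            target = run_target(rm.group("cmd"))
            low = target.lower()
            if "\\" not in target and not target.startswith("%"):
                findings.append(Finding(kind, line, f"autorun '{target}' has no path: resolved via PATH search"))
            elif "application data" in low or "applic~1" in low:
                findings.append(Finding(kind, line, "autorun lives in a per-user/AppData folder, not Program Files"))
    return findings


def counts_by_kind(findings: list[Finding]) -> dict[str, int]:
    out: dict[str, int] = {}
    for f in findings:
        out[f.kind] = out.get(f.kind, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.line}")
```

Run on the sample it reports six entries: the replaced Search Bar, both orphaned BHOs, the two autoruns under Application Data and the pathless ntkck32.exe, and leaves the Intel, QuickTime and AVG entries alone. The allowlist is deliberately the weakest part: anything not on it is only "unknown", which is a prompt to look, not a verdict.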

#3
ruggb
New Member
Topic Starter
6 posts
loophole, thanks for the help. I followed your directions and things seem worse. The blue search bar is gone, but I get more pop-ups than I had before. Here is the Kaspersky report and new hijackthis log.

KASPERSKY ON-LINE SCANNER REPORT
Thursday, March 23, 2006 5:49:40 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 23/03/2006
Kaspersky Anti-Virus database records: 183533


Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects: 62743
Number of viruses found: 5
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 00:43:33

Infected Object Name | Virus Name | Last Action
C:\Documents and Settings\Atley\Application Data\Eq Log\move copy.exe.tcf | Infected: not-a-virus:AdWare.Win32.Lop.ag | skipped
C:\RECYCLER\S-1-5-21-3383156687-1247728585-1046113438-1008\Dc1.exe | Infected: not-a-virus:AdWare.Win32.Lop.ag | skipped
C:\RECYCLER\S-1-5-21-3383156687-1247728585-1046113438-1008\Dc2.exe | Infected: not-a-virus:AdWare.Win32.Lop.ag | skipped
C:\RECYCLER\S-1-5-21-3383156687-1247728585-1046113438-1008\Dc3.exe | Infected: not-a-virus:AdWare.Win32.Lop.ag | skipped
C:\RECYCLER\S-1-5-21-3383156687-1247728585-1046113438-500\Dc1\erkuzzg7.DLL | Infected: not-a-virus:AdWare.Win32.ClearSearch.al | skipped
C:\RECYCLER\S-1-5-21-3383156687-1247728585-1046113438-500\Dc2\BLEH ATOM.exe | Infected: not-a-virus:AdWare.Win32.Lop.ag | skipped
C:\RECYCLER\S-1-5-21-3383156687-1247728585-1046113438-500\Dc2\FILMTRAY.exe | Infected: not-a-virus:AdWare.Win32.Lop.ag | skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP648\A0352627.exe | Infected: not-a-virus:AdWare.Win32.Lop.ag | skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP648\A0352646.exe | Infected: not-a-virus:AdWare.Win32.DealHelper.t | skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP648\A0352647.exe | Infected: not-a-virus:AdWare.Win32.DealHelper.u | skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP648\A0352676.exe | Infected: not-a-virus:AdWare.Win32.Lop.ag | skipped
C:\WINDOWS\SYSTEM32\secure.exe | Infected: not-a-virus:AdWare.Win32.DealHelper.v | skipped

Scan process completed.

Here is the Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 5:53:48 AM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\lxcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nxewysexz...un9o2odfmv9.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dwknlprcl..._kubnSJqN/o.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {1B2D435E-4478-F960-62B3-A06029B6E0D4} - C:\DOCUME~1\Atley\APPLIC~1\EQLOG~1\move copy.exe (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Internet one lies fast] C:\Documents and Settings\All Users\Application Data\pure about internet one\Bait Cool.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [BitsMeal] C:\DOCUME~1\Atley\APPLIC~1\TRANSB~1\DUMBEGGS.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142914907531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28177.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe

#4
loophole
Malware Expert
Retired Staff
9,798 posts
Don't worry, we are almost done.

Delete this file C:\WINDOWS\SYSTEM32\secure.exe

Make sure you uninstall Messenger plus 3

Download Findlop by Metallica. Unzip it to your desktop.
Double click findlop.bat. It will open a notepad file.
Copy the content of that file and paste it here in your reply.

#5
ruggb
New Member
Topic Starter
6 posts
loophole,
I deleted the secure.exe file. I do not find the Messenger plus3 in the add/remove programs, but it does have a directory under programs. Can I just delete the directory? Also, in your 1st post you said to delete the directory that started with transb, well it would not let me. I did delete several files within the directory, but the dumbeggs.exe file says access is denied. Here is the findlop.bat file. Thanks for the help.

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AAFBF65291846A6A.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\atley\applic~1\transb~1\Long meet tool.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Atley'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 03/23/2006 15:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/04/1998
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Owner'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 03/23/2006 14:32:00
StartError: 0x80070534
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

2 Triggers

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 05/20/2004
EndDate: 00/00/0000
StartTime: 00:52
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 1:
Type: AtLogon
StartDate: 05/20/2004
EndDate: 00/00/0000
StartTime: 00:52
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

#6
loophole
Malware Expert
Retired Staff
9,798 posts
Hi

That's my fault, I should have had you kill the job first.

Copy everything inside the quote box below (starting with @) and paste it into notepad. Go up to "File > Save As", click the drop-down box to change the "Save As Type" to "All Files". Save it as remlop.bat on your desktop.

@echo off
cd C:\WINDOWS\Tasks
attrib -r -s -h AAFBF65291846A6A.job
del AAFBF65291846A6A.job
exit



Double-click remlop.bat. A window will open and close quickly, this is normal.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nxewysexz...un9o2odfmv9.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dwknlprcl..._kubnSJqN/o.htm
O2 - BHO: (no name) - {1B2D435E-4478-F960-62B3-A06029B6E0D4} - C:\DOCUME~1\Atley\APPLIC~1\EQLOG~1\move copy.exe (file missing)
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Internet one lies fast] C:\Documents and Settings\All Users\Application Data\pure about internet one\Bait Cool.exe
O4 - HKCU\..\Run: [BitsMeal] C:\DOCUME~1\Atley\APPLIC~1\TRANSB~1\DUMBEGGS.exe


Now close all windows other than HiJackThis, then click Fix Checked

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Please delete the folders listed below using Windows Explorer (if present):

C:\Documents and Settings\Atley\Application Data\Eq Log
C:\Documents and Settings\All Users\Application Data\pure about internet one
C:\Documents and Settings\Atley\Application Data\TRANSB <<< That's the first six letters of the folder you need to delete


Reboot

Post a new Hijack log and tell me how your system is running now.

Thanks
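The findlop.bat output in post #5 is a dump of every .job file in C:\WINDOWS\Tasks, and the job loophole deletes above is the one with a random hex name, Hidden = 1 and an ApplicationName under the user's Application Data folder; that is why the DUMBEGGS.exe autorun kept coming back and why the attrib step precedes the del in remlop.bat (a file with the read-only, system or hidden attribute set refuses a plain del). The script below is an example added here, not code from this thread or from Findlop: it parses that dump format, scores each job on those three indicators, decodes the StartError value, and emits the same attrib/del steps as remlop.bat. The property names it reads are the ones visible in the dump; the sample input is an abbreviated copy of the two jobs posted, and the START_ERRORS table, function names and scoring are the example's own.

```python
import re

# Constructed sample: an abbreviated copy of the findlop.bat output posted in this thread
# (two jobs from C:\WINDOWS\Tasks, keeping only the properties this example reads).
SAMPLE_FINDLOP = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AAFBF65291846A6A.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\atley\applic~1\transb~1\Long meet tool.exe'
Parameters: ''
Creator: 'Atley'
NextRun: 03/23/2006 15:00:00
StartError: 0x80070002
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 1

1 Trigger

Trigger 0:
Type: Daily
MinutesInterval: 60

[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Creator: 'Owner'
StartError: 0x80070534
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
RunOnlyIfLoggedOn = 1
Hidden = 0
"""

JOB_START = re.compile(r"^\[TRACE\] Activating job '(?P<name>[^']+)'")
PROP = re.compile(r"^(?P<key>[A-Za-z]+)(?:: | = )(?P<val>.*)$")   # "Key: val" or "Flag = n"
HEX_NAME = re.compile(r"^[0-9A-F]{16}\.job$", re.I)

# Win32 error codes as they appear wrapped in a StartError HRESULT (0x8007xxxx).
START_ERRORS = {
    0x80070002: "ERROR_FILE_NOT_FOUND: the program the task points to no longer exists",
    0x80070534: "ERROR_NONE_MAPPED: the account the task was saved under no longer maps to a SID",
}


def parse_jobs(text: str) -> list[dict]:
    """Turn the findlop dump into one dict per job; quotes around values are stripped."""
    jobs, current = [], None
    for line in text.splitlines():
        m = JOB_START.match(line)
        if m:
            current = {"name": m.group("name")}
            jobs.append(current)
            continue
        if current is None or line.startswith("[TRACE]"):
            continue
        p = PROP.match(line)
        if p:
            current[p.group("key")] = p.group("val").strip("'")
    return jobs


def assess(job: dict) -> list[str]:
    """Indicators that a .job was planted by adware rather than by an installed product."""
    reasons = []
    if HEX_NAME.match(job["name"]):
        reasons.append("random 16-hex-digit job name instead of a product name")
    if job.get("Hidden") == "1":
        reasons.append("Hidden flag set: not shown in the Scheduled Tasks folder")
    app = job.get("ApplicationName", "").lower()
    if any(marker in app for marker in ("application data", "applic~1", "docume~1")):
        reasons.append(f"runs from a user profile folder: {job.get('ApplicationName')}")
    return reasons


def start_error_text(job: dict) -> str:
    code = int(job.get("StartError", "0"), 16)
    return START_ERRORS.get(code, f"0x{code:08X}") if code else "no start error"


def cleanup_commands(job_name: str) -> list[str]:
    """The same three steps as remlop.bat in this thread: clear R/S/H attributes, then delete."""
    return [r"cd C:\WINDOWS\Tasks", f"attrib -r -s -h {job_name}", f"del {job_name}"]


if __name__ == "__main__":
    for job in parse_jobs(SAMPLE_FINDLOP):
        reasons = assess(job)
        print(f"{job['name']}: {'SUSPICIOUS' if reasons else 'ok'} ({start_error_text(job)})")
        for r in reasons:
            print("   -", r)
        if reasons:
            print("   cleanup:", " && ".join(cleanup_commands(job["name"])))
```

On the sample the hex-named job trips all three indicators while the Symantec job trips none; its non-zero StartError is reported but not scored, since a stale account mapping on a LiveUpdate task is a housekeeping problem, not an infection indicator.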

#7
ruggb
New Member
Topic Starter
6 posts
loophole,
I think you got it that time. All the extra desktop icons for casino, dates, etc. are gone. IE is back to normal. I still see that there is a Messenger plus 3 in the program folders, but not in the add/remove programs. Is this anything to worry about? Here is the latest HijackThis log. Thanks so much for your help. If things look good this time, I will finish her PC a day early. Now I know why virus software is so important. I will school my sister and her kids on how they surf and chat. I don't think they use their PC much as they only have dial-up. I suppose they miss all the updates as a result. I will make sure they are completely updated before giving it back. I also added memory. They won't know what to think. Thanks again. I will donate and hope I get reimbursed! :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 8:39:36 PM, on 3/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\lxcccoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qshsirdlc..._n9o2odfmv9.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142914907531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicr...scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28177.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe

#8
loophole
Malware Expert
Retired Staff
9,798 posts
Hi ruggb :help:

You can delete the messenger plus folder. Just don't let them download it again :blink:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qshsirdlc..._n9o2odfmv9.jsp


Now close all windows other than HiJackThis, then click Fix Checked


Congratulations
your system is clean :whistling:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Anti-virus - An anti-virus is a must, here are a few good free ones. Please never run more than one anti-virus at a time.

  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner (by Atribune) - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

#9
ruggb
New Member
Topic Starter
6 posts
How Sweet it is!!! We are done. I re-ran HijackThis and found no entry of the
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qshsirdlc..._n9o2odfmv9.jsp

that kept coming back. That is awesome!! I also got rid of the messenger folder and downloaded Trillian. I will make sure they use it and not touch MSN Messenger again. I hope I don't have to do this again, however, I think my parents might need this as my sister's kids have been using it frequently since this one has been destroyed for some time. Not sure they will let me take it back with me for a week. Thanks again, this site is Awesome!! You provide an excellent service, I hope you get paid for your services through the donations.

#10
loophole
Malware Expert
Retired Staff
9,798 posts
Hi

Glad we could help :whistling:. You can use MSN Messenger, just don't use the Messenger Plus. If you do, make sure you don't download it with the sponsor software. That's where the problem is.

Good luck to you :blink:

#11
loophole
Malware Expert
Retired Staff
9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.