Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

DrWatsons Problem


  • Please log in to reply

#136
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Did you just install a new program?

Did you already run CWShredder?
  • 0

Advertisements


#137
Pantrwrstl

Pantrwrstl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 172 posts
what kind of new program? i did run cws
  • 0

#138
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Any kind of new software recently (very recently). You have this process running: MsiExec.exe
which runs when a new program is being installed. It wasn't running on the first HiJackThis log you posted today, but was running in the 2nd log.
  • 0

#139
Pantrwrstl

Pantrwrstl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 172 posts
i havent installed any new programs today
  • 0

#140
Pantrwrstl

Pantrwrstl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 172 posts
i have a few windows updates that were ready to be installed but i hadent installed them yet so it was in my system tray.... could that be anything????
  • 0

#141
Pantrwrstl

Pantrwrstl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 172 posts
New Hijack this log after insalled windows updates:


Logfile of HijackThis v1.99.1
Scan saved at 3:49:49 PM, on 4/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownloa...n/myv3/myv3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101264785109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4940B58-3477-435E-9902-34E9FF328239}: NameServer = 209.47.15.118,64.157.143.38,
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
  • 0

#142
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Go to Start > Search
Click on "All Files and Folders", then click on "More Advanced Options"
Put a checkmark next to the first 3 items (search system folders, search hidden files and folders, search subfolders)

Search for this item and tell me all of the locations (ie c:\windows\system32 or c:\windows):

SysTray.Exe

Let me know.
  • 0

#143
Pantrwrstl

Pantrwrstl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 172 posts
Name In Folder
systray C:\WINDOWS\SYSTEM32
SYSTRAY.EXE-345DCC1C.PF C:\WINDOWS\Prefetch

Edited by Pantrwrstl, 11 April 2005 - 02:56 PM.

  • 0

#144
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, I was thinking about it and you said the last MWav scan went pretty quick and only scanned 4,000 files? It definitely didn't scan your whole computer.

This scan takes around 3 hours to finish when set to scan everything. I need you to run MWav again, this time put a check next to below items:

*Memory
*Startup Folders
*Drive - All Local Drives
*Folder - then click browse to change the directory to C: (default is C:\Windows)
*Registry
*System Folders
*Services
*Include Sub-Directory
*Scan All Files

Please make sure all of these are checked. This will take hours to complete.

Copy the portion of the scan that lists infected items and paste them here.

Edited by bananafanafo, 11 April 2005 - 08:26 PM.

  • 0

#145
Pantrwrstl

Pantrwrstl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 172 posts
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "ameopt Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VB and VBA Program Settings Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "dlmax Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\DOCUME~1\user\LOCALS~1\TEMPOR~1\Content.IE5\OX4RYBUV\l2mfix[1].exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\SYSTEM32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OX4RYBUV\l2mfix[1].exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\user\Desktop\l2mfix.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\user\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\!Submit\ppq20B.tmp infected by "Trojan-Downloader.Win32.IstBar.hs" Virus. Action Taken: No Action Taken.
  • 0

Advertisements


#146
Pantrwrstl

Pantrwrstl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 172 posts
Incase this helps you too...


Mon Apr 11 22:27:43 2005 => ***** Scanning complete. *****
Mon Apr 11 22:27:43 2005 => Total Objects Scanned: 42069
Mon Apr 11 22:27:43 2005 => Total Virus(es) Found: 15
Mon Apr 11 22:27:43 2005 => Total Disinfected Files: 0
Mon Apr 11 22:27:43 2005 => Total Files Renamed: 0
Mon Apr 11 22:27:43 2005 => Total Deleted Objects: 0
Mon Apr 11 22:27:43 2005 => Total Errors: 4
Mon Apr 11 22:27:43 2005 => Time Elapsed: 00:55:35
Mon Apr 11 22:27:43 2005 => Virus Database Date: 2005/04/06
Mon Apr 11 22:27:43 2005 => Virus Database Count: 124827

Mon Apr 11 22:27:43 2005 => Scan Completed.
  • 0

#147
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file path listed below:

C:\!Submit\ppq20B.tmp

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the YES button.
  • 0

#148
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Make sure you are disconnected from the Internet and that all programs and windows are closed. Put a check next to the following items and click "FIX CHECKED":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

OPTIONAL:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

The optional item above is not "malicious" but it is used by Realtek to gather data about their customers. You can keep it if you want...

Then delete this item, if found (in bold):

C:\WINDOWS\SYSTEM\blank.htm
  • 0

#149
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Also, do you have or have you ever had the program SpySweeper?

Please post a new HiJackThis log.
  • 0

#150
Pantrwrstl

Pantrwrstl

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 172 posts
It kinda sounds familiar, i may have downloaded it once, i honestly dont know tho...

Logfile of HijackThis v1.99.1
Scan saved at 1:58:47 AM, on 4/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\KMaestro\KMaestro.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\user\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {5DD731E6-D4F0-11D3-BE3F-00105A6FDA50} (V3ProX Control) - http://ahnlabdownloa...n/myv3/myv3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101264785109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4940B58-3477-435E-9902-34E9FF328239}: NameServer = 209.47.15.118,64.157.143.38,
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP