Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Rootkit Win32.Agent.P [RESOLVED]

Started by eyespy1 , Sep 04 2006 09:33 PM

This topic is locked

#1
eyespy1

Posted 04 September 2006 - 09:33 PM

Member

Member
28 posts

Hi people great site glad I found it have been reading alot but it seems each fix is individual,a little history I have reformatted about 6 times in 2 weeks,win xp pro,when I install avg,adaware and run and remove spyware and trogens,basically shuts me down so I have learned to take care of popups,but everytime I restart pc,I get 2 warnings Rootkit Win32.Agent.p which cannot be removed by shaw secure,and the other message at startup is windows cannot find asus.exe I'm sure they are both viruses I hope someone has the time to help me out I am new to alot of these programs so I DL'ed HJT here is the log that it produced.
I have never had problems like this since io went to ME to Xp pro always ran Adawre and AVG...thanks in advance

Logfile of HijackThis v1.99.1
Scan saved at 9:23:40 AM, on 04/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
C:\Program Files\Shaw Secure\FSGUI\ispnews.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brent\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
F2 - REG:system.ini: Shell=Explorer.exe asus.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,asus.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Update WinFix] tjonpxhmdxrr.exe
O4 - HKLM\..\Run: [prosesor] qnxrkmzeh.exe
O4 - HKLM\..\Run: [Tilerun] Tilerun.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\RunServices: [Update WinFix] tjonpxhmdxrr.exe
O4 - HKLM\..\RunServices: [prosesor] qnxrkmzeh.exe
O4 - HKLM\..\RunServices: [Tilerun] Tilerun.com
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156595632934
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156595621227
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\axdcfasb.exe (file missing)

#2
sari

Posted 07 September 2006 - 09:05 AM

GeekU Admin

Community Leader
21,806 posts

eyespy1,

This is quite a nasty log - looks like you have some bad infections there.

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
If it wants to install an ActiveX component allow it
Select either Home User or Company
Click the big Scan Now button
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Thanks,

sari

#3
eyespy1

Posted 08 September 2006 - 05:35 AM

Member

Topic Starter
Member
28 posts

Hi.Sari thankyou so much for replying unfortunately I just had surgery on my right shoulder so bare with me if I report back a little slow, but here are the logs you requested

09/08/06 04:44:12 [Info]: BlackLight Engine 1.0.46 initialized
09/08/06 04:44:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/08/06 04:44:12 [Note]: 7019 4
09/08/06 04:44:12 [Note]: 7005 0
09/08/06 04:44:27 [Note]: 7006 0
09/08/06 04:44:27 [Note]: 7011 3936
09/08/06 04:44:27 [Note]: 7026 0
09/08/06 04:44:27 [Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Brent\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Brent\Cookies\brent@burstnet[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Brent\Cookies\brent@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Brent\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Brent\Cookies\brent@com[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Brent\Cookies\[email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Brent\Cookies\brent@toplist[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bryce\Cookies\bryce@burstnet[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Bryce\Cookies\[email protected][2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Bryce\Cookies\bryce@yadro[2].txt
Virus:W32/Gaobot.OAS.wormNote]: 7026 0
09/08/06 04:44:40 [Note]: FSRAW library version 1.7.1019
09/08/06 04:47:39 [Note]: 7006 0
09/08/06 04:47:39 [Note]: 7011 3936
09/08/06 04:47:39 [Note]: 7026 0
09/08/06 04:47:40 [Note]: 7026 0
09/08/06 04:47:49 [Note]: FSRAW library version 1.7.1019
09/08/06 04:51:36 [Note]: 7007 0

#4
sari

Posted 08 September 2006 - 02:30 PM

GeekU Admin

Community Leader
21,806 posts

eyespy1,

I'm sorry to hear about your shoulder. Just reply as you can.

It looks like your panda log might have been pasted in the middle of the blacklight log, making it difficult to read. Could you re-paste the panda log, since the blacklight log looks clean?

Thanks

sari

#5
eyespy1

Posted 08 September 2006 - 05:03 PM

Member

Topic Starter
Member
28 posts

sorry will try again

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Brent\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Brent\Cookies\brent@burstnet[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Brent\Cookies\brent@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Brent\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Brent\Cookies\brent@com[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Brent\Cookies\[email protected][1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Brent\Cookies\brent@toplist[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Bryce\Cookies\bryce@burstnet[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Bryce\Cookies\[email protected][2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Bryce\Cookies\bryce@yadro[2].txt
Virus:W32/Gaobot.OAS.worm

#6
eyespy1

Posted 11 September 2006 - 07:43 PM

Member

Topic Starter
Member
28 posts

Sorry but can I bump this for some help this thing is driving me crazy

#7
sari

Posted 12 September 2006 - 08:49 AM

GeekU Admin

Community Leader
21,806 posts

eyespy1,

I apologize for the delay - I had a family emergency over the weekend.

First, I need you to find the following files - they may be in c:\windows\system32:

Show Hidden Files:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Search for these files, and note the path to the filename:

tjonpxhmdxrr.exe
qnxrkmzeh.exe
Tilerun.com
asus.exe

Please go here to upload a suspicious file for analysis.

Enter your username from this forum
Copy and paste the link to this thread
Browse for this filename: tjonpxhmdxrr.exe Use the full path that you found in the above step, i.e., c:\windows\system32, or whatever it was
In the next window, repeat this step for this filename: qnxrkmzeh.exe
In the next window, repeat this step for this filename: Tilerun.com
In the next window, repeat this step for this filename: asus.exe
In the comments, please mention that I asked you to upload this file
Click on Send File

You may want to print the following instructions, or save them to a notepad file, as you will be in safemode during the fix, and unable to access the internet.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Thanks,

sari

Edited by sari, 12 September 2006 - 08:50 AM.

#8
eyespy1

Posted 12 September 2006 - 09:21 AM

Member

Topic Starter
Member
28 posts

Hi Sari I hope everthing is ok with your family and I know your busy so appreciate your time.

I did the show hidden files part but when I go and try to search files and folders,all I get is search is complete no files found I can't even find win\sys32 files am I doing something wrong not to computor savy.
Please be patient with me lol

#9
sari

Posted 12 September 2006 - 09:32 AM

GeekU Admin

Community Leader
21,806 posts

eyespy1,

It's ok - I'll walk you through this. I assume sometimes that people know what they're doing - that's my fault.

Go to Start > Search.
On the left side, click on All Files and Folders.
In the next window, copy/paste the first filename I listed for you. Make sure it's set to search Local Hard Drives (C:).
Select More Advanced Options. Make sure Search System Folders, Search Hidden Files and Folders, and Search Subfolders are selected.
Click on Search.

Repeat this step with each of the files; the path name will come up in the right hand pane of the search window.

sari

#10
eyespy1

Posted 12 September 2006 - 10:06 AM

Member

Topic Starter
Member
28 posts

Nope I'm sorry Sari its not working checked over and over to see if settings are right to check hidden files when its scanning I notice thats its checking c drive but not hidden files and folders I noticed that Hide extensions for known files is checked do I maybe uncheck this?...thanks

Okay I finally got it to search all files and hidden files and sub folders but it finds nothing I'm lost here what should I do now...thanks

Edited by eyespy1, 12 September 2006 - 10:22 AM.

#11
sari

Posted 12 September 2006 - 11:10 AM

GeekU Admin

Community Leader
21,806 posts

eyespy1,

I'm sorry you're having trouble - sometimes these files can hide in normal mode. Print these instructions for reference while you're in safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Repeat the search. If the file is found, then right click on the file name in the search results pane, and select Send To... In the next drop-down menu, select Compressed File. This will create a zipped file with the same filename, but it will end in .zip. Note the directory the file is in. Repeat this for the other 3 files. When you reboot into normal mode, you should be able to find the zipped files and upload those.

sari

#12
eyespy1

Posted 12 September 2006 - 11:47 AM

Member

Topic Starter
Member
28 posts

Hi sari,did a search in safe mode and nothing found except win\sys32 file looked through that no files under them names,still get pop up boxes asus.exe and when computor sits idle then Rootkit win32.agent.p is there anyway that this changes names making difficult to find?.....

#13
sari

Posted 12 September 2006 - 11:58 AM

GeekU Admin

Community Leader
21,806 posts

eyespy1,

Hmm, I'm not sure why they're being so difficult. Let's go ahead and run the fix and see if it cleans them up. I know it will get the asus.exe, but we just wanted to see the others for analysis.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Thanks,

sari

#14
eyespy1

Posted 12 September 2006 - 01:30 PM

Member

Topic Starter
Member
28 posts

Hui Sari here are the logs
SDfix log

SDFix: Version 1.21
-------------------------

Scan Time / Date: 13:12:37.08 / 12/09/2006

Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Brent\Desktop\SDFix

Stage One...

Checking Services...

Service Name:
------------------

rdriv

File Path:
------------

\??\C:\WINDOWS\system32\rdriv.sys

Removing Services:
------------------------

rdriv ... deleted

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting!

Stage Two...

Registry Cleaning Finished...

Checking For Malware Files:
----------------------------------

Backing Up and Removing any Files Found...

Final Check:

Remaining Services:
------------------------

Remaining Files:
-------------------

FINISHED

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:24:57 PM, on 12/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsqh.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsrw.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Shaw Secure\FSGUI\ispnews.exe
C:\PROGRA~1\SHAWSE~1\ANTI-S~1\fsaw.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
C:\Program Files\Shaw Secure\FSGUI\fsguidll.exe
C:\Documents and Settings\Brent\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Update WinFix] tjonpxhmdxrr.exe
O4 - HKLM\..\Run: [prosesor] qnxrkmzeh.exe
O4 - HKLM\..\Run: [Tilerun] Tilerun.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\RunServices: [Update WinFix] tjonpxhmdxrr.exe
O4 - HKLM\..\RunServices: [prosesor] qnxrkmzeh.exe
O4 - HKLM\..\RunServices: [Tilerun] Tilerun.com
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156595632934
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156595621227
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\axdcfasb.exe (file missing)

#15
sari

Posted 13 September 2006 - 07:30 AM

GeekU Admin

Community Leader
21,806 posts

eyespy1,

Quck edit - someone made a suggestion that we try to fix those first and see if they go away.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [Update WinFix] tjonpxhmdxrr.exe
O4 - HKLM\..\Run: [prosesor] qnxrkmzeh.exe
O4 - HKLM\..\Run: [Tilerun] Tilerun.com
O4 - HKLM\..\RunServices: [Update WinFix] tjonpxhmdxrr.exe
O4 - HKLM\..\RunServices: [prosesor] qnxrkmzeh.exe
O4 - HKLM\..\RunServices: [Tilerun] Tilerun.com

Now close all windows other than HiJackThis, then click Fix Checked.

Reboot, and then post a new hijackthis log.

Thanks,

sari

Edited by sari, 13 September 2006 - 07:58 AM.