Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Help please with this virus!

Started by looktotheskys , Apr 30 2005 04:53 PM

Please log in to reply

#1
looktotheskys

Posted 30 April 2005 - 04:53 PM

Member

Member
30 posts

Hello,

I've been working on this all day. I followed all the posted steps-here is the log!
This is a hard bug to kill. I also have that damm yellow warning Icon flashing on my task bar and pop ups also get thru. I use Avast antivirus and have run all the software that was suggested. I'm new at this and need clear, concise instructions. Thanks very much for looking at my log.

Sincerely,

looktotheskys

Logfile of HijackThis v1.99.1
Scan saved at 3:25:52 PM, on 4/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.surfline.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://surfline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surfline.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nicole\Application Data\Mozilla\Profiles\default\qo1xzgrx.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Bugnosis - {630CB4FA-AA9E-4bf2-BBD1-81C239203E2F} - C:\Program Files\Bugnosis\WebBug.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {BB0CD8BC-2E4B-40F6-AC0B-8876B4ACDC34} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB0CD8BC-2E4B-40F6-AC0B-8876B4ACDC34} - (no file) (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF} - http://www.haptek.co...data/latest.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} -
O19 - User stylesheet: (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2
Wizard

Posted 30 April 2005 - 06:48 PM

Retired Staff

Retired Staff
5,661 posts

Howdy Looktotheskys and Welcome to G2G!!!

First thing to do is to Disable Spybots Tea Timer:

Open Spybot and Mode >> Advanced Mode
Then on the left panel
Tools >> Resident
Remove the check mark for Resident "TeaTimer"
Reboot the system and TeaTimer will no longer be resident.

You may need to disable Spyware Guard while making any fixes!!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qfind.net/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.qfind.net/search.php?qq=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.surfline.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://surfline.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surfline.com

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Nicole\Application Data\Mozilla\Profiles\default\qo1xzgrx.slt\prefs.js)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {BB0CD8BC-2E4B-40F6-AC0B-8876B4ACDC34} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BB0CD8BC-2E4B-40F6-AC0B-8876B4ACDC34} - (no file) (HKCU)

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) -

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB

O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx

O16 - DPF: {DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF} - http://www.haptek.co...data/latest.cab

O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.h...cdetection3.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} -

O19 - User stylesheet: (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!
Here is a link to help with that:
http://www.bleepingc...showtutorial=62

Locate and Delete:

C:\WINDOWS\popuper.exe<< File Only!

C:\WINDOWS\System32\intmonp.exe<< File Only!

C:\WINDOWS\System32\msole32.exe<< File Only!

C:\WINDOWS\System32\msmsgs.exe<< File Only and in that folder only!

When finished,Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!
Make Sure Normal Startup is Checked!!

Select the tab labeled Startup and put a Check by every box there!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart back in Normal Mode and Download Microsoft AntiSpyware:
http://www.bleepingc...ware-tut98.html
Everything you need is in the Link!
Download,Install,Update and Scan!
Save the Report and Place it in the next post!

Using Internet Explorer only,Have the PC scanned here:
http://www.pandasoft...n_principal.htm
Save the Report from there also!

Once all is Completed,Scan the PC with HijackThis again and Post those results along with the 2 Resports I asked for!

I will need to know if you were unable to delete any of the files I listed!

#3
looktotheskys

Posted 30 April 2005 - 07:57 PM

Member

Topic Starter
Member
30 posts

Thanks cretemonster!!

I'll proceed as mentioned and I will get back to you and this thread. Greatly appreciated.

Sincerely,

looktotheskys

#4
looktotheskys

Posted 01 May 2005 - 01:30 PM

Member

Topic Starter
Member
30 posts

Hello Cretemonster,

I think the problem is fixed!! THANK YOU very much! I followed your instructions but the last two, because, I'm not happy with Microsoft and Windows and I'm going to use a different browser and I do have alot of spyware protection on my machine. I may change my mind in the future. At the Panda site I could'nt find the Axtive X download, I did run a search??. Anyway, I have included the lastest log for you. Thanks again. You people are cool!

Sincerely,

Looktotheskys

Logfile of HijackThis v1.99.1
Scan saved at 12:06:57 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surfline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Nicole\Application Data\Mozilla\Profiles\default\qo1xzgrx.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java

Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Bugnosis - {630CB4FA-AA9E-4bf2-BBD1-81C239203E2F} - C:\Program Files\Bugnosis\WebBug.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} -
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#5
Wizard

Posted 01 May 2005 - 02:30 PM

Retired Staff

Retired Staff
5,661 posts

Thats is fine,I am glad to hear things are better!!

Ad Aware and Spybot are just as good as Microsoft AntiSpyware!

Now Lets get Tea Timer Disabled until I can deem the System Clean,The instructions are in my previous post!
You will have to Restart to make the Changes take!!

What became of the File Deletions,were you able to find all of them and delete them?

Since IE is out of the question,we will use a different Scan,its a alot more intensive and takes a while to complete,but this way I will know whats left on the System!!

Download Microworlds Antivirus Toolkit Utility:
http://www.mwti.net/...e_utilities.asp

Once at the site select Download Link 1

Download,Extract all files and Install!

Double-click it to run it,make sure these have a check by them:

Memory
StartUp Folders
Drive
All Local Drives
Scan All Files
Registry
System Folders
Services

Now Click "Scan" and when it is completed, anything found will be displayed in the lower pane.

To Copy&Paste the Results,you will need to Highlight everything in the lower pane and press(At the same time) Ctrl+C
Now,Open Notepad,place the Pointer inside it and Right Click and Select Paste!

Post those results along with a fresh HijackThis Log!!

#6
looktotheskys

Posted 06 May 2005 - 02:35 PM

Member

Topic Starter
Member
30 posts

Just a quick note to let you know that I did download http://www.mwti.net/...e_utilities.asp but I have alot of data/images on my hard drives. The mwti software ran for 12 1/2 hrs. and found 50 viruses/problems and did not even finish. When I can let mwti run for 24+ hrs. I'll then save the log and post it. You have been great. My question to you is, why when I do a deep scan with Avast, it doen'nt pick-up these issues and viruses? Thanks Again.

Sincerely,

Looktotheskys :tazz:

#7
Wizard

Posted 07 May 2005 - 04:22 AM

Retired Staff

Retired Staff
5,661 posts

OK,I know its a pain but this is one of the most in depth scans I know of!!!

I am sorry that it takes so long,but better to be sure than be infected!!!

Take your time,post back when you are ready!

#8
looktotheskys

Posted 10 May 2005 - 12:12 AM

Member

Topic Starter
Member
30 posts

Dear Cretemonster,

Here they are. My question to you is, why, when I do a deep scan with Avast, Avast doen'nt pick-up these issues , errors and viruses? Where do we go from here? Thanks Again.

Sincerely,

Looktotheskys

Logfile of HijackThis v1.99.1
Scan saved at 10:59:01 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.surfline.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.surfline.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.surfline.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surfline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.surfline.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Nicole\Application Data\Mozilla\Profiles\default\qo1xzgrx.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Bugnosis - {630CB4FA-AA9E-4bf2-BBD1-81C239203E2F} - C:\Program Files\Bugnosis\WebBug.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

File System Found infected by "sys Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Narrator Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "morpheus Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ole32vbs.exe infected by "Trojan.Win32.Favadd.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Nicole\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6d2f0597-342a51a7.RB0 infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\ml00!.exe infected by "Trojan-Downloader.Win32.Small.aru" Virus. Action Taken: No Action Taken.
File C:\Program Files\Iomega\DriveIcons\imghr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZa Lite\My Shared Folder\Poser-4.rar tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\My Shared Folder\New Stuff1\SOFTWARE\Hollywood FX PRO v5.1 build 35=Create 3D transitions,titles,animation effects,etc-FULL.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\KaZaA\New Folder (2)\BSINSTALL.exe infected by "not-a-virus:AdWare.ToolBar.CommonName.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP125\A0018436.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP126\A0018753.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP126\A0019754.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP126\A0019766.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP126\A0019772.exe infected by "Trojan-Clicker.Win32.Agent.cr" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP126\A0019773.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP126\A0019798.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP126\A0019800.exe infected by "Trojan.Win32.Puper.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP126\A0019819.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP127\A0019867.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP129\A0024839.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP129\A0024863.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP129\A0024875.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP129\A0024895.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP129\A0024951.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP129\A0024955.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP129\A0024958.exe infected by "Trojan.Win32.Puper.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3C3DFFBD-A970-44C8-A7D8-9A6BFFB0411F}\RP148\A0025662.exe infected by "Trojan-Downloader.Win32.Small.aru" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ole32vbs.exe infected by "Trojan.Win32.Favadd.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wldr.dll infected by "Trojan-Downloader.Win32.Agent.le" Virus. Action Taken: No Action Taken.
File H:\Desktop\KaZa Lite\Incomplete\T-3793825-Adobe Premiere Plugins.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File H:\KaZa Lite\Incomplete\T-3793825-Adobe Premiere Plugins.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File H:\KaZa Lite\Incomplete\T-76961593-Macromedia.Flash.MX.PRO.2004.v7.0.Incl.Crack-Paradox.ShareConnector.com.rar tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Mon May 09 22:18:31 2005 => Result: ERROR!!! File H:\KaZa Lite\My Shared Folder\Newtek - Lightwave - 3D Trees Library.zip is Not Scanned
Mon May 09 22:18:33 2005 => Scanning Folder: H:\KaZa Lite\Incomplete\*.*
Mon May 09 22:29:40 2005 => Scanning Folder: H:\INCINERATE\*.*

Mon May 09 22:29:44 2005 => ***** Checking for specific ITW Viruses *****
Mon May 09 22:29:45 2005 => Checking for Welchia Virus...
Mon May 09 22:29:46 2005 => Checking for LovGate Virus...
Mon May 09 22:29:47 2005 => Checking for CodeRed Virus...
Mon May 09 22:29:48 2005 => Checking for OpaServ Virus...
Mon May 09 22:29:49 2005 => Checking for Sobig.e Virus...
Mon May 09 22:29:50 2005 => Checking for Winupie Virus...
Mon May 09 22:29:51 2005 => Checking for Swen Virus...
Mon May 09 22:29:52 2005 => Checking for JS.Fortnight Virus...
Mon May 09 22:29:53 2005 => Checking for Novarg Virus...
Mon May 09 22:29:54 2005 => Checking for Pagabot Virus...
Mon May 09 22:29:55 2005 => Checking for Parite.b Virus...
Mon May 09 22:29:56 2005 => Checking for Parite.a Virus...

Mon May 09 22:29:58 2005 => ***** Scanning complete. *****
Mon May 09 22:30:00 2005 => Total Objects Scanned: 107598
Mon May 09 22:30:01 2005 => Total Virus(es) Found: 35
Mon May 09 22:30:02 2005 => Total Disinfected Files: 0
Mon May 09 22:30:03 2005 => Total Files Renamed: 0
Mon May 09 22:30:04 2005 => Total Deleted Objects: 0
Mon May 09 22:30:05 2005 => Total Errors: 71
Mon May 09 22:30:06 2005 => Time Elapsed: 47:36:17
Mon May 09 22:30:07 2005 => Virus Database Date: 2005/05/02
Mon May 09 22:30:08 2005 => Virus Database Count: 127997

Mon May 09 22:30:10 2005 => Scan Completed.

#9
looktotheskys

Posted 10 May 2005 - 06:05 PM

Member

Topic Starter
Member
30 posts

Hello Cretemonster,
I posted the results for you to look at. Just waiting for your relpy so that I can clean up my infected computer.

Thanks,

Looktotheskys

#10
Wizard

Posted 13 May 2005 - 08:33 PM

Retired Staff

Retired Staff
5,661 posts

I do apologize for your having to wait on me!!

Unfortuanltly I was called out of town for work,let me get ducks in a row and I will post a response ASAP!!!

I will look into the best Configuration for Avast that I can!!!

#11
looktotheskys

Posted 16 May 2005 - 07:30 PM

Member

Topic Starter
Member
30 posts

Dear Cretemonster,

What do I do about all the infected files! Thanks again.

Sincerely,

Looktotheskys

#12
Wizard

Posted 16 May 2005 - 09:07 PM

Retired Staff

Retired Staff
5,661 posts

My Apologies again,I lost this post somehow!!!

Ok, first disable the System Restore feature in Windows XP
Here's a link on how to do this:
http://service1.syma...src=sec_doc_nam

Make sure Windows is still Configureed to Show Hidden Files!!

Locate and Delete:

C:\WINDOWS\system32\wldr.dll<< File Only!

C:\WINDOWS\system32\ole32vbs.exe<< File Only!

C:\Program Files\KaZaA\New Folder (2)\BSINSTALL.exe<< File Only!

C:\ml00!.exe

C:\Documents and Settings\Nicole\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6d2f0597-342a51a7.RB0<< File Only!

Let me know if you cant fond any of those!

Restart the PC in Normal Mode and have a visit here:
http://forum.avast.com/

Thats The Avast Home Forum and I can think of no better place than that to find out how to Configure you Antivirus for the best possible Settings!!

I have never used it before,so anything I would tell you would be useless!

Post back and let me know how it went!

#13
looktotheskys

Posted 17 May 2005 - 03:23 PM

Member

Topic Starter
Member
30 posts

Dear Cretemonster,

I located the first three files and deleted them but did not find these two files:

C:\ml00!.exe

C:\Documents and Settings\Nicole\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6d2f0597-342a51a7.RB0<< File Only!
I did find a .IDX and a .ZIP file with the same name but not a .RBO file

I ran a search for both.

What about the long list of infected files and virues that I posted above??

Thanks again,

Looktotheskys :tazz:

#14
Wizard

Posted 17 May 2005 - 03:55 PM

Retired Staff

Retired Staff
5,661 posts

I think it will be fine to delete the 2 files you identified and as for the long list:

C:\System Volume= System Restore!!

Now for the one you couldnt find!!

Click Start>>Click Run>>Type in CMD and Click OK!

At the Command Prompt Screen Type in cd C:\ (Note the Space between cd and C)

Hit Enter!

Now type in del C:\ml00!.exe (Note the Space between del and C)

Hit Enter!

Close Out Command Prompt!

Now Renable System Restore and Restart once again!

Once you restart all old restore points are flushed and a new one is created!

Reconfigure Windows to Hide Files!

Reset the Startup area of Msconfig to the way your prefer you PC to Startup!!

Have a visit here and get Spyware Blaster and while you are there,Check out Spyware Guard,its always a plus to have!
http://www.javacools...m/products.html

Everything else looks good!!!

Whatcha Think,PC acting OK?