[Nocturnal]

Logfile of HijackThis v1.99.1
Scan saved at 1:56:16 PM, on 6/15/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\AOL COMPUTER CHECK-UP\ACCAGNT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\AOLTRAY.EXE
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\SPYWARE REMOVAL TOOLS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\COMPANION.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

Above is the HJT log. I'm still getting a lot of pop ups and I can't figure out what is causing it.

[Advertisements]

Hello and Welcome to Geeks to Go! Im kool808 and I will be helping you today. I am working on your log, as soon as an Administrator or staff review this I will post a reply. Thank for your patience.

[kool808]

Hello and Welcome to Geeks to Go! Im kool808 and I will be helping you today. I am working on your log, as soon as an Administrator or staff review this I will post a reply. Thank for your patience.

[kool808]

It seems that your system is clean. To be sure, please run this fixes.

• Please download Spybot Search & Destroy 1.4 then follow and print the instructions found HERE. For Ad-Aware 1.06 follow and print the instructions found HERE. Read More...
  
• Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
  You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  The update will start and a progress bar will show the updates being installed.
  Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

==================

We are almost done, but to make sure it is perfectly clean let us have the final check.

• Reboot to Normal Mode.
• Close all windows, open HijackThis then SCAN.
• Post a NEW HijackThis Log.

[Nocturnal]

When I attempt to do an ActiveScan what happens is it just automatically says the computer is clean. I know this is wrong. How do I fix this?

[Nocturnal]

MSAS keeps telling me every time I reboot and log into a user account that my internet settings are trying to be changed to lower than the default levels. I've scanned with multiple anti-spyware and anti-virus programs. I've taken off everything that may be spyware/viruses. Any ideas?

[Nocturnal]

OK I have a spyware dilemma. Basically this isn’t my computer; I do this for a living. I’m trying to remove the spyware without having to format and reinstall Windows if at all possible.

I’m working on a computer running Windows XP Home with SP2 with five user accounts (all administrator accounts).

I removed the hard drive and put it into an enclosure and hooked it up to my computer. I ran Norton AV and Panda Software ActiveScan. After removing all viruses I hooked the hard drive back up to the computer. I went in and installed Ad-Aware, MS Anti-Spyware, Spybot Search and Destroy, Avast AV and CCleaner. I did all the updates and I started with the first account, scanned it with the programs, removed whatever spyware there was, rebooted. I didn’t keep track of what I was doing and probably skipped a few accounts and went into them randomly to try and remove the spyware.

In a nutshell, the HJT log is clean, there are no viruses on the computer anymore. However, Microsoft Anti-Spyware is still saying upon random reboots that IBIS toolbar wants to install itself. Also, Microsoft Anti-Spyware catches something trying to lower the security zone settings for internet explorer.

I currently do not have the HJT log but I know for a fact it is clean. I’m wondering, how in the world does IBIS keep coming back? Is it through the registry? I removed ALL temp files from every single user’s account so it can’t be through there.

If it is the registry, I’m wondering where it is located.

Is there such thing as a hidden registry key unviewable by even administrators of said computer?

[kool808]

Sorry for the delay.

Please skip running the Ewido Security Suite.

======================

• Open HijackThis
• go to Config, then Misc Tools
• Open Uninstall Manager, then click Save List...
• Post the results here
• close HJT

======================

• click Start > Run > command
• type in cd\
• cd progra~1 or cd program files
• dir *.* >> c:\pflist.txt
• exit
• through windows explorer, locate c:\pflist.txt
• post the results here

[kool808]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.