
Unknown infection


  • This topic is locked

#1
Nocturnal
  • Member
  • 44 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:56:16 PM, on 6/15/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\AOL COMPUTER CHECK-UP\ACCAGNT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0A\AOLTRAY.EXE
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\SPYWARE REMOVAL TOOLS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\COMPANION.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

Above is the HJT log. I'm still getting a lot of pop ups and I can't figure out what is causing it.
  • 0
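As an added example (not part of the original thread or of HijackThis itself), the sketch below parses the O4 autostart lines of a log like the one above into structured records and lists entries whose command has no absolute path, since those are resolved through the search path and the file that actually runs has to be confirmed during triage. The sample lines are copied from the log above; the function and field names are assumptions made for this illustration.

```python
import re

# Sample lines copied from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
"""

# Registry autostart entry: hive, key name, value name in brackets, command line.
REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Startup-folder shortcut: shortcut file name and its target.
LNK_RE = re.compile(r"^O4 - Startup: (.+?) = (.+)$")
# Command begins with a drive letter, optionally inside quotes.
ABS_RE = re.compile(r'^"?[A-Za-z]:\\')

def parse_o4(log_text):
    """Return one dict per O4 line; every other section of the log is skipped."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = REG_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            source = f"{hive}\\{key}"
        else:
            m = LNK_RE.match(line)
            if not m:
                continue
            name, command = m.groups()
            source = "Startup folder"
        entries.append({"source": source, "name": name, "command": command,
                        "absolute_path": bool(ABS_RE.match(command))})
    return entries

def needs_path_check(entries):
    """Names of entries whose command is a bare file name (search-path lookup)."""
    return [e["name"] for e in entries if not e["absolute_path"]]

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        flag = "" if e["absolute_path"] else "  <-- no absolute path"
        print(f'{e["source"]:18} {e["name"]:24} {e["command"]}{flag}')
```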



#2
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
Hello and Welcome to Geeks to Go! I'm kool808 and I will be helping you today. I am working on your log; as soon as an Administrator or staff reviews this I will post a reply. Thank you for your patience. :tazz:
  • 0

#3
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
It seems that your system is clean. To be sure, please run these fixes.
  • Please download Spybot Search & Destroy 1.4 then follow and print the instructions found HERE. For Ad-Aware 1.06 follow and print the instructions found HERE.
  • Please download ewido security suite; it is a trial version of the program.
    • Install ewido security suite.
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido; there should be an icon on your desktop, double-click it.
    • The program will prompt you to update; click the OK button.
    • The program will now go to the main screen.
    You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Click on Start.
    The update will start and a progress bar will show the updates being installed.
    Once the updates are installed do the following:
    • Click on scanner.
    • Make sure the following boxes are checked before scanning:
      • Binder
      • Crypter
      • Archives
    • Click on Start Scan.
    • Let the program scan the machine.
    While the scan is in progress you will be prompted to clean files; click OK.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
    • Click Save report.
    • Save the report to your desktop.
==================

We are almost done, but to make sure it is perfectly clean let us have the final check.
  • Reboot to Normal Mode.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.

  • 0

#4
Nocturnal
  • Topic Starter
  • Member
  • 44 posts
When I attempt to do an ActiveScan what happens is it just automatically says the computer is clean. I know this is wrong. How do I fix this?
  • 0

#5
Nocturnal
  • Topic Starter
  • Member
  • 44 posts
MSAS keeps telling me every time I reboot and log into a user account that my internet settings are trying to be changed to lower than the default levels. I've scanned with multiple anti-spyware and anti-virus programs. I've taken off everything that may be spyware/viruses. Any ideas?
  • 0

#6
Nocturnal
  • Topic Starter
  • Member
  • 44 posts
OK I have a spyware dilemma. Basically this isn't my computer; I do this for a living. I'm trying to remove the spyware without having to format and reinstall Windows if at all possible.

I'm working on a computer running Windows XP Home with SP2 with five user accounts (all administrator accounts).

I removed the hard drive and put it into an enclosure and hooked it up to my computer. I ran Norton AV and Panda Software ActiveScan. After removing all viruses I hooked the hard drive back up to the computer. I went in and installed Ad-Aware, MS Anti-Spyware, Spybot Search and Destroy, Avast AV and CCleaner. I did all the updates and I started with the first account, scanned it with the programs, removed whatever spyware there was, rebooted. I didn't keep track of what I was doing and probably skipped a few accounts and went into them randomly to try and remove the spyware.

In a nutshell, the HJT log is clean, there are no viruses on the computer anymore. However, Microsoft Anti-Spyware is still saying upon random reboots that IBIS toolbar wants to install itself. Also, Microsoft Anti-Spyware catches something trying to lower the security zone settings for Internet Explorer.

I currently do not have the HJT log but I know for a fact it is clean. I'm wondering, how in the world does IBIS keep coming back? Is it through the registry? I removed ALL temp files from every single user's account so it can't be through there.

If it is the registry, I'm wondering where it is located.

Is there such a thing as a hidden registry key unviewable by even administrators of said computer?
  • 0

#7
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
Sorry for the delay.

Please skip running the Ewido Security Suite.

======================
  • Open HijackThis
  • go to Config, then Misc Tools
  • Open Uninstall Manager, then click Save List...
  • Post the results here
  • close HJT
======================
  • click Start > Run > command
  • type in cd\
  • cd progra~1 or cd program files
  • dir *.* >> c:\pflist.txt
  • exit
  • through windows explorer, locate c:\pflist.txt
  • post the results here

  • 0

#8
kool808
  • Visiting Staff
  • Member
  • 1,690 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





