[brownstar]

Greetings-

I've been working at this for several weeks, and although I've gotten my system stable at several points, still have these same problems popping up, seemingly out of nowhere... The ones I've seen the most are ClickSearchClick (Soooo annoying!) DOAsearch, CoolWWWSearch.Yexe, Websearch, and Agobot. I've utilized several anti spyware and anti virus programs, including Ad-Aware, Spybot, Microsoft Anti-Spyware, Spyware Blaster, Stinger, Sophos, Avast, and McAfee 2005, with all current definitions. PSGuard showed up, but I can't find a trace of it at this point, although it still might be kicking around... Any help would be greatly appreciated. Here is my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:37 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PeoplePC\ISP6130\Browser\Bartshel.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\PeoplePC\ISP6130\Browser\PPShared.exe
C:\WINDOWS\System32\Services\{61822398-0912-4D35-8601-0E1D996DA29F}\SVCHOST.EXE
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Brownstar\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...ndex.php?aff=19
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll (file missing)
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O4 - HKLM\..\Run: [IRC Client] updated.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6130\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{61822398-0912-4D35-8601-0E1D996DA29F}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{61822398-0912-4D35-8601-0E1D996DA29F}\SECURITY.EXE
O4 - HKLM\..\RunServices: [IRC Client] updated.exe
O4 - HKCU\..\Run: [IRC Client] updated.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://www.lavasoft.de
O15 - Trusted Zone: http://my.pcc.edu
O15 - Trusted Zone: http://webct.pcc.edu
O15 - Trusted Zone: http://www.pcc.edu
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121055360685
O17 - HKLM\System\CCS\Services\Tcpip\..\{2822DFDA-D0EE-4717-BB89-BA8049E5C7E8}: NameServer = 204.157.3.13 205.137.48.5
O20 - Winlogon Notify: iexplore - s01mY.dll (file missing)
O21 - SSODL: System - {E4D9F09A-4315-417C-BC5D-B30534672C4A} - vr_sys.dll (file missing)
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe

Ryan C Brown
[email protected]
Portland, OR

Edited by brownstar, 11 July 2005 - 02:48 AM.

[Advertisements]

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

[Buckeye_Sam]

Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

[brownstar]

Thanks for the reply, but I think I got 'er all fixed up now...

I had to replace wininet.dll to get rid of Alernod.b.dll, which I was finally able to detect after getting the most current definitions for my McAfee 2k5... Everything seems stable at this point, and has been so for many days.

Any future problems, I'll definatly use this place as a resource.

Thanks again!
rbrown