Removing Bloodhound [RESOLVED]



#1 beeps (Member, 148 posts)
Hello

I have been following Trevuren's advice given in another thread to remove Bloodhound.32.EP.

I have scanned with Trojan Hunter and Kaspersky AntiVirus as described. They both found various dangerous objects and deleted or disinfected them. Kaspersky in particular found 6 objects not found by any other previous scan and dealt with them.

The next part of Trevuren's instructions is to delete certain files using HijackThis.
None of the files specified appear on my log, however. Here is my log; maybe there are other nasties on my system instead?


Logfile of HijackThis v1.99.1
Scan saved at 13:13:08, on 16/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Program Files\Browser MOUSE\R2M.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Documents and Settings\shane\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Program Files\Browser MOUSE\R2M.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [SysCab] c:\windows\syscab\ntsys.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


The thing is, since the Kaspersky scan, on the surface my system appears to be working fine once more. Dare I hope I am cured?

Thanks in advance :tazz:

*Edit* It seems my system is in fact not running fine. I am still getting messages telling me that Windows has critical errors. There seem to be fewer errors than before though: it was 40ish errors and it is now 20ish. Apart from that things seem better; IE is working again for starters.

Edited by beeps, 16 July 2005 - 07:19 AM.

#2 therock247uk (Expert, MVP, 14,671 posts)
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [SysCab] c:\windows\syscab\ntsys.exe

===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#3 beeps (Topic Starter, Member, 148 posts)
Thanks for your help therock.


Ok, I followed your instructions. I may have made an error though: I clicked "fix checked" and closed HijackThis before opening smitRem, which you did not specify to do.
I also ignored 67 infected files on the Ewido scan, all connected to Mozilla, because I had no idea whether they were false positives or not.
I am still getting the window error message.

Here are the log files:




Logfile of HijackThis v1.99.1
Scan saved at 16:24:56, on 16/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Program Files\Browser MOUSE\R2M.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Documents and Settings\shane\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Program Files\Browser MOUSE\R2M.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:18:06, 16/07/2005
+ Report-Checksum: 6D3181F4

+ Scan result:

:mozilla.23:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Bluestreak : Ignored
:mozilla.26:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Mediaplex : Ignored
:mozilla.32:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
:mozilla.34:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.35:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.36:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Atdmt : Ignored
:mozilla.37:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.38:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Fastclick : Ignored
:mozilla.93:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.94:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.95:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.96:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.97:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.98:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.99:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.100:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.101:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.102:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.103:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.104:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.105:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.2o7 : Ignored
:mozilla.119:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored
:mozilla.120:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Ignored
:mozilla.124:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Ru4 : Ignored
:mozilla.125:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Ru4 : Ignored
:mozilla.133:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Doubleclick : Ignored
:mozilla.180:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.181:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.182:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.183:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.184:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.199:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Bfast : Ignored
:mozilla.201:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Ignored
:mozilla.204:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Adviva : Ignored
:mozilla.205:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Adviva : Ignored
:mozilla.206:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Adviva : Ignored
:mozilla.209:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Questionmarket : Ignored
:mozilla.211:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.212:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.213:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.214:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.215:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.216:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.217:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.225:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.226:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.227:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.228:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.229:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.230:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Serving-sys : Ignored
:mozilla.288:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.289:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.291:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.292:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Hitbox : Ignored
:mozilla.328:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.329:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.355:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored
:mozilla.356:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored
:mozilla.357:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Pointroll : Ignored
:mozilla.372:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Adtech : Ignored
:mozilla.373:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Adtech : Ignored
:mozilla.437:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Centrport : Ignored
:mozilla.438:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Centrport : Ignored
:mozilla.448:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Ignored
:mozilla.449:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Ignored
:mozilla.450:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Ignored
:mozilla.451:C:\Documents and Settings\shane\Application Data\Mozilla\Firefox\Profiles\mwh6n683.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Ignored


::Report End

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard.lnk
PSGuard.com
PSGuard.lnk


~~~ Favorites ~~~



~~~ system32 folder ~~~

wp.bmp


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard.lnk


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

*Edit* I was unable to run the Panda scan. It seems it is not supported by my browser.

Edited by beeps, 16 July 2005 - 09:39 AM.

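The two HijackThis logs above are the record of what the first fix pass actually changed, and the check a helper does by eye (did the listed entries go, what is left) can be written down. The following is an added example for this thread, not code from HijackThis, smitRem or any other tool the posts mention: a small Python parser for HJT log lines that diffs two logs and reports which lines of a posted fix list are still present. The sample lines are copied from the two logs beeps posted (13:13 and 16:24 on 16/07/2005); the fix list is the six lines therock247uk asked to have fixed in post #2, and the O20 Winlogon Notify line is the one addressed later in the thread. All function and variable names are this example's own.

```python
"""Parse HijackThis v1.99 logs, diff two of them, and check a helper's fix list.

Added example for this thread; not code from HijackThis or any tool named above.
Sample log lines are copied from the two logs posted in the thread; the fix lists
are the lines the helper asked to have fixed. Function names are this example's own.
"""
import re
from dataclasses import dataclass

# Every HJT entry starts with a section code: "R0 - ...", "O4 - ...", "O20 - ...".
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# O4 registry run entries: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
# First drive-letter path ending in a module/shortcut extension; quotes excluded.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|ocx|cpl|bat|lnk)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O4"
    body: str      # everything after "O4 - "

    def run_name(self):
        """Value name of an O4 registry run entry, or None for other entry kinds."""
        m = RUN_RE.match(self.body)
        return m.group(3) if m else None

    def path(self):
        """Lower-cased file path the entry points at, or None (e.g. res:// URLs)."""
        m = PATH_RE.search(self.body)
        return m.group(0).lower() if m else None


def parse_hjt(text):
    """Return the entries of an HJT log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Entries that disappeared between two logs, and entries that appeared."""
    removed = sorted(set(before) - set(after), key=lambda e: e.body)
    added = sorted(set(after) - set(before), key=lambda e: e.body)
    return removed, added


def still_present(entries, fix_lines):
    """Lines of a posted fix list that are still in the log, matched exactly as posted."""
    present = set(entries)
    return [ln for ln in fix_lines if parse_hjt(ln) and parse_hjt(ln)[0] in present]


def autoruns_under(entries, prefix):
    """Names of O4 run entries launching from under `prefix`. Triage aid only:
    legitimate Windows components (ctfmon.exe, for one) live there as well."""
    prefix = prefix.lower()
    names = [e.run_name() for e in entries
             if e.section == "O4" and e.run_name() and (e.path() or "").startswith(prefix)]
    return sorted(names)


# Excerpt of the first posted log (13:13:08, 16/07/2005).
FIRST_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [SysCab] c:\windows\syscab\ntsys.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# Excerpt of the second posted log (16:24:56), after the helper's six lines were fixed.
SECOND_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# The six lines the helper asked to have fixed, exactly as posted.
FIX_LIST_POST2 = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm",
    r"O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe",
    r"O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home",
    r"O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe",
    r"O4 - HKLM\..\Run: [SysCab] c:\windows\syscab\ntsys.exe",
]
# The Winlogon Notify entry the helper identified later in the thread.
FIX_LIST_LATER = [r"O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll"]

if __name__ == "__main__":
    before, after = parse_hjt(FIRST_LOG), parse_hjt(SECOND_LOG)
    removed, added = diff_logs(before, after)
    print(f"{len(removed)} entries removed, {len(added)} added between the two logs")
    print("post #2 fix list still present:", still_present(after, FIX_LIST_POST2))
    print("later-identified entry still present:", still_present(after, FIX_LIST_LATER))
    print("run entries launching from the Windows folder:", autoruns_under(before, "C:\\WINDOWS\\"))
```

Matching fix-list lines exactly as posted is deliberate: a fix list names specific entries, and the diff is what shows which ones went and which stayed. Run over these two logs, the six post #2 lines are all gone, while the O20 Winlogon Notify entry survives the first pass; that is the entry picked up later in the thread. The Windows-folder check only narrows the list of run entries worth a look; it flags ctfmon.exe alongside the three entries the helper listed, so it is a starting point for review, not a verdict.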

#4 therock247uk (Expert, MVP, 14,671 posts)
1. Download and unzip http://skads.org/special/rkfiles.zip to a folder.

2. Boot into Safe Mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select Safe Mode.

3. While in Safe Mode go to the folder you unzipped rkfiles to and run rkfiles.bat. It will take a long time and it will make a log, log.txt. Reboot into normal mode and post that log here in a reply.

#5 beeps (Topic Starter, Member, 148 posts)
The log produced:


C:\Documents and Settings\shane\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\1.exe: FSG!
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\system32\DivX.dll: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

I am assuming I followed the instructions in the last post correctly, yes?

Cheers :tazz:

#6 therock247uk (Expert, MVP, 14,671 posts)
Can you send this file C:\WINDOWS\system32\1.exe as an attachment to submit @ atribune.org (remove the spaces around the @).

#7 beeps (Topic Starter, Member, 148 posts)
Ok, I have just done so.

#8 therock247uk (Expert, MVP, 14,671 posts)
Can you try sending that file again, and also send avpx32.exe from c:\windows\system32.

#9 beeps (Topic Starter, Member, 148 posts)
I sent the first file again; I received this message though:

The files 1.exe(0.05 MB) may be unsafe. Many recipients would not be able to open these attachments. You may want to delete these attachments before sending your message. More Info...


I could not find a file called avpx32.exe.

This does not bode well. I guess I have something particularly nasty?

#10 therock247uk (Expert, MVP, 14,671 posts)
Can you see if you can find avpx32.exe when you enable "show hidden files"? Go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

Also can you zip 1.exe and try sending it.

#11 beeps (Topic Starter, Member, 148 posts)
It appears I had already enabled the hidden files to be shown. I think I did it when I was bumbling around attempting to solve the problem myself from various other threads. :tazz:

There is no avpx32.exe in c:\windows\system32. Unless it is inside a folder within system32 somewhere?

There are many files with similar names but certainly no avpx32.exe.

Also can you zip 1.exe and try sending it.


I have sent you what I think is a zipped 1.exe.

#12 therock247uk (Expert, MVP, 14,671 posts)
You have a Horseserver infection which requires some tools to get rid of.
  • First, download HSFix from here
  • After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
  • Next, download CleanUp! Install it, but do not run it yet.
  • Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
  • A log will be produced which you can close out of.
  • Then run HijackThis again, close any open windows and browsers and fix these:
    O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
  • Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
  • Restart your computer into normal mode and run at least one of the following free, online virus scans:
    http://housecall.tre.../start_corp.asp
    http://www.pandasoft...n_principal.htm
    http://www3.ca.com/t...sinfo/scan.aspx
  • Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt
Also delete if still there 1.exe

#13 beeps (Topic Starter, Member, 148 posts)
I followed your instructions until the online scans. Unfortunately none of the online scanners seemed to be supported by my browser. Maybe I should find something else to scan with?

Here are the new HijackThis log and the HSFix log.



Logfile of HijackThis v1.99.1
Scan saved at 20:18:26, on 16/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Program Files\Browser MOUSE\R2M.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Documents and Settings\shane\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Program Files\Browser MOUSE\R2M.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe



Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
tmp*.exe
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-





I deleted 1.exe no problem.

Edited by beeps, 16 July 2005 - 01:26 PM.

  • 0

#14
therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Ok, let's do this again; sometimes this needs to be done 2 times.
  • Boot into safe mode again: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
  • A log will be produced which you can close out of.
  • Then run HijackThis again, close any open windows and browsers and fix these:
    O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
  • Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
  • Restart your computer and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

  • 0

#15
beeps

    Member

  • Topic Starter
  • Member
  • 148 posts
Here are the resulting logs:



Logfile of HijackThis v1.99.1
Scan saved at 20:50:29, on 16/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
C:\Program Files\Browser MOUSE\R2M.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\WINDOWS\System32\atwtusb.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Documents and Settings\shane\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Speaker Configuration] C:\PROGRA~1\C-Media\WIN_ME\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HotKey] C:\WINDOWS\Twain_32\SlimU2\HotKey.exe
O4 - HKLM\..\Run: [FLMBROWSEMOUSE2] C:\Program Files\Browser MOUSE\R2M.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 5 Bundled Edition\Abmtsr.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24....es/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
ps.a3d
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
  • 0
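The helper's instruction in reply #12 (fix the O20 Winlogon Notify line) and the "do this again" step in #14 both come down to one question: after a cleanup pass, which entries in the new logs are gone and which survived? The script below is an added example written for this page; it is not part of HijackThis, HSFix, or any reply above. It parses two HijackThis logs and two HSFix logs, reports what a pass removed and what persisted, and checks whether the entry the helper asked to be fixed is still present. The embedded sample logs are constructed excerpts of the logs posted in replies #13 and #15, and the function names are my own.

```python
"""Compare consecutive HijackThis and HSFix logs to see what a cleanup pass removed.

Added example for this thread, not part of HijackThis, HSFix or any post above.
The sample logs below are constructed excerpts of the logs posted in #13 and #15.
"""
import re

# --- constructed sample input: trimmed excerpts of the thread's logs -------------
HJT_RUN1 = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:18:26, on 16/07/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

HJT_RUN2 = r"""Logfile of HijackThis v1.99.1
Scan saved at 20:50:29, on 16/07/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

HSFIX_RUN1 = """Horseserver Removal Tool v1.05
by Atri
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
3. Finding files Located on system
-
ps.a3d
tmp*.exe
w32tm.exe
-
4. Deleting files that were found.
-
5. Checking for and Removing Winupdate
-
"""

HSFIX_RUN2 = """Horseserver Removal Tool v1.05
by Atri
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
3. Finding files Located on system
-
ps.a3d
-
4. Deleting files that were found.
-
5. Checking for and Removing Winupdate
-
"""

# The entry the helper asked to be fixed in HijackThis (quoted from reply #12).
REQUESTED_FIXES = [r"O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll"]

HJT_ENTRY = re.compile(r"^(O\d+) - ")   # every HijackThis finding starts 'Oxx - '


def parse_hijackthis(log):
    """Group the 'Oxx - ...' lines of a HijackThis log by section code (O4, O20, O23, ...)."""
    sections = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            sections.setdefault(m.group(1), set()).add(line)
    return sections


def parse_hsfix_found_files(log):
    """Return the names HSFix listed under step 3 ('Finding files Located on system')."""
    found, in_step3 = set(), False
    for raw in log.splitlines():
        line = raw.strip()
        if re.match(r"^\d+\.", line):        # a numbered step header opens or closes the block
            in_step3 = line.startswith("3.")
            continue
        if in_step3 and line and line != "-":
            found.add(line)
    return found


def compare(before, after):
    """Split two sets into what the pass removed, what survived it, and what newly appeared."""
    return {"removed": sorted(before - after),
            "persisted": sorted(before & after),
            "new": sorted(after - before)}


def compare_hijackthis(log_before, log_after):
    """Per-section diff of two HijackThis logs."""
    b, a = parse_hijackthis(log_before), parse_hijackthis(log_after)
    return {code: compare(b.get(code, set()), a.get(code, set()))
            for code in sorted(set(b) | set(a))}


def compare_hsfix(log_before, log_after):
    """Diff of the files HSFix found in two consecutive runs."""
    return compare(parse_hsfix_found_files(log_before), parse_hsfix_found_files(log_after))


def entries_still_present(log, requested):
    """Which of the entries the helper asked to fix are still in the new log."""
    present = set().union(*parse_hijackthis(log).values())
    return [entry for entry in requested if entry in present]


if __name__ == "__main__":
    for code, delta in compare_hijackthis(HJT_RUN1, HJT_RUN2).items():
        print(code, delta)
    print("HSFix files:", compare_hsfix(HSFIX_RUN1, HSFIX_RUN2))
    for entry in entries_still_present(HJT_RUN2, REQUESTED_FIXES):
        print("still present after the fix, another pass is needed:", entry)
```

Run against the thread's own logs, the HSFix comparison reports tmp*.exe and w32tm.exe as removed and ps.a3d as persisted, and the avpx32 Winlogon Notify entry shows up as still present in the second HijackThis log, which is exactly the situation the helper's repeat instructions are written for. Winlogon Notify DLLs (the O20 section) are loaded into the logon process at every boot, so a persisting entry there is the one to keep checking between passes.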