I'm a long-time reader; in the past, when I googled for help against malware, I was able to solve my problems with the things you guys recommended to others.
Now I am in a big bind, and I would really appreciate some expert help on this because I really, really, really need it. I'm sorry for the length of my message; I'm just trying to be as detailed as possible.
Since yesterday I have been having big trouble with another attack by various malware programs self-installed on my PC. The problems include:
1. A toolbar added to Windows Explorer (like a Google Search one, except there are links to gambling, pharmacy, finance, adult). (I am able to "hide" it on other accounts, but not on my main one; the options are greyed out under View --> Toolbar.)
2. URLs that will redirect.
3. An unbelievable amount of "not responding" programs and freeze-ups. I am happy that I can just open Firefox and actually post this; it's been my 3rd reboot just to be able to open Firefox and HijackThis at the same time. Which also means that whenever I use my adware/spyware removal tools, they freeze midway. I have run scans with Venus Fly Trap, Spybot, Spyware Doctor and AVG Antivirus, only to stop them because they were no longer responding. They detect minor problems, "clean" them up, and then redetect them every time again. Though Venus FlyTrap did remove these from startup in "msconfig" (I tried manually, but they reappeared every time I restarted before using FlyTrap):
Jaguar.exe
Kargo.exe
wormexe.exe
utsgmon.exe
4. Ware Out Inc. was self-installed on my computer; I removed it.
5. Pop-up bubble messages that tell me there's spyware, while it's actually being executed by the malware so that I go on the sites it wants me to go to. (Only happens when I'm using IE rather than Firefox.)
Also, I'm trying to figure out why it's so slow by using Windows Task Manager. When idle, my CPU is at 7% usage (95% of that is System Idle... is it supposed to be that much??). Before the malware installed, it used to be 3-4%, though I don't think it matters much. Also, my page file used is 250 MB by the time my PC is started, with 60 MB free. Yet it reacts incredibly slower than normal.
I tried shutting down some of the "bigger" tasks (except explorer.exe) that hogged my memory, and when I closed one of the svchost.exe processes, there was a message that counts down 60 seconds and says Windows must shut down by the NT/Administrator because of a Remote Procedure Call (RPC). Is that normal???
Because in the past, when I tried to shut down all sorts of tasks "for fun", I never got this 60-second countdown... and the word "remote" scares me also...
I'm sorry once again for the long rambling... please help, I will be eternally grateful.
Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:10:34 PM, on 19/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\MathLab\webserver\bin\win32\matlabserver.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
c:\mathlab\bin\win32\matlab.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Shan\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {83165855-35FD-9812-4608-C42FC0A457C5} - utsgmon.dll (file missing)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Shan\Application Data\Mozilla\Profiles\default\jw91rha3.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\xqoxe.dll
O2 - BHO: Name - {139F423B-D185-469A-9418-E8843C5BAE3D} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {1711163E-0759-4822-B2D6-BEB4A35FB43D} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {19A5B51E-83D3-46C9-92C8-3C594FC61E17} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {20884615-9E58-47D0-9E0C-F5A0C406C583} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {3D0A2D30-983F-4368-8D4B-487640934165} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {3E45873E-E274-41B8-B1EA-02EB41A13A9A} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {3F2832C9-13AB-4C3E-B8E5-5F457C4454B7} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Name - {5C8E26E0-CFEA-44BA-B246-B72862D1AB9A} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {72B9229F-2179-4615-8047-6AED5631A372} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {750A77E4-124E-4CEE-90CB-9C7E417F322E} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {75B47C19-CEAC-4DAC-BCEB-416E378FD786} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: Name - {A5F4EBC2-183F-4A47-BD57-42510EA116F7} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {A77C2B23-7AD6-48C5-9FFA-EF441D937F85} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {B4254571-47CD-47A1-9117-ECA30B8F9D8B} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O2 - BHO: Name - {CF8ADA9D-922C-46A3-AD8B-2704BA34CAD8} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {DE419A1C-06BE-423C-BA31-362AD5E17791} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {E10A3900-08C8-4D5F-8B68-3D97DB3D2006} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {F14F383C-A26C-40CF-97E8-1A29FC2B051D} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {F5B49C98-FB1C-4961-9FBC-20FDFE1520F7} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {F5FFE383-FBBF-4F6F-A0AF-93FD68882AC2} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {F60A9D8D-C47A-4EF9-9D5D-52F311E2584F} - C:\WINDOWS\System32\msolx.dll (file missing)
O2 - BHO: Name - {FE0A35F3-640C-4E88-B3D3-E94CC477A4D1} - C:\WINDOWS\System32\msolx.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-ca\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\xqoxe.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [br0ken] UserSp1.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] C:\Program Files\SpyCat\DeleteSatellite.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - http://67.68.70.131/web/NetCam.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109200142302
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zon...ot.cab31267.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{633A6F70-EC6F-4182-94D7-0081FEB099E6}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0B34E30-24FD-4D36-9BC0-EC485D83B80C}: NameServer = 69.50.184.86,85.255.112.9
O21 - SSODL: SystemCheck - {54645654-2225-4455-44A1-9F4543D34544} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MathLab\webserver\bin\win32\matlabserver.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
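As an added example, not part of the original post and not a HijackThis feature, here is a small Python triage script that applies, from a defender's side, the checks a forum helper would make by hand on a log like the one above: O4 Run/RunServices entries that launch a bare filename with no path, O4 program names that are one typo away from a well-known Windows binary, O2/O3 BHO and toolbar registrations whose DLL is "(file missing)" or whose description is the placeholder "Name", O16 ActiveX controls pulled from a local file:// path, and O17 NameServer entries that hard-code non-private DNS servers. The sample lines are copied from the log in the post; the list of look-alike binary names is an assumption chosen for the example. Every hit is a candidate for review, not a verdict (a public DNS server in O17 is normal when it is the ISP's, so the output says to compare it).

```python
"""Heuristic triage of HijackThis-style log lines (added example, not the original post's code)."""
import ipaddress
import re

# Sample input: lines copied verbatim from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Name - {139F423B-D185-469A-9418-E8843C5BAE3D} - C:\WINDOWS\System32\msolx.dll (file missing)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\xqoxe.dll
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [br0ken] UserSp1.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O16 - DPF: {22222222-2222-2222-2222-222222222222} - file://c:\x.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{633A6F70-EC6F-4182-94D7-0081FEB099E6}: NameServer = 69.50.184.86,85.255.112.9
"""

# Windows binaries whose names malware often imitates by one character.
# This set is an assumption for the example, not an exhaustive reference.
KNOWN_BINARIES = {"msconfig.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[[^\]]+\] (.+)$")
O2_O3_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.*? - (\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")


def _within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by exactly one inserted, deleted or changed character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra character in a
        elif len(a) < len(b):
            j += 1          # missing character in a
        else:
            i, j = i + 1, j + 1  # substituted character
    edits += (len(a) - i) + (len(b) - j)  # trailing leftover counts as an edit
    return edits == 1


def _executable_of(command: str) -> str:
    """Program part of an O4 command line: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def check_line(line: str) -> list[str]:
    """Return the review reasons (possibly none) for one log line."""
    reasons: list[str] = []
    m = O4_RE.match(line)
    if m:
        exe = _executable_of(m.group(1))
        if "\\" not in exe and ":" not in exe:
            reasons.append("O4 entry launches a bare filename with no path: " + exe)
        for known in sorted(KNOWN_BINARIES):
            if _within_one_edit(exe.lower(), known):
                reasons.append(f"{exe} looks like a misspelling of {known}")
        return reasons
    m = O2_O3_RE.match(line)
    if m:
        description, target = m.groups()
        if description == "Name":
            reasons.append("BHO/toolbar uses the placeholder description 'Name'")
        if target.endswith("(file missing)"):
            reasons.append("BHO/toolbar DLL is missing on disk (leftover registration)")
        return reasons
    m = O16_RE.match(line)
    if m and m.group(1).lower().startswith("file://"):
        reasons.append("O16 ActiveX control sourced from a local file:// path: " + m.group(1))
        return reasons
    m = O17_RE.match(line)
    if m:
        public = []
        for ns in (s.strip() for s in m.group(1).split(",")):
            try:
                if not ipaddress.ip_address(ns).is_private:
                    public.append(ns)
            except ValueError:
                public.append(ns)  # not even an IP address: worth a look
        if public:
            reasons.append("O17 hard-codes non-private DNS servers (compare with the ISP's): "
                           + ", ".join(public))
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run check_line over every non-empty line; return (line, reasons) for each hit."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line:
            reasons = check_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_LOG):
        print(hit)
        for reason in why:
            print("   ->", reason)
```

On the sample above the script flags six lines: both `msconfg.exe` Run/RunServices entries (bare filename, one letter off `msconfig.exe`), the `UserSp1.exe` entry (bare filename), the `Name` BHO with its missing `msolx.dll`, the `file://c:\x.cab` ActiveX entry and the O17 DNS servers, while the Acrobat BHO, the quoted RealPlayer and AVG paths and the MSN chat control pass unremarked.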