Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

winfixer help, asap [RESOLVED]

Started by emijin , Aug 21 2005 09:47 PM

This topic is locked

#1
emijin

Posted 21 August 2005 - 09:47 PM

Member

Member
10 posts

umm not too much to say, my boyfriend's computer had over 400 spyware/viruses on it. i managed to get all of them off except winfixer. When i delete it from add/remove programs, it downloads itself as soon as the computer is restarted. here is the hijack this log, hope you can help!

Logfile of HijackThis v1.99.1
Scan saved at 11:41:54 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\d?xplore.exe
C:\Program Files\aim\aim.exe
C:\Program Files\etea\rpen.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\meejt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\meejt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\meejt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\meejt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C5ADF8F-E338-91E6-4F07-21E58D61A543} - C:\WINDOWS\ipcn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CB46984F-7EF1-2279-D6ED-0182CC682FC7} - C:\WINDOWS\system32\iwwowrdu.dll
O2 - BHO: (no name) - {FFA3F476-1AB8-1F14-B7AE-136402A84CE4} - C:\WINDOWS\System32\yumfpq.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msls2] C:\WINDOWS\System32\msls2.exe
O4 - HKCU\..\Run: [Poaxerl] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
O4 - Global Startup: profile.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lhup.edu
O17 - HKLM\Software\..\Telephony: DomainName = lhup.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D6657F-7820-4BEF-88CF-532377E845B2}: Domain = lhup.edu
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\javaao32.exe (file missing)

Edited by Michelle, 25 August 2005 - 10:18 AM.

#2
Trevuren

Posted 21 August 2005 - 10:08 PM

Old Dog

Retired Staff
18,699 posts

Hi emijin and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. You have an About:Blank infection in addition to your "winfixer" problem

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Regards,

Trevuren

#3
emijin

Posted 21 August 2005 - 11:48 PM

Member

Topic Starter
Member
10 posts

thanks for responding so quickly! Here's the new log

Logfile of HijackThis v1.99.1
Scan saved at 1:42:59 AM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\d?xplore.exe
C:\Program Files\aim\aim.exe
C:\Program Files\etea\rpen.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\meejt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\meejt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\meejt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\meejt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1C5ADF8F-E338-91E6-4F07-21E58D61A543} - C:\WINDOWS\ipcn.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CB46984F-7EF1-2279-D6ED-0182CC682FC7} - C:\WINDOWS\system32\iwwowrdu.dll
O2 - BHO: (no name) - {FFA3F476-1AB8-1F14-B7AE-136402A84CE4} - C:\WINDOWS\System32\yumfpq.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msls2] C:\WINDOWS\System32\msls2.exe
O4 - HKCU\..\Run: [Poaxerl] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
O4 - Global Startup: profile.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lhup.edu
O17 - HKLM\Software\..\Telephony: DomainName = lhup.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D6657F-7820-4BEF-88CF-532377E845B2}: Domain = lhup.edu
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\javaao32.exe (file missing)

#4
Trevuren

Posted 22 August 2005 - 12:05 AM

Old Dog

Retired Staff
18,699 posts

Your system is infected with a variant of the About:Blank infection.

First we must STOP, and Disable a bad Added Service
- Click Start>Run and type in: services.msc
- Click OK
- In the Services window find: Remote Procedure Call (RPC) Helper
- Select/highlight and right click the entry, and choose: Properties
- On the General tab, under Service Status click the Stop button
- Beside: Startup Type, in the drop menu, select: Disabled
- Click Apply, then OK
Download CWShredder
Click check for updates. Do not use it yet.
Download Aboutbuster 5
Unzip the file to its own folder (C:\AB) Do not use it yet.
Download: HomeSearchfix. Unzip it to your desktop. Do not use it yet.
Download Killbox
Choose save as to your desktop. Unzip the file. Do not use it yet.

Take care: some files can be hidden, so first go to start > control panel > folder options > view (tab) > mark “show hidden files en extensions >OK

Please print out these directions for in safe mode you will have to be disconnected from the internet. You should entirely disconnect (UNPLUG) from the internet!!!
Reboot your system into safe mode for all OS
Close all windows and open HijackThis.
- Click "scan only” in the main window
- Put a checkmark beside the following entries and click “FIX checked”.
  
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\meejt.dll/sp.html#37049
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\meejt.dll/sp.html#37049
  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\meejt.dll/sp.html#37049
  O2 - BHO: (no name) - {1C5ADF8F-E338-91E6-4F07-21E58D61A543} - C:\WINDOWS\ipcn.dll (file missing)
  O2 - BHO: (no name) - {CB46984F-7EF1-2279-D6ED-0182CC682FC7} - C:\WINDOWS\system32\iwwowrdu.dll
  O2 - BHO: (no name) - {FFA3F476-1AB8-1F14-B7AE-136402A84CE4} - C:\WINDOWS\System32\yumfpq.dll (file missing)
  O4 - HKCU\..\Run: [msls2] C:\WINDOWS\System32\msls2.exe
  O4 - HKCU\..\Run: [Poaxerl] C:\WINDOWS\System32\d?xplore.exe
  O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
  O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\javaao32.exe (file missing)
Run CWShredder and choose FIX
Start AboutBuster and press START, and then OK. The program will start scanning.
Doubleclick HomeSearchfix.reg to merge the info to the registry. You will be prompted to accept the merge, answer YES.
Start Killbox
- Place a checkmark next to [x] Delete On Reboot.
- Highlight the following list and Copy it (Ctrl+C) to the windows clipboard.
  
  C:\WINDOWS\System32\d?xplore.exe
  C:\Program Files\etea<===Folder
  C:\WINDOWS\meejt.dll
  C:\WINDOWS\ipcn.dll
  C:\WINDOWS\system32\iwwowrdu.dll
  C:\WINDOWS\System32\yumfpq.dllC:\WINDOWS\System32\msls2.exe
  C:\WINDOWS\system32\javaao32.exe
- Back in Killbox, go > file > paste from clipboard,
- Click the red highlighted X button and click yes to the prompt when all the files have been pasted.
- Then click OK
- Exit Killbox and Reboot your PC.
After the reboot, Start AboutBuster AGAIN and scan AGAIN.
Clean temporary files:
- Go > start > run and type cleanmgr and OK
- Scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
- Click OK to remove those files.
- Click Yes to confirm deletion.
Reboot your system into normal mode.
Download Ewido scan
- Check for updates.
- Let it do a full run.
- Copy the log. Past it to a blank Notepad file and save it to post here.
Finally, run HijackThis, click SCAN, produce a LOG and POST it and the EWIDOscan log in this thread for review.

Regards,

Trevuren

#5
emijin

Posted 24 August 2005 - 11:33 PM

Member

Topic Starter
Member
10 posts

ok, i tried to follow what you said, but i ran into some problems when i rebooted in safemode.

first, a few of the files i was supposed to fix in hijackthis weren't on the list:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Searc * O4 - HKCU\..\Run: [msls2] C:\WINDOWS\System32\msls2.exe
O4 - HKCU\..\Run: [Poaxerl] C:\WINDOWS\System32\d?xplore.exe
04 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AFå¤¶À¨) - Unknown owner - C:\WINDOWS\system32\javaao32.exe (file missing)h Page = http://red.clientapp...//www.yahoo.com

I fixed the rest of the files, besides the ones i listed above, but then i couldn't get to CWShredder while in safemode. I believe i saved it to the desktop, should it be somewhere else?

#6
Trevuren

Posted 24 August 2005 - 11:35 PM

Old Dog

Retired Staff
18,699 posts

Please post a fresh log

Trevuren

#7
emijin

Posted 24 August 2005 - 11:52 PM

Member

Topic Starter
Member
10 posts

here you go..........

Logfile of HijackThis v1.99.1
Scan saved at 1:51:12 AM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\d?xplore.exe
C:\Program Files\aim\aim.exe
C:\Program Files\etea\rpen.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\meejt.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msls2] C:\WINDOWS\System32\msls2.exe
O4 - HKCU\..\Run: [Poaxerl] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
O4 - Global Startup: profile.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lhup.edu
O17 - HKLM\Software\..\Telephony: DomainName = lhup.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D6657F-7820-4BEF-88CF-532377E845B2}: Domain = lhup.edu
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

#8
Trevuren

Posted 25 August 2005 - 12:00 AM

Old Dog

Retired Staff
18,699 posts

Please print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Prepare CWShredder for use:
- Download CWShredder.
- Save CWShredder.exe to a convenient location.
- Please do not do anything with it yet.
Prepare AboutBuster for use:
- Download AboutBuster.
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update".
- You should not run the program yet so click "Exit".

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Run CWShredder:
- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".
Run AboutBuster and save the logs:
- Browse to where you saved AboutBuster and run AboutBuster.exe.
- Click "OK" at the directions Read: Important! prompt.
- Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
- Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
- Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
- Click "Exit" and "Exit" again to exit AboutBuster.
Clean out temporary files:
- Start | Run | type cleanmgr | OK
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Click "OK" to remove them.
- Click "Yes" to confirm the deletion.
Restart your computer normally to return to normal mode.
Free TrendMicro Housecall scan:
- Vist the TrendMicro Housecall website.
- Select your country from the drop-down list and click "Go".
- Choose "Yes" at the ActiveX Security Warning prompt.
- Please wait while the Housecall engine is updated.
- Select the drives to be scanned by placing a check in their respective boxes.
- Check the "Auto Clean" box.
- Click "SCAN" in order to begin scanning your system.
- Please be patient while Housecall scans your system for malicious files.
- If not auto-cleaned, remove anything it finds.
- Click "Close" to exit the Housecall scanner.
- Choose "Yes" at the HouseCall message prompt.
Prepare your reply:
- Please post a fresh HijackThis log
- Please post the AboutBuster log.
- Please note any complications you had.

Regards,

Trevuren

#9
emijin

Posted 25 August 2005 - 09:43 AM

Member

Topic Starter
Member
10 posts

here is the AboutBuster log
AboutBuster 5.0 reference file 31
Scan started on [8/25/2005] at [3:11:10 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\A5W.INI:qqtxnl
Removed Stream! C:\WINDOWS\adddq32.dll:ucmaxn
Removed Stream! C:\WINDOWS\addoc32.dll:kdxiw
Removed Stream! C:\WINDOWS\addoc32.dll:ybhwdi
Removed Stream! C:\WINDOWS\addpb.dll:lrkmn
Removed Stream! C:\WINDOWS\addqx.dll:kyuop
Removed Stream! C:\WINDOWS\addqx.dll:syovr
Removed Stream! C:\WINDOWS\addrf.dll:tdlubf
Removed Stream! C:\WINDOWS\addsl32.dll:dzeuj
Removed Stream! C:\WINDOWS\addtz.dll:vaxzl
Removed Stream! C:\WINDOWS\addwe32.dll:ydpvqt
Removed Stream! C:\WINDOWS\addxx32.dll:vaiqh
Removed Stream! C:\WINDOWS\addym.dll:qukob
Removed Stream! C:\WINDOWS\AIM.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Removed Stream! C:\WINDOWS\AolCInUn.exe:ernok
Removed Stream! C:\WINDOWS\apiam32.dll:ckbhsg
Removed Stream! C:\WINDOWS\apicd32.dll:vlbur
Removed Stream! C:\WINDOWS\apidm32.dll:ygpdh
Removed Stream! C:\WINDOWS\apihm32.dll:dmjycu
Removed Stream! C:\WINDOWS\apijp32.dll:yeirg
Removed Stream! C:\WINDOWS\apiwb32.dll:sxqsfi
Removed Stream! C:\WINDOWS\appfi32.dll:tejlpz
Removed Stream! C:\WINDOWS\apppj.dll:hzcdjr
Removed Stream! C:\WINDOWS\appsu.dll:xlbhho
Removed Stream! C:\WINDOWS\apptu.dll:qllmjy
Removed Stream! C:\WINDOWS\atlan.dll:axvbbg
Removed Stream! C:\WINDOWS\atlbx32.dll:bpnxc
Removed Stream! C:\WINDOWS\atlci32.dll:ghybb
Removed Stream! C:\WINDOWS\atleo32.dll:zirgv
Removed Stream! C:\WINDOWS\atlfk.dll:rjjmx
Removed Stream! C:\WINDOWS\atlmk32.dll:gabur
Removed Stream! C:\WINDOWS\atlmt.dll:msvco
Removed Stream! C:\WINDOWS\atlno.dll:diyszy
Removed Stream! C:\WINDOWS\atlno.dll:ftnpq
Removed Stream! C:\WINDOWS\atlpe32.dll:wjjxbj
Removed Stream! C:\WINDOWS\atlpe32.dll:xtgvk
Removed Stream! C:\WINDOWS\atlpv32.dll:ojbcvt
Removed Stream! C:\WINDOWS\crdw32.dll:ixvpt
Removed Stream! C:\WINDOWS\cren.dll:ochbg
Removed Stream! C:\WINDOWS\crga32.dll:dasnis
Removed Stream! C:\WINDOWS\crgl32.dll:wbdsld
Removed Stream! C:\WINDOWS\crww.exe:pzudki
Removed Stream! C:\WINDOWS\crxt32.dll:hsmqet
Removed Stream! C:\WINDOWS\cvecz.dat:asfwgd
Removed Stream! C:\WINDOWS\d3ab32.dll:stpbaf
Removed Stream! C:\WINDOWS\d3hv32.dll:mqtbm
Removed Stream! C:\WINDOWS\d3rk32.dll:stskz
Removed Stream! C:\WINDOWS\d3rk32.dll:stskz
Removed Stream! C:\WINDOWS\d3wp32.dll:rsyyo
Removed Stream! C:\WINDOWS\dahotfix.log:vvauw
Removed Stream! C:\WINDOWS\desktop.ini:fvllt
Removed Stream! C:\WINDOWS\emachines_32.bmp:atcuvb
Removed Stream! C:\WINDOWS\emachines_32.bmp:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Removed Stream! C:\WINDOWS\encarta.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Removed Stream! C:\WINDOWS\hotbtnv.vxd:mbkay
Removed Stream! C:\WINDOWS\ICQ.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Removed Stream! C:\WINDOWS\iedw32.dll:cmjic
Removed Stream! C:\WINDOWS\iedw32.dll:ekeui
Removed Stream! C:\WINDOWS\iefq32.dll:wlphk
Removed Stream! C:\WINDOWS\iehb32.dll:pehne
Removed Stream! C:\WINDOWS\ieia32.dll:evjgs
Removed Stream! C:\WINDOWS\ieps.dll:wtjah
Removed Stream! C:\WINDOWS\ieya.dll:mqdpn
Removed Stream! C:\WINDOWS\ieyg32.dll:kyrbu
Removed Stream! C:\WINDOWS\ieyg32.dll:vhxqt
Removed Stream! C:\WINDOWS\iezv.dll:czjgx
Removed Stream! C:\WINDOWS\InstIt.exe:fwtej
Removed Stream! C:\WINDOWS\ipde32.dll:kdvyf
Removed Stream! C:\WINDOWS\ipgq.dll:upkqeb
Removed Stream! C:\WINDOWS\ipnq.dll:xfyfa
Removed Stream! C:\WINDOWS\ipqm32.dll:swknpc
Removed Stream! C:\WINDOWS\ipuf32.dll:yxerl
Removed Stream! C:\WINDOWS\ipuf32.dll:yxerl
Removed Stream! C:\WINDOWS\ipui.dll:igcqx
Removed Stream! C:\WINDOWS\ipui.dll:krfru
Removed Stream! C:\WINDOWS\ipyp.dll:tinjt
Removed Stream! C:\WINDOWS\javacd.dll:loqoas
Removed Stream! C:\WINDOWS\javacr.dll:nbujg
Removed Stream! C:\WINDOWS\javagb32.dll:ycycdp
Removed Stream! C:\WINDOWS\javahb32.dll:rvqhxz
Removed Stream! C:\WINDOWS\javajz.dll:deicy
Removed Stream! C:\WINDOWS\javajz.dll:shgha
Removed Stream! C:\WINDOWS\javatu.dll:vfuzp
Removed Stream! C:\WINDOWS\javaxt.dll:nqlmu
Removed Stream! C:\WINDOWS\lyhyy.dll:euusr
Removed Stream! C:\WINDOWS\mfcjy.dll:tcxtm
Removed Stream! C:\WINDOWS\mfcrl32.dll:qwbuaj
Removed Stream! C:\WINDOWS\mfctq32.dll:iouzcu
Removed Stream! C:\WINDOWS\mfcug32.dll:vsvdrw
Removed Stream! C:\WINDOWS\mfcvf.dll:tpneww
Removed Stream! C:\WINDOWS\msah32.dll:zqxuv
Removed Stream! C:\WINDOWS\mshc32.dll:nyfejs
Removed Stream! C:\WINDOWS\mshz.dll:nsnkd
Removed Stream! C:\WINDOWS\msiq32.dll:fqpjdd
Removed Stream! C:\WINDOWS\msls.dll:ftxpx
Removed Stream! C:\WINDOWS\msoe32.dll:yrioxn
Removed Stream! C:\WINDOWS\msop32.dll:qtqds
Removed Stream! C:\WINDOWS\msqd.dll:iszzb
Removed Stream! C:\WINDOWS\msqs32.dll:iuiiu
Removed Stream! C:\WINDOWS\msqs32.dll:iuiiu
Removed Stream! C:\WINDOWS\msrm32.dll:assed
Removed Stream! C:\WINDOWS\msrs.dll:xqlrt
Removed Stream! C:\WINDOWS\mstd32.dll:aiqph
Removed Stream! C:\WINDOWS\msuz32.dll:kbaub
Removed Stream! C:\WINDOWS\msuz32.dll:luvxz
Removed Stream! C:\WINDOWS\mswl32.dll:dctzd
Removed Stream! C:\WINDOWS\mswo.dll:euocu
Removed Stream! C:\WINDOWS\mswo.dll:euocu
Removed Stream! C:\WINDOWS\netlt32.dll:mndna
Removed Stream! C:\WINDOWS\netpx.dll:ybyaa
Removed Stream! C:\WINDOWS\Netscape.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Removed Stream! C:\WINDOWS\nortonav.ico:saeta
Removed Stream! C:\WINDOWS\NT4_98.reg:kboyc
Removed Stream! C:\WINDOWS\ntdtcsetup.log:cchew
Removed Stream! C:\WINDOWS\ntdtcsetup.log:cchew
Removed Stream! C:\WINDOWS\ntfu.dll:dnaoj
Removed Stream! C:\WINDOWS\ntkl.dll:znujc
Removed Stream! C:\WINDOWS\ntkt32.dll:cgkas
Removed Stream! C:\WINDOWS\OEWABLog.txt:sjzyy
Removed Stream! C:\WINDOWS\Q329390.log:njgex
Removed Stream! C:\WINDOWS\Q331953.log:fjykz
Removed Stream! C:\WINDOWS\Q810565.log:vckjt
Removed Stream! C:\WINDOWS\Q811493.log:ykrpt
Removed Stream! C:\WINDOWS\Q814033.log:izltd
Removed Stream! C:\WINDOWS\Q817606.log:tpecd
Removed Stream! C:\WINDOWS\rinopref.txt:luhrt
Removed Stream! C:\WINDOWS\RtlRack.ini:jaqyha
Removed Stream! C:\WINDOWS\Run32A50.mch:wurxv
Removed Stream! C:\WINDOWS\s3setup.log:cagoe
Removed Stream! C:\WINDOWS\SchedLgU.Txt:kfpbg
Removed Stream! C:\WINDOWS\SchedLgU.Txt:ovkcp
Removed Stream! C:\WINDOWS\SchedLgU.Txt:ovkcp
Removed Stream! C:\WINDOWS\sdkap32.dll:gxvxk
Removed Stream! C:\WINDOWS\sdkec32.dll:aiski
Removed Stream! C:\WINDOWS\sdkec32.dll:kbklz
Removed Stream! C:\WINDOWS\sdkuu32.dll:wsshd
Removed Stream! C:\WINDOWS\sysll.dll:rmymt
Removed Stream! C:\WINDOWS\sysou.dll:fdree
Removed Stream! C:\WINDOWS\twain.dll:zwnvm
Removed Stream! C:\WINDOWS\unvise32qt.exe:zcatq
Removed Stream! C:\WINDOWS\vbaddin.ini:rvhhw
Removed Stream! C:\WINDOWS\vcedi.dll:agytgw
Removed Stream! C:\WINDOWS\winai32.dll:gynzj
Removed Stream! C:\WINDOWS\Winamp1.ico:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Removed Stream! C:\WINDOWS\winbf.dll:zygel
Removed Stream! C:\WINDOWS\wincb32.dll:jzyjg
Removed Stream! C:\WINDOWS\winge.dll:nrbjn
Removed Stream! C:\WINDOWS\winhi.dll:ysetb
Removed Stream! C:\WINDOWS\winyv32.dll:wvuce
Removed Stream! C:\WINDOWS\winzu.dll:owmhg
Removed Stream! C:\WINDOWS\WMSysPrx.prx:hoxva
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 3:12:07 AM

And the Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:26 AM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\d?xplore.exe
C:\Program Files\aim\aim.exe
C:\Program Files\etea\rpen.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msls2] C:\WINDOWS\System32\msls2.exe
O4 - HKCU\..\Run: [Poaxerl] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
O4 - Global Startup: profile.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lhup.edu
O17 - HKLM\Software\..\Telephony: DomainName = lhup.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D6657F-7820-4BEF-88CF-532377E845B2}: Domain = lhup.edu
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

everything worked fine, no problems this time.

#10
Trevuren

Posted 25 August 2005 - 10:36 AM

Old Dog

Retired Staff
18,699 posts

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:
- Go to start>control panel>folder options>view (tab)
- Choose to "show hidden files and folders,"
- Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
- Close the window with ok
Please RUN HijackThis.
. Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
O4 - HKCU\..\Run: [msls2] C:\WINDOWS\System32\msls2.exe
O4 - HKCU\..\Run: [Poaxerl] C:\WINDOWS\System32\d?xplore.exe
O4 - HKCU\..\Run: [Usrr] C:\Program Files\etea\rpen.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode
- Restart the computer.
- As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
- Use the arrow keys to select the Safe mode menu item
- Press Enter.
Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

C:\WINDOWS\System32\d?xplore.exe
C:\Program Files\etea<===Folder
C:\WINDOWS\System32\msls2.exe
c:\counter.cab
Exit Explorer, and REBOOT BACK INTO NORMAL MODE
Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

#11
emijin

Posted 25 August 2005 - 01:45 PM

Member

Topic Starter
Member
10 posts

ok, here's the new hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 3:43:38 PM, on 8/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: profile.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lhup.edu
O17 - HKLM\Software\..\Telephony: DomainName = lhup.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D6657F-7820-4BEF-88CF-532377E845B2}: Domain = lhup.edu
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Also, i noticed that when i restart the computer something called profile.exe comes up and an error report message says it encoutered a problem. i'm not sure if i should be concerned about that.

#12
Trevuren

Posted 25 August 2005 - 05:53 PM

Old Dog

Retired Staff
18,699 posts

First we need to make all files and folders VISIBLE:
- Go to start>control panel>folder options>view (tab)
- Choose to "show hidden files and folders,"
- Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
- Close the window with ok
Please RUN HijackThis.
. Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

O4 - Global Startup: profile.exe
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode
- Restart the computer.
- As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
- Use the arrow keys to select the Safe mode menu item
- Press Enter.
Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

profile.exe<===You will have to Search for this one
Exit Explorer, and REBOOT BACK INTO NORMAL MODE
Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

#13
emijin

Posted 25 August 2005 - 10:53 PM

Member

Topic Starter
Member
10 posts

after i rebooted into safe mode and searched for profile.exe, the only thing i found was profile.exe-17BA95B7.pf Should i delete that?

#14
Trevuren

Posted 25 August 2005 - 11:05 PM

Old Dog

Retired Staff
18,699 posts

Yes, I think it woould be wise.

Trevuren

#15
emijin

Posted 25 August 2005 - 11:24 PM

Member

Topic Starter
Member
10 posts

ok here's the new log:
Logfile of HijackThis v1.99.1
Scan saved at 1:21:34 AM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lhup.edu
O17 - HKLM\Software\..\Telephony: DomainName = lhup.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{24D6657F-7820-4BEF-88CF-532377E845B2}: Domain = lhup.edu
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe