blank desktop [RESOLVED]


  • This topic is locked

#16
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
Try and run me another Log from HijackThis !!
  • 0


#17
trimtran20147

    Member

  • Topic Starter
  • Member
  • 41 posts
I forgot to mention one more thing. After I use the Ewido it seems like it is worse in terms of CPU usage. Ewido cleans out Trojans and Spyware but I still see the wuaudt.exe keeps popping in and out and the CPU usage can show up to 100%. Is it the Windows Automatic Update program?

Attached Files


  • 0

#18
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

Hit Ctrl-Alt-Delete, click on Task Manager
Select Applications tab
Select New Task
In the name field, type "eventvwr.msc" then hit OK

Look in the System section and the Application section for any errors and try to post them as well.

Download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

Run HijackThis and check the following for removal (if present):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab


Click on Fix Checked

Reboot and run another HijackThis log.

I also noticed that you have 2 antivirus programs installed. They tend to not get along with each other. After we get this fixed, I recommend you uninstall one of them.
  • 0

#19
trimtran20147

    Member

  • Topic Starter
  • Member
  • 41 posts
I ran Lavasoft before VX2 and removed AVG antivirus software, then rebooted. Miraculously, the desktop comes back. However, it is painfully slow painting each icon on the desktop as it comes back. I cannot tell what is going on since whatever I scan it all comes back and says clean. I mean Spybot, Lava, Ewido, they all say clean. It takes about more than a minute or two to see the desktop icons after the wallpaper already appears. Then the hard drive LED keeps lighting up constantly to tell me that something is still hogging but I just can tell. However, about 5 minutes after the desktop is on completely things seem to be normal. What is your recommendation for Spyware and Virus protection anyway? Is Ewido any good? It scans everything but memory (still gets stuck at VM_7FFE0000 every time; I sent email and asked them already). I used Lavasoft before and I thought Spybot was better but this time I think Lavasoft is probably the one that helped me out along with Ewido. I greatly appreciate your devotion to support. Can I make some donation thru Paypal or something?
  • 0

#20
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
I am glad you got your desktop back !!

I would like you to run another HijackThis log and post it here.

I can then check to make absolutely sure you are clean !!
  • 0

#21
trimtran20147

    Member

  • Topic Starter
  • Member
  • 41 posts
Let me know if you see something that slows down the boot-up process.

Attached Files


  • 0

#22
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
If you would open the log file on your PC, it will open in Notepad.
Highlight the contents, right-click and select Copy.
Then paste it in your reply here.

Thank you
  • 0

#23
trimtran20147

    Member

  • Topic Starter
  • Member
  • 41 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:35:10 AM, on 10/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PPMG42B\STGLG42B.EXE
C:\PPMG42B\STLG42B.EXE
C:\PPMG42B\STGRG42B.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LRSG42B.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,LRSG42B.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127695016582
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NetOp Helper version 6.00 (1999060) (NetOp Host for NT Service) - Unknown owner - C:\NetOp\host\HOST\NHOSTSVC.EXE
O23 - Service: Remote Management Client G42B - 1 (RSMClientG42B_1) - Peregrine Systems, Inc. - C:\PPMG42B\LG42B.EXE
O23 - Service: Remote Management Client Gateway G42B - 1 (RSMClientGatewayG42B_1) - Peregrine Systems, Inc. - C:\PPMG42B\GLG42B.EXE
O23 - Service: Remote Management Client Gateway G42B Starter (RSMClientGatewayStarterG42B) - Unknown owner - C:\PPMG42B\STGLG42B.EXE
O23 - Service: Remote Management Client G42B Starter (RSMClientStarterG42B) - Unknown owner - C:\PPMG42B\STLG42B.EXE
O23 - Service: Remote Management Manager Gateway G42B - 1 (RSMManagerGatewayG42B_1) - Peregrine Systems, Inc. - C:\PPMG42B\GRG42B.EXE
O23 - Service: Remote Management Manager Gateway G42B Starter (RSMManagerGatewayStarterG42B) - Unknown owner - C:\PPMG42B\STGRG42B.EXE
  • 0

#24
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
There are a couple files I am concerned about.

I would like you to go here:

Jotti Virusscan

At the top, hit the browse button and browse to these files, one at a time, and hit the submit button after each:

C:\PPMG42B\STLG42B.EXE
C:\WINDOWS\system32\LRSG42B.EXE


Copy the results and paste them here for each file !

I will then proceed when I get the results !!
  • 0
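
An added example, not part of the original thread and not HijackThis's own code: a small Python triage pass over HijackThis log lines that surfaces the kinds of entries questioned above, namely extra programs chained onto UserInit (F2), services listed with "Unknown owner" (O23), and entries marked "(file missing)". The sample lines are copied from posts #18 and #23; the three rules and all function names are assumptions chosen for this illustration, and a flag only means the entry deserves a manual look.

```python
import re

# Constructed sample: lines copied from the HijackThis log in post #23,
# plus one O2 line from post #18 to exercise the "(file missing)" rule.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,LRSG42B.EXE
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Remote Management Client G42B Starter (RSMClientStarterG42B) - Unknown owner - C:\PPMG42B\STLG42B.EXE
"""

# An entry line is "<section code> - <detail>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse(log_text):
    """Return (section, detail) pairs for every entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def review_reasons(section, detail):
    """Reasons an entry deserves a manual look; empty list if no rule fired."""
    reasons = []
    # Rule 1 (assumed for this example): UserInit should list only userinit.exe.
    if section == "F2" and "userinit=" in detail.lower():
        value = detail.split("=", 1)[1]
        programs = [p.strip() for p in value.split(",") if p.strip()]
        extras = [p for p in programs if not p.lower().endswith("\\userinit.exe")]
        if extras:
            reasons.append("UserInit also launches: " + ", ".join(extras))
    # Rule 2 (assumed): the vendor field of a service line reads "Unknown owner".
    if section == "O23" and " - Unknown owner - " in detail:
        reasons.append("service listed with Unknown owner")
    # Rule 3 (assumed): the log marks the referenced file as missing.
    if detail.endswith("(file missing)"):
        reasons.append("entry points at a file that no longer exists")
    return reasons

def triage(log_text):
    """Map each flagged entry line to its reasons, preserving log order."""
    flagged = {}
    for section, detail in parse(log_text):
        reasons = review_reasons(section, detail)
        if reasons:
            flagged[f"{section} - {detail}"] = reasons
    return flagged

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```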

#25
trimtran20147

    Member

  • Topic Starter
  • Member
  • 41 posts
Those are good files. These are exe files from my remote control program, like PC anywhere.
  • 0


#26
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
If you want to donate:
Support Our Site

How is your system running now ??

Congratulations! Your log is CLEAN :tazz:

Real Time Prevention
SpywareBlaster

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program, like a missing file, see the link at the bottom of the javacool page.
IESpyad: This will add several hundred Restricted Sites to the Restricted site zone in IE.

Cleaner:
CCleaner is a good app to clean out temp files, cookies, recent folder (Win2000) and Prefetch folder (XP), etc.

Spyware Scanners:
Ad-aware SE: Scans your system for spyware and other threats.
a² Scanner: Scans for Malware and Trojans on your system.

Good Free Antivirus Programs:
AVG
Avast!

Windows Update:
It's also very important to keep your system up to date to avoid unnecessary security risks.
Windows Update

Firewalls:
If you have an "always on" internet connection, such as DSL or Cable, I recommend a firewall:
Sygate
ZoneAlarm

These next steps are optional, but will provide the greatest protection
Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness.

Alternative Browsers:
FireFox
Opera

Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

It's okay to delete the HijackThis folder if everything is working okay.

Remember always use just 1 antivirus program at a time. Using more than one causes a conflict between the programs !!

Using these apps, your system will be thoroughly protected from future threats. :)
  • 0

#27
trimtran20147

    Member

  • Topic Starter
  • Member
  • 41 posts
I clicked on Donate to go to PayPal and this is what I got (on the PayPal website):

Error Detected
You have entered unsupported characters for this field. Currently only Western European and Chinese characters are supported. Please try again with different characters.
--------------------------------

Please give me the email account from Paypal so I can donate as a token of appreciation.
  • 0

#28
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
Try this link

https://www.paypal.c...
  • 0

#29
trimtran20147

    Member

  • Topic Starter
  • Member
  • 41 posts
This is what I see when I click on your provided link to PayPal. Just give me an email in PayPal and I will donate.

Attached Thumbnails

  • paypal_error.jpg

  • 0

#30
Linkmaster

    Visiting Staff

  • Member
  • 940 posts
Try this one

http://s1.amazon.com...4405593-1295264

Also try Internet Explorer to access Paypal instead of Firefox

Edited by Linkmaster, 05 October 2005 - 05:32 PM.

  • 0





