HiJackThis log [RESOLVED]


  • This topic is locked

#1
matriarc

    New Member

  • Member
  • 8 posts
Hi - Thank you in advance for any help you can give me
I have spent the day downloading various programs - Housecall and Panda online virus scans generate error messages and won't run. Kaspersky.com resolved a web.exe trojan but not another virus it identified: wsetup.exe/wink.exe not-a-virus.adware.win32.agentp.
I get continuous pop ups and IE crashes. When IE crashes it says in the error report that cause is unknown.
When I tried to download CleanUp from your website, I was kicked back to the Google homepage. Sigh.
This all started when my daughter signed up at MySpace.com and apparently downloaded some junk which also has messed up our McAfee virus scan. I'm giving her the silent treatment and she's thrilled so at least maybe I can fix the laptop?
Here is the log

Logfile of HijackThis v1.99.1
Scan saved at 5:17:59 PM, on 2/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\HPConfig.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: http://www.snapfiles.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141157613109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1141148764077
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90...ges/PopupSh.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{05F6C70A-B25D-4204-A34F-7474C7F071A5}: NameServer = 64.136.28.120 64.136.20.120
O17 - HKLM\System\CS1\Services\Tcpip\..\{05F6C70A-B25D-4204-A34F-7474C7F071A5}: NameServer = 64.136.28.120 64.136.20.120
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINNT\System32\HPConfig.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
  • 0
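
As an added example (not part of the original thread and not HijackThis's own code), a small Python parser that groups the entry lines of a HijackThis 1.99.1 log like the one above by section code and marks two kinds of entry for manual review first: ActiveX (O16) objects fetched from a bare IP address and entries HijackThis marked "(file missing)". The sample lines are copied from the log above; the function names and the two review heuristics are assumptions of this example.

```python
import re
from collections import defaultdict

# HijackThis section codes that occur in the log above (only those are listed).
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "R3": "URL search hook", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "Autostart entry",
    "O8": "IE context-menu item", "O9": "IE extra button/menu item",
    "O15": "Trusted Zone site", "O16": "ActiveX object (DPF)",
    "O17": "DNS/name-server setting", "O23": "NT service",
}
ENTRY = re.compile(r"^([RO]\d{1,2}) - (.*)$")
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")

def parse(log_text):
    """Group entry lines by section code; header/process lines are ignored."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def review_first(groups):
    """Return (code, reason, entry) tuples for entries worth a manual look."""
    hits = []
    for code, entries in groups.items():
        for e in entries:
            if code == "O16" and IP_URL.search(e):
                hits.append((code, "ActiveX fetched from bare IP", e))
            if e.endswith("(file missing)"):
                hits.append((code, "target file not found", e))
    return hits

# Sample lines copied from the log in the post above.
SAMPLE = r"""Running processes:
C:\WINNT\Explorer.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.90...ges/PopupSh.ocx
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

if __name__ == "__main__":
    for code, reason, entry in review_first(parse(SAMPLE)):
        print(f"{code} [{SECTIONS.get(code, '?')}] {reason}: {entry}")
```

A "(file missing)" marker is only a prompt to check: in the log above the avast! paths carry a stray quote and ashWebSv.exe is listed under running processes, so the marker alone does not show the file is absent.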



#2
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Hi matriarc

Welcome to G2G! :tazz:

I don't see any malware in the HJT log. Please do the following:

* Open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.


* Download Rootkit Revealer from here (link is at the very bottom of the page).
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

  • 0

#3
matriarc

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi Flrman1,
Thank you for such a fast response - Here is the HJT uninstall list:

3Com 56K V.90 Mini PCI Modem
Ad-Aware SE Personal
Adobe Acrobat 4.0
ATI Win2k Display Driver
avast! Antivirus
Google Toolbar for Internet Explorer
Harry Potter and the Goblet of Fire™
HijackThis 1.99.1
HP e-center
Intel SpeedStep technology Applet
J2SE Runtime Environment 5.0 Update 6
Kaspersky On-line Scanner
Learn2 Player (Uninstall Only)
McAfee VirusScan
Microsoft Office 2000 SR-1 Premium
NetZero Internet
QuickTime
RealPlayer Basic
Spybot - Search & Destroy 1.4
Synaptics TouchPad
Viewpoint Media Player
Windows 2000 Service Pack 4
WinZip

RootKit Revealer reports "no discrepancies" and has no text to save when I try to select the save option.
  • 0

#4
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Uninstall Viewpoint Media Player.


* Run Kaspersky online virus scan here.

When given the option, choose the "Extended database" for the scan.

When the scan is finished, Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan
  • 0

#5
matriarc

    New Member

  • Topic Starter
  • Member
  • 8 posts
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, March 01, 2006 7:19:02 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 1/03/2006
Kaspersky Anti-Virus database records: 179548
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 24845
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:39:52

Infected Object Name / Virus Name / Last Action
C:\Recycled\Dc7.exe Infected: not-a-virus:AdWare.Win32.Agent.p skipped
C:\Recycled\Dc8.exe Infected: not-a-virus:AdWare.Win32.Agent.p skipped
C:\wsetup.exe/Wink.exe Infected: not-a-virus:AdWare.Win32.Agent.p skipped
C:\wsetup.exe CreateInstall: infected - 1 skipped

Scan process completed.
  • 0

#6
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Click Here and download Killbox and save it to your desktop.

* Double-click on Killbox.exe to run it.
  • Put a tick by Delete on Reboot.
  • Copy the following list of files to clipboard:

    C:\Recycled\Dc7.exe
    C:\Recycled\Dc8.exe
    C:\wsetup.exe


  • Next in Killbox go to File > Paste from clipboard
  • Click on the All Files button.
  • Next click on the button that has the red circle with the white X in the middle.
  • It will ask for confirmation to delete the files on next reboot and ask you if you want to reboot now.
  • Click Yes and let the computer reboot.
* After it reboots, go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and attach it to your next reply.

  • 0

#7
matriarc

    New Member

  • Topic Starter
  • Member
  • 8 posts
The Killbox successfully removed the infected files and the BitDefender virus scan showed no virus. I really appreciate your help with that. Unfortunately, IE continues to crash - a recent development since the virus download. Do you know why it would continue to crash?
  • 0

#8
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Tell me exactly what happens when it crashes. Do you get an error? If so give me the details of the error please.
  • 0

#9
matriarc

    New Member

  • Topic Starter
  • Member
  • 8 posts
A box pops up that says:
Microsoft Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience........
AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: unknown
ModVer: 0.0.0.0 Offset: 0015dc8c
It then says that an error report has been created but I am unable to copy the data in the error report and it doesn't report a specific error code that I can see - although at the very top of the list it says:
Exception Information - Code: 0xc0000005 Flags: 0x00000000 Record: 0x0000000000000000 Address: 0x000000000015dc8c
Below that is a long list of system information, module data, thread and memory data
  • 0

#10
matriarc

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hi Flrman1,
I just wanted to thank you again for helping me with the virus issue. I finally figured out that a Google toolbar had been installed the same day the virus downloaded - I got rid of that and everything is working perfectly.
Thanks, Katherine
  • 0



#11
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
I apologize for not replying sooner. I wasn't feeling well yesterday.

I'm glad you got that straightened out. There are a few final things that we need to do to finish this up.

Please open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.
  • 0

#12
matriarc

    New Member

  • Topic Starter
  • Member
  • 8 posts
3Com 56K V.90 Mini PCI Modem
Ad-Aware SE Personal
Adobe Acrobat 4.0
ATI Win2k Display Driver
Harry Potter and the Goblet of Fire™
HijackThis 1.99.1
HP e-center
Intel SpeedStep technology Applet
J2SE Runtime Environment 5.0 Update 6
Kaspersky On-line Scanner
Learn2 Player (Uninstall Only)
McAfee VirusScan
Microsoft Office 2000 SR-1 Premium
NetZero Internet
QuickTime
RealPlayer Basic
Spybot - Search & Destroy 1.4
Synaptics TouchPad
Windows 2000 Service Pack 4
WinZip
  • 0

#13
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Everything looks good. How is the computer doing now?
  • 0

#14
matriarc

    New Member

  • Topic Starter
  • Member
  • 8 posts
Everything is great - a big relief. Thank you again for your help
Katherine
  • 0

#15
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
My pleasure! :tazz:

* Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


* Go to Windows update and install all "High Priority Updates".
  • 0





