Adaware virus?
mossfan18
Member
9. November 2010 @ 19:06 |
This is so weird. I ran Ad-Aware on my old PC that runs XP as its OS. I just ran Ad-Aware to clean out any old bugs, I had the application in a folder from at least 2 years ago and then I installed it and updated it. Immediately after I had PC problems from hell.
After running Ad-Aware it found Trojan.Win32.Agent.abzlz and recommended a restart. After the restart I was unable to get internet access and my desktop had changed, I had a completely new toolbar and System Restore and Avast were non functioning. I couldn't access the internet in Safe Mode or Safe Mode Networking. However, after rebooting in Safe Mode Debugging, I can access the internet and my desktop has returned to normal.
I thought that the Trojan.Win32.Agent.abzlz that Ad-Aware found was the problem. I never once thought Ad-Aware could have been the source of the virus until I saw that Ad-aware was hogging my PC usage. The PC was crawling and I saw that aawwsc.exe is infected was at 78% so I killed it. Moments later, it started crawling again and Ad-AwareAdmin.exe was using 98% of the PC usage so I killed it next.
What do you think I should do now? I'll post what Ad-Aware found and a Hijack this log.
Thanks in advance!
mossfan18
Member
9. November 2010 @ 19:09 |
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:09:28 PM, on 11/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\America Online 7.0a\aoltray.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\calc.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\try\Revo Uninstaller Pro\RevoUninPro.exe
C:\Documents and Settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}\Ad-AwareInstall.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netmail.verizon.net/webmail/driver?nimlet=showcanvas
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287429362093
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: hpdj02 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj02.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 9257 bytes
Eddie Dennison
AfterDawn Addict
10. November 2010 @ 10:12 |
mossfan18,
Ad-Aware is old technology and doesn't perform as it did in the past (not recommended).
You have NO Anti-Virus running and that's a no-no when surfing the net. Download and install a good Free AV from this site -> Best Free Antivirus, your choice and make sure that the windows firewall is turned on.
Now, there are a couple of randomly named Services in your machine that were loaded through a Temp file. That's a bad sign and they need to go...
Remove Bad Services
Step # 1: Remove Hijackthis Entries
• Run HijackThis
• Click on the Scan button
Put a check beside all of the items listed below (if present):
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: hpdj02 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj02.exe (file missing)
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.
Step # 2: Delete Bad Services
Please open Notepad. Ensure that word wrap is turned off. Click on Format and make sure that there is not a tick next to Word Wrap. If there's one, click on Word Wrap to remove it. Copy and paste the following in the code box into Notepad:
@echo off
sc stop hpdj00
sc delete hpdj00
sc stop hpdj02
sc delete hpdj02
exit
Click on File > Save As....
In the File Name box, copy and paste in fix.bat
In the Save as type box, select All Files from the drop-down list.
Click Save and save it to your Desktop.
Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.
Step # 3 Clean with Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
In your next post include the MBAM Log and a fresh HJT Log, and let me know how the machine is acting...
2oG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
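The warning sign 2oldGeek points out above (a service whose image path sits in a Temp folder, with no known owner and the binary already gone) can be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread, from HijackThis or from any of the tools named in it: it parses the O23 lines of a HijackThis log (the sample lines are copied from the first log posted above), flags services that match those signals, and writes out the same sc stop / sc delete batch file that Step 2 describes for the flagged service names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Layout of a HijackThis O23 line:
#   O23 - Service: <display name> [(<service key>)] - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Both the 8.3 form "LOCALS~1\Temp\" and "Local Settings\Temp\" contain "\Temp\".
TEMP_PATH_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

TEMP_PATH = "image path under a Temp directory"
UNKNOWN_OWNER = "no vendor/owner recorded"
FILE_MISSING = "service still registered but its binary is gone"


@dataclass
class ServiceEntry:
    display: str
    key: Optional[str]
    owner: str
    path: str
    file_missing: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        # "sc" addresses the service key; when HJT prints no key in
        # parentheses (as for hpdj00), the display name is the key.
        return self.key or self.display

    @property
    def suspicious(self) -> bool:
        # A Temp-directory image path is enough on its own. "Unknown owner"
        # alone is not: plenty of legitimate drivers carry no vendor string,
        # so the weaker signals only count together.
        return TEMP_PATH in self.reasons or len(self.reasons) >= 2


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for an O23 line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        display=m["display"], key=m["key"], owner=m["owner"],
        path=m["path"], file_missing=m["missing"] is not None,
    )


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach the reasons an entry looks suspicious, in a fixed order."""
    if TEMP_PATH_RE.search(entry.path):
        entry.reasons.append(TEMP_PATH)
    if entry.owner.strip().lower() == "unknown owner":
        entry.reasons.append(UNKNOWN_OWNER)
    if entry.file_missing:
        entry.reasons.append(FILE_MISSING)
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """All O23 services in a HijackThis log that trip the heuristics."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is not None and assess(entry).suspicious:
            flagged.append(entry)
    return flagged


def removal_batch(entries: List[ServiceEntry]) -> str:
    """The fix.bat from Step 2: stop, then delete, each flagged service."""
    lines = ["@echo off"]
    for entry in entries:
        name = f'"{entry.name}"' if " " in entry.name else entry.name
        lines += [f"sc stop {name}", f"sc delete {name}"]
    lines.append("exit")
    return "\r\n".join(lines) + "\r\n"  # cmd.exe expects CRLF line endings


# O23 section copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: hpdj02 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj02.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for entry in flagged:
        print(f"{entry.name}: {entry.path}")
        for reason in entry.reasons:
            print(f"  - {reason}")
    print(removal_batch(flagged))
```

Run against a full log, only hpdj00 and hpdj02 come out flagged, and the generated batch text matches the fix.bat given in Step 2 line for line.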
mossfan18
Member
10. November 2010 @ 15:31 |
2oldGeek,
Thanks, I'm going to do just what you say and I'll let you know the results.
The reason there was no virus protection running was because I had just deleted Avast and was in the process of installing a new program. You know how 2 virus programs conflict.
The virus protection I got was Microsoft Security Essentials. You think that is sufficient? I've always gone with AVAST or AVG but since AVAST missed this one, I'm willing to try something new.
Anyhow, thanks for the help you have provided already!
Eddie Dennison
AfterDawn Addict
10. November 2010 @ 16:22 |
Avast is very good, I personally prefer Avira but MS essential has come a long way and is also very good. AVG is a laugh.... NOT RECOMMENDED!
2oG
mossfan18
Member
10. November 2010 @ 19:01 |
Originally posted by mossfan18: 2oldGeek,
Thanks, I'm going to do just what you say and I'll let you know the results.
The reason there was no virus protection running was because I had just deleted Avast and was in the process of installing a new program. You know how 2 virus programs conflict.
The virus protection I got was Microsoft Security Essentials. You think that is sufficient? I've always gone with AVAST or AVG but since AVAST missed this one, I'm willing to try something new.
Anyhow, thanks for the help you have provided already!
Originally posted by 2oldGeek: Avast is very good, I personally prefer Avira but MS essential has come a long way and is also very good. AVG is a laugh.... NOT RECOMMENDED!
2oG
Dude you've been awesome. I already did everything you walked me through. As soon as Malwarebytes gets done scanning the system, I'll do a Hijackthis and submit log and let you know the machines status.
Thanks!
Eddie Dennison
AfterDawn Addict
10. November 2010 @ 20:28 |
take your time, I'll be around.
mossfan18
Member
11. November 2010 @ 13:34 |
Originally posted by 2oldGeek: take your time, I'll be around.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5092
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
11/11/2010 11:15:29 AM
mbam-log-2010-11-11 (11-15-29).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 287410
Time elapsed: 2 hour(s), 30 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 26
Files Infected: 32
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe (Adware.Casino) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9 (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Packages (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\VirusRemover2008 (Rogue.VirusRemover) -> No action taken.
C:\Documents and Settings\Owner\Application Data\VirusRemover2008\Logs (Rogue.VirusRemover) -> No action taken.
C:\Program Files\rhc1qhj0e1d9 (Rogue.Multiple) -> No action taken.
C:\Program Files\TimeSink (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753 (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753 (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner (AdWare.Cydoor) -> No action taken.
C:\WINDOWS\system32\v9 (Trojan.Downloader) -> No action taken.
Files Infected:
C:\RECYCLER\S-1-5-21-1417066420-3378386939-971929597-1003\Dc4\BadIntentionz\KewlButtonz.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\Program Files\Lucky Pyramid Casino\Install.exe (Adware.Casino) -> No action taken.
C:\Program Files\MSN Messenger\msimg32.dll (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWebSearch) -> No action taken.
C:\Documents and Settings\Owner\Application Data\VirusRemover2008\Logs\scns.log (Rogue.VirusRemover) -> No action taken.
C:\Program Files\rhc1qhj0e1d9\database.dat (Rogue.Multiple) -> No action taken.
C:\Program Files\rhc1qhj0e1d9\rhc1qhj0e1d9.exe.local (Rogue.Multiple) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done1.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending1.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done1.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending1.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched1.idx (AdWare.Cydoor) -> No action taken.
C:\WINDOWS\system32\phc5qhj0e1d9.bmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.
Let me know whatcha think now.
AfterDawn Addict
11. November 2010 @ 13:43 |
Quote: • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
Don't look like you deleted any of the bad stuff..........
Do it and post a new Log along with a HJT Log..
2oG
mossfan18
Member
11. November 2010 @ 17:16 |
Here's my new Hijackthis log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:16:34 PM, on 11/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netmail.verizon.net/webmail/driver?nimlet=showcanvas
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_Plugin.exe -update plugin
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287429362093
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 7339 bytes
Eddie Dennison
AfterDawn Addict
11. November 2010 @ 17:23 |
That looks real good now.
Did you get all the crap removed that MBAM found?
How's it doing?
mossfan18
Member
12. November 2010 @ 17:07 |
Originally posted by 2oldGeek: That looks real good now.
Did you get all the crap removed that MBAM found?
How's it doing?
Yep, I removed everything MBAM found, I did that as soon as I posted to you a log of what it found. I didn't want to erase something that may have given you insight on where the issue was before posting the log.
Anyhow, I deleted what MBAM found and so far she's purrrrin' like a kitten.
Thanks a lot! This has been my favorite self help site since at least '06 and I'll make sure I make a donation next Friday. Payday! (;
Eddie Dennison
AfterDawn Addict
12. November 2010 @ 18:11 |
Originally posted by mossfan18: Originally posted by 2oldGeek: That looks real good now.
Did you get all the crap removed that MBAM found?
How's it doing?
Yep, I removed everything MBAM found, I did that as soon as I posted to you a log of what it found. I didn't want to erase something that may have given you insight on where the issue was before posting the log.
Anyhow, I deleted what MBAM found and so far she's purrrrin' like a kitten.
Thanks a lot! This has been my favorite self help site since at least '06 and I'll make sure I make a donation next Friday. Payday! (;
Just remember me in your "Will", the pay here sucks! LOL
You are probably getting the Trojans through downloads using uTorrent. uTorrent is clean, the downloads aren't.
I use and recommend Threatfire free. If a Trojan or malware cannot install itself, it cannot hurt you.... Threatfire stops them from installing.
Try it:
http://www.threatfire.com/download/
Wash behind your ears, change your underwear and socks and keep your nose clean... :)
2oG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...