Greetings,
Before you post in this forum, please read and follow the instructions in this post: Guidelines for Posting in This Forum
Failure to follow these instructions will only result in delays of the cleaning and removal process.
If you ran other AntiVirus and/or AntiSpyware programs and have the logs available, please post them as well.
Our goal is to help you clean your PC and restore it to pre-infection condition wherever possible.
Thank You
Post #1 - Jan 25 2006, 12:51 AM
New Member (Group: Member, Posts: 6, Joined: 25-January 06, Member No.: 17545)
I have gone through all the steps in the Read This First guide. I have cleaned and removed multiple infections. Most scans are now clean. However, Trend Housecall online scanner reported Troj-Inject.D, but cannot remove it. The file it finds is msvcp.exe in my Windows/System32 directory.

Also, each time I reboot the PC, I get a series of alerts from EZ Firewall: "Changed programs" - Internet Explorer is trying to act as a server, Port Magic is trying to access the Internet, Win32Services is trying to access the internet, etc. (several other AOL related services). Each of these alerts can be "allowed" or "denied", and you can tell EZ to "remember the setting". However, even if you select "remember", you are still prompted on each startup. Another alert I get is "Internet Explorer is trying to transmit e-mail messages". Before I ran all of the scans I was getting alerts that Internet Explorer was sending multiple e-mail messages. The alerts were so frequent that you could not use the PC without turning off the EZ Firewall. Now you can deny this once per bootup, and the alert goes away. Here is my HiJack log. Any help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 2:29:06 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
c:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLHostManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
c:\program files\common files\aol\1112605795\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {4EE35A0F-0E49-4F45-80B2-6347BC2AA709} - C:\WINDOWS\xkubbyhhm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {D77AC599-E603-4809-9FA8-B8C46BDCF058} - C:\WINDOWS\zzsiex.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112605795\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [ynmlwvaj] C:\WINDOWS\ynmlwvaj.exe
O4 - HKLM\..\Run: [1n7e8t8n] C:\WINDOWS\system32\1n7e8t8n.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...75/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A343C209-9930-4FA3-84B6-4CE697EC3F5A} (TSGVClientObj Class) - http://remote.dellfix.com/471/User/CybTech.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,17/mcgdmgr.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
O20 - Winlogon Notify: msupdate - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Post #2 - Jan 25 2006, 11:12 AM
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi pharbert,
I see you have Ewido. Can you update that and run it? Save the log from Ewido and post it.

Also go to the Panda Website and run ActiveScan. Save that log as well and post it.

Please create a list of programs that can be removed using Add/Remove Programs: start HiJackThis, click "Config" -> "Misc Tools" -> "Open Uninstall Manager" -> "Save List". Save the log to a convenient location, and copy it into this thread.

You might want to save this page in your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Go to Online malware scan and submit C:\WINDOWS\system32\ctfmon.exe. Tell me the result.

Run HijackThis, click on "Scan" and check the boxes next to all these items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: jimmyhelp.CBrowserHelper - {4EE35A0F-0E49-4F45-80B2-6347BC2AA709} - C:\WINDOWS\xkubbyhhm.dll
O2 - BHO: jimmyhelp.CBrowserHelper - {D77AC599-E603-4809-9FA8-B8C46BDCF058} - C:\WINDOWS\zzsiex.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
<insert file> has been delisted from Spyware Warrior's Rogue List. Since the program was on it I recommend to uninstall it and use programs from the trustworthy list which can be viewed on the same page.
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [ynmlwvaj] C:\WINDOWS\ynmlwvaj.exe
O4 - HKLM\..\Run: [1n7e8t8n] C:\WINDOWS\system32\1n7e8t8n.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files? At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):
C:\WINDOWS\xkubbyhhm.dll
C:\WINDOWS\zzsiex.dll
C:\WINDOWS\ynmlwvaj.exe
C:\WINDOWS\system32\1n7e8t8n.exe
C:\WINDOWS\system32\msvcp.exe
C:\WINDOWS\System\svwhost.exe

Delete the following folders in red (it could be that they are deleted already):
C:\WINDOWS\inet20001

Restart your computer and post a new log in this thread.
--------------------
Post #3 - Jan 27 2006, 01:15 AM
New Member (Group: Member, Posts: 6, Joined: 25-January 06, Member No.: 17545)
Thank you for your quick response to my post. I ran Ewido; the log is below. I could not run Panda. It is hanging up while trying to update. The list of programs which can be removed is added below. I submitted the file C:\WINDOWS\system32\ctfmon.exe to the online malware scan. The result was: Found Nothing. I ran HijackThis and fixed the items listed, and booted in safe mode and deleted the listed files and folders. I rebooted and produced a new HJT log shown below.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 6:17:56 PM, 1/26/2006
+ Report-Checksum: 8CCB3C93
+ Scan result:
HKU\S-1-5-21-495446925-954458941-920467488-1006\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
::Report End

HiJack Uninstall Report
3D Home Architect 4
Ad-Aware SE Personal
Adobe Acrobat Reader 3.01
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20020823.1)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Deskbar
AOL Spyware Protection
AOL Uninstaller
AOL YGP Picture Downloader
AOL You've Got Pictures Screensaver
AVG Free Edition
CD LabelMaker 5
CleanUp!
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Dell | Support
Dell Picture Studio - Image Expert 2000
Dell Solution Center
DP Editor Ver.1.0
DrawPlus 3.0
Easy CD Creator 5 Basic
EPSON Copy Utility
EPSON Online Reference Guide
EPSON Photo Print
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN FB
eTrust EZ Armor
ewido anti-malware
Exif Launcher Ver.1.1
FinePixViewer Ver.1.0
Google Desktop Search
Google Toolbar for Internet Explorer
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 2
Kazaa Media Desktop 2.0.2
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft Data Access Components KB870669
Microsoft Encarta 98 Research Organizer
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Professional Edition 2003
Microsoft Office Visio Professional 2003
Microsoft Picture It! Photo 2002
Microsoft Web Publishing Wizard 1.52
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MUSICMATCH Jukebox
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
PhoneTools
PhotoMAX Pro
Pure Networks Port Magic
QuickTime
RealPlayer
Realtek RTL8139 Diagnostics Program
ResumeMaker
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Select CashBack
Shockwave
Shockwave Player
Smart Media Card Reader
Spybot - Search & Destroy 1.4
TechConnect
The Print Shop
TrojanHunter 4.2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
Viewpoint Media Player
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2

New Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 8:03:18 PM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLHostManager.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLServiceHost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common files\aol\1112605795\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLServiceHost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112605795\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...75/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A343C209-9930-4FA3-84B6-4CE697EC3F5A} (TSGVClientObj Class) - http://remote.dellfix.com/471/User/CybTech.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,17/mcgdmgr.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Post #4 - Jan 27 2006, 11:22 AM
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi pharbert,
You are using Kazaa. This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. Read this article for alternatives that will provide some of the same function without the garbage: http://www.spywareinfo.com/articles/p2p/

If you opt to remove it, first use "Add/Remove Programs" to remove it and any reference to Altnet and P2P Networking. Go to your control panel, then to "Add/Remove Programs", uninstall P2P networking... If/when asked whether you also want to remove Altnet components, say "Yes". P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. You may also want to run KazaaBegone...

Open "Add/Remove Programs" in the Control Panel. Select the following items:

I think you forgot one. Run HijackThis, click on "Scan" and check the boxes next to all these items:

O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files? At the end of the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):
C:\WINDOWS\system32\msvcp.exe

Restart your computer and post a new log in this thread.
--------------------
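The procedure the helper gives in post #2 (check the listed entries, "Fix checked", reboot into Safe Mode, delete the files, post a new log) and the "I think you forgot one" in post #4 both come down to one check: compare the fix list against the next log. The Python below is an added example, not code from this thread, from HijackThis, or from this forum. It parses HijackThis entries (including logs that the forum has flattened onto one line), reports which fix-list entries still appear in a new log, and lists the files the fix list names so they can be confirmed gone after the Safe Mode deletion. The function names are the editor's own; the two excerpts are constructed from entries quoted in this thread, and the `exists` callback is injectable so the check can be exercised away from the affected machine.

```python
"""Cross-check a HijackThis fix list against a fresh HijackThis log.

Added example for this thread; not code from HijackThis or the forum.
Function names are the editor's own; the excerpts below are constructed
from entries quoted in the thread.
"""
import os
import re
from dataclasses import dataclass

# HijackThis prefixes a section tag (R0-R3, F0-F3, N1-N4, O1-O24) to each entry.
TAG = r"(?:R[0-3]|F[0-3]|N[1-4]|O(?:[1-9]|1\d|2[0-4]))"
ENTRY_RE = re.compile(rf"^({TAG})\s*-\s*(.*)$")
# Logs pasted into a forum lose their newlines; a new entry always begins
# with "<tag> - " after whitespace, so split there.
SPLIT_RE = re.compile(rf"\s+(?={TAG} - )")
# File paths named inside an entry (Run keys, BHOs, win.ini, services).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll|cab|lnk|scr|sys)\b', re.IGNORECASE)


@dataclass(frozen=True)
class HjtEntry:
    section: str  # e.g. "O4"
    body: str     # text after "O4 - "

    def key(self):
        """Case- and whitespace-insensitive identity used to match entries."""
        return (self.section, " ".join(self.body.split()).lower())


def parse_hjt(text):
    """Parse HijackThis entries from a log or fix list, newline-separated or flattened."""
    entries = []
    for line in SPLIT_RE.sub("\n", text).splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2).strip()))
    return entries


def leftover_entries(fix_list_text, new_log_text):
    """Fix-list entries that still appear in the new log, i.e. were not fixed."""
    present = {e.key() for e in parse_hjt(new_log_text)}
    return sorted((e for e in parse_hjt(fix_list_text) if e.key() in present),
                  key=HjtEntry.key)


def referenced_paths(entries):
    """Distinct file paths named by the given entries, in first-seen order."""
    seen = {}
    for e in entries:
        for m in PATH_RE.finditer(e.body):
            seen.setdefault(m.group(0).lower(), m.group(0))
    return list(seen.values())


def cleanup_report(fix_list_text, new_log_text, exists=os.path.exists):
    """Summarise what is still outstanding after a HijackThis fix and reboot."""
    fix_entries = parse_hjt(fix_list_text)
    return {
        "leftover_entries": leftover_entries(fix_list_text, new_log_text),
        "files_still_present": [p for p in referenced_paths(fix_entries) if exists(p)],
    }


# Constructed excerpt: part of the fix list the helper gave in post #2.
FIX_LIST = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O2 - BHO: jimmyhelp.CBrowserHelper - {4EE35A0F-0E49-4F45-80B2-6347BC2AA709} - C:\WINDOWS\xkubbyhhm.dll
O4 - HKLM\..\Run: [ynmlwvaj] C:\WINDOWS\ynmlwvaj.exe
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\
"""

# Constructed excerpt of the new log from post #3, flattened onto one line
# the way the forum pasted it.
NEW_LOG = (
    r"Logfile of HijackThis v1.99.1 Scan saved at 8:03:18 PM, on 1/26/2006 "
    r"Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\Explorer.EXE "
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ "
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll "
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP "
    r"O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\system32\msvcp.exe "
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background'
)

if __name__ == "__main__":
    report = cleanup_report(FIX_LIST, NEW_LOG)
    for e in report["leftover_entries"]:
        print(f"still present in new log: {e.section} - {e.body}")
    for p in report["files_still_present"]:
        print(f"still on disk: {p}")
```

Run against the two excerpts, the only leftover is the `O4 ... msvcp.exe` entry, which is exactly what the helper spotted by eye in post #4. On the affected machine, `cleanup_report` with the default `exists` also reports any listed file that survived the Safe Mode deletion.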
Post #5 - Jan 28 2006, 06:26 AM
New Member (Group: Member, Posts: 6, Joined: 25-January 06, Member No.: 17545)
I removed Kazaa. I fixed the O4 line I missed the last time. Select Cash Back was apparently already removed. I received a message: "An error occurred while trying to remove Select Cashback. It may have already been uninstalled." I selected the option to remove it from the list of programs in add/remove programs.
I think I have an issue with EZ Firewall. It continues to produce alerts on changed programs or repeat programs trying to access the internet or act as a server. If you allow the request and check the box to rember this setting you still get the same alerts on the next logon. I turned the EZ Firewall off, and turned the Windows Firewall on. I get no warnings from the Windows firewall on login. Now everything seems to be working well. Would you suggest reinstalling the EZ Firewall, or just remove it and use Windows? This PC has 4 user accounts set up. I had an error message when I logged onto two of these accounts: "could not run or load c:\Windows\inet2001\winlogon.exe specified in the registry. Make sure the file exists or remove the reference to it frome the registry." I searched the registry for inet2001\winloon.exe and removed each of the entries I found. That fixed the problem on the first user account, but when I went to the other I still had the error message. I searched the registry from this users account, found the same entries and removed them. Now neither account gets the error message upon logon. Here is my new log. 
Logfile of HijackThis v1.99.1
Scan saved at 11:31:33 PM, on 1/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLHostManager.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLServiceHost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\program files\common files\aol\1112605795\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLServiceHost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HiJackThis\HijackThis.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112605795\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...75/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A343C209-9930-4FA3-84B6-4CE697EC3F5A} (TSGVClientObj Class) - http://remote.dellfix.com/471/User/CybTech.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,17/mcgdmgr.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
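The logon error in this post, a winlogon.exe referenced from c:\Windows\inet2001 instead of from system32, is the kind of thing a HijackThis log can be checked for mechanically rather than by eye. The script below is an added example and is not code from the thread or from HijackThis: it pulls every executable path out of a log in the format pasted above and reports core Windows binary names running from outside system32, plus any file name that turns up in more than one directory. The sample log is constructed from a few of the lines above and one made-up O4 entry shaped like the inet2001 reference; the CORE_BINARIES set and the system32 location are assumptions for an XP-era layout.

```python
"""Sanity checks on a HijackThis log: core Windows binaries outside
system32, and one file name running from two different directories.

Added example for this thread, not code from the forum or from HijackThis.
The sample log is constructed: a few lines in the format the poster
pasted, plus a made-up O4 entry shaped like the inet2001 winlogon.exe
reference behind the logon error in the post above.
"""
import ntpath
import re
from collections import defaultdict

# Binaries that on an XP-era box live only in %SystemRoot%\system32
# (assumption; extend the set for other Windows versions).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"

SAMPLE_LOG = "\n".join([
    "Logfile of HijackThis v1.99.1",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\Program Files\ewido anti-malware\ewidoguard.exe",
    "",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"',
    # Constructed entry, not from the posted log: what the inet2001 reference could look like.
    r"O4 - HKCU\..\Run: [winlogon] c:\Windows\inet2001\winlogon.exe",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe",
])

# A drive-letter path ending in an executable extension; lazy so trailing
# arguments such as " /STARTUP" or ",NvStartup" are not swallowed.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr))', re.IGNORECASE)


def extract_paths(log_text):
    """(line, path) for every line carrying an executable path: one per
    process line, the first path in each O-numbered entry."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _PATH_RE.search(line)
        if m:
            found.append((line, m.group(1)))
    return found


def core_binaries_outside_system32(log_text):
    """(name, path, line) for core system binary names not under system32."""
    out = []
    for line, path in extract_paths(log_text):
        directory, name = ntpath.split(path)
        if name.lower() in CORE_BINARIES and directory.lower() != SYSTEM32:
            out.append((name.lower(), path, line))
    return out


def names_in_multiple_dirs(log_text):
    """file name -> set of directories, for names seen in more than one place."""
    dirs = defaultdict(set)
    for _, path in extract_paths(log_text):
        directory, name = ntpath.split(path)
        dirs[name.lower()].add(directory.lower())
    return {name: d for name, d in dirs.items() if len(d) > 1}


if __name__ == "__main__":
    for name, path, line in core_binaries_outside_system32(SAMPLE_LOG):
        print(f"{name} outside system32: {path}\n    from: {line}")
    for name, where in names_in_multiple_dirs(SAMPLE_LOG).items():
        print(f"{name} runs from several places: {sorted(where)}")
```

Paste a real log into SAMPLE_LOG (or read it from a file) to run it against the logs in this thread; the second check deliberately has no allow-list, so a legitimate duplicate such as a 8.3-style C:\PROGRA~1 path next to its long form will also be reported and has to be judged by hand.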
Jan 28 2006, 09:07 AM, Post #6
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi pharbert,

QUOTE
I think I have an issue with EZ Firewall. It continues to produce alerts on changed programs or repeat programs trying to access the internet or act as a server. If you allow the request and check the box to remember this setting you still get the same alerts on the next logon. I turned the EZ Firewall off, and turned the Windows Firewall on. I get no warnings from the Windows firewall on login. Now everything seems to be working well. Would you suggest reinstalling the EZ Firewall, or just remove it and use Windows?

I suggest reinstalling EZ. The problem with the Windows Firewall is that every program that wants an outside line will get it; the only things blocked are things outside trying to get in. But spyware that gets an open line has free rein over it, so it can get more of its buddies in, or whatever it is they do...

Just to be sure about the inet2001 thingy...

Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

QUOTE
RegSearch Options File
[Search]
inet2001
[Exclude]
[Options]
Filter=KVDLU

Download Registry Search and extract it. Doubleclick the icon to run and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.

The rest looks good. Is Panda working now? Is there anything strange about your computer?
Jan 28 2006, 04:47 PM, Post #7
New Member (Group: Member, Posts: 6, Joined: 25-January 06, Member No.: 17545)
I ran Registry Search and it responds with an error: "Failed to get data for 'TcpNumConnections'". I used regedit to search for TcpNumConnections and in the data field it said "Invalid Dword Value". I exported the key in case you wanted to see what the registry value was. It is listed below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000003
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"DependOnService"=hex(7):49,00,50,00,53,00,65,00,63,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="TCP/IP Protocol Driver"
"TcpNumConnections"=hex(4):00,10,00,00,01,00,00,00,e8,df,00,00,00,31,c0,a3,91,\
  1a,40,00,68,fa,00,00,00,68,29,45,40,00,6a,00,ff,15,67,11,40,00,68,ff,00,00,\
  00,68,2b,43,40,00,ff,15,6f,11,40,00,a3,4a,15,40,00,e8,5e,02,00,00,e8,82,03,\
  00,00,68,88,13,00,00,ff,15,ab,11,40,00,e8,0c,00,00,00,77,69,6e,69,6e,65,74,\
  2e,64,6c,6c,00,ff,15,8f,11,40,00,e8,1a,00,00,00,49,6e,74,65,72,6e,65,74,47,\
  65,74,43,6f,6e,6e,65,63,74,65,64,53,74,61,74,65,00,50,ff,15,6b,11,40,00,6a,\
  00,68,30,15,40,00,ff,d0,85,c0,74,45,83,3d,2c,42,40,00,01,74,0f,e8,5c,01,00,\
  00,c7,05,2c,42,40,00,01,00,00,00,e8,ee,06,00,00,83,3d,91,1a,40,00,21,74,24,\
  a1,16,15,40,00,ff,05,5a,15,40,00,39,05,5a,15,40,00,7c,0c,31,c0,a3,5a,15,40,\
  00,e8,f2,03,00,00,e9,61,ff,ff,ff,6a,00,ff,15,5b,11,40,00,55,89,e5,83,ec,0c,\
  c7,45,f4,00,00,00,00,c7,45,f8,00,00,00,00

Panda does work now. I ran it after my post this morning.

Here is the log:

Incident                      Status           Location
Adware:adware/adsmart         Not disinfected  C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/gator           Not disinfected  C:\GatorPatch.log
Adware:adware/cws.yexe        Not disinfected  C:\messanger.ini
Adware:adware/wupd            Not disinfected  Windows Registry
Spyware:Cookie/Searchportal   Not disinfected  C:\Documents and Settings\Ashley\Cookies\ashley@searchportal.information[1].txt
Spyware:Cookie/Rightmedia     Not disinfected  C:\RECYCLER\S-1-5-21-495446925-954458941-920467488-1007\Dc17.txt

This PC belongs to a friend, and I am trying to get it fixed for them. Since EZ Firewall is licensed, I will need to have them supply their account info to Road Runner to download a fresh copy of EZ. I will work with them to do this when I return the PC. In the meantime, am I safe running just the Windows firewall? Do you think the EZ firewall is corrupted or is it possible that something is at work changing these programs which access the internet? The computer is performing much better. No unusual behavior since I turned off the EZ firewall.
Jan 30 2006, 01:58 PM, Post #8
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi pharbert,

QUOTE
I ran registry search and it responds with an error "Failed to get data for 'TcpNumConnections'". I used regedit to search for TcpNumConnections and in the data field it said 'Invalid Dword Value'. I exported the key in case you wanted to see what the registry value was. It is listed below.

Yep.... that sure is wrong. I have no idea how that value got in the Registry. TcpNumConnections is the maximum number of open connections you can have... This would be way too many. Unfortunately that means that this program will fail during work. I'll take it that the inet2001 is gone, since I already thought so to start with.

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\SYSTEM32\vx.tll
C:\GatorPatch.log
C:\messanger.ini
C:\Documents and Settings\Ashley\Cookies\ashley@searchportal.information[1].txt

Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:

QUOTE
This PC belongs to a friend, and I am trying to get it fixed for them. Since EZ Firewall is licensed, I will need to have them supply their account info to Road Runner to download a fresh copy of EZ. I will work with them to do this when I return the PC. In the meantime, am I safe running just the Windows firewall? Do you think the EZ firewall is corrupted or is it possible that something is at work changing these programs which access the internet?

You'll be reasonably safe. As I said the problem lies with the "one way street" traffic of the Windows firewall. Everything on it can talk to the rest of the world. Including all the spyware, and other crappies...

Please post a fresh HijackThis log afterward.
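The two registry checks in this exchange, searching for the string inet2001 (post #6) and looking at the TcpNumConnections value that Registry Search choked on (posts #7 and #8), can both be done offline against a regedit export. The script below is an added example and is not code from the thread or from the Registry Search tool. It parses the export syntax shown above, including the backslash-continued hex lines, reports any value whose declared type has a fixed size but whose data does not (hex(4) is REG_DWORD and should hold exactly 4 bytes; the value posted above holds far more, and its bytes include the ASCII strings "wininet.dll" and "InternetGetConnectedState", which is not what a connection count looks like), and lists values whose key, name or data mention a search string. SAMPLE_REG is constructed: the Tcpip key from the post with the TcpNumConnections blob shortened to the bytes around those two strings, plus a hypothetical key and "Load" value standing in for wherever the inet2001 reference lived, which the thread never shows.

```python
"""Offline checks on a regedit export (.reg file).

Added example for this thread, not code from the forum or from the
Registry Search tool it recommends. It does two things the thread did by
hand: search an export for a string (here 'inet2001') and flag values
whose declared type has a fixed size but whose data does not (the
TcpNumConnections value posted above is hex(4) = REG_DWORD carrying far
more than 4 bytes). Assumes regedit 5.00 export syntax.
"""
import re
from dataclasses import dataclass

# Sizes a well-formed value of these types must have (REG_DWORD, REG_QWORD).
FIXED_SIZES = {0x4: 4, 0xB: 8}
STRING_TYPES = {0x1, 0x2, 0x7}  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ (UTF-16LE)

# Constructed sample: the Tcpip key from the thread with the TcpNumConnections
# blob shortened to the bytes around its two ASCII strings, plus a hypothetical
# key holding a reference like the one behind the poster's winlogon error.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip]",
    '"Type"=dword:00000001',
    '"Start"=dword:00000001',
    '"DisplayName"="TCP/IP Protocol Driver"',
    '"TcpNumConnections"=hex(4):00,10,00,00,01,00,00,00,e8,df,00,00,00,31,c0,a3,91,\\',
    "  1a,40,00,68,fa,00,00,00,68,29,45,40,00,6a,00,ff,15,67,11,40,00,e8,0c,00,00,00,\\",
    "  77,69,6e,69,6e,65,74,2e,64,6c,6c,00,ff,15,8f,11,40,00,e8,1a,00,00,00,49,6e,74,\\",
    "  65,72,6e,65,74,47,65,74,43,6f,6e,6e,65,63,74,65,64,53,74,61,74,65,00,50,ff,15",
    "",
    r"[HKEY_CURRENT_USER\Software\Example\Run]",  # hypothetical key, not from the thread
    r'"Load"="c:\\Windows\\inet2001\\winlogon.exe"',
])


@dataclass
class RegValue:
    key: str
    name: str
    type_id: int
    data: bytes


def _logical_lines(text):
    """Join the backslash-continued hex lines regedit writes."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
        else:
            out.append(pending + line)
            pending = ""
    if pending:
        out.append(pending)
    return out


_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def parse_reg(text):
    """Every value in the export as a RegValue holding its raw bytes."""
    values, key = [], None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            continue  # header, comment, blank line or deletion marker
        name = "(Default)" if m.group(2) else m.group(1)
        rhs = m.group(3)
        if rhs.startswith('"') and rhs.endswith('"'):
            text_val = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            values.append(RegValue(key, name, 0x1, text_val.encode("utf-16-le")))
        elif rhs.startswith("dword:"):
            values.append(RegValue(key, name, 0x4, int(rhs[6:], 16).to_bytes(4, "little")))
        else:
            h = _HEX_RE.match(rhs)
            if h is None:
                continue
            type_id = int(h.group(1), 16) if h.group(1) else 0x3  # plain hex: is REG_BINARY
            blob = bytes(int(b, 16) for b in h.group(2).split(",") if b.strip())
            values.append(RegValue(key, name, type_id, blob))
    return values


def ascii_strings(blob, min_len=5):
    """Printable ASCII runs inside binary data, like the `strings` tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def malformed_fixed_size(values):
    """(value, printable strings in its data) for fixed-size types of the wrong length."""
    return [(v, ascii_strings(v.data))
            for v in values
            if v.type_id in FIXED_SIZES and len(v.data) != FIXED_SIZES[v.type_id]]


def search_values(values, term):
    """Values whose key, name or data contain `term`, case-insensitively."""
    t = term.lower()
    hits = []
    for v in values:
        if v.type_id in STRING_TYPES:
            data_text = v.data.decode("utf-16-le", "replace")
        else:
            data_text = " ".join(ascii_strings(v.data, 1))
        if t in v.key.lower() or t in v.name.lower() or t in data_text.lower():
            hits.append(v)
    return hits


if __name__ == "__main__":
    vals = parse_reg(SAMPLE_REG)
    for v, strings in malformed_fixed_size(vals):
        print(f"[{v.key}] {v.name}: type 0x{v.type_id:x} expects "
              f"{FIXED_SIZES[v.type_id]} bytes, has {len(v.data)}; strings: {strings}")
    for v in search_values(vals, "inet2001"):
        print(f"[{v.key}] {v.name} mentions inet2001")
```

To use it on a real machine, export the key (or the whole hive) with regedit and feed the file's text to parse_reg instead of SAMPLE_REG. A fixed-size value with the wrong length is exactly what makes tools that read the registry as typed data fail, as Registry Search did here, and the printable strings in the data are the quickest hint as to what was stashed there.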
Jan 31 2006, 12:27 AM, Post #9
New Member (Group: Member, Posts: 6, Joined: 25-January 06, Member No.: 17545)
Ok, I followed your instructions. Also, I deleted the two registry keys for TcpNumConnections, and ran your registry search utility. Here is the log:

REGEDIT4
; Registry Search by Bobbi Flekman © 2005
; Version: 1.0.2.4
; Results at 1/30/2006 6:43:09 PM for strings:
; 'inet2001'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...

Also, I was able to uninstall and reinstall EZTrust Firewall. I still get the same behavior as before. On each bootup it challenges every program which accesses the internet. Even if you allow and tell it to remember the program, it will still challenge it. Do you think the problem is with EZ, or could I have some infection which is changing these programs which are being challenged?

I did have something happen that I consider unusual since I thought the system was clean and I am running several programs to stop adware. I got a popup window. I ran EZ Pest Patrol, and it found 4 things: BargainBuddy, DownloadWare, Ezula Top Text, SpyKeylogger. That was two days ago. Since then scans have been clean.

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:13 PM, on 1/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLHostManager.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLServiceHost.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
c:\program files\common files\aol\1112605795\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1112605795\ee\AOLServiceHost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112605795\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...75/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A343C209-9930-4FA3-84B6-4CE697EC3F5A} (TSGVClientObj Class) - http://remote.dellfix.com/471/User/CybTech.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,17/mcgdmgr.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak01.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Jan 31 2006, 03:43 PM, Post #10
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Hi pharbert,

The Registry is clean.

QUOTE
Also, I was able to uninstall and reinstall EZTrust Firewall. I still get the same behavior as before. On each bootup it challenges every program which accesses the internet. Even if you allow and tell it to remember the program, it will still challenge it. Do you think the problem is with EZ, or could I have some infection which is changing these programs which are being challenged?

I don't think I can help you with that. You could try in the firewall section or get in contact with EZTrust themselves.

What did the popup say? The log looks clean.
Jan 31 2006, 06:35 PM, Post #11
New Member (Group: Member, Posts: 6, Joined: 25-January 06, Member No.: 17545)
I don't remember what the pop up said. It was a new IE page with some advertisement. As I said in my last post, I ran some scanners after that, and found several adware programs and those were removed. It just surprised me that I got new adware on this PC while running firewalls and other protective programs such as Ewido. There has not been a reoccurrence for a few days.
Good to hear that the registry is clean. I will pursue the EZ firewall issue with CA. Thanks again for your help. Any other instructions?
Feb 1 2006, 03:24 PM, Post #12
The computer whisperer (Group: Admin, Posts: 5988, Joined: 17-April 04, From: Isla Nublar, Member No.: 6954)
Ok.... Then I regard this thread as closed. If anything pops up, you're more than welcome to post again.