1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Adaware virus?

Discussion in 'Windows - Virus and spyware problems' started by mossfan18, Nov 9, 2010.

  1. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    26
    This is so weird. I ran Ad-Aware on my old PC that runs XP as its OS. I just ran Ad-Aware to clean out any old bugs, I had the application in a folder from at least 2 years ago and then I installed it and updated it. Immediately after I had PC problems from hell.

    After running Ad-Aware it found Trojan.Win32.Agent.abzlz and recommended a restart. After the restart I was unable to get internet access and my desktop had changed, I had a completely new toolbar and System Restore and Avast were non functioning. I couldn't access the internet in Safe Mode or Safe Mode Networking. However, after rebooting in Safe Mode Debugging, I can access the internet and my desktop has returned to normal.

    I thought that the Trojan.Win32.Agent.abzlz that Ad-Aware found was the problem. I never once thought Ad-Aware could have been the source of the virus until I saw that Ad-aware was hogging my PC usage. The PC was crawling and I saw that aawwsc.exe is infected was at 78% so I killed it. Moments later, it started crawling again and Ad-AwareAdmin.exe was using 98% of the PC usage so I killed it next.

    What do you think I should do now? I'll post what Ad-Aware found and a Hijack this log.

    Thanks in advance!
     
  2. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    26
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:09:28 PM, on 11/9/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\S3apphk.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\HP\KBD\KBD.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\America Online 7.0a\aoltray.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
    C:\WINDOWS\system32\calc.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Owner\Desktop\try\Revo Uninstaller Pro\RevoUninPro.exe
    C:\Documents and Settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}\Ad-AwareInstall.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe
    C:\WINDOWS\system32\msiexec.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netmail.verizon.net/webmail/driver?nimlet=showcanvas
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe
    O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287429362093
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe (file missing)
    O23 - Service: hpdj02 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj02.exe (file missing)
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9257 bytes
     
  3. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    mossfan18,

    Ad-Aware is old technology and doesn’t perform as it did in the past (not recommended).

    You have NO Anti-Virus running and that’s a no-no when surfing the net. Download and install a good Free AV from this site -> Best Free Antivirus, your choice and make sure that the windows firewall is turned on.

    Now, there are a couple of randomly named Services in your machine that were loaded through a Temp file. That’s a bad sign and they need to go…


    Remove Bad Services

    Step # 1: Remove Hijackthis Entries
    • Run HijackThis
    • Click on the Scan button
    Put a check beside all of the items listed below (if present):


    O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe (file missing)

    O23 - Service: hpdj02 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj02.exe (file missing)


    Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    Step # 2: Delete Bad Services

    Please open Notepad. Ensure that word wrap is turned off. Click on Format and make sure that there is not a tick next to Word Wrap. If there's one, click on Word Wrap to remove it. Copy and paste the following in the code box into Notepad:

    Code:
    @echo off
    sc stop hpdj00
    sc delete hpdj00
    sc stop hpdj02
    sc delete hpdj02
    exit



    Click on File > Save As....

    In the File Name box, copy and paste in fix.bat
    In the Save as type box, select All Files from the drop-down list.

    Click Save and save it to your Desktop.

    Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.



    Step # 3 Clean with Malwarebytes’ Anti-Malware


    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt


    In your next post include the MBAM Log. A fresh HJT Log and let me know how the machine is acting……

    2oG
     
    Last edited: Nov 10, 2010
  4. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    26
    2oldGeek,

    Thanks, I'm going to do just what you say and I'll let you know the results.

    The reason there was no virus protection running was because I had just deleted Avast and was in the process of installing a new program. You know how 2 virus programs conflict.

    The virus protection I got was Microsoft Security Essentials. You think that is sufficient? I've always went with AVAST or AVG but since AVAST missed this one, I'm willing to try something new.

    Anyhow, thanks for the help you have provided already!
     
  5. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Avast is very good, I personally prefer Avira but MS essential has come a long way and is also very good. AVG is a laugh.... NOT RECOMMENDED!

    2oG
     
  6. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    26
    Dude you've been awesome. I already did everything you walked me through. As soon as Malwarebytes gets done scanning the system, I'll do a Hijackthis and submit log and let you know the machines status.

    Thanks!
     
  7. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    take your time, I'll be arond.
     
  8. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    26
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5092

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    11/11/2010 11:15:29 AM
    mbam-log-2010-11-11 (11-15-29).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 287410
    Time elapsed: 2 hour(s), 30 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 26
    Files Infected: 32

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe (Adware.Casino) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9 (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Packages (Rogue.Multiple) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\VirusRemover2008 (Rogue.VirusRemover) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\VirusRemover2008\Logs (Rogue.VirusRemover) -> No action taken.
    C:\Program Files\rhc1qhj0e1d9 (Rogue.Multiple) -> No action taken.
    C:\Program Files\TimeSink (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753 (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753 (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Users (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Users\Owner (AdWare.Cydoor) -> No action taken.
    C:\WINDOWS\system32\v9 (Trojan.Downloader) -> No action taken.

    Files Infected:
    C:\RECYCLER\S-1-5-21-1417066420-3378386939-971929597-1003\Dc4\BadIntentionz\KewlButtonz.ocx (Hacktool.KewlButtonz) -> No action taken.
    C:\Program Files\Lucky Pyramid Casino\Install.exe (Adware.Casino) -> No action taken.
    C:\Program Files\MSN Messenger\msimg32.dll (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWebSearch) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\VirusRemover2008\Logs\scns.log (Rogue.VirusRemover) -> No action taken.
    C:\Program Files\rhc1qhj0e1d9\database.dat (Rogue.Multiple) -> No action taken.
    C:\Program Files\rhc1qhj0e1d9\rhc1qhj0e1d9.exe.local (Rogue.Multiple) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done1.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done1.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending1.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending1.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done1.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done1.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending1.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending1.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched.idx (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched1.cdb (AdWare.Cydoor) -> No action taken.
    C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched1.idx (AdWare.Cydoor) -> No action taken.
    C:\WINDOWS\system32\phc5qhj0e1d9.bmp (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
    C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.

    Let me know whatcha think now.
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78


    Don't look like you deleted any of the bad stuff..........
    Do it and post a new Log along with a HJT Log..

    2oG
     
  10. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    26
    Here's my new Hijackthis log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:16:34 PM, on 11/11/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\notepad.exe
    c:\program files\avira\antivir desktop\avcenter.exe
    C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netmail.verizon.net/webmail/driver?nimlet=showcanvas
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_Plugin.exe -update plugin
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287429362093
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 7339 bytes
     
  11. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    That looks real good now.
    Did you get all the crap removed that MBAM found?

    Hows it doing?
     
  12. mossfan18

    mossfan18 Regular member

    Joined:
    Feb 23, 2007
    Messages:
    198
    Likes Received:
    0
    Trophy Points:
    26
    Yep, I removed everything MBAM found, I did that as soon as I posted to you a log of what it found. I didn't want to erase something that may have given you insight on where the issue was before posting the log.

    Anyhow, I deleted what MBAM found and so far she's purrrrin' like a kitten.

    Thanks a lot! This has been my favorite self help site since at least '06 and I'll make sure I make a donation next Friday. Payday! (;
     
    Last edited: Nov 12, 2010
  13. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Just remember me in your "Will", the pay here sucks! LOL

    You are probably getting the Trojans through downloads using uTorrent. uTorrent is clean, the downloads aren't.

    I use and recommend Threatfire free. If a Trojan or malware cannot install itself, it cannot hurt you.... Threatfire stops them from installing.
    Try it:
    http://www.threatfire.com/download/

    Wash behind your ears, change your underwear and socks and keep your nose clean... :)

    2oG
     

Share This Page