This is so weird. I ran Ad-Aware on my old PC that runs XP as its OS. I just ran Ad-Aware to clean out any old bugs; I had the application in a folder from at least 2 years ago and then I installed it and updated it. Immediately after I had PC problems from hell. After running Ad-Aware it found Trojan.Win32.Agent.abzlz and recommended a restart. After the restart I was unable to get internet access and my desktop had changed, I had a completely new toolbar and System Restore and Avast were non-functioning. I couldn't access the internet in Safe Mode or Safe Mode with Networking. However, after rebooting in Safe Mode with Debugging, I can access the internet and my desktop has returned to normal. I thought that the Trojan.Win32.Agent.abzlz that Ad-Aware found was the problem. I never once thought Ad-Aware could have been the source of the virus until I saw that Ad-Aware was hogging my PC usage. The PC was crawling and I saw that "aawwsc.exe is infected" was at 78% so I killed it. Moments later, it started crawling again and Ad-AwareAdmin.exe was using 98% of the PC usage so I killed it next. What do you think I should do now? I'll post what Ad-Aware found and a HijackThis log. Thanks in advance!
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:09:28 PM, on 11/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\America Online 7.0a\aoltray.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\system32\calc.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\try\Revo Uninstaller Pro\RevoUninPro.exe
C:\Documents and Settings\All Users\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}\Ad-AwareInstall.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netmail.verizon.net/webmail/driver?nimlet=showcanvas
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287429362093
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: hpdj02 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj02.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9257 bytes
mossfan18, Ad-Aware is old technology and doesn't perform as it did in the past (not recommended). You have NO Anti-Virus running and that's a no-no when surfing the net. Download and install a good Free AV from this site -> Best Free Antivirus, your choice, and make sure that the Windows firewall is turned on.

Now, there are a couple of randomly named Services in your machine that were loaded through a Temp file. That's a bad sign and they need to go...

Remove Bad Services

Step # 1: Remove HijackThis Entries
• Run HijackThis
• Click on the Scan button
• Put a check beside all of the items listed below (if present):

O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: hpdj02 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj02.exe (file missing)

• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.

Step # 2: Delete Bad Services
Please open Notepad. Ensure that word wrap is turned off. Click on Format and make sure that there is not a tick next to Word Wrap. If there's one, click on Word Wrap to remove it.
Copy and paste the following in the code box into Notepad:

Code:
@echo off
sc stop hpdj00
sc delete hpdj00
sc stop hpdj02
sc delete hpdj02
exit

Click on File > Save As.... In the File Name box, copy and paste in fix.bat
In the Save as type box, select All Files from the drop-down list.
Click Save and save it to your Desktop.
Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.

Step # 3: Clean with Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

In your next post include the MBAM Log and a fresh HJT Log, and let me know how the machine is acting……

2oG
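The two hpdj entries 2oG singles out share three traits: the service binary lives under a user's Temp folder, HijackThis records no publisher ("Unknown owner"), and the file is already gone from disk. As an added example (not from the thread, HijackThis or Malwarebytes), this Python script parses O23 lines in HijackThis's format, flags entries with any of those traits, and emits the same sc stop / sc delete batch text as Step 2 for the flagged service names; the sample lines are constructed from the log above.

```python
"""Triage HijackThis O23 (service) entries and build the sc stop/delete
batch file that removes the suspicious ones. Added example; the sample
lines below are constructed to match the thread's log format."""
import re

# Constructed sample: a few O23 lines in HijackThis format, including the
# two Temp-loaded services from the log above.
SAMPLE_LOG = r"""
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: hpdj00 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj00.exe (file missing)
O23 - Service: hpdj02 - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj02.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

PREFIX = "O23 - Service: "
MISSING = " (file missing)"
# Path fragments a legitimate service binary should not live under
# (user-writable locations; compared case-insensitively). This is a
# triage heuristic, so review every hit before removing anything.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\recycler\\")


def parse_o23(log_text):
    """Return one dict per O23 line: display, service, owner, path, missing."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        # Format: O23 - Service: <display> - <owner> - <path>[ (file missing)]
        # Split from the right so hyphens inside the display name survive.
        parts = line.rsplit(" - ", 2)
        if len(parts) != 3:
            continue
        head, owner, path = parts
        display = head[len(PREFIX):]
        missing = path.endswith(MISSING)
        if missing:
            path = path[:-len(MISSING)]
        # HJT writes "Display Name (ServiceName)" when they differ; sc needs
        # the short service name, so take the last parenthesised token.
        m = re.search(r"\(([^()]+)\)\s*$", display)
        service = m.group(1) if m else display
        entries.append({"display": display, "service": service,
                        "owner": owner, "path": path, "missing": missing})
    return entries


def assess(entry):
    """List the reasons an O23 entry deserves a second look (empty = fine)."""
    reasons = []
    if any(frag in entry["path"].lower() for frag in USER_WRITABLE):
        reasons.append("binary in a user-writable/Temp location")
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no publisher recorded")
    if entry["missing"]:
        reasons.append("service binary missing on disk")
    return reasons


def suspicious_services(log_text):
    """Return [(service_name, reasons), ...] for entries with any reason."""
    flagged = []
    for entry in parse_o23(log_text):
        reasons = assess(entry)
        if reasons:
            flagged.append((entry["service"], reasons))
    return flagged


def build_fix_bat(service_names):
    """Produce the Step 2 batch text: stop, then delete, each service."""
    lines = ["@echo off"]
    for name in service_names:
        lines.append(f"sc stop {name}")
        lines.append(f"sc delete {name}")
    lines.append("exit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_services(SAMPLE_LOG)
    for name, reasons in flagged:
        print(f"{name}: {'; '.join(reasons)}")
    print(build_fix_bat([name for name, _ in flagged]))
```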
2oldGeek, Thanks, I'm going to do just what you say and I'll let you know the results. The reason there was no virus protection running was because I had just deleted Avast and was in the process of installing a new program. You know how 2 virus programs conflict. The virus protection I got was Microsoft Security Essentials. You think that is sufficient? I've always gone with AVAST or AVG but since AVAST missed this one, I'm willing to try something new. Anyhow, thanks for the help you have provided already!
Avast is very good, I personally prefer Avira but MS essential has come a long way and is also very good. AVG is a laugh.... NOT RECOMMENDED! 2oG
Dude you've been awesome. I already did everything you walked me through. As soon as Malwarebytes gets done scanning the system, I'll do a Hijackthis and submit log and let you know the machines status. Thanks!
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5092

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

11/11/2010 11:15:29 AM
mbam-log-2010-11-11 (11-15-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 287410
Time elapsed: 2 hour(s), 30 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 26
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe (Adware.Casino) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9 (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKCU (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKLM (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\BrowserObjects (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\rhc1qhj0e1d9\Quarantine\Packages (Rogue.Multiple) -> No action taken.
C:\Documents and Settings\Owner\Application Data\VirusRemover2008 (Rogue.VirusRemover) -> No action taken.
C:\Documents and Settings\Owner\Application Data\VirusRemover2008\Logs (Rogue.VirusRemover) -> No action taken.
C:\Program Files\rhc1qhj0e1d9 (Rogue.Multiple) -> No action taken.
C:\Program Files\TimeSink (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753 (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753 (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner (AdWare.Cydoor) -> No action taken.
C:\WINDOWS\system32\v9 (Trojan.Downloader) -> No action taken.

Files Infected:
C:\RECYCLER\S-1-5-21-1417066420-3378386939-971929597-1003\Dc4\BadIntentionz\KewlButtonz.ocx (Hacktool.KewlButtonz) -> No action taken.
C:\Program Files\Lucky Pyramid Casino\Install.exe (Adware.Casino) -> No action taken.
C:\Program Files\MSN Messenger\msimg32.dll (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWebSearch) -> No action taken.
C:\Documents and Settings\Owner\Application Data\VirusRemover2008\Logs\scns.log (Rogue.VirusRemover) -> No action taken.
C:\Program Files\rhc1qhj0e1d9\database.dat (Rogue.Multiple) -> No action taken.
C:\Program Files\rhc1qhj0e1d9\rhc1qhj0e1d9.exe.local (Rogue.Multiple) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Done1.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\ba015753\Owner\egames-fullcd\Pending1.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Done1.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Profiles\fa015753\Owner\egames-fullcd\Pending1.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched.idx (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched1.cdb (AdWare.Cydoor) -> No action taken.
C:\Program Files\TimeSink\AdGateway\Users\Owner\Sched1.idx (AdWare.Cydoor) -> No action taken.
C:\WINDOWS\system32\phc5qhj0e1d9.bmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.

Let me know whatcha think now.
Don't look like you deleted any of the bad stuff.......... Do it and post a new Log along with a HJT Log.. 2oG
Here's my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:16:34 PM, on 11/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Documents and Settings\Owner\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netmail.verizon.net/webmail/driver?nimlet=showcanvas
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_Plugin.exe -update plugin
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1287429362093
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7339 bytes
Yep, I removed everything MBAM found, I did that as soon as I posted to you a log of what it found. I didn't want to erase something that may have given you insight on where the issue was before posting the log. Anyhow, I deleted what MBAM found and so far she's purrrrin' like a kitten. Thanks a lot! This has been my favorite self help site since at least '06 and I'll make sure I make a donation next Friday. Payday! (;
Just remember me in your "Will", the pay here sucks! LOL You are probably getting the Trojans through downloads using uTorrent. uTorrent is clean, the downloads aren't. I use and recommend Threatfire free. If a Trojan or malware cannot install itself, it cannot hurt you.... Threatfire stops them from installing. Try it: http://www.threatfire.com/download/ Wash behind your ears, change your underwear and socks and keep your nose clean... 2oG