TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Mek2005 on March 06, 2005, 08:24:57 PM
-
Hi there. I'm new to this forum and posting here as a last resort. I'm having some issues that I can't seem to kill, and they're unlike anything I've seen before.
I'm running Windows XP Home, and I'll provide a HijackThis log below, but here's a list of basic problems. First off, Task Manager auto-minimizes to the systray when I try to open it and refuses to display in window format. If it's minimized, it stops responding.
I use Trillian to chat with via AIM (no IRC/other messengers) and whenever I try to open a chat log file or receive a file, it stops responding, but it works fine if I don't touch those features.
If I try to download anything in Firefox, the download gets to about 95% and then the program stops responding. Firefox itself browses just fine, so long as I don't try to save or download anything.
If I'm in gmail and go to click "Browse" to attach a file to an e-mail, Firefox freezes and stops responding. I seem to be able to send and receive e-mail just fine.
If I'm in a particular gaming client that uses commands to pop open Firefox windows to access various parts of the game's website, and I input one of those commands, the client freezes and stops responding. I can still input text into the client window and play just fine.
I don't have any of these issues for the first few minutes after restarting my PC -- everything works fine. Within five minutes, though, without fail, it all pretty much goes to hell.
I recently ran full system scans with AdAware and Spyware Doctor cleared all of the spyware that it found off the PC while it was running in safe mode. I also ran a full system scan with TDS-3 (trojan checker) in safe mode and cleared all of the positive matches it found. I've manually gone through every faulty registry key, cleared those, and deleted malware found in Program Files and the system32 folders while in safe mode.
For some reason, the problem is continuing, and the programs continue to stop responding whenever I try any of the above activities (and more).
[Edited to add:] Another thing that crashes after about twenty minutes is my sound card. I stop being able to play sound files because it can't find it. This all sounds to me like something virus-associated, but I can't find any virii on the system.
People seem to appreciate hijackthis logs, so here's mine:
Logfile of HijackThis v1.99.0
Scan saved at 7:18:15 PM, on 3/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107918627181
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
If anybody's able to help with this, I'd greatly appreciate it. I'm at my wit's end in terms of figuring out what could be wrong.
-Mike
-
I don't see anything malicious that could be causing this behaviour
Are you using the latest versions of Trillian and Firefox?
Does Task Manager open up in Safe mode?
In case Hijackthis isn't showing everything
You may want to download Process Explorer
Run it and save a log of the running processes and then post it
I'm not sure if one of these registry fixes will work or not?
http://www.kellys-korner-xp.com/taskbarplus!.htm
-
Forgot the link to Process Explorer
Here you go
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
-
I'm not sure the registry fixes are going to be helpful, though I tried a few to no avail. Oddly, two IE windows popped up with porn advertisements last time I restarted my computer (that's never happened before). So there's something going on here.
I'm using the latest version of Firefox, though I'm using an older version of Trillian because I like that one better.
Basically what happens with the Task Manager is I hit ALT+CTRL+DEL and it pops up the green monitor in the systray, but that's all it does -- it runs the process without actually popping up a window for it, and I can't get the window to appear no matter what I do.
I installed AVG's free antivirus software which found two bits of malicious data and removed them, but the problems are persisting, and programs are still crashing.
Here's a new log from HiJackThis and also from the program you gave me:
Logfile of HijackThis v1.99.0
Scan saved at 9:26:54 PM, on 3/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\veritas.exe
C:\WINDOWS\system32\spoolsv.exe
c:\g1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\bar.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107918627181
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
From Process:
Process PID CPU Description Company Name
System Idle Process 0 94.29
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 0.95
smss.exe 432 Windows NT Session Manager Microsoft Corporation
csrss.exe 480 Client Server Runtime Process Microsoft Corporation
winlogon.exe 508 Windows NT Logon Application Microsoft Corporation
services.exe 552 2.86 Services and Controller app Microsoft Corporation
svchost.exe 740 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 792 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 3432 Automatic Updates Microsoft Corporation
svchost.exe 868 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 884 Generic Host Process for Win32 Services Microsoft Corporation
CCSETMGR.EXE 1044 Symantec Settings Manager Service Symantec Corporation
SPBBCSvc.exe 1164 SPBBC Service Symantec Corporation
CCEVTMGR.EXE 1244 Symantec Event Manager Service Symantec Corporation
spoolsv.exe 1732 Spooler SubSystem App Microsoft Corporation
avgamsvr.exe 1036 AVG Alert Manager GRISOFT, s.r.o.
avgupsvc.exe 1648 AVG Update Service GRISOFT, s.r.o.
navapsvc.exe 1880 Norton AntiVirus Auto-Protect Service Symantec Corporation
NPFMntor.exe 2076 Norton AntiVirus Firewall Install Monitor Symantec Corporation
symlcsvc.exe 2156 Symantec Core Component Symantec Corporation
lsass.exe 564 LSA Shell (Export Version) Microsoft Corporation
taskmgr.exe 4012 Windows TaskManager Microsoft Corporation
explorer.exe 1176 Windows Explorer Microsoft Corporation
CCAPP.EXE 1508 Symantec User Session Symantec Corporation
avgcc.exe 1568 AVG Control Center GRISOFT, s.r.o.
avgemc.exe 1628 AVG E-Mail Scanner GRISOFT, s.r.o.
veritas.exe 1640
g1.exe 1076
bar.exe 1840
firefox.exe 3292 Firefox Mozilla
procexp.exe 4092 1.90 Sysinternals Process Explorer Sysinternals
notepad.exe 3712 Notepad Microsoft Corporation
Process: Procexp Pid: -2
Type Name
Personally, I'm not seeing anything malicious either, but if there's nothing malicious, then where would those porn popups in IE windows have come from at startup?
The fact that taskmgr immediately minimizes to the systray and becomes inaccessible has me highly suspicious, I just can't see what's causing the problem.
-Mike
-
Can you access this Online Malware Scan
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to this file
C:\WINDOWS\System32\veritas.exe <-- this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please, just the scanner results
While you're there, could you do the same thing with these files
C:\g1.exe
c:\bar.exe
-
They're malware. The strange thing is that when I started this thread, they weren't there, and I hadn't visited any new sites. I kind of wonder how they got here in the last two hours.
Here's the scan results:
File: veritas.exe
Status:
INFECTED/MALWARE
Packers detected:
PE_PATCH, ASPROTECT, PE-DIMINISHER, PE-CRYPT
AntiVir
Worm/Spybot.160768 (0.37 seconds taken)
Avast
No viruses found (1.51 seconds taken)
AVG Antivirus
No viruses found (0.49 seconds taken)
BitDefender
No viruses found (0.71 seconds taken)
ClamAV
No viruses found (0.62 seconds taken)
Dr.Web
Win32.HLLW.MyBot (0.90 seconds taken)
F-Prot Antivirus
No viruses found (0.43 seconds taken)
Fortinet
No viruses found (0.44 seconds taken)
Kaspersky Anti-Virus
Backdoor.Win32.Rbot.gen (1.13 seconds taken)
mks_vir
No viruses found (0.24 seconds taken)
NOD32
probably unknown NewHeur_PE (probable variant) (1.55 seconds taken)
Norman Virus Control
No viruses found (1.32 seconds taken)
----------------
File: g1.exe
Status:
INFECTED/MALWARE
Packers detected:
PE-DIMINISHER, PE-CRYPT
AntiVir
No viruses found (0.83 seconds taken)
Avast
No viruses found (3.06 seconds taken)
AVG Antivirus
No viruses found (0.97 seconds taken)
BitDefender
Trojan.QLow.A (0.95 seconds taken)
ClamAV
No viruses found (0.72 seconds taken)
Dr.Web
Trojan.DownLoader.735 (0.89 seconds taken)
F-Prot Antivirus
No viruses found (0.12 seconds taken)
Fortinet
W32/Sdbot.KQ-net (0.42 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.LowZones.c (1.01 seconds taken)
mks_vir
No viruses found (0.22 seconds taken)
NOD32
No viruses found (0.73 seconds taken)
Norman Virus Control
Sandbox: W32/Malware; [ General information ]
* File length: 21530 bytes.
[ Changes to registry ]
* Sets value "Flags"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1001"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1004"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1200"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1201"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1206"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1400"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1402"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1405"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1406"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1407"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1601"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1604"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1605"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1606"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1607"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3". (0.67 seconds taken)
--------------
File: bar.exe
Status:
INFECTED/MALWARE
Packers detected:
PE-DIMINISHER, PE-CRYPT
AntiVir
No viruses found (1.19 seconds taken)
Avast
No viruses found (2.74 seconds taken)
AVG Antivirus
No viruses found (1.47 seconds taken)
BitDefender
Trojan.QLow.A (1.52 seconds taken)
ClamAV
No viruses found (1.70 seconds taken)
Dr.Web
Trojan.DownLoader.735 (2.86 seconds taken)
F-Prot Antivirus
No viruses found (0.28 seconds taken)
Fortinet
W32/Sdbot.KQ-net (1.26 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.LowZones.c (2.62 seconds taken)
mks_vir
No viruses found (0.40 seconds taken)
NOD32
No viruses found (0.99 seconds taken)
Norman Virus Control
Sandbox: W32/Malware; [ General information ]
* File length: 21530 bytes.
[ Changes to registry ]
* Sets value "Flags"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1001"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1004"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1200"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1201"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1206"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1400"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1402"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1405"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1406"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1407"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1601"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1604"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1605"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1606"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1607"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3". (1.29 seconds taken)
----------------
Just for fun, I've got ad.exe which I noticed was in my C directory as well. Doesn't look like Hijack picked it up:
File: ad.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain in the ass -, results will not be stored in the database.)
Packers detected:
UPX
AntiVir
No viruses found (0.40 seconds taken)
Avast
No viruses found (1.53 seconds taken)
AVG Antivirus
No viruses found (0.51 seconds taken)
BitDefender
No viruses found (0.61 seconds taken)
ClamAV
No viruses found (0.68 seconds taken)
Dr.Web
No viruses found (0.92 seconds taken)
F-Prot Antivirus
No viruses found (0.18 seconds taken)
Fortinet
No viruses found (0.47 seconds taken)
Kaspersky Anti-Virus
not-a-virus:AdWare.WinAD.ab (1.03 seconds taken)
mks_vir
No viruses found (0.46 seconds taken)
NOD32
No viruses found (1.03 seconds taken)
Norman Virus Control
No viruses found (1.87 seconds taken)
-------------
I'm using Spyware Blaster and IE-Spyad2 for protection against this sort of thing. It looks like viruses/spyware are getting in anyway. Something keeps on setting my restrictanonymous key in LSA back to 1.
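The results pasted above are worth reading for more than the hit count. What follows is an added example written for this page, not code from the thread or from Jotti's service: a Python parser for the report format above (engine name on one line, verdict with a timing suffix on the next, the Norman sandbox verdict spanning several lines), plus a small assessment that treats a packed sample with few hits, or sandbox-observed writes to the Internet Settings\Zones key, as suspicious rather than reassuring. The sample report embedded in the code is constructed by abbreviating two of the records above; the engine list, record fields and assessment rule are the example's own assumptions. Zone 3 under that key is Internet Explorer's Internet zone, which is why the "LowZones" names the scanners gave fit the writes the sandbox recorded.

```python
import re
from dataclasses import dataclass, field

# Engines that appear in the reports pasted in this thread (assumed list).
ENGINES = {"AntiVir", "Avast", "AVG Antivirus", "BitDefender", "ClamAV", "Dr.Web",
           "F-Prot Antivirus", "Fortinet", "Kaspersky Anti-Virus", "mks_vir",
           "NOD32", "Norman Virus Control"}
TIMING_RE = re.compile(r"\s*\(\d+(?:\.\d+)? seconds taken\)\s*$")
REG_SET_RE = re.compile(r'Sets value "([^"]*)"="([^"]*)" in key "([^"]+)"')
ZONE_KEY_RE = re.compile(r"Internet Settings\\Zones\\(\d+)$")  # zone 3 = IE Internet zone

# Constructed sample: two records abbreviated from the results posted above.
SAMPLE_REPORT = r"""File: veritas.exe
Status:
INFECTED/MALWARE
Packers detected:
PE_PATCH, ASPROTECT, PE-DIMINISHER, PE-CRYPT
AntiVir
Worm/Spybot.160768 (0.37 seconds taken)
Avast
No viruses found (1.51 seconds taken)
Kaspersky Anti-Virus
Backdoor.Win32.Rbot.gen (1.13 seconds taken)
NOD32
probably unknown NewHeur_PE (probable variant) (1.55 seconds taken)
----------------
File: g1.exe
Packers detected:
PE-DIMINISHER, PE-CRYPT
AVG Antivirus
No viruses found (0.97 seconds taken)
Kaspersky Anti-Virus
Trojan.Win32.LowZones.c (1.01 seconds taken)
Norman Virus Control
Sandbox: W32/Malware; [ General information ]
[ Changes to registry ]
* Sets value "1200"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1400"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3". (0.67 seconds taken)
"""


@dataclass
class ScanRecord:
    filename: str
    packers: list = field(default_factory=list)
    detections: dict = field(default_factory=dict)       # engine -> verdict text
    clean_engines: list = field(default_factory=list)
    registry_writes: list = field(default_factory=list)  # (value, data, key)

    def tampered_zones(self):
        """IE security zones the sandbox saw the sample write policy values to."""
        hits = (ZONE_KEY_RE.search(k) for _v, _d, k in self.registry_writes)
        return sorted({int(m.group(1)) for m in hits if m})


def _finish_engine(record, engine, buf):
    first = TIMING_RE.sub("", buf[0]).strip()      # verdict is the first line
    if first.startswith("No viruses found"):
        record.clean_engines.append(engine)
    else:
        record.detections[engine] = first
    for line in buf:                               # sandbox output lists registry writes
        m = REG_SET_RE.search(line)
        if m:
            record.registry_writes.append(m.groups())


def parse_jotti_report(text):
    records, current, engine, buf, expect_packers = [], None, None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if engine is not None:                     # collecting one engine's verdict
            buf.append(line)
            if "seconds taken)" in line:           # every verdict ends with a timing
                _finish_engine(current, engine, buf)
                engine, buf = None, []
            continue
        if line.startswith("File:"):
            current = ScanRecord(filename=line.split(":", 1)[1].strip())
            records.append(current)
        elif line == "Packers detected:":
            expect_packers = True
        elif expect_packers:                       # the packer list follows, or nothing
            expect_packers = False
            if line in ENGINES:
                engine = line
            else:
                current.packers = [p.strip() for p in line.split(",") if p.strip()]
        elif line in ENGINES and current is not None:
            engine = line
    return records


def assess(record):
    """Few hits on a packed sample are expected, not reassuring: packing is what
    defeats signature engines, and sandbox-observed writes to IE zone policies
    are a behaviour, not a signature that can go stale."""
    total = len(record.detections) + len(record.clean_engines)
    reasons = []
    if record.detections:
        reasons.append(f"flagged by {len(record.detections)}/{total} engines")
    if record.packers:
        reasons.append("packed with " + ", ".join(record.packers))
    zones = record.tampered_zones()
    if zones:
        reasons.append(f"writes IE security zone policies for zone(s) {zones}")
    return {"file": record.filename,
            "suspicious": bool(record.detections) or bool(zones),
            "reasons": reasons}


if __name__ == "__main__":
    for rec in parse_jotti_report(SAMPLE_REPORT):
        print(assess(rec))
```

Run as a script it prints one assessment per record. Lines the parser does not recognise (Status, separators, commentary between records) are ignored, so the full paste from this thread parses the same way as the abbreviated sample.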
-
Here's what you may want to try
Download and Install this small program
to help clean your temp folders, cookies, prefetch folder, etc.
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now but Don't run a scan yet
Restart into Safe mode
Delete these files
c:\g1.exe
C:\WINDOWS\System32\veritas.exe
c:\bar.exe
c:\ad.exe
Stay in safe mode Access your Internet options via Control Panel
Check your Settings under
Security>>You may want to ensure you Click Custom level and Reset
for INTERNET
You may want to check all your zones
Also navigate to this key in the Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
and reset
restrictanonymous value
back to 0
Remember, it's not the same as restrictanonymoussam
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Windows CleanUp!
START>>All programs>>CleanUp
Click the CleanUp button
Let it finish scanning, when it's done restart back to Normal mode
Post back a fresh Hijackthis log
You may want to show another Process Explorer log too
-
While that removed the spyware, the program crashes are continuing. They're actually now crashing in a variety of different ways that they weren't before, and it's exceptionally odd.
I appreciate your help so far. Hijack is now crashing whenever I try to save a log file, but I managed after a few tries.
Here's a new log of Hijack:
Logfile of HijackThis v1.99.0
Scan saved at 12:17:03 AM, on 3/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Admin\My Documents\procexpnt\procexp.exe
C:\PROGRA~1\SIMU\WIZARD\WIZARD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107918627181
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
I wasn't able to get another Process log. It's now crashing whenever I try to save a log file, but works fine otherwise.
-
In addition, everything that was removed in the last shutdown (veritas.exe, g1, etc.) restored itself, and doesn't seem to be removable through safe mode or any sort of anti-spy software that I've got. It's not even detecting them as problems, though clearly they are.
There's something unseen here that's causing things removed to suddenly reappear.
-
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe <-- can you run this file through the Online Malware scan, thanks
You may have another nasty that showed its head
We may have to use Killbox on these files
I'll post tomorrow
Can you also update your version of Hijackthis to version 1.99.1
You can get the latest version from my Signature below
Save to a permanent folder and post back a fresh Hijackthis log from it
-
New Hijack log. I tried to kill off a few things from the last one. I'm sure they'll be back:
Logfile of HijackThis v1.99.1
Scan saved at 1:10:06 PM, on 3/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Admin\My Documents\procexpnt\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Admin\My Documents\hijackthis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107918627181
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
-
Five minutes later...
Logfile of HijackThis v1.99.1
Scan saved at 1:27:18 PM, on 3/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\itunes.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\SIMU\WIZARD\WIZARD.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Admin\My Documents\procexpnt\procexp.exe
C:\Documents and Settings\Admin\My Documents\hijackthis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107918627181
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
And they're all coming back now.
-
Well, I see some new entries, but I'm not sure what you have fixed up to this time:
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe
Instead of going in circles here, let's try some new steps.
Download this virus checker from eScan:
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install; save it and then double-click to run.
It will self-extract.
Select all local drives, scan all files, press 'SCAN', and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information pane, left-click and highlight all the info in the lower pane. Use "CTRL C" on your keyboard to copy everything found in the lower pane and paste it in your next reply.
**** If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.
We just want to see where the bad guys are.
Post back a fresh HijackThis log afterwards too.
If you have trouble running Mwav in normal mode, try in safe mode, but I need to see the log afterwards.
-
Here are the logs. It looks like this virus scanner picked up a lot of stuff that programs like Spyware Doctor and AdAware missed:
File C:\PROGRA~1\CxtPls\cxtpls.dll infected by "not-a-virus:AdWare.Apropos.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msbe.dll infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\CxtPls\CxtPls.exe infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\CxtPls\WINGEN~1.DLL infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\zeta.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\a95kfrhe.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ahadp.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\angelex.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exdl.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exdl0.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exdl1.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exul.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exul1.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\WINDOWS\System32\javexulm.vxd infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\pingppac.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\q17i9a4j.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\TFTP3728 infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\veritas.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\4QUSQIJZ\prompt[1].php infected by "Trojan-Downloader.JS.IstBar.b" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\8RS2UDEF\AproposClientInstaller[1].exe infected by "Trojan-Downloader.Win32.Apropo.s" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\8RS2UDEF\AutoUpdaterInstaller[1].exe infected by "Trojan-Downloader.Win32.Apropo.g" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\8RS2UDEF\iesetup6a[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\8RS2UDEF\xo[2].exe infected by "Trojan.Win32.LowZones.g" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\IVQ3G23P\a770af7a[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\RSB345FP\dd[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\RSB345FP\g1[1].exe infected by "Trojan.Win32.LowZones.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\RSB345FP\iesetup6b[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\!Submit\auf0.exe infected by "Trojan-Downloader.Win32.Apropo.s" Virus. Action Taken: No Action Taken.
File C:\!Submit\bin\adv.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\!Submit\bin\adx.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\!Submit\bin\bargains.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\!Submit\ieupdate.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\!Submit\MediaPassK.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4QUSQIJZ\prompt[1].php infected by "Trojan-Downloader.JS.IstBar.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8RS2UDEF\AproposClientInstaller[1].exe infected by "Trojan-Downloader.Win32.Apropo.s" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8RS2UDEF\AutoUpdaterInstaller[1].exe infected by "Trojan-Downloader.Win32.Apropo.g" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8RS2UDEF\iesetup6a[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8RS2UDEF\xo[2].exe infected by "Trojan.Win32.LowZones.g" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\IVQ3G23P\a770af7a[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\RSB345FP\dd[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\RSB345FP\g1[1].exe infected by "Trojan.Win32.LowZones.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\RSB345FP\iesetup6b[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\My Documents\Setups\setup_ares.exe infected by "not-a-virus:AdWare.NavExcel.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\CxtPls\CxtPls.exe infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\CxtPls\uninstaller.exe infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\CxtPls\WinGenerics.dll infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\temp\Bargains.exe infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\a95kfrhe.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ahadp.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
Here's a new Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 3:02:22 AM, on 3/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\SIMU\WIZARD\WIZARD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\SIMU\WIZARD\WIZARD.EXE
C:\Documents and Settings\Admin\Desktop\hijackthis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [3s6X36O] vsssock.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe
O4 - HKCU\..\Run: [IBp7RWiqP] vfpsvpia.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107918627181
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
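The HijackThis log above is being read by hand for the usual warning signs: an O1 hosts entry that points a hostname at a non-loopback address, a BHO with no name, O4 Run values whose names look machine-generated or whose command is a bare filename with no path (so Windows resolves it through the search path, and it is harder to spot where it lives), and an O23 service with an unknown owner or a missing file. The following script, added here as an editorial example and not part of the original post or of HijackThis itself, encodes those checks as heuristics over a constructed sample built from entries copied out of the log above. The regular expressions, the "random-looking name" rule and the severity labels are my own assumptions about what a triage pass should flag, not anything HijackThis does internally.

```python
"""Heuristic triage of HijackThis (HJT) log lines. Added example; not HJT's own logic."""
import re
from collections import Counter

# Constructed sample: a subset of the O1/O2/O4/O23 entries posted in this thread.
SAMPLE_HJT = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [3s6X36O] vsssock.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe
O4 - HKCU\..\Run: [IBp7RWiqP] vfpsvpia.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
"""

# Line formats as HJT 1.99 prints them (assumed from the log above).
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

# Heuristic (my assumption): 6+ alphanumerics mixing digits and letters, no
# separators, is typical of generated value names such as "ap9h4qmo".
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6,}$")
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


def finding(section, reason, line):
    return {"section": section, "reason": reason, "line": line}


def triage(log_text):
    """Return one finding per suspicious entry; clean entries produce nothing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O1_RE.match(line):
            ip, host = m.group(1), m.group(2)
            if ip not in LOOPBACK:  # hosts-file redirection, not a block entry
                findings.append(finding("O1", f"hosts entry redirects {host} to {ip}", line))
        elif m := O2_RE.match(line):
            if m.group(1) == "(no name)":  # BHOs without a friendly name are rarely legitimate
                findings.append(finding("O2", "browser helper object with no name", line))
        elif m := O4_RE.match(line):
            name, cmd = m.group(3), m.group(4)
            exe = cmd.split()[0] if cmd.split() else ""
            reasons = []
            if "\\" not in exe:
                reasons.append("bare filename, resolved through the search path")
            if RANDOM_NAME.match(name):
                reasons.append("random-looking value name")
            if reasons:
                findings.append(finding("O4", "; ".join(reasons), line))
        elif m := O23_RE.match(line):
            owner, path = m.group(2), m.group(3)
            reasons = []
            if owner == "Unknown owner":
                reasons.append("service binary has no publisher information")
            if "(file missing)" in path:
                reasons.append("service points at a file that no longer exists")
            if reasons:
                findings.append(finding("O23", "; ".join(reasons), line))
    return findings


def by_section(findings):
    """Count findings per HJT section, e.g. {'O4': 5, ...}."""
    return Counter(f["section"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    print(dict(by_section(triage(SAMPLE_HJT))))
```

On the sample, the AVG Run value and the AVG service pass every check, while the two ITUNES values are flagged only because they are bare filenames; the three generated-looking names, the nameless BHO, the hosts redirect and the ZESOFT service each produce one finding. A bare-filename hit is a prompt to locate the file (here the earlier process list shows itunes.exe running from System32, which is not where iTunes installs), not proof of malware on its own.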
-
I'm sorry for not getting back. How are you doing? Has anything changed in your log?
Have you tried any new fixes?
Can you post a fresh HijackThis log?
If you need a hand removing some files, let me know.