Post by: Gyz on September 16, 2005, 05:33:53 PM
I would realy appreciate it if someone can help me to sort out this Trojan problem. I have run add aware and it does not seem to fix the problem.
Please see my HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 12:26:37 AM, on 2005/09/17
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\System32\LckFldService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\Services\{9DB830C1-7B9C-45DE-8F53-0DD3F2F6207E}\SVCHOST.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\Ad Aware\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/ (http://\"http://www.clicksearchclick.com/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.freeze.com (http://\"http://start.freeze.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\system32\services\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{9DB830C1-7B9C-45DE-8F53-0DD3F2F6207E}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{9DB830C1-7B9C-45DE-8F53-0DD3F2F6207E}\SECURITY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Huti] C:\Documents and Settings\Administrator\Application Data\orei.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download Flash with Flash Capture - C:\Program Files\Flash Capture\dl.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab (http://\"http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab\")?
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab (http://\"http://secure2.comned.com/signuptemplates/ActiveSecurity.cab\")
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/chedownzip.cab (http://\"http://cabs.roings.com/cabs/chedownzip.cab\")
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\fastload.dll
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\System32\LckFldService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Post by: guestolo on September 17, 2005, 02:44:56 AM
Download and Install Ad-Aware SE Personal 1.06 (http://\"ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
===================================
Download and Install Spybot 1.4 from
HERE (http://\"http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button\")
or HERE (http://\"http://www.safer-networking.org/en/download/index.html\")
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected promblems in RED
RESTART the computer to finish the cleaning process
After you have done the above
Do you have Proland AV installed on your system?
I'm not sure how effective it is
If your unsure about it please uninstall it
Download the free version of AVG 7 from the following link
http://free.grisoft.com/doc/2/lng/us/tpl/v5 (http://\"http://free.grisoft.com/doc/2/lng/us/tpl/v5\")
Scroll to the bottom
AVG Free Edition installation files
File Version
avg70free_344a618.exe <-click on this link or similiar
Save the installer to desktop
Double click to install and follow the prompts
Restart if prompted and ensure AVG is right up to date
Run a full system scan and then restart the computer again
Post back a fresh hijackthis log afterwards
Post by: Gyz on September 18, 2005, 08:01:09 AM
I did everything you asked me to do except uninstall Proland Av, I couldn't find it on my system.
Please see HijackThis log as requested, just check if I need to do anything more.
Thx
Logfile of HijackThis v1.99.1
Scan saved at 02:55:42 PM, on 2005/09/18
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\LckFldService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\Ad Aware\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mweb.co.za/ (http://\"http://www.mweb.co.za/\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.freeze.com (http://\"http://start.freeze.com\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\system32\services\services.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Huti] C:\Documents and Settings\Administrator\Application Data\orei.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download Flash with Flash Capture - C:\Program Files\Flash Capture\dl.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab (http://\"http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab\")?
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab (http://\"http://secure2.comned.com/signuptemplates/ActiveSecurity.cab\")
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\System32\LckFldService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Post by: guestolo on September 18, 2005, 07:14:46 PM
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup! 4.0 (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Navigate too, find and delete the following files if they exist
C:\WINDOWS\system32\services\services.exe <-file
C:\Documents and Settings\Administrator\Application Data\orei.exe <-file
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\system32\services\services.exe
O4 - HKCU\..\Run: [Huti] C:\Documents and Settings\Administrator\Application Data\orei.exe
Optionally fix the next one too, not a bad guy but a registration reminder that's not needed on startup
O4 - Startup: PowerReg Scheduler.exe
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Restart your computer back to Normal mode
Run Hijackthis again and post a fresh log
Could you also do the following
Open Notepad
START>>>RUN>>>type in notepad
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as find.bat
Save this file on the desktop
Code: [Select]
@echo off
cd C:\WINDOWS\system32\services
dir /s /a > C:\services.txt
notepad C:\services.txt
del /q C:\services.txtDouble click on find.batA text file will open, can you copy and paste the contents back here please
Also, this is what I found on what I suspected as
Proland AV
It's possible your using the AV
But take a look and let me know if you know what parts of their software you use
http://www.pspl.com/ (http://\"http://www.pspl.com/\")
or
http://www.pspl.com/support/faqpage.htm (http://\"http://www.pspl.com/support/faqpage.htm\")
Post by: Gyz on September 21, 2005, 03:58:23 PM
Firstly, thank you for helping me to sort out all these problems - I really appreciate it.
O.K.
See as requested new HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 10:42:40 PM, on 2005/09/21
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\LckFldService.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\Ad Aware\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mweb.co.za/ (http://\"http://www.mweb.co.za/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.freeze.com (http://\"http://start.freeze.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Download Flash with Flash Capture - C:\Program Files\Flash Capture\dl.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab (http://\"http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab\")?
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab (http://\"http://secure2.comned.com/signuptemplates/ActiveSecurity.cab\")
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\System32\LckFldService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Please see as requested the find.bat reply
Volume in drive C has no label.
Volume Serial Number is B88E-8F5C
Directory of C:\Documents and Settings\Administrator\Desktop
2005/09/21 10:49 PM <DIR> .
2005/09/21 10:49 PM <DIR> ..
2005/09/03 05:32 PM 1,819 Age of Empires II.lnk
2005/09/21 10:49 PM 120 find.bat
2004/03/12 10:22 PM 675 Flash Capture.lnk
2004/06/02 06:20 PM 670 FolderAccess.lnk
2005/08/10 10:17 AM 2,473 Microsoft Word.lnk
2004/02/04 07:41 PM 1,700,096 mweb_accelerator.exe
2005/09/21 10:00 PM 2,661 note.txt
2004/11/01 08:24 PM 576 Shortcut to m-web.lnk
2005/09/17 09:12 PM 933 Spybot - Search & Destroy.lnk
2004/03/20 09:02 PM 5,167,261 update710.exe
2003/11/27 02:16 PM 630 Webshots Desktop.lnk
2004/07/28 06:18 PM 654 Winamp.lnk
12 File(s) 6,878,568 bytes
Total Files Listed:
12 File(s) 6,878,568 bytes
2 Dir(s) 16,786,681,856 bytes free
A few questions and some feedback.
1. I could not find the orei.exe file
2. I think I found the services.exe file, but its a program - I couldn't delete it- Maybe I did something wrong?
3. I am not using Avant Browser anymore, can I remove the Avant links on the HijackThis log.
I have'nt yet had time to lookk into the Proland Av problem - will look into it a.s.a.p.
Thanx
Post by: guestolo on September 21, 2005, 06:35:54 PM
/huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' /> Yes, if you have uninstalled Avant we'll get rid of those entries
Do another scan with Hijackthis and put a check next to these entries:
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab (http://\"http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab\")?
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab (http://\"http://secure2.comned.com/signuptemplates/ActiveSecurity.cab\")
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer
Back in windows
Your way behind on Windows Updates, this is very unsafe well being online
You should visit Windows updates and install all Latest Critical (High Priority) updates and Service Packs to help keep you secure
After installing the updates
One final check
You have a legitmate services.exe in your System32 folder
Leave it alone
The bad one showed up as services.exe in a possible Services folder in the System32 folder
Does that make sense
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' /> Here is the path of the Legitimate services.exe
C:\WINDOWS\SYSTEM32\services.exe
I wanted you too look for a bad guy in this location
C:\WINDOWS\system32\services\services.exe <-file
It may not be found, but take a look
Also, post a fresh Hijackthis log afterwards
Post by: Gyz on September 22, 2005, 03:49:33 PM
I am busy with the Updates it might take a while to complete. But I have a new problem, I hope you can help.
It seems my sound system stoped working for no apparent reason.
I have a C-Media AC 97 Audio Device installed. It says that the device can not start (Code 10) I have uninstalled it, and when Windows picks it up it says that the device could not be installed correctly and might not work properly.
Do you have any advice that might help to sort out this problem?
Thanx
Post by: Gyz on September 22, 2005, 03:54:13 PM
Post by: guestolo on September 22, 2005, 10:28:23 PM
Post by: Gyz on September 23, 2005, 01:17:47 PM
I have dowloaded moest of the critical updates available and some others, I have not yet started with the service packs - Will do that over time.
Please see new HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 08:14:54 PM, on 2005/09/23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\LckFldService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Propel Accelerator\PropelAC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\Ad Aware\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mweb.co.za/ (http://\"http://www.mweb.co.za/\")
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.freeze.com (http://\"http://start.freeze.com\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunOnce: [Q828026] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download Flash with Flash Capture - C:\Program Files\Flash Capture\dl.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADF7114C-285E-4D20-BB4D-B7EB27E07CAE}: NameServer = 196.2.24.10 196.2.45.101
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~2\WINDOW~1\fastload.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LckFldService - Unknown owner - C:\WINDOWS\System32\LckFldService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Post by: guestolo on September 24, 2005, 09:37:42 PM