Author Topic: Strange issues.  (Read 1351 times)

Offline Mek2005

Strange issues.
« on: March 06, 2005, 08:24:57 PM »
Hi there.  I'm new to this forum and posting here as a last resort.  I'm having some issues that I can't seem to kill, and they're unlike anything I've seen before.

I'm running Windows XP Home, and I'll provide a HijackThis log below, but here's a list of basic problems.  First off, Task Manager auto-minimizes to the systray when I try to open it and refuses to display in window format.  If it's minimized, it stops responding.  

I use Trillian to chat via AIM (no IRC/other messengers) and whenever I try to open a chat log file or receive a file, it stops responding, but it works fine if I don't touch those features.

If I try to download anything in Firefox, the download gets to about 95% and then the program stops responding.  Firefox itself browses just fine, so long as I don't try to save or download anything.

If I'm in gmail and go to click "Browse" to attach a file to an e-mail, Firefox freezes and stops responding.  I seem to be able to send and receive e-mail just fine.

If I'm in a particular gaming client that uses commands to pop open Firefox windows to access various parts of the game's website, and I input one of those commands, the client freezes and stops responding.  I can still input text into the client window and play just fine.

I don't have any of these issues for the first few minutes after restarting my PC -- everything works fine.  Within five minutes, though, without fail, it all pretty much goes to hell.

I recently ran full system scans with AdAware and Spyware Doctor and cleared all of the spyware that they found off the PC while it was running in safe mode.  I also ran a full system scan with TDS-3 (trojan checker) in safe mode and cleared all of the positive matches it found.  I've manually gone through every faulty registry key, cleared those, and deleted malware found in Program Files and the system32 folders while in safe mode.

For some reason, the problem is continuing, and the programs continue to stop responding whenever I try any of the above activities (and more).

[Edited to add:] Another thing that crashes after about twenty minutes is my sound card.  I stop being able to play sound files because it can't find it.  This all sounds to me like something virus-associated, but I can't find any viruses on the system.

People seem to appreciate hijackthis logs, so here's mine:

Logfile of HijackThis v1.99.0
Scan saved at 7:18:15 PM, on 3/6/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107918627181
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

If anybody's able to help with this, I'd greatly appreciate it.  I'm at my wit's end in terms of figuring out what could be wrong.

-Mike
« Last Edit: March 06, 2005, 09:41:29 PM by Mek2005 »

Offline guestolo

Strange issues.
« Reply #1 on: March 06, 2005, 09:59:31 PM »
I don't see anything malicious that could be causing this behaviour.
Are you using the latest versions of Trillian and Firefox?

Does Task Manager open up in Safe mode?

In case Hijackthis isn't showing everything, you may want to download Process Explorer.
Run it, save a log of the running processes and then post it.

I'm not sure if one of these registry fixes will work or not:
http://www.kellys-korner-xp.com/taskbarplus!.htm

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline guestolo

Strange issues.
« Reply #2 on: March 06, 2005, 10:31:16 PM »
Forgot the link to Process Explorer
Here you go
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml



Offline Mek2005

Strange issues.
« Reply #3 on: March 06, 2005, 10:37:55 PM »
I'm not sure the registry fixes are going to be helpful, though I tried a few to no avail.  Oddly, two IE windows popped up with porn advertisements last time I restarted my computer (that's never happened before).  So there's something going on here.

I'm using the latest version of Firefox, though I'm using an older version of Trillian because I like that one better.

Basically what happens with the TaskManager is I hit ALT+CTRL+DEL and it pops up the green monitor in the systray, but that's all it does -- it runs the process without actually popping up a window for it, and I can't get the window to appear no matter what I do.

I installed AVG's free antivirus software which found two bits of malicious data and removed them, but the problems are persisting, and programs are still crashing.

Here's a new log from HiJackThis and also from the program you gave me:

Logfile of HijackThis v1.99.0
Scan saved at 9:26:54 PM, on 3/6/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\veritas.exe
C:\WINDOWS\system32\spoolsv.exe
c:\g1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\bar.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107918627181
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

From Process:
Process   PID   CPU   Description   Company Name
System Idle Process   0   94.29      
 Interrupts   n/a      Hardware Interrupts   
 DPCs   n/a      Deferred Procedure Calls   
 System   4   0.95      
  smss.exe   432      Windows NT Session Manager   Microsoft Corporation
   csrss.exe   480      Client Server Runtime Process   Microsoft Corporation
   winlogon.exe   508      Windows NT Logon Application   Microsoft Corporation
    services.exe   552   2.86   Services and Controller app   Microsoft Corporation
     svchost.exe   740      Generic Host Process for Win32 Services   Microsoft Corporation
     svchost.exe   792      Generic Host Process for Win32 Services   Microsoft Corporation
      wuauclt.exe   3432      Automatic Updates   Microsoft Corporation
     svchost.exe   868      Generic Host Process for Win32 Services   Microsoft Corporation
     svchost.exe   884      Generic Host Process for Win32 Services   Microsoft Corporation
     CCSETMGR.EXE   1044      Symantec Settings Manager Service   Symantec Corporation
     SPBBCSvc.exe   1164      SPBBC Service   Symantec Corporation
     CCEVTMGR.EXE   1244      Symantec Event Manager Service   Symantec Corporation
     spoolsv.exe   1732      Spooler SubSystem App   Microsoft Corporation
     avgamsvr.exe   1036      AVG Alert Manager   GRISOFT, s.r.o.
     avgupsvc.exe   1648      AVG Update Service   GRISOFT, s.r.o.
     navapsvc.exe   1880      Norton AntiVirus Auto-Protect Service   Symantec Corporation
     NPFMntor.exe   2076      Norton AntiVirus Firewall Install Monitor   Symantec Corporation
     symlcsvc.exe   2156      Symantec Core Component   Symantec Corporation
    lsass.exe   564      LSA Shell (Export Version)   Microsoft Corporation
    taskmgr.exe   4012      Windows TaskManager   Microsoft Corporation
explorer.exe   1176      Windows Explorer   Microsoft Corporation
 CCAPP.EXE   1508      Symantec User Session   Symantec Corporation
 avgcc.exe   1568      AVG Control Center   GRISOFT, s.r.o.
 avgemc.exe   1628      AVG E-Mail Scanner   GRISOFT, s.r.o.
 veritas.exe   1640         
  g1.exe   1076         
  bar.exe   1840         
 firefox.exe   3292      Firefox   Mozilla
 procexp.exe   4092   1.90   Sysinternals Process Explorer   Sysinternals
notepad.exe   3712      Notepad   Microsoft Corporation

Process: Procexp Pid: -2

Type   Name

Personally, I'm not seeing anything malicious either, but if there's nothing malicious, then where would those porn popups in IE windows have come from at startup?

The fact that taskmgr immediately minimizes to the systray and becomes inaccessible has me highly suspicious, I just can't see what's causing the problem.

-Mike
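The Process Explorer listing above is the first place the infection is actually visible: veritas.exe, g1.exe and bar.exe carry no description and no company name, and the indentation shows g1.exe and bar.exe were spawned by veritas.exe. The script below, an added example that is not part of the original posts, rebuilds that parent/child tree from a saved Process Explorer listing and flags exactly those processes. It assumes procexp's saved text is tab-separated with one leading space per tree level (the listing above is that format with the tabs flattened); the sample is a constructed, abridged copy of it.

```python
"""Rebuild the process tree from a Process Explorer text export and flag
processes that carry neither a description nor a company name."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, abridged from the Process Explorer output in this
# thread. Assumed format: tab-separated columns, one leading space per level.
SAMPLE_LOG = (
    "Process\tPID\tCPU\tDescription\tCompany Name\n"
    "System Idle Process\t0\t94.29\t\t\n"
    " Interrupts\tn/a\t\tHardware Interrupts\t\n"
    " System\t4\t0.95\t\t\n"
    "  smss.exe\t432\t\tWindows NT Session Manager\tMicrosoft Corporation\n"
    "   winlogon.exe\t508\t\tWindows NT Logon Application\tMicrosoft Corporation\n"
    "    services.exe\t552\t2.86\tServices and Controller app\tMicrosoft Corporation\n"
    "     svchost.exe\t740\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation\n"
    "     navapsvc.exe\t1880\t\tNorton AntiVirus Auto-Protect Service\tSymantec Corporation\n"
    "    lsass.exe\t564\t\tLSA Shell (Export Version)\tMicrosoft Corporation\n"
    "explorer.exe\t1176\t\tWindows Explorer\tMicrosoft Corporation\n"
    " avgcc.exe\t1568\t\tAVG Control Center\tGRISOFT, s.r.o.\n"
    " veritas.exe\t1640\t\t\t\n"
    "  g1.exe\t1076\t\t\t\n"
    "  bar.exe\t1840\t\t\t\n"
    " firefox.exe\t3292\t\tFirefox\tMozilla\n"
)

# Kernel pseudo-processes that legitimately have no version resources.
PSEUDO = {"System Idle Process", "System", "Interrupts", "DPCs"}


@dataclass
class Proc:
    name: str
    pid: Optional[int]
    depth: int
    description: str
    company: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def parse_procexp(text: str) -> List[Proc]:
    """Parse the export; the nearest shallower line is each process's parent."""
    procs: List[Proc] = []
    stack: List[Proc] = []  # open ancestors, shallowest first
    for line in text.splitlines()[1:]:  # skip the column header
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip(" "))
        cols = line.lstrip(" ").split("\t")
        cols += [""] * (5 - len(cols))
        name, pid_s, _cpu, desc, company = cols[:5]
        pid = int(pid_s) if pid_s.isdigit() else None  # "n/a" for Interrupts/DPCs
        p = Proc(name, pid, depth, desc.strip(), company.strip())
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def suspicious(procs: List[Proc]) -> List[Proc]:
    """Real Windows and vendor binaries almost always carry version info;
    a blank description AND blank company is worth a second look."""
    return [p for p in procs
            if p.name not in PSEUDO and not p.description and not p.company]


def lineage(p: Optional[Proc]) -> str:
    """'child(pid) <- parent(pid) <- ...' up to the root of the tree."""
    chain = []
    while p is not None:
        chain.append(f"{p.name}({p.pid})")
        p = p.parent
    return " <- ".join(chain)


def report(text: str) -> List[str]:
    """One line per flagged process, with the chain that started it."""
    return [f"no version info: {lineage(p)}" for p in suspicious(parse_procexp(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a real export (File > Save in Process Explorer), the parent chain is what matters: a nameless binary started by explorer.exe that itself spawns two more nameless binaries from C:\ is the pattern this thread is looking at, and it is invisible in HijackThis, which lists processes flat.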

Offline guestolo

Strange issues.
« Reply #4 on: March 06, 2005, 10:47:58 PM »
Can you access this online malware scan? Give the site time to load:
Jotti's Online Malware scan

Use the browse button and navigate to this file
C:\WINDOWS\System32\veritas.exe<--this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please, just the scanner results.

While you're there, could you do the same thing with these files:


C:\g1.exe
c:\bar.exe



Offline Mek2005

Strange issues.
« Reply #5 on: March 06, 2005, 11:14:12 PM »
They're malware.  The strange thing is that when I started this thread, they weren't there, and I hadn't visited any new sites.  I kind of wonder how they got here in the last two hours.

Here's the scan results:

File:    veritas.exe
Status:    
INFECTED/MALWARE
Packers detected:    
PE_PATCH, ASPROTECT, PE-DIMINISHER, PE-CRYPT
 
AntiVir    
Worm/Spybot.160768 (0.37 seconds taken)
Avast    
No viruses found (1.51 seconds taken)
AVG Antivirus    
No viruses found (0.49 seconds taken)
BitDefender    
No viruses found (0.71 seconds taken)
ClamAV    
No viruses found (0.62 seconds taken)
Dr.Web    
Win32.HLLW.MyBot (0.90 seconds taken)
F-Prot Antivirus    
No viruses found (0.43 seconds taken)
Fortinet    
No viruses found (0.44 seconds taken)
Kaspersky Anti-Virus    
Backdoor.Win32.Rbot.gen (1.13 seconds taken)
mks_vir    
No viruses found (0.24 seconds taken)
NOD32    
probably unknown NewHeur_PE (probable variant) (1.55 seconds taken)
Norman Virus Control    
No viruses found (1.32 seconds taken)

----------------

File:    g1.exe
Status:    
INFECTED/MALWARE
Packers detected:    
PE-DIMINISHER, PE-CRYPT
 
AntiVir    
No viruses found (0.83 seconds taken)
Avast    
No viruses found (3.06 seconds taken)
AVG Antivirus    
No viruses found (0.97 seconds taken)
BitDefender    
Trojan.QLow.A (0.95 seconds taken)
ClamAV    
No viruses found (0.72 seconds taken)
Dr.Web    
Trojan.DownLoader.735 (0.89 seconds taken)
F-Prot Antivirus    
No viruses found (0.12 seconds taken)
Fortinet    
W32/Sdbot.KQ-net (0.42 seconds taken)
Kaspersky Anti-Virus    
Trojan.Win32.LowZones.c (1.01 seconds taken)
mks_vir    
No viruses found (0.22 seconds taken)
NOD32    
No viruses found (0.73 seconds taken)
Norman Virus Control    
Sandbox: W32/Malware; [ General information ]

* File length: 21530 bytes.

[ Changes to registry ]
* Sets value "Flags"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1001"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1004"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1200"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1201"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1206"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1400"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1402"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1405"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1406"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1407"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1601"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1604"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1605"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1606"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1607"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3". (0.67 seconds taken)

--------------

File:    bar.exe
Status:    
INFECTED/MALWARE
Packers detected:    
PE-DIMINISHER, PE-CRYPT
 
AntiVir    
No viruses found (1.19 seconds taken)
Avast    
No viruses found (2.74 seconds taken)
AVG Antivirus    
No viruses found (1.47 seconds taken)
BitDefender    
Trojan.QLow.A (1.52 seconds taken)
ClamAV    
No viruses found (1.70 seconds taken)
Dr.Web    
Trojan.DownLoader.735 (2.86 seconds taken)
F-Prot Antivirus    
No viruses found (0.28 seconds taken)
Fortinet    
W32/Sdbot.KQ-net (1.26 seconds taken)
Kaspersky Anti-Virus    
Trojan.Win32.LowZones.c (2.62 seconds taken)
mks_vir    
No viruses found (0.40 seconds taken)
NOD32    
No viruses found (0.99 seconds taken)
Norman Virus Control    
Sandbox: W32/Malware; [ General information ]

* File length: 21530 bytes.

[ Changes to registry ]
* Sets value "Flags"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1001"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1004"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1200"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1201"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1206"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1400"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1402"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1405"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1406"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1407"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1601"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1604"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1605"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1606"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1607"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3". (1.29 seconds taken)

----------------

Just for fun, I've got ad.exe, which I noticed was in my C directory as well.  Doesn't look like Hijack picked it up:

File:    ad.exe
Status:    
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain in the ass -, results will not be stored in the database.)
Packers detected:    
UPX
 
AntiVir    
No viruses found (0.40 seconds taken)
Avast    
No viruses found (1.53 seconds taken)
AVG Antivirus    
No viruses found (0.51 seconds taken)
BitDefender    
No viruses found (0.61 seconds taken)
ClamAV    
No viruses found (0.68 seconds taken)
Dr.Web    
No viruses found (0.92 seconds taken)
F-Prot Antivirus    
No viruses found (0.18 seconds taken)
Fortinet    
No viruses found (0.47 seconds taken)
Kaspersky Anti-Virus    
not-a-virus:AdWare.WinAD.ab (1.03 seconds taken)
mks_vir    
No viruses found (0.46 seconds taken)
NOD32    
No viruses found (1.03 seconds taken)
Norman Virus Control    
No viruses found (1.87 seconds taken)

-------------

I'm using Spyware Blaster and IE-Spyad2 for protection against this sort of thing.  It looks like viruses/spyware are getting in anyway.  Something keeps on setting my restrictanonymous key in LSA back to 1.
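The Norman sandbox lines for g1.exe and bar.exe are the interesting part of the scan results: every value they write lives under Zones\3, the Internet zone, and the value names are the per-action settings shown in Internet Options > Security > Custom Level (1001 is "Download signed ActiveX controls", 1004 "Download unsigned ActiveX controls", 1201 "Initialize and script ActiveX controls not marked as safe", and so on; 0 means Enable, 1 Prompt, 3 Disable). A "LowZones" trojan earns its name by lowering those to Enable so later drive-by downloads run without a prompt, which is why the popups and the new files kept arriving. The script below is an added example, not code from the thread or from any of the tools named in it: it maps the sandbox report onto those setting names and audits a zone's values against a conservative baseline. The baseline is an assumption for this example (the strictest setting a practitioner would want, not IE's shipped defaults), the sample report is a constructed copy of the lines above, and the live-registry reader assumes the per-user key path the sandbox named.

```python
"""Decode IE security-zone tampering reported by a sandbox and audit a zone's
action values against a conservative baseline."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: "Changes to registry" lines as the Norman sandbox
# printed them for g1.exe in this thread (abridged).
SANDBOX_REPORT = r'''* Sets value "Flags"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1001"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1004"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1201"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1400"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1406"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".'''

# Value name -> setting label as shown in Custom Level.
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1206": "Allow scripting of Internet Explorer Webbrowser control",
    "1400": "Active scripting",
    "1402": "Scripting of Java applets",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1406": "Access data sources across domains",
    "1407": "Allow paste operations via script",
    "1601": "Submit non-encrypted form data",
    "1604": "Font download",
    "1605": "Run Java",
    "1606": "Userdata persistence",
    "1607": "Navigate sub-frames across different domains",
}
SETTING = {0: "Enable", 1: "Prompt", 3: "Disable"}
STRICTNESS = {0: 0, 1: 1, 3: 2}  # Enable < Prompt < Disable
ZONE_NAMES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
              "3": "Internet", "4": "Restricted sites"}

# Assumed baseline for the Internet zone (this example's choice, not IE's
# defaults): the loosest setting that should be tolerated per action.
BASELINE_INTERNET = {"1001": 1, "1004": 3, "1201": 3, "1206": 3,
                     "1406": 1, "1407": 1, "1601": 1}

LINE_RE = re.compile(r'Sets value "(?P<name>[^"]+)"="(?P<data>[^"]*)" in key "(?P<key>[^"]+)"')


def parse_sandbox(report: str) -> List[Tuple[str, str, str]]:
    """(zone id, value name, data) for every write under ...\\Zones\\N."""
    out = []
    for m in LINE_RE.finditer(report):
        zm = re.search(r"\\Zones\\(\d)$", m.group("key"))
        if zm:
            out.append((zm.group(1), m.group("name"), m.group("data")))
    return out


def describe(report: str) -> List[str]:
    """Human-readable view of which zone settings the sample rewrote."""
    lines = []
    for zone, name, _data in parse_sandbox(report):
        what = "zone flags bitmask" if name == "Flags" else ACTIONS.get(name, "unknown action")
        lines.append(f"{ZONE_NAMES.get(zone, zone)} zone: {name} ({what}) rewritten")
    return lines


def audit_zone(values: Dict[str, int], baseline: Dict[str, int] = BASELINE_INTERNET) -> List[str]:
    """One finding per action that is looser than the baseline allows."""
    findings = []
    for name, floor in baseline.items():
        cur = values.get(name)
        if cur is not None and STRICTNESS.get(cur, 0) < STRICTNESS[floor]:
            findings.append(f"{name} {ACTIONS[name]}: {SETTING.get(cur, cur)} "
                            f"(expected at least {SETTING[floor]})")
    return findings


def read_zone_values(zone: str = "3") -> Optional[Dict[str, int]]:
    """Read the live per-user zone values on Windows; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" + "\\" + zone
    values: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _typ = winreg.EnumValue(key, i)
            except OSError:
                break
            if isinstance(data, int):
                values[name] = data
            i += 1
    return values


if __name__ == "__main__":
    for line in describe(SANDBOX_REPORT):
        print(line)
    # What a LowZones-style trojan leaves behind: everything set to Enable.
    for finding in audit_zone({name: 0 for name in ACTIONS}):
        print("WEAK:", finding)
```

On the infected machine, `read_zone_values()` followed by `audit_zone()` shows whether Custom Level > Reset actually took, and re-running it a few minutes later is the cheapest way to prove that something is still rewriting the zone (the same trick that exposed restrictanonymous being flipped).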

Offline guestolo

Strange issues.
« Reply #6 on: March 07, 2005, 12:14:48 AM »
Here's what you may want to try.
Download and install this small program
to help clean your temp folders, cookies, prefetch folder, etc.:
Windows Cleanup
Install it for now but don't run a scan yet.

Restart into Safe mode
Delete these files
c:\g1.exe
C:\WINDOWS\System32\veritas.exe
c:\bar.exe
c:\ad.exe

Stay in safe mode. Access your Internet Options via Control Panel.
Check your settings under
Security>>You may want to ensure you click Custom Level and Reset
for INTERNET.
You may want to check all your zones.

Also navigate to this key in the Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
and reset
restrictanonymous value
back to 0

Remember, it's not the same as restrictanonymoussam
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis


Run Windows CleanUp!
START>>All programs>>CleanUp
Click the CleanUp button
Let it finish scanning, when it's done restart back to Normal mode

Post back a fresh Hijackthis log
You may want to show another Process Explorer log too
« Last Edit: March 07, 2005, 12:19:21 AM by guestolo »



Offline Mek2005

Strange issues.
« Reply #7 on: March 07, 2005, 01:19:39 AM »
While that removed the spyware, the program crashes are continuing.  They're actually now crashing in a variety of different ways that they weren't before, and it's exceptionally odd.

I appreciate your help so far.  Hijack is now crashing whenever I try to save a log file, but I managed after a few tries.

Here's a new log of Hijack:

Logfile of HijackThis v1.99.0
Scan saved at 12:17:03 AM, on 3/7/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Admin\My Documents\procexpnt\procexp.exe
C:\PROGRA~1\SIMU\WIZARD\WIZARD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107918627181
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

I wasn't able to get another Process log.  It's now crashing whenever I try to save a log file, but works fine otherwise.

Offline Mek2005

Strange issues.
« Reply #8 on: March 07, 2005, 01:30:43 AM »
In addition, everything that was removed in the last shutdown (veritas.exe, g1, etc.) restored itself, and doesn't seem to be removable through safe mode or any sort of anti-spy software that I've got.  It's not even detecting them as problems, though clearly they are.

There's something unseen here that's causing things removed to suddenly reappear.
« Last Edit: March 07, 2005, 01:32:15 AM by Mek2005 »

Offline guestolo

Strange issues.
« Reply #9 on: March 07, 2005, 02:02:20 AM »
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe <--can you run this file through the Online Malware scan, thanks

You may have another nasty that showed its head.
We may have to use Killbox on these files
I'll post tomorrow

Can you also update your version of Hijackthis to version 1.99.1
You can get the latest version from my Signature below
Save to a permanent folder and post back a fresh Hijackthis log from it
« Last Edit: March 07, 2005, 02:16:14 AM by guestolo »



Offline Mek2005

Strange issues.
« Reply #10 on: March 07, 2005, 02:11:08 PM »
New Hijack log.  I tried to kill off a few things from the last one.  I'm sure they'll be back:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:06 PM, on 3/7/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Trillian\trillian.exe
C:\Documents and Settings\Admin\My Documents\procexpnt\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Admin\My Documents\hijackthis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107918627181
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

Offline Mek2005

Strange issues.
« Reply #11 on: March 07, 2005, 02:29:24 PM »
Five minutes later...

Logfile of HijackThis v1.99.1
Scan saved at 1:27:18 PM, on 3/7/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\itunes.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\SIMU\WIZARD\WIZARD.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Admin\My Documents\procexpnt\procexp.exe
C:\Documents and Settings\Admin\My Documents\hijackthis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107918627181
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

And they're all coming back now.

Offline guestolo

Strange issues.
« Reply #12 on: March 07, 2005, 08:34:47 PM »
Well, I see some new entries, but I'm not sure what you have fixed up to this time:
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe

Instead of going in circles here, let's try some new steps.
Download this virus checker from eScan:
Mwav.exe
There's nothing to install; save it and then double-click to run.
It will self-extract.

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information pane, left-click and highlight all the info in the lower pane, then use "CTRL C" on your keyboard to copy everything found in the lower pane and paste it in your next reply.

****If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning.
We just want to see where the bad guys are.

Post back a fresh HijackThis log afterwards too.

If you have trouble running Mwav in Normal mode, try in Safe Mode, but I need to see the log afterwards.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
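The comparison guestolo is doing by eye above (which O4 entries and processes are new between the 1:10 PM and 1:27 PM logs) can be automated. This is an added example, not code from the thread, HijackThis or eScan; the two log excerpts are constructed from the logs posted above, and the "bare file name" and "Unknown owner" heuristics are this example's own triage rules.

```python
import re

# Constructed excerpts of the two HijackThis logs posted above (1:10 PM and
# 1:27 PM, 3/7/2005), trimmed to the lines that matter for the comparison.
LOG_1310 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""
LOG_1327 = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\itunes.exe
C:\Program Files\Media Pass\MediaPass.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

ENTRY = re.compile(r"^O\d+ - ")

def parse_hjt(text):
    """Return (running processes, O-entries) as two sets. Process paths are
    lower-cased because Windows paths are case-insensitive (System32/system32)."""
    procs, entries, in_procs = set(), set(), False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            procs.add(line.lower())
        elif ENTRY.match(line):
            entries.add(line)
    return procs, entries

def diff_logs(old, new):
    """What appeared and what disappeared between two scans."""
    op, oe = parse_hjt(old)
    np_, ne = parse_hjt(new)
    return {"new_processes": sorted(np_ - op), "gone_processes": sorted(op - np_),
            "new_entries": sorted(ne - oe), "gone_entries": sorted(oe - ne)}

def flag_entries(entries):
    """Heuristic (this example's own): O4 autoruns that give a bare file name with
    no path, and O23 services with no publisher, deserve a second look."""
    out = []
    for e in sorted(entries):
        if e.startswith("O4") and "\\" not in e.split("] ", 1)[-1]:
            out.append(e)
        elif e.startswith("O23") and "Unknown owner" in e:
            out.append(e)
    return out
```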


Offline Mek2005

Strange issues.
« Reply #13 on: March 08, 2005, 04:03:18 AM »
Here are the logs.  It looks like this virus scanner picked up a lot of stuff that programs like Spyware Doctor and AdAware missed:

File C:\PROGRA~1\CxtPls\cxtpls.dll infected by "not-a-virus:AdWare.Apropos.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msbe.dll infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\CxtPls\CxtPls.exe infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\PROGRA~1\CxtPls\WINGEN~1.DLL infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\zeta.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\a95kfrhe.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ahadp.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\angelex.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exdl.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exdl0.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exdl1.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exul.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\exul1.exe infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\WINDOWS\System32\javexulm.vxd infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.BargainBuddy.q" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\pingppac.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\q17i9a4j.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\TFTP3728 infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\veritas.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\4QUSQIJZ\prompt[1].php infected by "Trojan-Downloader.JS.IstBar.b" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\8RS2UDEF\AproposClientInstaller[1].exe infected by "Trojan-Downloader.Win32.Apropo.s" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\8RS2UDEF\AutoUpdaterInstaller[1].exe infected by "Trojan-Downloader.Win32.Apropo.g" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\8RS2UDEF\iesetup6a[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\8RS2UDEF\xo[2].exe infected by "Trojan.Win32.LowZones.g" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\IVQ3G23P\a770af7a[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\RSB345FP\dd[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\RSB345FP\g1[1].exe infected by "Trojan.Win32.LowZones.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\RSB345FP\iesetup6b[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\!Submit\auf0.exe infected by "Trojan-Downloader.Win32.Apropo.s" Virus. Action Taken: No Action Taken.
File C:\!Submit\bin\adv.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\!Submit\bin\adx.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\!Submit\bin\bargains.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\!Submit\ieupdate.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\!Submit\MediaPassK.exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4QUSQIJZ\prompt[1].php infected by "Trojan-Downloader.JS.IstBar.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8RS2UDEF\AproposClientInstaller[1].exe infected by "Trojan-Downloader.Win32.Apropo.s" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8RS2UDEF\AutoUpdaterInstaller[1].exe infected by "Trojan-Downloader.Win32.Apropo.g" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8RS2UDEF\iesetup6a[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\8RS2UDEF\xo[2].exe infected by "Trojan.Win32.LowZones.g" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\IVQ3G23P\a770af7a[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\RSB345FP\dd[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\RSB345FP\g1[1].exe infected by "Trojan.Win32.LowZones.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\RSB345FP\iesetup6b[1].exe infected by "not-a-virus:AdWare.WinAD.ab" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Admin\My Documents\Setups\setup_ares.exe infected by "not-a-virus:AdWare.NavExcel.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\CxtPls\CxtPls.exe infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\CxtPls\uninstaller.exe infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\CxtPls\WinGenerics.dll infected by "not-a-virus:AdWare.Apropos.f" Virus. Action Taken: No Action Taken.
File C:\temp\Bargains.exe infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\a95kfrhe.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ahadp.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\u6f6uftuc_.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.

Here's a new Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 3:02:22 AM, on 3/8/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\SIMU\WIZARD\WIZARD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\SIMU\WIZARD\WIZARD.EXE
C:\Documents and Settings\Admin\Desktop\hijackthis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [3s6X36O] vsssock.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe
O4 - HKCU\..\Run: [IBp7RWiqP] vfpsvpia.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {5721FA68-5ABD-40A8-81F1-4136691194BF} (Launcher Class) - https://www.play.net/components/activex/AXSAL.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107918627181
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe
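The eScan output above mixes dozens of adware hits with a few entries (Backdoor.Win32.Rbot.gen, Trojan.Win32.LowZones) that are not adware at all. As an added example, not code from the thread or from eScan, the script below parses that log format and separates the "not-a-virus:" class from real malware so the hits that matter are not lost in the list; the sample lines are constructed from the posted log.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the eScan (Mwav) log above.
SCAN_LOG = r"""
File C:\WINDOWS\zeta.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\instsrv.exe tagged as not-a-virus:RiskWare.Tool.ServiceRunner.f. No Action Taken.
File C:\WINDOWS\System32\pingppac.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\TFTP3728 infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\veritas.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Admin\LOCALS~1\TEMPOR~1\Content.IE5\RSB345FP\g1[1].exe infected by "Trojan.Win32.LowZones.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\!Submit\bin\bargains.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
"""

# eScan writes two line shapes: 'infected by "<name>" Virus.' and 'tagged as <name>.'
INFECTED = re.compile(r'^File (.+?) infected by "([^"]+)" Virus\.')
TAGGED = re.compile(r'^File (.+?) tagged as (\S+?)\. No Action')

def parse_escan(text):
    """Return [(path, detection_name)] for every hit line in the log."""
    hits = []
    for line in text.splitlines():
        m = INFECTED.match(line) or TAGGED.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

def family(name):
    """'not-a-virus:AdWare.BargainBuddy.n' -> 'AdWare.BargainBuddy'. The short
    trailing variant suffix (n, c, gen, ...) is dropped; a name without one is kept."""
    name = name.split(":", 1)[-1]
    head, _, tail = name.rpartition(".")
    return head if head and len(tail) <= 3 else name

def triage(text):
    """Split hits into real malware vs. the 'not-a-virus:' adware/riskware class,
    and count detections per family."""
    hits = parse_escan(text)
    malware = [(p, n) for p, n in hits if not n.startswith("not-a-virus:")]
    pup = [(p, n) for p, n in hits if n.startswith("not-a-virus:")]
    return {"malware": malware, "pup_count": len(pup),
            "families": Counter(family(n) for _, n in hits)}
```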

Offline guestolo

Strange issues.
« Reply #14 on: March 09, 2005, 10:35:50 PM »
I'm sorry for not getting back. How are you doing? Has anything changed in your log?

Have you tried any new fixes?

Can you post a fresh HijackThis log?
If you need a hand removing some files, let me know.
