Author Topic: STRUCK by the AXE again!  (Read 3443 times)

guestolo
« Reply #20 on: February 19, 2006, 08:15:05 AM »
Hi again, can you do the following, please?

Do a "System scan only" with HijackThis and put a check next to these entries:

O4 - HKLM\..\RunServices: [MSN Messenger] C:\WINDOWS\system32\msn.exe
O4 - HKCU\..\RunServices: [MSN Messenger] C:\WINDOWS\system32\msn.exe


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Reboot the computer

Back in Windows, find and delete the following files,
Exact file names and locations please
C:\explorer.old
C:\WINDOWS\system32\msn.old

Post back a fresh hijackthis log and let me know how things are running

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Firestrider
« Reply #21 on: February 19, 2006, 06:57:18 PM »
Logfile of HijackThis v1.99.1
Scan saved at 6:56:20 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msn.exe
O4 - HKLM\..\RunServices: [MSN Messenger] C:\WINDOWS\system32\msn.exe
O4 - HKCU\..\Run: [MSN Messenger] C:\WINDOWS\system32\msn.exe
O4 - HKCU\..\RunServices: [MSN Messenger] C:\WINDOWS\system32\msn.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

I could not find the files:

C:\explorer.old
C:\WINDOWS\system32\msn.old

OR

C:\explorer.exe
C:\WINDOWS\system32\msn.exe

I think there is something wrong with my AVG email scanner also, since when I open Thunderbird AVG connects to the wrong address or something and it shows a POP3 error.
« Last Edit: February 19, 2006, 07:18:33 PM by Firestrider »
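The exchange above comes down to reading O4 (autostart) lines out of a HijackThis log and picking out the ones to tick before "Fix checked". The script below is an added example, not part of this thread and not HijackThis code: it parses O4 lines into records, then flags an entry when its executable name or its autostart key is on a watch list, or when the bracketed label names a well-known product whose real executable is different (the small label table and the sample log lines are constructed for this example; msnmsgr.exe for MSN Messenger and msmsgs.exe for Windows Messenger are the assumed genuine binaries).

```python
"""Parse HijackThis O4 (autostart) entries and flag the ones worth checking.

Added example for this thread; not HijackThis code.  The sample log below
is constructed to mirror the kind of lines seen in the posted log.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed sample: legitimate autostarts, a lookalike "MSN Messenger"
# entry under several keys, and one non-O4 line that must be ignored.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [gcasServ] "D:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe"
O4 - HKLM\\..\\Run: [AVG7_CC] D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [MSN Messenger] C:\\WINDOWS\\system32\\msn.exe
O4 - HKLM\\..\\RunServices: [MSN Messenger] C:\\WINDOWS\\system32\\msn.exe
O4 - HKCU\\..\\RunServices: [MSN Messenger] C:\\WINDOWS\\system32\\msn.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe (file missing)
"""

# Label -> executable the genuine product installs.  Assumption of this
# example (a tiny table), not something HijackThis itself knows.
KNOWN_LABELS = {
    "msn messenger": "msnmsgr.exe",
    "windows messenger": "msmsgs.exe",
}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class O4Entry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, RunServices, ...
    label: str     # registry value name shown in [brackets]
    command: str   # command line exactly as logged
    line: str      # the original log line, so it can be quoted back

    @property
    def exe_name(self) -> str:
        """Lower-cased basename of the executable, e.g. 'msn.exe'.

        Handles both quoted paths and unquoted paths followed by arguments
        by taking everything up to the first '.exe'."""
        m = re.match(r'^"?(.*?\.exe)"?', self.command, re.IGNORECASE)
        path = m.group(1) if m else self.command
        return path.rsplit("\\", 1)[-1].lower()


def parse_o4(log: str) -> List[O4Entry]:
    """Return every O4 line in the log as an O4Entry; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(O4Entry(m["hive"], m["key"], m["label"], m["cmd"], line))
    return entries


def flag_entries(
    entries: List[O4Entry],
    watch_exes: FrozenSet[str] = frozenset({"msn.exe"}),
    watch_keys: FrozenSet[str] = frozenset({"RunServices"}),
) -> List[Tuple[O4Entry, List[str]]]:
    """Return (entry, reasons) for each entry that trips at least one check."""
    flagged = []
    for e in entries:
        reasons = []
        if e.key in watch_keys:
            reasons.append(f"autostart key {e.key} is on the watch list")
        if e.exe_name in watch_exes:
            reasons.append(f"executable {e.exe_name} is on the watch list")
        expected = KNOWN_LABELS.get(e.label.lower())
        if expected and e.exe_name != expected:
            reasons.append(f"label '{e.label}' normally runs {expected}, not {e.exe_name}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def lines_to_check(log: str, **criteria) -> List[str]:
    """The exact HijackThis lines to tick before clicking 'Fix checked'."""
    return [e.line for e, _ in flag_entries(parse_o4(log), **criteria)]


if __name__ == "__main__":
    for entry, reasons in flag_entries(parse_o4(SAMPLE_LOG)):
        print(entry.line)
        for r in reasons:
            print("    -", r)
```

Run on the sample, it prints the three msn.exe lines (HKLM Run, HKLM RunServices, HKCU RunServices) with the reasons each one tripped; the two AVG and Microsoft AntiSpyware autostarts and the O9 line are left alone. Feeding it a real log pasted into `SAMPLE_LOG` gives the same kind of list a helper would post back.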

guestolo
« Reply #22 on: February 19, 2006, 08:44:15 PM »
Quote
I could not find the files:

C:\explorer.old
C:\WINDOWS\system32\msn.old

OR

C:\explorer.exe
C:\WINDOWS\system32\msn.exe

You should have mentioned this before my last reply :unsure:
Do you have the following set?
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.
If not, do that now and look for those files again; remember, exact file names in the exact locations please.

Can you also do the following:
Download F-Secure's BlackLight from HERE and save it to your Desktop.
Locate and double-click blbeta.exe to run it; you will need to accept the license agreement.

Click the Scan button to start and then Next when it has finished scanning.
Do not rename any files if given the choice; I need to see the log.
A text file, fsbl-date/time, will be saved to your Desktop; copy and paste this into your next post.
« Last Edit: February 19, 2006, 08:46:27 PM by guestolo »



Firestrider
« Reply #23 on: February 19, 2006, 11:15:53 PM »
02/19/06 23:17:33 [Info]: BlackLight Engine 1.0.32 initialized
02/19/06 23:17:33 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/19/06 23:17:33 [Note]: 7019 4
02/19/06 23:17:33 [Note]: 7005 0
02/19/06 23:17:34 [Note]: 7006 0
02/19/06 23:17:34 [Note]: 7011 1812
02/19/06 23:17:35 [Note]: FSRAW library version 1.7.1015
02/19/06 23:17:54 [Note]: 7007 0


Here's a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:06 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\HijackThis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
« Last Edit: February 19, 2006, 11:21:38 PM by Firestrider »

guestolo
« Reply #24 on: February 20, 2006, 12:10:57 AM »
Your log looks better. Were you able to delete
C:\explorer.old
C:\WINDOWS\system32\msn.old

OR

C:\explorer.exe
C:\WINDOWS\system32\msn.exe

If not, please run Wpfind again and post the log from it.
It can be run in Normal mode, but after clicking Start scan,
do not open or close any windows or it won't work.

Why are you not keeping me updated?
Remember I'm not sitting at your computer
« Last Edit: February 20, 2006, 12:18:30 AM by guestolo »



Firestrider
« Reply #25 on: February 20, 2006, 12:48:01 AM »
Yes I was able to rename them from .exe to .old and then delete them.

Thanks for the help. MAS doesn't show the message anymore.

I have a problem with POP3 email and AVG's email scanner though, might or might not be related to spyware.
I get the message from Thunderbird that password or username hasn't succeeded, and AVG's message that it couldn't connect to the POP3 server. I tried uninstalling Thunderbird with add/remove programs and then clearing the cookies/cache in Firefox, then reinstalling Thunderbird and still get the same errors. I'm sure I set up the preferences right. It didn't work after changing my password on Gmail.

Also, do you have any recommendations on a hardware firewall, because spyware keeps coming back even with the protection.

guestolo
« Reply #26 on: February 20, 2006, 01:04:59 AM »
As far as hardware firewalls go,
it's a good decision; you will have to decide which one you like.

I would make sure you do the final cleanup procedures again that I posted earlier
on page 1.

*If everything is running better
Final Cleanup
We should clear all your restore points to ensure you don't restore any nasties that may be sitting idle
    Go to START>>RUN>>In the open field
    Type in
msconfig
Click OK
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, go back and take the check out of "Turn off System Restore".
This will re-enable the System Restore feature and create a new restore point.

Protect yourself against Future Attacks
*Make sure you keep SpywareBlaster updated
                   
*Keep up to date on Windows updates
In the event you're not set to Autoupdate, make a habit of checking Microsoft's website for the latest High priority updates.
This is very important in keeping your system secure

*Make sure your Anti-Virus software is always kept up to date and actively running in the background

Quote
From my experience Windows Firewall is unreliable.
*A Firewall is very important in the protection of your computer
Windows Service pack 2 contains an adequate firewall protection
If you would like to consider a firewall with more controlled protection
Install one of the following
Sunbelt Kerio Personal Firewall

Zone Alarm by Zonelabs

OutPost by Agnitum

Sygate Personal Firewall

It's important to only use one Software firewall protection, this includes the one supplied with XP
More than one can cause a conflict

*Check for updates with your anti-spyware programs and run a scan on a regular basis
A great addition to Ad-Aware and Microsoft AntiSpyware
is Spybot 1.4, I recommend installing it if you don't have it
You can download it from HERE
 or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check all boxes and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART the computer if any Red entries were fixed
Please Immunize after every update

You may also choose to hold onto Ewido
Ewido will become a Limited version in a couple weeks
It's still a very good scanner to update and run once a month

Quote
I have a problem with POP3 email and AVG's email scanner though, might or might not be related to spyware.
I get the message from Thunderbird that password or username hasn't succeeded, and AVG's message that it couldn't connect to the POP3 server. I tried uninstalling Thunderbird with add/remove programs and then clearing the cookies/cache in Firefox, then reinstalling Thunderbird and still get the same errors. I'm sure I set up the preferences right. It didn't work after changing my password on Gmail.

Have you tried uninstalling AVG and reinstalling?
It does sound like a setting or misconfiguration in your email program, however.
« Last Edit: February 20, 2006, 01:08:55 AM by guestolo »



guestolo
« Reply #27 on: March 05, 2006, 04:58:17 PM »
As these problems appear resolved, I'll lock this topic.
Take care :)
