multiple malware



MarnieLan
2007-01-29, 21:13
Hi -- my first post and will appreciate any advice/help. HJT Log attached.
I have been battling a bad infection for several weeks. Have run Sophos anti-virus, and PrevX, also spybot S&D. Ran Kaspersky online scanner and it said I have Hktl_prockill.A
Tspy_wren
tspy_small.dhr
pe_luder.A

Have never been able to fully disinfect.
Can't run anything in safe mode, as when I boot to safe mode 'explorer.exe' is using all system resources so nothing will happen. This is not the case in normal mode.
What can I do?


Logfile of HijackThis v1.99.1
Scan saved at 1:02:48 PM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unm.edu/~marni1/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.35.68.238
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: IEFilter - {49391531-C848-4791-95EA-98668923FF1A} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sophos AutoUpdate Service - Unknown owner - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe (file missing)
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

MarnieLan
2007-01-30, 03:14
I ran Webroot's Spysweeper and it came up with trojan-nuwar and trojan-relayer-alpiok.
Also, is there a free/cheap program that would allow me to see how my computer is accessing the internet and if there is any incoming traffic to my machine? Also, that would allow me to see any emails that might be sent from my machine?

pskelley
2007-01-31, 16:19
Welcome to the forum. If you still need help and are not receiving it elsewhere, here is what I see:

1) An out-of-date Java program that is going to get you infected if it has not already; see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06 <<< out of date

2) System Configuration Utility (msconfig) is running in Selective Startup mode, so I do not know if I am seeing the malware at all. If you proceed, place it in Normal Mode until we finish.

3) O21 - SSODL: IEFilter - {49391531-C848-4791-95EA-98668923FF1A} - C:\WINDOWS\system32\IEFilter.dll which is probably this trojan:
http://www.sophos.com/virusinfo/analyses/trojsrchspya.html
Steals information
Installs itself in the Registry
So any secure information you have on the computer is at risk and probably compromised.

4) I see no online virus scan results so I have to assume you missed this information:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288

5) I see C:\Program Files\Prevx1\ and you said:
"I ran Webroot's Spysweeper and it came up with trojan-nuwar and trojan-relayer-alpiok." I do not have a HJT log run after Spysweeper, so I do not know what it removed. If we proceed I need to know if you purchased either of those programs. While they are good programs, they probably conflict running together, and they are both intense resource users which will slow the computer considerably, especially Prevx1.

6) Unless I am missing something, I see no active antivirus program running on this computer. If you need a free one, here are three to choose from, and I suggest AVG Anti-Virus 7.5 from Grisoft.
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

If your issues are not resolved, and you wish me to look at them, please follow the above instructions and then post a new HJT log.

Thanks
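The checks pskelley makes by eye above (an old JRE path, msconfig in Selective Startup, an SSODL entry that is not a known Windows component, services whose binary is missing) can be applied mechanically to a HijackThis log. The script below is an added example written for this page; it is not code from the thread or from HijackThis. The sample lines are copied in shape from the log posted above, the SSODL allowlist (`KNOWN_SSODL`), the Java baseline (`MIN_JAVA`, taken from the thread's own advice to move to JRE 6) and the rule that a `ProxyServer` value pointing somewhere other than loopback or a private address deserves a look are all assumptions of the example, not findings stated in the thread.

```python
import ipaddress
import re

# Constructed sample: seven lines in the shape of the HijackThis 1.99.1 log
# posted in this thread (not the complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.35.68.238
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: IEFilter - {49391531-C848-4791-95EA-98668923FF1A} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: Sophos AutoUpdate Service - Unknown owner - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe (file missing)
"""

# Assumed allowlist of ShellServiceObjectDelayLoad names accepted without
# review; anything else is reported, which is how IEFilter stands out.
KNOWN_SSODL = {"WPDShServiceObj"}

# Assumed Java baseline, taken from the thread's advice to update to JRE 6.
MIN_JAVA = (1, 6, 0, 0)

JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", re.IGNORECASE)


def java_version(text):
    """Return (major, minor, patch, update) from a jreX.Y.Z[_NN] path, or None."""
    m = JRE_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def proxy_needs_review(value):
    """True unless the proxy host is localhost, loopback or a private address.

    Handles the plain 'host[:port]' form and the 'http=host:port;...' form.
    """
    host = value.split(";")[0].split("=")[-1].split(":")[0].strip()
    if host.lower() == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname we cannot classify offline: review it
    return not (ip.is_loopback or ip.is_private)


def triage(log_text, min_java=MIN_JAVA, known_ssodl=KNOWN_SSODL):
    """Return (section, severity, detail) findings for one HijackThis log."""
    findings = []
    java_seen = set()  # report each out-of-date JRE once, not per line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code, _, rest = line.partition(" - ")
        if code == "R1" and ",ProxyServer = " in rest:
            value = rest.split(" = ", 1)[1]
            if proxy_needs_review(value):
                findings.append(("R1", "high", f"proxy server points off-host: {value}"))
        elif code == "O4" and "[MSConfig]" in rest and rest.endswith("/auto"):
            findings.append(("O4", "info",
                             "msconfig is in Selective Startup; disabled autoruns are not shown"))
        elif code == "O21" and rest.startswith("SSODL: "):
            name = rest[len("SSODL: "):].split(" - ", 1)[0]
            if name not in known_ssodl:
                findings.append(("O21", "high",
                                 f"unlisted SSODL entry {name}: {rest.rsplit(' - ', 1)[-1]}"))
        elif code == "O23" and rest.endswith("(file missing)"):
            findings.append(("O23", "low", f"service binary missing: {rest}"))
        ver = java_version(rest)
        if ver is not None and ver < min_java and ver not in java_seen:
            java_seen.add(ver)
            findings.append((code, "medium",
                             f"out-of-date Java runtime referenced: {JRE_RE.search(rest).group(0)}"))
    return findings


if __name__ == "__main__":
    for section, severity, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {severity:6} {detail}")
```

Run against the constructed sample it reports five items: the off-host proxy, the JRE 1.5.0_06 path (once, even though the real log references it from four sections), the msconfig Selective Startup marker, the IEFilter SSODL entry, and the Sophos AutoUpdate service with a missing binary; the WPDShServiceObj entry passes the allowlist. The allowlist is the part a practitioner should maintain from known-good systems rather than from memory.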

MarnieLan
2007-01-31, 22:46
Hi again (second post; the first one was here: http://forums.spybot.info/showthread.php?t=10896)

For the sake of description, I'll be more detailed. Got infected around the holidays. Computer was completely non-functional. Purchased a 30-day subscription to PrevX1 at that time, which found a trojan that had infected most of my executable files (around 500 of them). I don't remember the name of it, but PrevX was the only company reporting that they could clean it. It cleaned that infection, but things have never been the same again. Some current problems are:
*can't run in safe mode, because explorer.exe is using all system resources, so I can't run anything.
*When I instruct Windows to load normally (as opposed to selective startup) the same thing happens sporadically (explorer.exe is hogging system resources).
*computer is running slow
*internet connection is slow/sporadic

I followed your instructions from the last post: Here is my progress:

updated windows
uninstalled PrevX1 (its most recent scans were clean)
uninstalled Spysweeper - I only had the scan version; it never removed anything but reported that I am infected with trojan-nuwar and trojan-relayer-alpiok
reinstalled Sophos anti-virus; its scan is clean
rebooted to normal start-up
updated Java to JRE 6
ran Kaspersky online scanner. It reports infection with:
Hktl_prockill.A
Tspy_wren
tspy_small.dhr
pe_luder.A (170 occurrences)
ran HJT in normal startup mode. Log follows.
Thanks for any and all help! (I really, really don't want to reformat)

Logfile of HijackThis v1.99.1
Scan saved at 2:33:32 PM, on 1/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\tppaldr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\msiexec.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\WINDOWS\system32\MsiExec.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unm.edu/~marni1/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.35.68.238
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] "c:\hp\drivers\printers\photosmart\hphprld.exe" c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: IEFilter - {49391531-C848-4791-95EA-98668923FF1A} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Unknown owner - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe (file missing)
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

MarnieLan
2007-02-01, 01:13
I know I have no firewall installed, this is a home network with a router.
Computer is behaving more normally (explorer no longer hogging resources).
I do NOT have a system restore point (restore has been turned off since this all began).
Hidden files and folders are set to be viewed.

Re-ran Kaspersky this afternoon. It now reports:
Wednesday, January 31, 2007 5:08:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/01/2007
Kaspersky Anti-Virus database records: 249072


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 68770
Number of viruses found 4
Number of infected objects 178 / 0
Number of suspicious objects 0
Duration of the scan process 01:23:56

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\interchk.chk Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\.housecall6.6\Quarantine\IEFilter.dll.bac_a03176 Infected: Trojan-Spy.Win32.Small.ez skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007013120070201\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_cc8.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF15E8.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF15EE.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\I386\AUTOFMT.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\I386\EXPAND.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\I386\NTSD.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\I386\REGEDIT.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\I386\WINNT32.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Required\Droplet Template.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Aged Photo.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Conditional Mode Change.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Constrain to 300 pixels.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Constrain to 64 pixels.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Drop Shadow Frame.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Make Button.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Make Sepia Tone.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Save As JPEG Medium.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\Photoshop Droplets\Save As Photoshop PDF.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped

C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\clokspl.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Microsoft Games\Age of Empires II\clokspl.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Microsoft Games\Age of Empires II\Data\closedpw.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Windows Media Connect 2\wmccds.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Windows Media Connect 2\WMCCFG.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Windows Media Player\wmdbexport.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Windows Media Player\wmpnetwk.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\Program Files\Windows Media Player\wmpshare.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\$MSI31Uninstall_KB893803$\msiexec.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\agentsvr.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\at.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\autofmt.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\cleanmgr.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\cmdl32.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\cmmon32.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\dfrgntfs.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\diantz.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\dvdupgrd.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\evntcmd.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\evntwin.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\fontview.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\ftp.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\fxsclnt.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\fxscover.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\icwconn1.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\ipconfig.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\ipv6.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\ipxroute.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\logon.scr Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\logonui.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\makecab.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\migload.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\migwiz_a.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\mmc.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\mobsync.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\mplay32.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\msconfig.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\mshta.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\mstinit.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\mstsc.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\narrator.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\net.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\netdde.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\nppagent.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\ntvdm.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\oobebaln.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\osk.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\packager.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\rcp.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\rdpclip.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\rdsaddin.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\regedit.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\rsh.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\rstrui.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\shrpubw.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\shutdown.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\sigverif.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\smi2smir.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\snmp.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\snmptrap.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\ssbezier.scr Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\svchost.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\taskmgr.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\tracert.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\ups.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\vssvc.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\wbemtest.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\wextract.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\wmiadap.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\wpabaln.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\wpnpinst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtServicePackUninstall$\xcopy.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtUninstallKB828741$\spuninst\spuninst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\spuninst\spuninst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtUninstallKB835732$\spuninst\spuninst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtUninstallQ312370$\spuninst\spuninst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtUninstallQ329170$\spuninst\spuninst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtUninstallQ810577$\spuninst\spuninst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\$NtUninstallQ810833$\spuninst\spuninst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\I386\AUTOFMT.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\I386\EXPAND.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\I386\NTSD.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\I386\REGEDIT.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\I386\WINNT32.EXE Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\ServicePackFiles\i386\agentsvr.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\alg.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\autoconv.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\cleanmgr.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\cmdl32.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\conime.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\defrag.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\dfrgfat.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\dmadmin.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\eudcedit.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\explorer.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\fontview.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\fxscover.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\fxssvc.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\helpctr.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\ie4uinit.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\ipv6.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\irftp.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\lang\imscinst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\logman.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\logon.scr Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\magnify.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\migload.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\migwiz.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\migwiz_a.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\mmc.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\mobsync.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\msconfig.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\mshta.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\msimn.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\msiregmv.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\mspaint.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\mstinit.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\net.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\netsetup.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\netstat.exe Infected: Email-Worm.Win32.Mixor.a skipped

scan results continue in next reply post



Thanks again for any advice!

MarnieLan
2007-02-01, 01:14
C:\WINDOWS\ServicePackFiles\i386\nslookup.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\ntvdm.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\packager.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\ping.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\rcimlby.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\rdsaddin.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\rexec.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\rsh.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\rundll32.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\scardsvr.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\scrnsave.scr Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\sdbinst.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\shrpubw.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\skeys.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\smlogsvc.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\spider.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\ssmarque.scr Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\ssmyst.scr Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\sysocmgr.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\tracert.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\tscupgrd.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\ups.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\vssvc.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\wab.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\winlogon.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\wordpad.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\wpabaln.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\wuauclt1.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\xcopy.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{D651E476-F7CE-4D37-BCAD-9E56D3FD1D1E}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drmupgds.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\IEFilter.dll Infected: Trojan-Spy.Win32.Small.ez skipped

C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped

C:\WINDOWS\system32\se.exe Infected: Trojan-Downloader.Win32.Small.dam skipped

C:\WINDOWS\system32\ss.exe Infected: Email-Worm.Win32.Glowa.n skipped

C:\WINDOWS\system32\vudjwcub.exe Infected: Trojan-Downloader.Win32.Small.dam skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\WudfHost.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\Temp\MSI81b34.LOG Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

E:\MiniNT\system32\cmd.exe Infected: Email-Worm.Win32.Mixor.a skipped

E:\MiniNT\system32\cmd2.exe Infected: Email-Worm.Win32.Mixor.a skipped

E:\MiniNT\system32\LABEL.EXE Infected: Email-Worm.Win32.Mixor.a skipped

Scan process completed.

pskelley
2007-02-02, 21:17
Ran Kaspersky online scanner. It reports infection with
I would like to see the results of that scan report, please post it. I am looking for the name and pathways of these items.

So you will understand, it's about the $$$, every antivirus program calls the junk something different. That is why we need to know the actual name of the file involved and the location (pathway).

TrendMicro offers a solution for pe_luder.A. You have an option of an automatic or a manual removal, take your choice:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FLUDER%2EA&VSect=P
Trend Micro also says it removes: Hktl_prockill.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HKTL%5FPROCKILL%2EA&VSect=P
Not much information about the other two.

I was wondering about the Proxy you are running:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.35.68.238
I am showing it as ComCast and Blacklisted??
http://whois.domaintools.com/68.35.68.238 <<< see here

This is scanning as a nasty: O21 - SSODL: IEFilter - {49391531-C848-4791-95EA-98668923FF1A} - C:\WINDOWS\system32\IEFilter.dll
http://www.sophos.com/virusinfo/analyses/trojsrchspya.html
http://www.bleepingcomputer.com/startups/IEFilter.dll-13215.html

Let's do this, hold the Kaspersky search until we see if we need it.

1) Follow the instructions to run Trend Micro and remove anything it locates. If there is an option to save a scan report, I would sure like to see it.

Here is a tutorial for Using the Trend Micro System Cleaner if it helps:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=en-125991


2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O21 - SSODL: IEFilter - {49391531-C848-4791-95EA-98668923FF1A} - C:\WINDOWS\system32\IEFilter.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\IEFilter.dll <<< delete that file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the results of the Trend Micro scan and a new HJT log. Let me know how the computer is running at that point.

Thanks
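
As an added illustration (not part of this thread, and not Kaspersky's or Trend Micro's own tooling): since every vendor names the same file differently, the file path is the one key that stays constant, so this small Python script reads online-scanner result lines in the format posted above and lists, per detection name, the paths involved. It also separates live files from Windows' own backup/cache copies of system binaries and counts the locked objects that were never scanned. The sample input is an excerpt of the scan lines posted in this thread; the BACKUP_DIR_MARKERS classification is my own assumption.

```python
# Added example (not from this thread or from Kaspersky): summarise online-scanner result
# lines of the form "<path> Infected: <name> skipped" / "<path> Object is locked skipped".
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Assumption used for classification: these directories hold Windows' own backup or cached
# copies of system binaries (service-pack uninstall set, service-pack file cache, setup
# source), not the live files. Hits here show how far a file infector spread, and mean
# System File Checker may copy back an already-infected file.
BACKUP_DIR_MARKERS = ("\\$ntservicepackuninstall$\\", "\\$ntuninstall",
                      "\\servicepackfiles\\", "\\i386\\")

# Constructed input: an excerpt of the scan lines posted above, in the same format.
SAMPLE_SCAN = r"""
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe Infected: Email-Worm.Win32.Mixor.a skipped

C:\WINDOWS\ServicePackFiles\i386\explorer.exe Infected: Email-Worm.Win32.Mixor.a skipped
C:\WINDOWS\system32\drmupgds.exe Infected: Email-Worm.Win32.Mixor.a skipped
C:\WINDOWS\system32\IEFilter.dll Infected: Trojan-Spy.Win32.Small.ez skipped
C:\WINDOWS\system32\se.exe Infected: Trojan-Downloader.Win32.Small.dam skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
Scan process completed.
"""

class ScanHit(NamedTuple):
    path: str
    status: str          # "infected" or "locked"
    name: Optional[str]  # scanner's detection name; None for locked objects

def parse_scan(text: str) -> List[ScanHit]:
    """Parse result lines; blank lines and anything else (e.g. the footer) are ignored."""
    hits: List[ScanHit] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            hits.append(ScanHit(m["path"], "infected", m["name"]))
            continue
        m = LOCKED_RE.match(line)
        if m:
            hits.append(ScanHit(m["path"], "locked", None))
    return hits

def paths_by_detection(hits: List[ScanHit]) -> Dict[str, List[str]]:
    """Group infected paths under the scanner's (vendor-specific) detection name."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for h in hits:
        if h.status == "infected":
            grouped[h.name].append(h.path)
    return {name: sorted(paths) for name, paths in grouped.items()}

def is_backup_copy(path: str) -> bool:
    """True when the path lies in one of the backup/cache system-file directories."""
    lowered = path.lower()
    return any(marker in lowered for marker in BACKUP_DIR_MARKERS)

def live_vs_backup(hits: List[ScanHit]) -> Tuple[List[str], List[str]]:
    """Split infected paths into live files and Windows' backup/cache copies."""
    infected = [h.path for h in hits if h.status == "infected"]
    live = [p for p in infected if not is_backup_copy(p)]
    backup = [p for p in infected if is_backup_copy(p)]
    return live, backup

def locked_objects(hits: List[ScanHit]) -> List[str]:
    """Locked objects were never scanned, so they are unknown rather than clean."""
    return [h.path for h in hits if h.status == "locked"]

def report(text: str) -> str:
    hits = parse_scan(text)
    lines = []
    for name, paths in sorted(paths_by_detection(hits).items()):
        lines.append(f"{name}: {len(paths)} file(s)")
        lines.extend(f"    {p}" for p in paths)
    live, backup = live_vs_backup(hits)
    lines.append(f"infected live files: {len(live)}; infected backup/cache copies: {len(backup)}")
    lines.append(f"locked (unscanned) objects: {len(locked_objects(hits))}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_SCAN))
```

Paste the full scan output into SAMPLE_SCAN (or read it from a file) to get the same breakdown for the whole log.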

MarnieLan
2007-02-02, 21:33
Hi PSKelley and thanks so much for your time and your reply. The log for Kaspersky is posted here:
http://forums.spybot.info/showthread.php?t=10957
Sorry for the multiple threads.

Also, in an attempt to repair/prevent future problems, I ran the 'firewall leak tester' that was linked to in a sticky. Now I have no internet connectivity (this is from another machine). If you can help me with this first, I would be greatly appreciative! These two machines are on a home network with a router. Obviously this one is still working.

I am concerned about the 'blacklisted' IP? Does this mean my machine has been sending SPAM or using the internet in a naughty way behind my back?

pskelley
2007-02-02, 22:06
Also, in an attempt to repair/prevent future problems, I ran the 'firewall leak tester' that was linked to in a sticky.
I have no idea what this is, nor did I post instructions for its use. Please give me a link to where you found it.


I am concerned about the 'blacklisted' IP? Does this mean my machine has been sending SPAM or using the internet in a naughty way behind my back?
I just looked again and now it is showing this: Blacklist Status: Clear
I know another ComCast user was complaining about that Blacklist status, so they may have figured it out.

I asked tashi again to combine all of your posts. Please use nothing but POST REPLY.
Please do not run any tools unless I request them. When we are done working together, you may do as you wish.

For starters I suggest you contact ComCast/your ISP and have them check your connectivity settings.
__________________________________________________

additional information:
Here is some information about this item: Email-Worm.Win32.Mixor.a. It may well be called something else by Trend Micro, and Trend may remove the item. It's nasty:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Email-Worm.Win32.Mixor.a&threatid=90872
http://research.sunbelt-software.com/defdetails.aspx?prod=cs&name=446
http://www.symantec.com/enterprise/security_response/weblog/2006/12/rude_greeting_for_the_holiday.html
http://www.symantec.com/outbreak/happynewyear_worm.html


c:\Program Files\Sophos\Sophos Anti-Virus\
If we get to that point, the antivirus program you installed is supposed to remove Email-Worm.Win32.Mixor.a; they are calling it
http://www.sophos.com/security/analyses/trojdrfa.html
Instructions are in the link.

Thanks

MarnieLan
2007-02-04, 17:35
Ok, here is my progress to date, and thanks again for your attention and help.

I resolved the connectivity issue, after running the 'worm door finder' which was linked to in the sticky 'so how did I get infected in the first place?' http://forums.spybot.info/showthread.php?t=279


11.) Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.



1) Follow the instructions to run Trend Micro and remove anything it locates. If there is an option to save a scan report, I would sure like to see it.

I ran Trend Micro's stand alone solution, but I had to run it in normal mode, as safe mode doesn't really work due to 'explorer.exe' hogging all system resources (can't navigate or open windows, etc..). I cannot attach a log - I was able to view it, but there is no option to print or save and copy/paste won't work. It found and cleaned multiple instances of PE_LUDER.A, TSPY_SMALL.DHR and TROJ_SPAMTOOL.AS.

I downloaded and saved the cleaner.

I reran HJT and asked it to fix the IEFilter.DLL.

I wasn't able to manually delete the file IEFilter.DLL ('access is denied').

Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:35:15 AM, on 2/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\tppaldr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S3apphk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.unm.edu/~marni1/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 68.35.68.238:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PreloadApp] "c:\hp\drivers\printers\photosmart\hphprld.exe" c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: IEFilter - {559CCBB7-0C97-451B-BDBD-37BC97AE932C} - C:\WINDOWS\system32\IEFilter.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Unknown owner - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe (file missing)
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe



The computer now appears to be running more slowly than ever!

Thanks.

pskelley
2007-02-04, 18:17
Thanks for the feedback, I am going to tell you now that this worm infected so many of your files that the only way to repair this may be to reinstall the operating system. Keep that option in mind as we proceed, you can look back at the scans to see the files that were infected. Once we have the system stabilized, we can try to replace the corrupted files from the Windows CD using System File Checker, but I am not sure if it will work...we will see.

The computer now appears to be running more slowly than ever!
Please be more specific, is it booting up slow, is it opening pages slow, give me any details you think will help.

This item is a trojan: C:\WINDOWS\system32\IEFilter.dll
and it must go. Let's try this:

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\system32\IEFilter.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O21 - SSODL: IEFilter - {49391531-C848-4791-95EA-98668923FF1A} - C:\WINDOWS\system32\IEFilter.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Follow the instructions in this link to download and run AVG Anti-Spyware. Make sure you delete or at least quarantine anything it locates, save the scan report, I must see it.
http://forums.security-central.us/showthread.php?t=3165

Restart the computer and post the scan report from AVG Anti-Spyware and a new HJT log. Include any comment you think will help, especially error message word for word from the computer.

Once that information is posted, please look at this link for information about how to improve the computer's overall performance.
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Thanks

tashi
2007-02-13, 18:14
Due to lack of a response, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.