Not sure what's wrong...



micahr14
2007-03-05, 03:27
Not sure what's wrong with my system. I'm not able to access the toolbar menu on the Windows Taskbar and also not able to get to my folder options to change some things. Here is my latest HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:26:23 PM, on 3/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\BTN USER\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Micah's Internet Explorer
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programs\Java\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{C614330E-9872-47CC-AE48-F1B2A1A3E7E6}: NameServer = 64.136.20.121 64.136.28.121
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Buzzsaw_Defragmentation - Unknown owner - C:\Program Files\MATCO\BuzzSawService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


If you need any other logs let me know :)
Micahr14

pskelley
2007-03-06, 14:01
Welcome to the forum, if you still need help and are not receiving it elsewhere, I will see what I can do. Please make sure you have followed these instructions.
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288

We will remove the junk I see, and see what happens, follow the instructions in the numbered order.

1) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Disable the Service
Click Start > Run and type services.msc
Scroll down to Boonty Games and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

5) How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\a3dxq.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\a3dxq.dll <<< delete that file if there

C:\Program Files\Common Files\BOONTY Shared\ <<< delete that folder

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log, add any comments you think will help.

Thanks

micahr14
2007-03-07, 02:25
Still not able to access my toolbars (especially the quick launch which I use all the time) also not able to access my folder options still. After following the directions you gave me pskelley (yes in order) :D If you need I can post an AdAware log and my spybot log. I also have run Ccleaner to clean up any temp files I might have. Here is the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 7:16:49 PM, on 3/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Micah's Internet Explorer
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programs\Java\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Body curb tons clock] C:\Documents and Settings\All Users.WINDOWS\Application Data\holddefybodycurb\MemoFirst.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Multi Plus] C:\DOCUME~1\BTNUSE~1\APPLIC~1\PARTBA~1\corn bash safe.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{C614330E-9872-47CC-AE48-F1B2A1A3E7E6}: NameServer = 64.136.28.120 64.136.20.120
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Buzzsaw_Defragmentation - Unknown owner - C:\Program Files\MATCO\BuzzSawService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



The entries in bold are the entries that I'm not sure about.

Thanks for all the help you guys :) You guys are awesome.
Micah R.

pskelley
2007-03-07, 04:21
Thanks for following the instructions so far. Understand that you were in safe mode the first time you posted, and a load of the junk was not visible. You still have major infections. I appreciate your offer, but I want only what I ask for posted.

You have a LOP/C2 Media infection, read about it here:
Info: http://inetexplorer.mvps.org/data/lop.htm
http://www.superadblocker.com/P/PROGRAM%20BOOK.EXE-3755.html
http://forums.spybot.info/showthread.php?t=11358
http://research.sunbelt-software.com/threatdisplay.aspx?name=C2.Lop&threatid=8144

You also have this junk: O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
http://www.google.com/search?q=spoolsvv.exe&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLG

Please follow the directions carefully and in the posted order.

1) It is hard to make changes with Ad-Watch running and at times it even has to be uninstalled, so do this for now:
Ad-Aware Ad-Watch
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both of those boxes

2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) Please download NoLop to the Desktop from one of these links:
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16

Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>> When the scan finishes, if infected, you are prompted to reboot
Click OK

Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a new HijackThis log

(hold those two logs until we finish)

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: C:\Documents and Settings\All Users.WINDOWS\Application Data\holddefybodycurb\MemoFirst.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
http://www.castlecops.com/startuplist-4547.html <<< see the above optional item, leave it if you wish.
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [Multi Plus] C:\DOCUME~1\BTNUSE~1\APPLIC~1\PARTBA~1\corn bash safe.exe
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Documents and Settings\All Users.WINDOWS\Application Data\holddefybodycurb\ <<< delete that folder

C:\Program Files\WildTangent\ <<< delete that folder

C:\WINDOWS\system32\spoolsvv.exe <<< delete that file

C:\DOCUMENTS & SETTINGS~1\BTNUSE~1\APPLICATION DATA~1\PARTBA~1\ <<< delete that folder

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the contents of C:\NoLop.log along with a new HijackThis log.

Once that is posted, I would like you to run AVG Anti-Spyware (that you have onboard); use the instructions in the following link. Make sure you delete or at least quarantine anything it locates. Post the scan results as soon as you have them and tell me how the computer is running now.
http://forums.security-central.us/showthread.php?t=3165

Thanks
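
The point made above, that the safe-mode log hid entries and that the normal-mode log shows look-alike (spoolsvv vs spoolsv) and random-word Run entries, can be checked mechanically. The following is an added example, not code from this thread or from HijackThis: it parses two constructed HJT excerpts (built from entries quoted in the thread), lists entries that appeared only in the later log, and flags O4 Run entries by two assumed heuristics (an executable one edit away from a running process, and a three-or-more-word name of the kind Lop uses).

```python
# Added example (not from the thread or from HijackThis): diff two HijackThis
# logs and flag suspicious O4 Run entries. The log excerpts are constructed
# from entries quoted in the thread.
import re
from typing import Dict, List

# Constructed excerpt of the first log in the thread (taken in safe mode).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
"""

# Constructed excerpt of the second log (normal mode; more Run entries visible).
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [Body curb tons clock] C:\Documents and Settings\All Users.WINDOWS\Application Data\holddefybodycurb\MemoFirst.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [Multi Plus] C:\DOCUME~1\BTNUSE~1\APPLIC~1\PARTBA~1\corn bash safe.exe
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - ")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")  # hive, name, command
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into running-process paths and Oxx/Rx entry lines."""
    log = {"processes": [], "entries": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            log["processes"].append(line)
        elif ENTRY_RE.match(line):
            log["entries"].append(line)
    return log


def new_entries(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> List[str]:
    """Entry lines present in the later log but absent from the earlier one."""
    seen = set(before["entries"])
    return [e for e in after["entries"] if e not in seen]


def exe_name(command: str) -> str:
    """Executable file name from an O4 command line ('' if none found)."""
    m = EXE_RE.search(command)
    return m.group(1).lower() if m else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches look-alike names such as spoolsvv.exe vs spoolsv.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_run_entries(log: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Flag O4 Run entries: exe one edit away from a running process, or a
    random-word name (3+ words). Both heuristics are assumptions of this example."""
    procs = {p.rsplit("\\", 1)[-1].lower() for p in log["processes"]}
    findings = []
    for line in log["entries"]:
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, command = m.groups()
        exe = exe_name(command)
        reasons = []
        for known in sorted(procs):
            if exe and exe != known and levenshtein(exe, known) == 1:
                reasons.append(f"one edit away from running process {known}")
        if len(name.split()) >= 3 or len(exe.split()) >= 3:
            reasons.append("random-word name typical of Lop/C2.Media")
        if reasons:
            findings.append({"hive": hive, "name": name, "exe": exe or command,
                             "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    after = parse_hjt(LOG_AFTER)
    print("New since first log:", *new_entries(parse_hjt(LOG_BEFORE), after), sep="\n  ")
    for f in triage_run_entries(after):
        print(f"[{f['name']}] {f['exe']} -> {f['reasons']}")
```

The same functions can be pointed at two full logs copied from a thread like this one, which makes the "was the first log taken in safe mode?" question a diff rather than a guess.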

micahr14
2007-03-07, 14:04
AVG Antispyware is the 30 day trial version :\ I uninstalled it since I usually don't keep expired demos around. Any suggestions?
Mic

pskelley
2007-03-07, 14:12
Thanks for the feedback, complete all other instructions.

Let me say that this is optional, but AVG allows free updates and the scanner will work, just the realtime protection ends with the trial. I turn it off completely, then update and use it as a free stand alone scanner once a month or so to make sure my other malware programs are not missing junk.

Thanks

micahr14
2007-03-08, 14:02
OK here are the logs :D

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\BTN USER\Desktop
[3/7/2007]
[5:40:18 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\ABD8DA1590735255.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Sandlot Games
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users.windows\Application Data\Apple Computer
C:\Documents and Settings\All Users.windows\Application Data\Avg7
C:\Documents and Settings\All Users.windows\Application Data\Boonty
C:\Documents and Settings\All Users.windows\Application Data\Chasing Dogs Studios
C:\Documents and Settings\All Users.windows\Application Data\Google
C:\Documents and Settings\All Users.windows\Application Data\Google Updater
C:\Documents and Settings\All Users.windows\Application Data\Grisoft
C:\Documents and Settings\All Users.windows\Application Data\Holddefybodycurb
C:\Documents and Settings\All Users.windows\Application Data\Iopus-i-m
C:\Documents and Settings\All Users.windows\Application Data\Iwin
C:\Documents and Settings\All Users.windows\Application Data\Maintype -- EMPTY Directory
C:\Documents and Settings\All Users.windows\Application Data\Microsoft
C:\Documents and Settings\All Users.windows\Application Data\Mumbojumbo
C:\Documents and Settings\All Users.windows\Application Data\Playfirst
C:\Documents and Settings\All Users.windows\Application Data\Quicktime
C:\Documents and Settings\All Users.windows\Application Data\Sandlot Games
C:\Documents and Settings\All Users.windows\Application Data\Sectaskman
C:\Documents and Settings\All Users.windows\Application Data\Spintop Games
C:\Documents and Settings\All Users.windows\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users.windows\Application Data\Trymedia
C:\Documents and Settings\All Users.windows\Application Data\Whitecap (holiday Edition) -- EMPTY Directory
C:\Documents and Settings\All Users.windows\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users.windows\Application Data\Windows Live Toolbar
C:\Documents and Settings\All Users.windows\Application Data\{9d32d139-042f-4a88-9a6f-7ea2d5953d61}
C:\Documents and Settings\Btn User\Application Data\.bittorrent
C:\Documents and Settings\Btn User\Application Data\.gaim
C:\Documents and Settings\Btn User\Application Data\7wonders
C:\Documents and Settings\Btn User\Application Data\Ahead
C:\Documents and Settings\Btn User\Application Data\Aignes
C:\Documents and Settings\Btn User\Application Data\Apple Computer
C:\Documents and Settings\Btn User\Application Data\Arcsoft
C:\Documents and Settings\Btn User\Application Data\Avg7
C:\Documents and Settings\Btn User\Application Data\Chasing Dogs Studios
C:\Documents and Settings\Btn User\Application Data\Chessmaster Challenge
C:\Documents and Settings\Btn User\Application Data\Desktop Sidebar
C:\Documents and Settings\Btn User\Application Data\Geovid
C:\Documents and Settings\Btn User\Application Data\Google
C:\Documents and Settings\Btn User\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Btn User\Application Data\Hyperionics -- EMPTY Directory
C:\Documents and Settings\Btn User\Application Data\Identities
C:\Documents and Settings\Btn User\Application Data\Iwin
C:\Documents and Settings\Btn User\Application Data\Jetstart
C:\Documents and Settings\Btn User\Application Data\Klipfolio
C:\Documents and Settings\Btn User\Application Data\Lavasoft
C:\Documents and Settings\Btn User\Application Data\Leadertech
C:\Documents and Settings\Btn User\Application Data\Limewire
C:\Documents and Settings\Btn User\Application Data\Macromedia
C:\Documents and Settings\Btn User\Application Data\Microsoft
C:\Documents and Settings\Btn User\Application Data\Mozilla
C:\Documents and Settings\Btn User\Application Data\Nerovision -- EMPTY Directory
C:\Documents and Settings\Btn User\Application Data\Openoffice.org2
C:\Documents and Settings\Btn User\Application Data\Partbarbwma
C:\Documents and Settings\Btn User\Application Data\Playfirst
C:\Documents and Settings\Btn User\Application Data\Real
C:\Documents and Settings\Btn User\Application Data\Riotball -- EMPTY Directory
C:\Documents and Settings\Btn User\Application Data\Serence Klipfolio -- EMPTY Directory
C:\Documents and Settings\Btn User\Application Data\Seven Zip
C:\Documents and Settings\Btn User\Application Data\Slimbrowser
C:\Documents and Settings\Btn User\Application Data\Solsuite
C:\Documents and Settings\Btn User\Application Data\Sun
C:\Documents and Settings\Btn User\Application Data\Talkback
C:\Documents and Settings\Btn User\Application Data\Teamspeak2
C:\Documents and Settings\Btn User\Application Data\The Labyrinth Plus! Edition
C:\Documents and Settings\Btn User\Application Data\Thunderbird
C:\Documents and Settings\Btn User\Application Data\Truecrypt
C:\Documents and Settings\Btn User\Application Data\Ventrilo
C:\Documents and Settings\Btn User\Application Data\Vista Start Menu
C:\Documents and Settings\Btn User\Application Data\Webshots
C:\Documents and Settings\Btn User\Application Data\Winpatrol
C:\Documents and Settings\Btn User\Application Data\Xentient
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User.windows\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority\Application Data\Xentient

Logfile of HijackThis v1.99.1
Scan saved at 8:24:34 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Micah's Internet Explorer
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programs\Java\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Body curb tons clock] C:\Documents and Settings\All Users.WINDOWS\Application Data\holddefybodycurb\MemoFirst.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [Multi Plus] C:\DOCUME~1\BTNUSE~1\APPLIC~1\PARTBA~1\corn bash safe.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Buzzsaw_Defragmentation - Unknown owner - C:\Program Files\MATCO\BuzzSawService.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:22:11 AM 3/8/2007

+ Scan result:

C:\WINDOWS\SYSTEM32:lzx32.sys -> Hijacker.Costrat.l : Cleaned.

::Report end

micahr14
2007-03-08, 14:21
Still not able to access those folder options that are grayed out and still not able to access the toolbar menu when I right click on the taskbar :\
Keep it up pskelley :)

pskelley
2007-03-08, 19:21
Unless I or the specific instructions specify safe mode, normal mode can be used.

Thanks

micahr14
2007-03-08, 19:24
Ok, those logs were done in normal mode :D:
Mic

micahr14
2007-03-08, 19:30
I did get IE to stop starting up and whenever I tried to quit it (using the end processes) I would keep coming up with the CornBash thingy :D:

pskelley
2007-03-08, 19:55
Mic, you have quite a bit of the junk that should be gone still in this HJT log:

Logfile of HijackThis v1.99.1 Scan saved at 8:24:34 PM, on 3/7/2007

Are you positive you have not posted an old HJT log? Much of the junk is still in the log? When did you scan for the newest log?

I will post these instructions again; be very sure both of these programs are turned off. If the stuff is still in the log when you scan again, then uninstall Ad-Watch and run the procedure again. Understand that if one of the programs is NOT blocking the change, then you may not be following the directions, so be careful.

1) It is hard to make changes with Ad-Watch running and at times it even has to be uninstalled, so this for now:
Ad-Aware Ad-Watch
Right click on the Ad-Watch icon in the system tray.
At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both of those boxes

2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) Be sure all files and folders are unhidden; you will not see the LOP folder unless this is done:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: C:\Documents and Settings\All Users.WINDOWS\Application Data\holddefybodycurb\MemoFirst.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [Multi Plus] C:\DOCUME~1\BTNUSE~1\APPLIC~1\PARTBA~1\corn bash safe.exe
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)


Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\system32\spoolsvv.exe <<< delete that file
C:\Documents and Settings\All Users.WINDOWS\Application Data\holddefybodycurb\ <<< delete that folder

C:\DOCUMENTS & SETTINGS~1\BTNUSE~1\APPLIC~1\PARTBA~1\ <<< delete that folder

Restart the computer and post a new HJT log.

I would also like to take a look at a Blacklight scan, follow these directions and post the scan results along with that HJT log:
Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/index.shtml

Save it to its own folder on the Desktop
Double-click blbeta.exe to run the program
Click : Scan
A list of all items found is created

The list is in the BlackLight folder on the Desktop, and named fsbl.xxxxxxx.log (xxxxxxx are numbers).

Please provide the log created by BlackLight in your next reply.

Thanks
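As an added example (not code from this thread, and not part of HijackThis), here is a small Python triage script that applies the checks pskelley made by hand to the HJT log format: blanked or emptied browser start pages, O4 Run entries launched from a user-writable profile directory or named like a Windows system process, O21 SSODL entries with no file, and O23 services with a missing binary or unknown owner. The sample lines are copied from the logs posted in this thread; the rule names, the directory and process-name lists, and the one-edit lookalike test are my own assumptions.

```python
import re

# Constructed sample input: entries copied from the HijackThis logs posted in this
# thread, a mix of malicious and benign lines, used only to exercise the rules below.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: C:\Documents and Settings\All Users.WINDOWS\Application Data\holddefybodycurb\MemoFirst.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [Multi Plus] C:\DOCUME~1\BTNUSE~1\APPLIC~1\PARTBA~1\corn bash safe.exe
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O21 - SSODL: CDRecorder029 - {A3BC5E20-0235-1ABF-9CE1-00AA00512029} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Buzzsaw_Defragmentation - Unknown owner - C:\Program Files\MATCO\BuzzSawService.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [value name] command   (HJT omits the value name for some entries)
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.I)
# Directories a limited user can write to; legitimate autoruns rarely live there (assumed list).
PROFILE_DIR_RE = re.compile(
    r"application data|applic~1|documents and settings|docume~1|local settings|\\temp\\", re.I)
# Core Windows process names that malware likes to imitate with a one-letter change (assumed list).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe"}


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    for k in range(max(len(a), len(b))):
        if a[:k] == b[:k] and (a[k + 1:] == b[k + 1:] or a[k:] == b[k + 1:] or a[k + 1:] == b[k:]):
            return True
    return a == b


def triage(log_text):
    """Return (code, reason, line) for every entry a helper would want to look at."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body").rstrip()
        if code in ("R0", "R1") and body.endswith(("=", "about:blank")):
            findings.append((code, "browser start/default page blanked or emptied", line))
        elif code == "O4" and (o4 := O4_RE.match(body)):
            if o4.group("name") is None:
                findings.append((code, "Run entry with no value name", line))
            if PROFILE_DIR_RE.search(o4.group("cmd")):
                findings.append((code, "autorun launched from a user-writable profile directory", line))
            exe = EXE_RE.match(o4.group("cmd"))
            base = exe.group("path").rsplit("\\", 1)[-1].lower() if exe else ""
            if base not in SYSTEM_NAMES and any(within_one_edit(base, s) for s in SYSTEM_NAMES):
                findings.append((code, f"executable named like a Windows system process ({base})", line))
        elif code == "O21" and "(no file)" in body:
            findings.append((code, "shell service object whose DLL is gone", line))
        elif code == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append((code, "service with a missing binary or no vendor name", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {line}")
```

The benign StartupDelayer, WPDShServiceObj and AVG lines pass through unflagged, while every line pskelley asked to have fixed is reported.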

pskelley
2007-03-08, 20:03
"I did get IE to stop starting up and whenever I tried to quit it (using the end processes) I would keep coming up with the CornBash thingy"

This is because you have not removed it from the computer yet! It appears NoLop removed part of the problem but the rest must be removed manually, and it will do no good to tell me you can not find it. The junk is there, and you must find and remove it. If you have to, use search companion to locate the junk.

Thanks

micahr14
2007-03-09, 13:45
IE fixed :) Working on getting the BLbeta log.

micahr14
2007-03-09, 23:01
03/09/07 07:08:05 [Info]: BlackLight Engine 1.0.55 initialized
03/09/07 07:08:05 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/09/07 07:08:05 [Note]: 7019 4
03/09/07 07:08:05 [Note]: 7005 0
03/09/07 07:08:11 [Note]: 7006 0
03/09/07 07:08:11 [Note]: 7011 1328
03/09/07 07:08:12 [Note]: 7026 0
03/09/07 07:08:13 [Note]: 7026 0
03/09/07 07:08:55 [Note]: FSRAW library version 1.7.1021
03/09/07 07:24:18 [Note]: 4020 5 0
03/09/07 07:24:18 [Note]: 4018 5 0
03/09/07 07:24:21 [Note]: 4020 5 0
03/09/07 07:24:21 [Note]: 4018 5 0
03/09/07 07:24:24 [Note]: 4020 5 0
03/09/07 07:24:24 [Note]: 4018 5 0
03/09/07 08:17:51 [Note]: 7007 0

HJT
Logfile of HijackThis v1.99.1
Scan saved at 7:01:10 AM, on 3/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Three Rings Design\Puzzle Pirates\java\bin\javaw.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Micah's Internet Explorer
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programs\Java\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher.exe"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\Program Files\iMacros\imacros.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programs\Java\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

:D:
Mic

pskelley
2007-03-09, 23:34
Thanks for the information. Though the Blacklight is showing no infections, I have never seen a report quite like that. How is the computer running?

The HJT log appears to be clean of malware; if things are back to normal, I would say you are good to go. Let's do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

http://pcpitstop.com/spycheck/eula.asp <<< see this information, make sure everyone who uses your computer reads it.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

micahr14
2007-03-10, 01:08
It still has the toolbar menu (the one where I right click the taskbar) grayed out... even after several reboots. I ran AVG Antispyware, AVG Antivirus and ADAware and they came out clean... /e thinks bout a new installation of windows

Also still not able to access the folder options. Can see hidden files/folders now though. Wasn't able to before. Some options are grayed out.

Mic

pskelley
2007-03-10, 02:27
Mic, these are probably settings that the malware that was on your computer changed; if you want to reinstall Windows to fix it, that is your option. Try to describe exactly what is happening.
Don't be afraid to ask google for help, like
can't access folder options
http://www.google.com/search?q=can%27t+access+folder+options&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLG
I am running Windows XP Pro SP2 with IE7. If you describe what you are doing step by step I will try to duplicate it to see if I can spot why it is happening.

Have a look here: http://www.google.com/search?q=reset+taskbar+default+setting&rls=com.microsoft:en-us:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7GGLG and especially here:
http://www.kellys-korner-xp.com/xp_tweaks.htm

Keep me posted

micahr14
2007-03-11, 02:03
I'm clean and I found a tool on kellys-korner to restore my folder options and taskbar menus :): :D: :bigthumb:
Thanks, mate.

Thanks for all the work you guys do and hopefully I will be joining you guys very soon. :D:
Mic

pskelley
2007-03-16, 22:44
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.