
View Full Version : avg has threats I cant remove

clst11
2005-12-21, 06:36
My son got on my computer and got it reinfected. AVG has found Downloader.Small, Downloader.Agent.PN, Win32/Bube, and Agent.AE.
Enclosed is the log file from HJT:
Logfile of HijackThis v1.99.1
Scan saved at 6:32:54 PM, on 12/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Common Files\AOL\1134364634\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1134364634\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1134364634\ee\AOLServiceHost.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\AntiSpyWare\hijackthis.exe
C:\WINNT\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

pskelley
2005-12-22, 19:05
Hello and welcome to the forum. AVG is a good freeware program and I just do not see this stuff you are describing. When you get information like this you need to write down the path of the items located as well as the exact names. I am going to suggest this process to see what HJT might not be able to see and make sure nothing is hiding we need to deal with. If this sounds good to you, proceed like this:

1) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp and please do not run it until I ask you to.

2) Download, update, configure and run these two programs: http://tomcoyote.org/aawsb.php
The newest version of Ad-aware is 1.06 and Spybot 1.04. Even if you have these programs, use the link to get the newest version, update and configure them as in the link. Run Spybot first, reboot then run Ad-aware. Both programs back up what they remove so delete anything the programs say should be removed.

3) Ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

4) Run these two free online scans, save the results to post for me and have them remove anything they locate.
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.kaspersky.com/virusscanner

5) Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do. Then restart the computer and post a new HJT log, the Ewido scan results and the results from the online scans in this same thread, along with any feedback you have.

I understand we are a few days from Christmas and computers have to take a back seat to the family. I do suggest since we are unsure of what the issues might be at this point, that you stay offline as much as possible.

Thanks...pskelley
Safer Networking Forums

clst11
2005-12-28, 06:30
We did all the scans you asked us to, but when we pulled up ewido we got a run time error and could not get it to work!! The online scans (TrendMicro and Kaspersky) said that there were no threats. AVG found six problems:

1)C:\Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\recovery\msload.exe... Virus Downloader.Small

2)C:\Documents and Settings\Wayne\Desktop\requested-files[2005-06-07_17_26].cab:\c:\Program Files\Common Files\FreeProd1\mc-58-12-0000093.exe...Trojan horse Downloader.Agent.PN


3)C:\Documents and Settings\Wayne\Desktop\requested-files[2005-06-07_17_26].cab:\C:\WINNT\System32\svhost.exe...Virus identified Win32\Bube


4)C:\Documents and Settings\Wayne\Desktop\requested-files[2005-06-07_17_26].cab:\C:\winnt\system32\cmmqqq.exe...Trojan horse Agent.AE


5)C:\Documents and Settings\Wayne\Desktop\requested-files[2005-06-07_17_26].cab...Trojan horse Downloader.Agent.PN


6)C:\WINNT\mstasks1.exe...Virus found Downloader.Small

ccleaner log
IE Temporary Internet Files (187 files) 1.33MB
Cookie:wayne@movies.yahoo.com/(&H100001) 96 bytes
Cookie:wayne@www.yahoo.com/(&H100001) 83 bytes
Cookie:wayne@yahoo.com/(&H100001) 168 bytes
C:\Documents and Settings\wayne\Local Settings\History\History.IE5\desktop.ini 113 bytes
C:\WINNT\setupapi.log 1.34KB
C:\Documents and Settings\wayne\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol 300 bytes
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Resident.log 128 bytes


hjt log
Logfile of HijackThis v1.99.1
Scan saved at 7:14:04 PM, on 12/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\AntiSpyWare\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

pskelley
2005-12-28, 15:22
OK and thanks for posting this information. When dealing with error messages, there are many, and I must have the error message before I can tell you why ewido did not run. It does run on Win2000. Please post the exact "word for word" error message; it is fairly important we run it, and it would probably have removed the items you posted.

Let me know how the computer is performing and any issues you are still dealing with, and please post only the logs I ask for. If I need any other logs I will request them, thanks.

Logfile of HijackThis v1.99.1 Scan saved at 7:14:04 PM, on 12/27/2005
There is no malware evident in this hjt log. Please look at the R1 items in the log that look like this: http://www.yahoo.com. I would like to know if you use these. If not they can be removed; let me know.

In case we can't get ewido running let's try to remove these manually since there are only six.

If you get messages from windows about not being able to delete them, you will have to use safe mode:
http://www.bleepingcomputer.com/forums/tutorial61.html

You will need to show hidden files and folders, make sure you choose the instructions for your Operating System. You will probably not see the files unless you do.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

1) C:\Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\recovery\msload.exe... Virus Downloader.Small
Open Spybot > Click on the Recovery button > check or highlight each item, then click on purge selected items > OK or apply, then close Spybot.

2) C:\Documents and Settings\Wayne\Desktop\requested-files[2005-06-07_17_26].cab:\c:\Program Files\Common Files\FreeProd1\mc-58-12-0000093.exe...Trojan horse Downloader.Agent.PN
I would delete the FreeProd1 folder, that is where the trojan is showing. CastleCops says this about FreeProd:
http://www.castlecops.com/tk14377-Freeprod_Toolbar.html I don't see it on the computer, must be an old leftover.

3) C:\Documents and Settings\Wayne\Desktop\requested-files[2005-06-07_17_26].cab:\C:\WINNT\System32\svhost.exe...Virus identified Win32\Bube
Look at the spelling: svhost.exe. I would also check here: C:\WINNT\System32\svhost.exe to be sure. The legitimate file will have a c like this: svchost.exe so be careful.

4) C:\Documents and Settings\Wayne\Desktop\requested-files[2005-06-07_17_26].cab:\C:\winnt\system32\cmmqqq.exe...Trojan horse Agent.AE
Remove the file from C:\Docs and Settings and also check in C:\winnt\system32\cmmqqq.exe. Delete the file in red; there is no other file that looks like that.

5) C:\Documents and Settings\Wayne\Desktop\requested-files[2005-06-07_17_26].cab...Trojan horse Downloader.Agent.PN
You did not include the pathway of this item. I suggest you look carefully to see if anything valid is in the "requested-files" folder then delete everything in it.

6) C:\WINNT\mstasks1.exe...Virus found Downloader.Small <<< delete the file in red.

Once this is complete, empty the recycle bin and restart the computer, then run AVG again to see if it comes up clean. Then post a) the error message you get when you try to run ewido. b) how the computer is running c) the results of the scan by AVG. d) the information about the Yahoo clutter I requested.

Thanks...Phil
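
The svhost.exe versus svchost.exe point above is the classic lookalike-name check, and the same HJT "Running processes" list can be audited for it mechanically. The script below is an added example, not part of this thread and not HijackThis or AVG code: it reads the process section of a HijackThis v1.99.1 style log, flags any process whose name is within one edit of a core Windows system process, and flags a genuine system name that runs from somewhere other than its home directory. The allow-list, the C:\WINNT system root (Windows 2000 layout, as in the logs here) and the sample log are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Assumption: Windows 2000 layout as in the thread's logs (system root C:\WINNT).
SYSTEM_ROOT = r"c:\winnt"
SYSTEM32 = SYSTEM_ROOT + r"\system32"

# Constructed allow-list of core system process names and the directory each is
# expected to run from. Illustrative, not an exhaustive table.
SYSTEM_PROCESSES: Dict[str, str] = {
    "smss.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
    "spoolsv.exe": SYSTEM32,
    "explorer.exe": SYSTEM_ROOT,
}

# Constructed sample in HijackThis v1.99.1 layout: two of the seven entries are
# planted problems (a lookalike name and a system name in a temp directory).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svhost.exe
C:\Documents and Settings\user\Local Settings\Temp\lsass.exe
C:\WINNT\Explorer.EXE
C:\Program Files\RealVNC\VNC4\WinVNC4.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")  # R0/O4/O23 ... lines that follow the process list


def parse_running_processes(log_text: str) -> List[str]:
    """Return the full paths listed under 'Running processes:' in a HijackThis log."""
    paths: List[str] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line.lower() == "running processes:"
            continue
        if ENTRY_RE.match(line) or (not line and paths):
            break  # a blank line or the first R/O entry ends the section
        if line:
            paths.append(line)
    return paths


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path: str) -> Tuple[str, str]:
    """Lower-cased (directory, basename) of a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name.lower()


def audit_processes(paths: List[str], max_distance: int = 1) -> List[Tuple[str, str]]:
    """Flag system names outside their home directory and near-miss lookalike names."""
    findings: List[Tuple[str, str]] = []
    for path in paths:
        directory, name = split_path(path)
        if name in SYSTEM_PROCESSES:
            expected = SYSTEM_PROCESSES[name]
            if directory != expected:
                findings.append((path, f"system process running outside {expected}"))
            continue
        for known in SYSTEM_PROCESSES:
            distance = levenshtein(name, known)
            if distance <= max_distance:
                findings.append((path, f"name is {distance} edit(s) from {known}"))
                break
    return findings


if __name__ == "__main__":
    for path, reason in audit_processes(parse_running_processes(SAMPLE_LOG)):
        print(f"{path}: {reason}")
```

On the sample log this reports svhost.exe as one edit away from svchost.exe and lsass.exe in a Temp directory as a system name outside its home; WinVNC4.exe and the genuine system processes pass. A hit is a prompt to look, not a verdict: a real file with an odd name still needs its path, size and publisher checked, which is exactly what the reply above asks for.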

tashi
2005-12-30, 18:49
clst11, still with us?

clst11
2005-12-30, 21:56
OK, the exact word for word is... Security Suite.exe -Unable to locate DLL

The dynamic link libary lang.dll could not be found in the specified path C:\Program Files\ewido

anti-malware;.;C:\WINNT\System32;C:\WINNT\System;C:\WINNT;C:\WINNT\
System32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Quick Time\QT System\.

The computer is also running very slow. There are no other problems that I know of.



thanks..

pskelley
2006-01-01, 03:33
Post a new HJT log and nothing else, we will start over.

Thanks...pskelley

tashi
2006-01-07, 21:35
Due to lack of a response this topic will be archived.
If you need it re-opened please pm me or one of the forum mods.

tashi
2006-01-17, 03:18
Re-Opened.

pskelley
2006-01-17, 03:25
Since quite a bit of time has passed since we started this repair, and things change quickly, let's start with a new HJT log and as much information about your problem as you can give me. I am especially interested in any error message you are receiving "word for word". I will respond as soon as possible after you post this information.

Thanks...Phil
Safer Networking Forums

tashi
2006-01-22, 08:45
Due to lack of a response this topic will be closed and archived.