
Thread: WIN32.AGENT.PZ Problem

  1. #21
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi E-literat,

    crap, it's still there. no I don't think winbuyer is causing all the problems. I saw their website: looks harmless, I am surprised they wouldn't have an uninstaller in the add/remove programs folder though. we can come back to that later.

    we will use pocket killbox then do some stuff in safe mode again, you might want to copy/paste the safe mode stuff into notepad and save it to desktop.

    have you gotten killbox yet? if not you can get it here:

    http://www.downloads.subratam.org/KillBox.zip
    -----------------------------
    start killbox.exe

    Select the options: Replace on Reboot AND use dummy

    copy paste this line into the field Full Path of File to Delete

    C:\WINDOWS\system32\c00E4CE7.dat

    then click the button with a white X on red background

    When asked if you would like to Reboot, select >No.
    Once again, in Full Path of File to Delete, copy and paste the following:
    C:\WINDOWS\system32\ntos.exe

    Press the button with a red circle and a white X.
    When asked to Reboot, select >Yes this time

    your computer will reboot, during the reboot tap the f8 key so it starts in safe mode again.
    once in safe mode, please run superantispyware once, and do this also:

    using explorer (right click on start>explore) drill down to these >>> you want to delete what's >inside< the folder, not the folder itself << delete what you can

    C:\Windows\Temp\ (at the top you can use: Edit>Select All, File>Delete)

    C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

    C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

    reboot normally and post a new hjt log please

    shelf life
    How Can I Reduce My Risk?

  2. #22
    Junior Member
    Join Date
    Apr 2007
    Posts
    28


    Opened KillBox and followed directions on both files and clicked white X / clicked yes on reboot / message appeared saying: (Pending file rename operations registry data has been Removed by External Process) (I clicked O.K.). Program would not reboot. I don't know if this is related, but earlier I did a search on ntos.exe and this file was said to be in quarantine (ntos.exe.bac_a02680 / in folder C:\Document and Settings\Compac_Owner\housecall6.6\Quaratine).
    How should I proceed?

  3. #23
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi,

    must be in quarantine from the online scans you did. bring up task manager by pressing ctrl-alt-del at the same time. under the processes tab see if these are listed:
    ntos.exe
    c00E4CE7.dat
    ---------------------
    do an online scan here (unless this is the one you had a problem with, can't remember). save and post the report please.
    http://www.pandasoftware.com/products/activescan?
    ----------------------
    also do this:
    go to start>run and type in regedit then click ok
    windows registry will open up.
    work your way down by clicking the (+) signs:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[c00E4CE7.dat]

    click on the folders on the left under the notify key
    on the right side, see if you find the .dat file
    if so:
    click on the folder and at top click File>export
    in the file name box call it reg.txt
    in the save as type change to:"text file" (.txt)
    save to desktop.
    please post the saved reg text in next reply.

    shelf life
    How Can I Reduce My Risk?

  4. #24
    Junior Member
    Join Date
    Apr 2007
    Posts
    28


    O.K. shelf life,
    Opened KillBox and followed directions, but tried it with each file separately and received the same message (Pending file rename operations registry data has been Removed by External Process) (I clicked O.K.). Program would not reboot. So I closed that program and manually rebooted in safe mode / followed those directions / C:\Windows\Temp\ (at the top you can use: Edit>select all, File>delete) (I found these files and deleted)

    C:\Documents and Settings\-Your Profile-\Local Settings\Temporary Internet Files\ (will dump all your cached internet content including cookies)

    C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temporary Internet Files\

    C:\Documents and Settings\-Any other users Profile-\Local Settings\Temp\

    Local Settings found under only one user and no temp file in that folder!

    Reboot in normal mode.

  5. #25
    Junior Member
    Join Date
    Apr 2007
    Posts
    28


    Hi shelf life,
    Did the above prior to your reply / attempted to download Panda but had a problem downloading (Avast said it had a virus, so I aborted the scan). Went to registry and exported file HERE:

    Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00E4CE7
    Class Name: <NO CLASS>
    Last Write Time: 4/18/2007 - 8:31 PM
    Value 0
    Name: Asynchronous
    Type: REG_DWORD
    Data: 0x1

    Value 1
    Name: DllName
    Type: REG_SZ
    Data: C:\WINDOWS\system32\__c00E4CE7.dat

    Value 2
    Name: Impersonate
    Type: REG_DWORD
    Data: 0x0

    Value 3
    Name: Startup
    Type: REG_SZ
    Data: B

    Value 4
    Name: Logon

    Scan.exe results:
    Logfile of scan.exe v1.99.1
    Scan saved at 8:26:43 PM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\scan.exe\scan.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: (no name) - {09dd3840-7edd-4855-afe0-ebbd50fc643a} - C:\WINDOWS\system32\mprcht.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
    O4 - HKLM\..\Run: [WinBuyer Compare & Save] C:\PROGRA~1\WinBuyer\Winbuyer.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [A00F802D89.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F802D89.exe
    O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1175731963546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175731954187
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: mprcht - mprcht.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: __c00E4CE7 - C:\WINDOWS\system32\__c00E4CE7.dat
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


    E-literat
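    The entries shelf life keys on in the log above (the extra executable appended to UserInit, the Run value named "userinit" and the autostart launched from a Temp folder, the Winlogon Notify package that is a .dat rather than a .dll) can be flagged mechanically. The Python below is an added example, not code from the thread or from HijackThis; it runs those heuristics over constructed lines modelled on the posted log, and the thresholds (component names, the "__" prefix test) are the author's assumptions, not a published rule set.

    ```python
    """Flag suspicious persistence entries in a HijackThis-style log (added example)."""
    import re

    # Constructed sample, abridged from the kind of log posted in the thread.
    SAMPLE_LOG = r"""
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [A00F802D89.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F802D89.exe
    O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: mprcht - mprcht.dll (file missing)
    O20 - Winlogon Notify: __c00E4CE7 - C:\WINDOWS\system32\__c00E4CE7.dat
    """

    USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
    RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
    NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
    # Temp directories in both long and 8.3 short-name form.
    TEMP_DIR_RE = re.compile(r"\\(temp|locals~1\\temp|local settings\\temp)\\", re.I)

    # Heuristic (assumption): Run values that borrow the name of a Winlogon
    # component are imitating something that is never started from a Run key.
    COMPONENT_NAMES = {"userinit", "winlogon", "explorer"}


    def check_userinit(value):
        """UserInit should name only userinit.exe; return every extra entry."""
        parts = [p.strip() for p in value.split(",") if p.strip()]
        return [p for p in parts if not p.lower().endswith("\\userinit.exe")]


    def check_run(hive, name, command):
        """Return reasons an O4 Run entry looks suspicious (empty list if clean)."""
        reasons = []
        if TEMP_DIR_RE.search(command):
            reasons.append("autostart launched from a Temp directory")
        if name.lower() in COMPONENT_NAMES:
            reasons.append("Run value named after a Winlogon component")
        return reasons


    def check_notify(name, target):
        """Return reasons an O20 Winlogon Notify package looks suspicious."""
        reasons = []
        missing = target.endswith("(file missing)")
        path = target.replace("(file missing)", "").strip()
        if missing:
            reasons.append("Notify package file missing (dangling entry)")
        if not path.lower().endswith(".dll"):
            reasons.append("Notify package is not a .dll")
        if name.startswith("__"):
            reasons.append("package name starts with '__' (heuristic)")
        return reasons


    def analyze(log_text):
        """Return (line, reason) pairs for every heuristic hit in the log."""
        findings = []
        for raw in log_text.splitlines():
            line = raw.strip()
            if m := USERINIT_RE.match(line):
                findings += [(line, f"extra UserInit entry: {x}") for x in check_userinit(m.group(1))]
            elif m := RUN_RE.match(line):
                findings += [(line, r) for r in check_run(*m.groups())]
            elif m := NOTIFY_RE.match(line):
                findings += [(line, r) for r in check_notify(*m.groups())]
        return findings


    if __name__ == "__main__":
        for entry, reason in analyze(SAMPLE_LOG):
            print(f"{reason}\n    {entry}")
    ```
    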

  6. #26
    Junior Member
    Join Date
    Apr 2007
    Posts
    28


    Also, these two: ntos.exe / c00E4CE7.dat, were not listed in Windows Task Manager / Processes tab.

  7. #27
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi,

    thanks for the info. there's no virus in the panda scan. it's a false positive:
    see links:
    http://www.avast.com/eng/faq_panda.html

    an (old) workaround here:
    http://www.dellcommunity.com/support...ssage.id=57210
    if you want to try the workaround and do a scan go ahead.

    getting late here. I have to go to work in the morning and won't be back online for like 16-17 hrs. we can pick it back up then.

    shelf life
    How Can I Reduce My Risk?

  8. #28
    Junior Member
    Join Date
    Apr 2007
    Posts
    28


    Hello shelf life,
    Of course I'll work around the anti-virus. Well, did the scan from Panda, results:

    Panda scan 00:01am cst 4/22/2007
    Incident Status Location

    Virus:trj/goldun.fz Disinfected Operating system
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\1061dd5c-600aca4e[Dvnny.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\1061dd5c-600aca4e[Dex.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\1061dd5c-600aca4e[Dix.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\6.0\28\1061dd5c-600aca4e[Dux.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-3766c267.zip[Dvnny.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-3766c267.zip[Dex.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-3766c267.zip[Dix.class]
    Virus:JS/Downloader.NOE Disinfected C:\Documents and Settings\Compaq_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms-counter.jar-5aecf5b2-3766c267.zip[Dux.class]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\Process.exe
    Virus:Trj/Shutdown.Z Disinfected C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\restart.exe
    Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
    Also another scan.exe, results:
    Logfile of scan.exe v1.99.1
    Scan saved at 11:57:01 PM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\scan.exe\scan.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: (no name) - {09dd3840-7edd-4855-afe0-ebbd50fc643a} - C:\WINDOWS\system32\mprcht.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise
    O4 - HKLM\..\Run: [WinBuyer Compare & Save] C:\PROGRA~1\WinBuyer\Winbuyer.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HELPAN~1\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [A00F802D89.exe] C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\_A00F802D89.exe
    O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1175731963546
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1175731954187
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: mprcht - mprcht.dll (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: __c00E4CE7 - C:\WINDOWS\system32\__c00E4CE7.dat
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


    Darn! I just realized I did the Panda scan in normal mode.

    Thanks,
    E-literat

  9. #29
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    hi E-literat,

    ok thanks for the info

    another download to get: avenger
    Download and unzip Avenger (by swandog46) to your desktop:

    http://swandog46.geekstogo.com/avenger.zip

    Start up Avenger.
    Check the 'Input script manually' button.
    Click the Magnifying Glass icon.
    In the box that opens, copy and paste the following (including the "File to delete:" line):

    File to delete:
    C:\WINDOWS\system32\wsnpoem
    C:\WINDOWS\system32\wsnpoem\audio.dll
    C:\WINDOWS\system32\wsnpoem\video.dll
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\system32\__c00E4CE7.dat


    Then click on 'Done'.
    Click the Traffic Light icon to start the script.
    Then press OK at the prompts to reboot your PC.

    After the reboot,

    Open hijackthis, scan and place a check mark next to the following if they remain:

    O20 - Winlogon Notify: __c00E4CE7 - C:\WINDOWS\system32\__c00E4CE7.dat
    O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
    --------------------------------------------
    Avenger will output a .txt file which you can find at C:\Avenger\.txt.
    please post the avenger text in next reply along with a new hjt log.

    shelf life
    How Can I Reduce My Risk?

  10. #30
    Junior Member
    Join Date
    Apr 2007
    Posts
    28


    Hello shelf life,
    downloaded Avenger / followed directions (copy and paste file) / clicked DONE / clicked signal lights / prompted to click Yes for Avenger to execute command / error message: error, selected file does not appear to be a valid script. / clicked O.K., another error message: press O.K. to log error and continue or cancel to abort. / clicked O.K., error message: error code: 0.
    Didn't know what to do next.
