ambercromby, posted June 7, 2007, ID:5091

I am working on a computer that keeps getting the AVSystemcare popup. I haven't found much but this thread. Is there anything I can get for you that might help?

Here is a link I grabbed from one of the popups: http://avsystemcare.com/data/installer.php...0020044510f0703

Here is the HiJackThis info:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:43:54 PM, on 6/7/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\The Pouillons\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R3 - URLSearchHook: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKLM\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKLM\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKCU\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc...ss4_1071_em.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - AppInit_DLLs: C:\WINNT\system32\wuauboot.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 9460 bytes
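A small triage script for HJT logs like the one above, written here as an added example (it is not code from the thread, from HijackThis, or from the helper). It parses the "Oxx - ..." line shape HijackThis emits and flags the entries a helper reads first: Policies\Explorer\Run autoruns, the AppInit_DLLs value, registrations that point at "(no file)", and the Zango toolbar the helper says to uninstall. The rule set and the function names (review_entry, cross_hive_policy_runs) are the example's own; a hit means "review this", not "this is malware".

```python
"""Triage helper for HijackThis (HJT) logs such as the ones posted in this thread.

Added example, not code from the thread or from HijackThis. It splits each
"<Section> - <body>" entry and applies a few rules a helper applies by eye.
A hit is a prompt for review, not a malware verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Excerpt of the first HJT log posted above (lines taken from the thread,
# trimmed to the entries that exercise each rule plus a few benign ones).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R3 - URLSearchHook: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKLM\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKLM\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKCU\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O20 - AppInit_DLLs: C:\WINNT\system32\wuauboot.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [name] cmd" -> section "O4", body "HKLM\..\Run: [name] cmd"
SECTION_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# O4 body: "<registry key or startup group>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# An .exe sitting directly in the Windows directory (C:\WINNT\x.exe), not in a subfolder.
WINDIR_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+\.exe$", re.IGNORECASE)
POLICY_RUN = "Policies\\Explorer\\Run"


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str]


def parse_entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for every HJT entry; header and process lines are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = SECTION_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def first_path(cmd: str) -> str:
    """Executable path from an O4 command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def review_entry(section: str, body: str) -> List[str]:
    """Review reasons for one entry; an empty list means nothing stood out."""
    reasons = []
    if section in ("R3", "O2", "O3") and body.endswith("(no file)"):
        reasons.append("registration points at a file that no longer exists (orphaned entry)")
    if section == "O3" and "zango" in body.lower():
        reasons.append("Zango toolbar, the adware the helper says to uninstall")
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            if POLICY_RUN in m.group("key"):
                reasons.append("autorun through an Explorer policy key, rarely used by installers")
            if WINDIR_ROOT_EXE_RE.match(first_path(m.group("cmd"))):
                reasons.append("executable sits directly in the Windows directory root")
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs: this DLL is loaded into every process that maps user32.dll")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """All entries with at least one review reason, in log order."""
    findings = []
    for section, body, raw in parse_entries(log_text):
        reasons = review_entry(section, body)
        if reasons:
            findings.append(Finding(section, raw, reasons))
    return findings


def cross_hive_policy_runs(log_text: str) -> Dict[str, int]:
    """Value names set under Policies\\Explorer\\Run in more than one hive with the
    same command line: the same persistence planted for both machine and user."""
    seen: Dict[Tuple[str, str], int] = {}
    for section, body, _ in parse_entries(log_text):
        m = O4_RE.match(body) if section == "O4" else None
        if m and POLICY_RUN in m.group("key"):
            key = (m.group("name"), m.group("cmd").strip())
            seen[key] = seen.get(key, 0) + 1
    return {name: n for (name, _), n in seen.items() if n > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    print("repeated across hives:", cross_hive_policy_runs(SAMPLE_LOG))
```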
JeanInMontana, posted June 8, 2007, ID:5094

Hi and welcome to Malwarebytes. What have you done so far? You don't have any antivirus program at all. This is your main problem. You have the Zango toolbar, for one thing, and you need to get rid of it. Look in Add/Remove Programs for Zango or 180 Solutions. Uninstall all instances.

You need to move HJT to a folder you create on your C drive, C:\HJT; this is where all backups will go should you need them.

Get this update, run a full system scan, remove everything it finds, save the log and post it in this thread please. Also get the antivirus program from this same site, update it and run a full system scan. The antivirus is free; the anti-spyware/adware will run for 30 days with full functionality. Once you have run both scans, reboot and post a new HJT log in this thread.
ambercromby (author), posted June 8, 2007, ID:5111

So far what I have done is scanned the computer with Panda ActiveScan Pro with all options on. The computer locked up and I wasn't able to see the log as to what wasn't clean, and I was just going to install McAfee for the final scan. I was working on getting McAfee installed when I noticed the popups and decided to get it cleaned before continuing forward with the install.

I then ran the HJT to post the results to this list.

I did find Zango and uninstalled it, but still have popups. (I realize Zango is a different issue, but nothing wrong with wishful thinking.)

I'm rescanning with Panda (5 spyware found thus far), and will run another HJT and the Grisoft one you mentioned and will post the results when I have them.

I'm not sure what you want me to move to the root of C:? A copy of the installed HJT?

Thanks
JeanInMontana, posted June 8, 2007, ID:5112

Yes, move the installed program HiJackThis to a folder of its own. Zango is separate; yes, you have several things going on. We will address one at a time. Next goal: get an antivirus scan. You might have to do it in safe mode, but it is going to get rid of the worm you have, because it is an old infection and all current AVs will remove it, I'm sure. We will have a fix for the AVSystemcare soon.

So just to be clear: run the AV scan and AVG Anti-Spyware. Then reboot and post a new log after you have moved HJT to its own folder on C. Any questions, please ask. Communication is key to fixing "stuff".
ambercromby (author), posted June 8, 2007, ID:5136

Here are the latest results. I installed the AVG Free, but didn't see where I could save the scan results; like Panda, it didn't find any viruses.

Attachment: Activescan_Pro.txt
ambercromby (author), posted June 8, 2007, ID:5138

And this. (Didn't notice the failed upload.)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:08:37 PM, on 6/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\HJT\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R3 - URLSearchHook: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKLM\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKLM\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKCU\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc...ss4_1071_em.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - AppInit_DLLs: C:\WINNT\system32\wuauboot.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10036 bytes
JeanInMontana, posted June 8, 2007, ID:5140

The log from Panda was not complete for some reason, but that's OK. Please go here: http://www.symantec.com/security_response/...-030710-2610-99 Print out the instructions for the tool, use it, then post a new log. Also post it just like you did, copied and pasted, not as an attachment. It is much easier to compare logs when they are all in the thread. Did you run the AVG Anti-Spyware?
ambercromby (author), posted June 8, 2007, ID:5142

I thought I was missing one.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at: 11:22:22 AM 6/8/2007

 + Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Instant Access -> Dialer.Generic : No action taken.
C:\WINNT\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : No action taken.
C:\Documents and Settings\The Pouillons\Cookies\the pouillons@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\The Pouillons\Cookies\the pouillons@login.tracking101[2].txt -> TrackingCookie.Tracking101 : No action taken.
C:\Documents and Settings\The Pouillons\Cookies\the pouillons@m.webtrends[2].txt -> TrackingCookie.Webtrends : No action taken.
C:\WINNT\system32\wapisu.exe -> Trojan.Small : No action taken.

::Report end
ambercromby (author), posted June 8, 2007, ID:5143

Here is the result from Symantec:

Symantec W32.serflog Removal Tool 1.1.2
W32.serflog has not been found on your computer.

Didn't re-run HJT as nothing has changed from the last scan.
ambercromby (author), posted June 8, 2007, ID:5153

Latest info.

Uninstalled Instant Access, which required a download to install.
Ran SB S&D.
Installed Panda AV 2007 full version and scanned.
Rebooted and ran HJT again.

All results posted below (had to attach SB as it was too long).

Panda Antivirus + Firewall 2007 incident report

EVENT | DATE | RESULTS | ADDITIONAL INFORMATION
Scan completed | 06/08/07 15:36:30 | | Scan: All My Computer
Tracking program detected: Application/InternetGameBox | 06/08/07 15:31:19 | Notified | Location: C:\WINNT\system32\temp\NSIS_Install_I...
Spyware detected: Cookie/Com.com | 06/08/07 14:58:54 | Eliminated | Location: C:\Documents and Settings\The Pouillons\Cookies\the pouillons@com[1].txt
Scan started | 06/08/07 14:58:16 | | Scan: All My Computer
Update | 06/08/07 14:57:59 | OK | Threat signatures
Update | 06/08/07 14:57:48 | OK | New threat signatures: 31905

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:54:39 PM, on 6/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\WebProxy.exe
C:\HJT\HiJackThis_v2.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\avciman.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\psimreal.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R3 - URLSearchHook: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ppfw] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\Firewall\PPFW.exe" PPFW.exe /cmd:allowpandarules /mod:7 /prod:titanium /dest:"C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\Firewall" /flg:2 /ver:6.01.00
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKLM\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKLM\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKCU\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc...ss4_1071_em.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - AppInit_DLLs: C:\WINNT\system32\wuauboot.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Panda Host Service (PSHost) - Unknown owner - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default))
- Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe--End of file - 11262 bytesSpybotSD.Report.txtSpybotSD.Report.txt Link to post Share on other sites More sharing options...
JeanInMontana Posted June 9, 2007 ID:5165

OK I can't stress enough that you follow instructions and only take actions when and if instructed. Do not install new programs during the fix. You do have serflog and it is evident by several lines in your log. There were infections found by the AVG Spyware scanner but no actions were taken. Please follow these instructions exactly. Take your time and be accurate.

The following explains how to remove items from your computer that are malware. These items must be fixed.

Please set your system to show all files; Windows 2000:
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option. Please be sure to do this for this fix.
* Click Yes to confirm.
* Click OK.

Close all programs leaving only Hijack This! running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
O2 - BHO: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKLM\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKLM\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKCU\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O4 - HKCU\..\Policies\Explorer\Run: [avnort] C:\WINNT\msmbw.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O20 - AppInit_DLLs: C:\WINNT\system32\wuauboot.dll

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

c:\winnt\blank.htm
C:\WINNT\system32\formatsys.exe
C:\WINNT\system32\serbw.exe
C:\WINNT\msmbw.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
C:\WINNT\system32\wuauboot.dll

Exit Explorer, and reboot as normal afterwards.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop. Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes. Let the system reboot.

Post back a fresh HijackThis log and we will take another look.

Note this also: http://www.malwarebytes.org/
ambercromby Posted June 11, 2007 (Author) ID:5254

I had HJT deal with said problems. None of the listed files could be found by me or KillBox. Not sure how to delete O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab, but I searched for installdrivecleanerstart.cab and could not find it either.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:25:11 AM, on 6/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
c:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\psimreal.exe
C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\avciman.exe
C:\HJT\HiJackThis_v2.exe

R3 - URLSearchHook: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ppfw] "C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\Firewall\PPFW.exe" PPFW.exe /cmd:allowpandarules /mod:7 /prod:titanium /dest:"C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\Firewall" /flg:2 /ver:6.01.00
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {201B9B37-848F-40BD-90EA-7B8F0AA89D6A} - http://us2-scripts.dlv4.com/binaries/egacc...ss4_1071_em.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab
O16 - DPF: {AA59202C-5E41-48FC-AF7D-324F5FD6A9F1} - http://us2-scripts.dlv4.com/binaries/egacc..._1070_em_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv50.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Panda Host Service (PSHost) - Unknown owner - c:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

--End of file - 10044 bytes
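The helper's removal post works by hand through the first log: the O4 entries under Policies\Explorer\Run, the O20 AppInit_DLLs line, the orphaned "(no file)" CLSID and the drivecleaner O16 download, and the follow-up log above is what confirms they are gone. The script below is an added example (my own code, not HijackThis's and not anything posted in the thread) that parses HJT log lines, applies the same kind of triage to them, and lists which findings disappeared between a before and an after log. The two sample logs are constructed excerpts of the logs in this thread, and the O16 host allowlist is an assumption made for this machine.

```python
"""Added example: parse, triage and diff HijackThis logs (not code from the thread)."""
import re
from typing import List, NamedTuple, Tuple


class Entry(NamedTuple):
    section: str  # HJT section code, e.g. "O4", "O20", "R3"
    body: str     # text after the "O4 - " prefix


# Every HJT finding starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Hosts this machine is expected to pull ActiveX controls from. Assumption for the
# example: MSN games, Yahoo games, HP, Panda ActiveScan and Webshots appear in both logs.
O16_ALLOWED = ("msn.com", "yahoo.com", "hp.com", "pandasoftware.com", "webshots.com")


def parse_log(text: str) -> List[Entry]:
    """Return the findings in an HJT log; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Flag entries in the locations rogue-AV droppers of this era commonly used."""
    flagged = []
    for e in entries:
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # an AppInit DLL is mapped into every process that loads user32.dll
            flagged.append((e, "AppInit_DLLs injection"))
        elif e.section == "O4" and "Policies\\Explorer\\Run" in e.body:
            # policy autoruns are rarely written by legitimate installers
            flagged.append((e, "policy autorun"))
        elif e.section in ("R3", "O2") and e.body.endswith("(no file)"):
            # registration left behind after its DLL was removed
            flagged.append((e, "orphaned CLSID registration"))
        elif e.section == "O16":
            m = re.search(r"https?://([^/\s]+)", e.body)
            host = m.group(1) if m else ""
            if not host.endswith(O16_ALLOWED):
                flagged.append((e, f"ActiveX download from {host or 'unknown host'}"))
    return flagged


def removed_between(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries present in the first log but gone from the follow-up log."""
    after_set = set(after)
    return [e for e in before if e not in after_set]


# Constructed excerpt of the log posted before the fix.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\winnt\blank.htm
R3 - URLSearchHook: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Policies\Explorer\Run: [ltwob] C:\WINNT\system32\formatsys.exe
O4 - HKCU\..\Policies\Explorer\Run: [serpe] C:\WINNT\system32\serbw.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://cdn.drivecleaner.com/installdrivecleanerstart.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O20 - AppInit_DLLs: C:\WINNT\system32\wuauboot.dll
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
"""

# Constructed excerpt of the follow-up log posted after the fix.
AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINNT\System32\smss.exe
R3 - URLSearchHook: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
"""


if __name__ == "__main__":
    before, after = parse_log(BEFORE_LOG), parse_log(AFTER_LOG)
    for entry, reason in triage(before):
        print(f"{entry.section:<4} {reason}: {entry.body}")
    print(f"{len(removed_between(before, after))} findings gone in the follow-up log")
```

Run against the two excerpts, the before log yields six flagged findings and the after log only the orphaned R3 URLSearchHook, which is exactly the leftover the helper asks to be fixed in the next post; the O16 rule is deliberately an allowlist rather than a blocklist, because a download host you have never seen is the thing worth a second look.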
JeanInMontana Posted June 11, 2007 ID:5256

The log looks good. Are you still having symptoms?

ambercromby Posted June 11, 2007 (Author) ID:5257

Problem seems to be solved. Thanks so much.
JeanInMontana Posted June 11, 2007 ID:5259

You're welcome, but there are still a few things to do. Just to clean up, run HJT again and put a check next to this item.

R3 - URLSearchHook: (no name) - {40B666C0-8958-AD87-5D94-F74A34D9F6E6} - (no file)

You need to reset your System Restore points to flush any infected ones and then create a new clean restore point. To do that open the Help and Support Center and on the left you will see System Restore settings, click it and turn off System Restore. Then in the Help and Support Center under Undo changes to my computer (or similar wording) choose the System Restore link and click on create a system restore point. Give it a name like the date and clean restore point or something similar.

You might also want to run CC Cleaner to get rid of all the excess garbage files. It's free and will free up lots of wasted disk space.

Now you need to uninstall your Adobe Acrobat Reader and install the latest one. You have one with known security flaws. You also need to install the latest Java for security reasons. Uninstall your old version via Add/Remove programs and delete the program file. Then go here and get the correct download for your system. Make sure it is the offline version and install it.

You should also consider adding a layer of prevention for your system with some great freeware that will help prevent future infections: SpywareBlaster from Javacool, WinPatrol from BillPStudios; also be sure to immunize with Spybot Search and Destroy and enable the IE protection feature.

Tomorrow go to the Windows Update site and get the latest updates for your system.
theBentos Posted June 12, 2007 ID:5290

Hi, I have been trying to remove popups from a friend's PC. I have run Ad Aware, SpyBot and AVG scans, which seem to have got rid of most of the problems. However, I am still getting an AVSystemCare.com popup which I can't seem to remove. I have already performed some searches on this piece of malware, and haven't found much info on removing it. Anyone have any advice on the best way of getting rid of this popup?? Thanks.
JeanInMontana Posted June 12, 2007 ID:5297

> Hi, I have been trying to remove popups from a friend's PC. I have run Ad Aware, SpyBot and AVG scans, which seem to have got rid of most of the problems. However, I am still getting an AVSystemCare.com popup which I can't seem to remove. I have already performed some searches on this piece of malware, and haven't found much info on removing it. Anyone have any advice on the best way of getting rid of this popup?? Thanks.

Hi and welcome to Malwarebytes. Please start your own topic and we will help you. You will get the full attention for your problem that way. This topic only pertains to the problems for this user; your circumstances are probably not the same.