califi

[Solved]Newxp Pro User Hjt Log


Hi there.

Been struggling with some problems for two days now, but as a pretty Intermediate home user, I'm now at a total loss!

 

First, my HJT logs taken two mins ago:

 

Logfile of HijackThis v1.99.0

Scan saved at 20:13:11, on 10/02/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\winService.exe

C:\WINDOWS\System32\filees.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\msbin32.exe

C:\WINDOWS\System32\dgstetab.exe

C:\WINDOWS\System32\gah95on6.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\Program Files\BullsEye Network\bin\bargains.exe

C:\Documents and Settings\------\Desktop\HijackThis.exe

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O4 - HKLM\..\Run: [Microsoft Security] winService.exe

O4 - HKLM\..\Run: [NTFSS MICROSOFT SYSTEM] filees.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [regmgr32nt] msbin32.exe

O4 - HKLM\..\Run: [uF5f3ni] dgstetab.exe

O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\RunServices: [Microsoft Security] winService.exe

O4 - HKLM\..\RunServices: [NTFSS MICROSOFT SYSTEM] filees.exe

O4 - HKLM\..\RunServices: [regmgr32nt] msbin32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [NTFSS MICROSOFT SYSTEM] filees.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [regmgr32nt] msbin32.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - HKCU\..\RunServices: [regmgr32nt] msbin32.exe

O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

 

 

I did a PCPitstop virus scan and was recorded as having 2x trj/downloader-CPV and Gaobot.AMT viruses.

 

My antivirus, Avast HE4, couldn't find them, and although I tried googling, checking the forums and running TrendMicro's Gaobot special cleaner (which came up clean), I could find nothing on them.

 

BUT, my Avast keeps alerting me to this:

 

"A Virus was found: Virus name: Win32:Trojano-803[trj]

File name: C:/temp/NCasePackage.exe. VPS Version: 0506-0. 08/02/2005."

Tried Delete/Repair/Move to chest and I get this:

"Windows cannot find 'C:/temp/NCasePackage.exe'. Make sure you typed the name correctly, blah blah." And it is happening every couple of minutes.

 

I checked all my folders and found this list of unknown/unsure apps:

 

asgd

installer

pedxz

pedz

pudjz

secure

secure2

wlax

a temp folder with Bargains.exe & cxtpls_loader_ff.exe. Removed several times, but they keep coming back.

 

 

Help, please???? All the backups I saved on CDs ready for after my format to XP Pro, including TWO complete folders of SITE/ASSETS, are refusing to load, as well as all my accumulated bookmarks and documents/treasured apps. :help: [My sites are still online, but no idea if I can just import them back onto my web author/HD.]

 

Cali x

Edited by califi


Hello Cali,

 

Please temporarily disable Spybot's Teatimer function by following the advice here: http://russelltexas.com/malware/teatimer.htm. This is because it may interfere with any changes we need to make. You can re-enable it when we're sure your log is clean.

 

Follow the tutorial here to download and configure Ad-Aware: http://www.bleepingcomputer.com/forums/ind...showtutorial=48. Do not run it yet, we'll do that a bit later.

 

Download and install: CCleaner from here. Once again, don't run it yet.

 

Make sure you have Set Windows to show Hidden Files & Folders.

 

You may want to print out the rest of these steps to refer to as you go as we'll be working offline.

 

Reboot into safe mode and follow these steps:

 

Restart HijackThis and put checks next to the following, close all browser windows (including this one) then click on 'Fix Checked':

 

O4 - HKLM\..\Run: [Microsoft Security] winService.exe

O4 - HKLM\..\Run: [NTFSS MICROSOFT SYSTEM] filees.exe

O4 - HKLM\..\Run: [regmgr32nt] msbin32.exe

O4 - HKLM\..\Run: [uF5f3ni] dgstetab.exe

O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe

O4 - HKLM\..\RunServices: [Microsoft Security] winService.exe

O4 - HKLM\..\RunServices: [NTFSS MICROSOFT SYSTEM] filees.exe

O4 - HKLM\..\RunServices: [regmgr32nt] msbin32.exe

O4 - HKCU\..\Run: [NTFSS MICROSOFT SYSTEM] filees.exe

O4 - HKCU\..\Run: [regmgr32nt] msbin32.exe

O4 - HKCU\..\RunServices: [regmgr32nt] msbin32.exe

 

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe

 

Now navigate to and delete the following if present:

 

C:\WINDOWS\System32\winService.exe <-------- Delete this file.

C:\WINDOWS\System32\filees.exe <-------- Delete this file.

C:\WINDOWS\System32\msbin32.exe <-------- Delete this file.

C:\WINDOWS\System32\dgstetab.exe <-------- Delete this file.

C:\WINDOWS\System32\gah95on6.exe <-------- Delete this file.

C:\WINDOWS\zeta.exe <-------- Delete this file.

 

Run CCleaner then tick the following:

[screenshot of the CCleaner options to tick was attached here; not preserved]

Then click Run Cleaner (bottom right) then, when it finishes scanning, click Exit.

 

Now click on Start | Run and type in: %temp% then click OK. Delete everything in that folder.

 

Run CWShredder: click on the cwshredder.exe, then click "Fix" (not "Scan only") and let it do its thing.

 

Now run Ad-Aware. Let it fix anything it finds.

 

Reboot as normal then post a fresh HijackThis log and let us know how things are running.

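As an added illustration (this is not code from the thread, from HijackThis, or from any tool the helper names), the Python script below applies the pattern behind Nirvana's fix list to O4 and O23 lines: an autorun whose command is a bare filename with no directory, an executable in the Windows directory that is not a known system autorun, a display name that borrows words like "Microsoft" or "Security", and a service with an "Unknown" vendor whose binary sits outside Program Files. The sample lines are copied from the first log in this thread; the heuristics, the WINDIR_ALLOWLIST and the MIMIC_WORDS list are this example's own assumptions, not HijackThis rules.

```python
"""Triage HijackThis-style autorun (O4) and service (O23) lines.

Added example, not part of the original thread or of HijackThis itself.
The heuristics below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4/O23 lines from the first log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Security] winService.exe
O4 - HKLM\..\Run: [NTFSS MICROSOFT SYSTEM] filees.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\RunServices: [regmgr32nt] msbin32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")

# Assumed allowlist: binaries that legitimately live under %WINDIR% and appear in Run keys on XP.
WINDIR_ALLOWLIST = {"ctfmon.exe"}
# Assumed list of words an entry *name* may use to look like an official component.
MIMIC_WORDS = ("microsoft", "windows", "security", "system")


@dataclass
class Finding:
    line: str
    executable: str          # basename of the program the entry launches
    reasons: list = field(default_factory=list)


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command, handling quoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> list:
    """Return one Finding per O4/O23 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("command"))
            low = exe.lower()
            if "\\" not in exe:
                reasons.append("bare filename: resolved via the search path (System32 on XP), not an explicit install location")
            elif "\\windows\\" in low and basename(low) not in WINDIR_ALLOWLIST:
                reasons.append("runs from the Windows directory but is not a known system autorun")
            if any(w in m.group("name").lower() for w in MIMIC_WORDS) and "\\windows\\" not in low:
                reasons.append("entry name mimics a Microsoft/Windows component but the program is not a Windows binary")
            if reasons:
                findings.append(Finding(line, basename(exe), reasons))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if m.group("company").lower() == "unknown" and "program files" not in path.lower():
                reasons.append("service with no vendor name whose binary is outside Program Files")
            if reasons:
                findings.append(Finding(line, basename(path), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run as a script, it prints each flagged line with its reasons. On the sample it flags exactly winService.exe, filees.exe, gah95on6.exe, msbin32.exe and zeta.exe, the same five binaries the fix list above tells Cali to remove, and leaves the avast!, ZoneAlarm and ctfmon entries alone. The vendor check deliberately does not flag avast!'s "Unknown" services, because an unsigned vendor string on its own says little when the binary sits in the product's own Program Files folder.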

Hi Nirvana B):)

 

Apologies for taking so long to reply. My Avast AV came up as infected in a scan and I had to remove it and dig out an old AVG + update... Also installed the Trojan Hunter trial. Made the mistake of installing SpyDoctor and paid dearly for it re: spyfeast of the century *thud*, but removed it successfully.

 

Did as you suggested. Printer out of ink, so I hand-wrote it, and I think my hand muscles were protesting at using different muscles from those used for typing ;)

 

Anyhoo, my PC seems a lot faster now, and here are my new HJT logs:

 

Logfile of HijackThis v1.99.0

Scan saved at 16:15:00, on 11/02/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Sachiel\Desktop\HijackThis.exe

 

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

Does that look better? [fingers crossed]

 

Thank you so much for your help. Muchly appreciated.

 

Cali xx :D

 

Oh [PS] My brother suggested that I install Service Pack 2. Should I? Thanks again in advance. Cx

Edited by califi


Oh [ps] My brother suggested that I install Service Pack 2. should I?

Absolutely, although your log looks very short, can you post one after a reboot into normal mode please?


Again, a delay... sorry about that. I was installing SP2 and the first attempt failed when my PC froze completely mid-install.

 

Since it recovered and SP2 was reinstalled [successfully, it said], I've had a few probs with apps such as SiSoft Sandra Lite, which won't work, saying it cannot find my data *thud*. Plus an earlier check I made pre-SP2 said I was missing a process module [wmiprvs]. Not sure what to do about that.

 

...added to my main CD-RW ROM appearing and disappearing like the Cheshire cat in my Control Panel/My Computer... usually when I go beyond virus checking the backup discs [I still can't get into them since the format/changeover to XP Pro] and try to open them.

 

I honestly feel like chucking the pc away and doing without right now!

 

Anyhoo, enough of that... here is my latest HJT log since I installed SP2:

 

Logfile of HijackThis v1.99.0

Scan saved at 16:32:52, on 12/02/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\WINDOWS\explorer.exe

C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe

C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR1\RpcSandraSrv.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\------\Desktop\HijackThis.exe

 

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108158957280

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotion...ctor/WebAAS.cab

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

 

[Will be removing the anonymiser entry]

 

 

I do have stuff I monitored whilst installing in my ignore list. Would that be listed here too? Was thinking that is why it may seem short... I haven't, as said, touched HJT since I did the corrections you advised me on.

 

AVG/Spybot/Ad-Aware/TH all say my PC is clear of anything rotten, so hopefully that is a good sign.

 

Thank you for all of your help, nirvana. Much appreciated.

 

Cali xx :D


I think I am... but not PC-aware enough to understand it exactly [pretty much self-taught and picking up stuff along the way]... When I try SiSoft Sandra, I get this message:

 

"SiSoft Sandra

The server has reported the following error: could not initialise database! Check database file, database server, or MDAC."

 

and the task icons were missing, although I could use most of the tools from the task bar above.

 

Plus when I had my disc health check here, I got this error box:

 

"16-bit MS-Dos subsystem

C:\Windows\System32\pcp bios.exe

C:\" " \ " "\Autoexec.NT

 

the system file is not suitable for running MS-DOS and Microsoft Windows application. Choose 'close' to terminate the application [got a good scan result from PCPS btw]."

 

I did have a fault with a freeze halfway through when SP2 was first doing an install, but it seemed to recover once I went into SM and it sorted the hardware; then I found a new update install for it in the task bar when I rebooted.

 

I also know the BIOS is old. Here are the specs:

 

System man: PB

Sys type: X86-based pc

Proc: x86 Family 6 Model 4 Stepping 2 AuthenticAMD ~848MHz [know it's low, ack! saving the pennies]

BIOS Version/date: American Megatrends Inc. A691P2130 07/06/2000

SMBIOS Version: 2.2

 

Bit worried about flashing the BIOS after everything that's been happening, though. Knowing my luck, it will implode or something. :rolleyes:

 

Should I run Dr Watson/disc clean? Or is it something I could correct manually?

 

The good news? I ran the scan from here again, and this time the system is virus free, which heralds a bl**dy YAY, lol!

 

So... should I get the hammer yet? ;)

 

Thanks again for taking the time to help out.

 

Cali xx :)


"16-bit MS-Dos subsystem

C:\Windows\System32\pcp bios.exe

C:\" " \ " "\Autoexec.NT

 

the system file is not suitable for running MS-DOS and Microsoft Windows application. Choose 'close' to terminate the application

Download 16bit_fix.exe from the link Here. When it is downloaded, double-click it to run it. It reinstalls the missing or corrupt XP system files command.com, autoexec.nt and config.nt which cause the error.

 

Then post another HijackThis log (with nothing in the ignore list) and let us know of any issues you are still having.


Hi Nirvana :)

 

I couldn't figure out how to add the ignore list to the save, so I have copied it below:

 

Logfile of HijackThis v1.99.0

Scan saved at 10:26:43, on 13/02/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe

C:\Documents and Settings\Sachiel\Desktop\HijackThis.exe

 

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [incrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1108158957280

O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab

 

Ignore list:

 

04 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

04 - HKCU\..Run: [incredimail] C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

04 - Global Startup: Microsoft Office.Ink = C:\Program Files\Common Filess\Adobe\Calibration\Adobe Gamma Loader.exe

04 - Global Startup: Microsoft Office.Ink = C:\Program Files\Microsoft Office\Office\OSA9.EXE

08 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resource\WebMenuImg.htm

09 - Extra button: Messenger - {FB5F 1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

09 - Extra 'Tools' menuitem: Windows Messenger - {FB5F 1910-F110-11d2-BB9E-00C04F795683} -C:\Program Files\Messenger\msmsg.exe

016 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB

016 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -http://v5.windowsupdate.microsoft.com/v5consumer/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108158957280

016 - DPF: {EFAEF0E4-F004-4D57-9900-1C3FF18524C9} (AV Class) - http://222.pcpitstop.com/antivirus/PitPav.cab

 

Hopefully I haven't mistyped any of it, lol.

 

Thanks for the fix - I've applied it. :D

 

Cali xx


It's much faster, which is faboo, lol... but I think I will have to open a thread in Viruses/Spyware now.

 

Just updated my ZoneAlarm and found several Bargain Buddy additions in the program control [blocked them], plus some I'm not sure of at all.

 

I'll add them here, though I might be doing this in the wrong place [sorry!]

 

C:\windows\ahadp.exe

no version/product name

 

C:\windows\sys32\angelex.exe

no product name

version: 1.0.1.0

 

C:\windows\sys32\ap9n4qmo.exe

no product name

V: 4.0.0.2

 

I have left these with question marks so far.

 

Blocked some adtools/family.

Removed one, but not sure if I should have just blocked it, gah! Hindsight is a bitca.

 

Got rid of one called Golden Retriever, but reckon this is how I lost that process module, wmiprvs.exe [I actually put all the exes the virus check picked up in a separate folder in My Docs and zipped it, just in case]

 

I should have come here in the first place before trying to sort it out myself... that is prob why I got into such a mess in the first place. :blushing:

 

I mostly lurk here; been in and out for over a year or so now, lol, and the forum has been really helpful to me in the past.

 

And I just want to say a great big THANK YOU, Nirvana, for helping rescue my beloved PC. This time last week I was practically resigned to losing it.

 

Cali xx :mrwinky:


Please download ServiceFilter.zip. This will reveal potential unauthorized running services in your system. Extract it to a new folder on your desktop. Double-click ServiceFilter.vbs. This script will create a text file named Post_This.txt in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.


Wow! You reply so quickly! *hugs*

 

Did as you instructed and here it is:

 

The script did not recognize the services listed below.

This does not mean that they are a problem.

 

########################################

 

ServiceFilter 1.1

by rand1038

 

Microsoft Windows XP Professional

Version: 5.1.2600 Service Pack 2

Feb 13, 2005 13:27:26

 

 

---> Begin Service Listing <---

 

Unknown Service # 1

Service Name: SandraDataSrv

Display Name: Sandra Data Service

Start Mode: Manual

Start Name: LocalSystem

Description: ...

Service Type: Own Process

Path: c:\program files\sisoftware\sisoftware sandra lite 2005.sr1\rpcdatasrv.exe

State: Stopped

Process ID: 0

Started: False

Exit Code: 1077

Accept Pause: False

Accept Stop: False

 

Unknown Service # 2

Service Name: SandraTheSrv

Display Name: Sandra Service

Start Mode: Manual

Start Name: LocalSystem

Description: ...

Service Type: Own Process

Path: c:\program files\sisoftware\sisoftware sandra lite 2005.sr1\rpcsandrasrv.exe

State: Stopped

Process ID: 0

Started: False

Exit Code: 1077

Accept Pause: False

Accept Stop: False

 

Unknown Service #3

Service Name: SwPrv

Display Name: MS Software Shadow Copy Provider

Start Mode: Manual

Start Name: LocalSystem

Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...

Service Type: Own Process

Path: c:\windows\system32\dllhost.exe /processid:{4a1e1245-ed48-45ff-8e50-078dc6778485}

State: Stopped

Process ID: 0

Started: False

Exit Code: 1077

Accept Pause: False

Accept Stop: False

 

---> End Service Listing <---

 

There are 84 Win32 services on this machine.

3 were unrecognized.

 

Script Execution Time: 9.144531 seconds.

 

 

Cali xx :D

Edited by califi


These files need to be deleted:

 

C:\windows\ahadp.exe

C:\windows\system32\angelex.exe

C:\windows\system32\ap9n4qmo.exe

wmiprvs.exe <-------- Check the spelling on this one wmiprvse.exe (with an 'e' on the end) is valid.

 

Then scan with Ad-Aware again and have it fix anything it finds. Are you still having issues?


Everything seems to be running fine, Nirvana. :)

 

Weird thing though... those exes only show up in ZoneAlarm, with several others, but when I ran a search for them on my PC, they didn't show up at all! Same with the Bargain Buddy entries I blocked.

 

Where do they hide? So weird.

 

 

The wmiprvse one shows up in a search, so I must have removed that other wmiprvs.exe instead. Yay! Thanks for clearing that up for me. :D

Cali xx


Does ZoneAlarm give you a warning that those files are trying to get access to the internet? What exactly is ZoneAlarm telling you? Is Ad-Aware finding anything?


Sorry for the delay, Nirvana. Trying to rescue my site [still no joy *sigh*]: 17 hours of importing and it bellyflopped.

 

Okay... ZoneAlarm isn't sending out any warnings. Found these files in Program Controls. Weird, as that is the only sign I have that they are there.

 

Ad-Aware picks up cache tracking each time I run it. That's it.

 

I've run searches, but only ZA shows these files.

 

Cali xx


Cali, everything looks fine to me. If you're not having any issues you're good to go. If you are having issues, please specify....


You're welcome :)

 

It's a good idea to Flush your System Restore after ridding yourself of malware:

 

1. On the Desktop, right-click My Computer.

2. Click Properties.

3. Click the System Restore tab.

4. Check Turn off System Restore.

5. Click Apply, and then click OK.

6. Restart the computer.

7. Follow steps 1 to 3 again, then uncheck Turn off System Restore.

 

When you are sure you are clean create a restore point.

 

To create a restore point:

 

Single-click Start and point to All Programs.

Mouse over Accessories, then System Tools, and select System Restore.

In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.

Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

 

 

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster, SpywareGuard and IE/Spyad.

 

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

 

More info and download is available at:

SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard: http://www.wilderssecurity.net/spywareguard.html

 

 

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

 

More info and download is available at:

IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm

 

 

Click here to make sure that you have the latest patches for Windows. Click here to get the latest version of Internet Explorer. It's very important to keep your system up to date to avoid unnecessary security risks.

 

You may also want to read Tony Klein's article on "How I got Infected in the First Place":

http://forums.net-integration.net/index.php?showtopic=3051
