
Computer runs slow, internet is intermittent, IE searchbar hijacked.

Discussion in 'Virus & Other Malware Removal' started by MattSmith, Jun 23, 2007.

Thread Status:
Not open for further replies.
  1. MattSmith

    MattSmith Thread Starter

    Joined:
    Jun 23, 2007
    Messages:
    1
    I followed one of your threads and came to a point where you had Avenger remove some files, and I read the warning. Ran HijackThis after reboot. Please help!!! Thank you for trying to help me!!!
    I am not sure which files to delete in the HijackThis log or in Process Explorer. Spybot runs cleanly now. Here are my latest logs.
    AVG Anti-Spyware will reboot the computer, but I will continue to get the Adware.CoolWebSearch virus.
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:32:57 PM 6/22/2007

    + Scan result:



    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{153707B5-D0ED-A171-CBB3-87B9E1296513} -> Adware.CoolWebSearch : No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A7656B1-818D-64B0-57D8-796789B55F4B} -> Adware.CoolWebSearch : No action taken.
    HKU\S-1-5-21-2000478354-1708537768-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{153707B5-D0ED-A171-CBB3-87B9E1296513} -> Adware.CoolWebSearch : No action taken.
    HKU\S-1-5-21-2000478354-1708537768-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A7656B1-818D-64B0-57D8-796789B55F4B} -> Adware.CoolWebSearch : No action taken.


    ::Report end

    Here is my latest

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/24/2007 at 06:20 PM

    Application Version : 3.8.1002

    Core Rules Database Version : 3260
    Trace Rules Database Version: 1253

    Scan type : Quick Scan
    Total Scan Time : 01:00:09

    Memory items scanned : 480
    Memory threats detected : 0
    Registry items scanned : 979
    Registry threats detected : 1
    File items scanned : 105464
    File threats detected : 4

    Adware.Vundo Variant
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{DC192567-65F9-4AB6-ADB7-E13575F81726}

    Adware.ClickSpring/Outer Info Network
    C:\Documents and Settings\xxx\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\xxx\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Documents and Settings\xxx\Start Menu\Programs\Outerinfo

    Adware.eZula
    C:\WINDOWS\SYSTEM32\HASVPSLD.EXE

    Here is my latest
    Logfile of HijackThis v1.99.1
    Scan saved at 6:37:35 PM, on 6/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\niSvcLoc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\xerox\Pagis\Monitor.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.foxnews.com
    O2 - BHO: (no name) - {153707B5-D0ED-A171-CBB3-87B9E1296513} - (no file)
    O2 - BHO: (no name) - {4A7656B1-818D-64B0-57D8-796789B55F4B} - (no file)
    O2 - BHO: (no name) - {5B83899F-5D9B-2AAC-7C12-6F5344F9A02B} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [XeroxScannerDaemon] "C:\Program Files\Xerox\NWWia\XrxFTPLt.exe"
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Pagis Scheduler.lnk = C:\Program Files\xerox\Pagis\Monitor.exe
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute Lite Edition\vrie.dll
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
    O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144175428187
    O16 - DPF: {C77FB8C0-8B6D-440E-AC26-2BD39E97E8F2} (SpdTCtl Class) - http://speedtest.adelphia.net/customerdiag/speedtest/SPEEDTESTACTIVEX.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02400038-23EF-4274-8C62-1D850379FC74}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{510A834B-6ED6-4AE7-A22A-C62275FB6F29}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DB52E487-A950-4DAF-8120-B14A9EAF436F}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E9208D25-E2A6-4797-B135-93E8AEDE3A6A}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{02400038-23EF-4274-8C62-1D850379FC74}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{02400038-23EF-4274-8C62-1D850379FC74}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\epkbsrqh.exe (file missing)
    O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
    O23 - Service: NILM License manager - Macrovision Corporation - C:\Program Files\National Instruments\shared\License Manager\Bin\lmgrd.exe
    O23 - Service: NI Service Locator (niSvcLoc) - National Instruments - C:\WINDOWS\system32\niSvcLoc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!

    Click Start - Run - and type in:

    services.msc

    Click OK.

    In the services window find:

    DomainService - Unknown owner

    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.
    Exit the Services utility.


    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.



    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {153707B5-D0ED-A171-CBB3-87B9E1296513} - (no file)
    O2 - BHO: (no name) - {4A7656B1-818D-64B0-57D8-796789B55F4B} - (no file)
    O2 - BHO: (no name) - {5B83899F-5D9B-2AAC-7C12-6F5344F9A02B} - (no file)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{02400038-23EF-4274-8C62-1D850379FC74}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{510A834B-6ED6-4AE7-A22A-C62275FB6F29}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DB52E487-A950-4DAF-8120-B14A9EAF436F}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E9208D25-E2A6-4797-B135-93E8AEDE3A6A}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS2\Services\Tcpip\..\{02400038-23EF-4274-8C62-1D850379FC74}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CS3\Services\Tcpip\..\{02400038-23EF-4274-8C62-1D850379FC74}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 207.68.160.190 194.25.2.129 208.67.222.222
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\epkbsrqh.exe (file missing)

    Close all applications and browser windows before you click "fix checked".


    Restart the machine and post your hijackthis log again.
     
Short URL to this thread: https://techguy.org/587765