Help with Collected.5.L

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

mattamattam

Thread Starter
Joined
Jul 18, 2005
Messages
25
I have Windows XP Professional (don't know about Service Packs installed) and AVG free anti-virus and are being plagued with virus found messages but can't getrid of them no matter what. I tried using your solution for XUINGA but i have none of the same processes as listed for him.

Hijack This has the following results for my system

Logfile of HijackThis v1.99.1
Scan saved at 6:59:00 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\xpjava.exe
C:\Documents and Settings\zed\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Reboot.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DEDF20B-690F-4906-AB6C-A60B8B9E52D5}: NameServer = 203.194.27.57 203.194.56.150
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Could you please help me?
 
Joined
Feb 15, 2004
Messages
12,302
hi, welcome to TSG.


Also download the EliteBar (searchmiracle) Removal Tool (must be run in safe
mode)

http://www.simplytech.it/ETRemover/
http://www.softpedia.com/get/Intern...r-Remover.shtml



Download DelDomains.inf from here:

http://www.mvps.org/winhelp2002/DelDomains.inf

Rightclick DelDomains.inf and choose install.



Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php


* Download the trial version of Ewido Security Suite here


http://www.ewido.net/en/

* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.



download ccleaner

http://www.ccleaner.com/


* Install CCleaner
* Launch CCleaner and look in the upper right corner and click on the "Options" button.
* Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
* Click OK
* Do not run CCleaner yet. You will run it later in safe mode.



go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for neglible risk
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.

reboot again


With CWshredder close all browsers and programmes and select the FIX button.



Go here and download Microsoft Antispyware Beta. First in the top menu click
File then Check for updates to download the definitons updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it
quarantine the items that have that option rather than delete just in case.
It is a beta program and there may be false positives)

Restart your computer.


All tools can be downloaded at the link below and found on that page!

. Microsoft® Windows AntiSpyware
. SpyBot search and destroy
. AdAware SE



http://www.majorgeeks.com/downloads31.html




have hijack this fix these entries. close all browsers and programmes before
clicking FIX.



R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Game Updater] msgame32.exe
O4 - HKLM\..\RunServices: [mouse] mouse.exe
ot.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.



C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
C:\WINDOWS\System32\xpjava.exe



boot to safe mode find and delete these files and folders if there?



How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=


Because XP will not always show you hidden files and folders by default,
Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden
files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked. Also
uncheck "Hide protected operating system files" and "Hide extensions for
known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


msgame32.exe
mouse.exe




* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop



Now run ccleaner.



post another log and the ewido log
 

mattamattam

Thread Starter
Joined
Jul 18, 2005
Messages
25
Thanks I have gotton rid of that damn virus but couldn't run AdAware SE Personal 1.6 because C:\WINDOWS\SYSTEM32\AUTOEXEC.NT is inappropriate for running MS-DOS programs. As I have a premade computer I don't have the XP installation disks. Also in the solution a CWshredder is mentioned but no source for it mentioned. Is that just a typo?

Here is the new Hijack This log.

Logfile of HijackThis v1.99.1
Scan saved at 5:55:47 PM, on 7/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\zed\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

and the ewido one

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:50:03 PM, 7/20/2005
+ Report-Checksum: D1851B29

+ Scan result:

HKU\.DEFAULT\Software\sais -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-18\Software\sais -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reboot.exe -> Trojan.Reboot : Cleaned with backup
:mozilla.29:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.88:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.89:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.90:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.91:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.103:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.104:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.105:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.106:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.107:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.108:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.110:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.125:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.126:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.131:C:\Documents and Settings\zed\Application Data\Mozilla\Firefox\Profiles\k6vi8hs8.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\zed\Cookies\[email protected][1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\zed\Cookies\[email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\zed\Local Settings\Temp\uninstall.exe -> Spyware.EliteBar : Cleaned with backup
C:\Documents and Settings\zed\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\RECYCLER\S-1-5-21-1229272821-602162358-839522115-1003\Dc21.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\RECYCLER\S-1-5-21-1229272821-602162358-839522115-1003\Dc22.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\[email protected][2].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49OBG987\cmctl[1].dll -> Spyware.AdMir : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49OBG987\sidefind13[1].dll -> Spyware.SideFind : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U32PSXMT\sfbho13[1].dll -> Spyware.SideFind : Cleaned with backup


::Report End
 
Joined
Feb 15, 2004
Messages
12,302
try this for the adaware error.



http://www.visualtour.com/downloads/


No, I never put in the link, it wasn't meant to be there for this infection! But here it is if you need it!

. CWShredder

http://www.soft32.com/download_19014.html



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe



Now reboot to safe mode find and delete these files and folders if there?



How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam




Because XP will not always show you hidden files and folders by default,
Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden
files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked. Also
uncheck "Hide protected operating system files" and "Hide extensions for
known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


xpjava.exe




Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!


post another log and the active scan log
 

mattamattam

Thread Starter
Joined
Jul 18, 2005
Messages
25
Thank you. I assume that you meant to download XP FIX.EXE at visualtour.com/downloads but now i get multiple messages about the NTVDM CPU encountering illegal instruction. Which files did you want me to delete in safe mode?

With the Active Scan Results I didn't delete the infected files as with the adware i don't know where they are and with the files in the windows folder i didn't delete them in case I deleted something important except the ones in Temp internet files

Hijack This log is below

Logfile of HijackThis v1.99.1
Scan saved at 5:22:22 PM, on 7/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Shareaza\Shareaza.exe
C:\Documents and Settings\zed\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DEDF20B-690F-4906-AB6C-A60B8B9E52D5}: NameServer = 203.194.27.57 203.194.56.150
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

and the Active Scan


Incident Status Location

Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/elitebar No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT\POST PLATFORM\IEBAR
Virus:W32/SdBot.EGQ.worm Disinfected C:\!Submit\xpjava.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49OBG987\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QJE18FKP\dating[1].bmp
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QJE18FKP\stubinstaller5041[1].ex_
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\QJE18FKP\webservice[1].htm
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U32PSXMT\drugs[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U32PSXMT\fav[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ULYVE1I9\casino[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ULYVE1I9\virus[1].bmp
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\o
Virus:Application/Restart No disinfected C:\WINDOWS\system32\Tools\Restart.exe
 
Joined
Feb 15, 2004
Messages
12,302
your log is clean.

How's your computer running any better?


uninstall adaware and reinstlal it, see if that helps.


go here and empty out this folder.


C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\WINDOWS\system32\o
C:\WINDOWS\system32\Tools\Restart.exe
 

mattamattam

Thread Starter
Joined
Jul 18, 2005
Messages
25
Thanks for your help but Collected has popped up again, what should I do?
Here is a HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 4:21:24 PM, on 7/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\xpjava.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\zed\Desktop\New Folder\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DEDF20B-690F-4906-AB6C-A60B8B9E52D5}: NameServer = 203.194.27.57 203.194.56.150
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top