
mgrs.exe-somebody please help me!

Discussion in 'Virus & Other Malware Removal' started by tluck1, Jul 17, 2007.

Thread Status:
Not open for further replies.
  1. tluck1

    tluck1 Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    8
    I'm losing everything on my computer! I've downloaded everything under the sun after I googled this disease and NOTHING is killing or even detecting this thing. PLEASE HELP!!!!

    hijack list below:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:10:52 AM, on 7/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\mgrs.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Tara\LOCALS~1\Temp\monserver.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\DOCUME~1\Tara\LOCALS~1\Temp\serverserver.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - C:\WINDOWS\qnxplugin.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
    O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [ZSScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware\
    O4 - Startup: .protected
    O4 - Global Startup: .protected
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O21 - SSODL: msddx - {BAC17D8D-03DF-495F-93A4-09CF28B24F3B} - C:\WINDOWS\msddx.dll
    O21 - SSODL: msqnx - {CDB96C1F-0CD0-4ACF-95EC-CB0D539A48D6} - C:\WINDOWS\msqnx.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBMSoftware - C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
     
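A HijackThis log like the one above is read by hand, entry by entry, and the helper in this thread acts on a handful of patterns: executables launched from a Temp folder, a Run entry that names a bare `mgrs.exe` with no path, BHO and SSODL DLLs sitting directly in C:\WINDOWS rather than in a product folder, a start page pointing somewhere other than the usual home domains, and orphaned "(no file)" entries. The following script is an editor-added example, not part of the thread and not HijackThis code; it encodes those same patterns as triage rules and runs them over lines copied from the log above. The rules, the severity labels and the list of expected home domains are this example's own assumptions, and an unqualified executable name only means "check where it resolves" (in this thread ComboFix's Reg Loading Points section resolves `Ati2mdxx.exe` to C:\WINDOWS\system32, while `mgrs.exe` turns out to live in C:\WINDOWS).

```python
"""Triage a HijackThis v1.99 log for the indicators this thread turned on.

Editor-added example; it is not part of the thread and not HijackThis code.
The heuristics are this example's assumptions, chosen to mirror what the
helper fixed: binaries launched from a Temp folder, Run entries that name an
executable without a path, DLLs dropped straight into C:\\WINDOWS, a start
page on an unfamiliar domain, and orphaned entries.
"""
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied verbatim from the first log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\mgrs.exe
C:\DOCUME~1\Tara\LOCALS~1\Temp\monserver.exe
C:\DOCUME~1\Tara\LOCALS~1\Temp\serverserver.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - C:\WINDOWS\qnxplugin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - Startup: .protected
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O21 - SSODL: msddx - {BAC17D8D-03DF-495F-93A4-09CF28B24F3B} - C:\WINDOWS\msddx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
"""

# Domains the log's own default home/search entries point to. Assumption of
# this example: any other domain in an R0/R1 line is a hijack candidate.
EXPECTED_HOME_DOMAINS = ("yahoo.com", "msn.com", "microsoft.com")

_RUN_ENTRY = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_STARTUP_ENTRY = re.compile(r"^O4 - (?:Global )?Startup: (?P<item>.+)$")
_HOME_ENTRY = re.compile(
    r"^R[01] - .*?(?:Start Page|Default_Page_URL|Search Bar|SearchURL,\(Default\)) = (?P<url>\S+)$")
_COM_ENTRY = re.compile(
    r"^O2[01]? - .* - (?P<path>[A-Za-z]:\\.*\.dll)(?: \(file missing\))?$", re.IGNORECASE)
# A DLL with exactly one path component after WINDOWS\ (no product subfolder).
_WINDOWS_ROOT_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
_SEVERITY = {"high": 0, "medium": 1, "low": 2}


def split_sections(text):
    """Separate the 'Running processes' paths from the R*/F*/O* entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif re.match(r"^[RFO]\d+ - ", line):
            entries.append(line)
    return processes, entries


def _home_domain_unexpected(url):
    host = urlparse(url).hostname or ""
    return not any(host == d or host.endswith("." + d) for d in EXPECTED_HOME_DOMAINS)


def triage(text):
    """Return (severity, reason, line) findings, most severe first."""
    findings = []
    processes, entries = split_sections(text)
    for proc in processes:
        if re.search(r"\\temp\\", proc, re.IGNORECASE):
            findings.append(("high", "process running from a Temp folder", proc))
    for line in entries:
        if line.endswith(("(no file)", "(file missing)")):
            findings.append(("low", "orphaned entry, target no longer exists", line))
            continue
        if (m := _RUN_ENTRY.match(line)) and "\\" not in m["cmd"].strip('"'):
            # Bare names are resolved through the search path at logon, so the
            # log alone cannot tell which copy runs; check the resolved path.
            findings.append(("high", "Run entry names an executable without a path", line))
        elif (m := _STARTUP_ENTRY.match(line)) and not m["item"].split(" = ")[0].lower().endswith(
                (".lnk", ".exe", ".url")):
            findings.append(("medium", "startup item that is not a shortcut or executable", line))
        elif (m := _HOME_ENTRY.match(line)) and _home_domain_unexpected(m["url"]):
            findings.append(("high", "IE start/search page points at an unexpected domain", line))
        elif (m := _COM_ENTRY.match(line)) and _WINDOWS_ROOT_DLL.match(m["path"]):
            findings.append(("high", "BHO/shell DLL loaded directly from the Windows folder", line))
    findings.sort(key=lambda f: _SEVERITY[f[0]])
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {line}")
```

Run against the sample it flags the two Temp-folder processes, the softwarereferral.com start page, `mgrs.exe`, `qnxplugin.dll`, `msddx.dll` and the `.protected` startup item, and leaves the Adobe, Apoint and Yahoo entries alone; every flagged item is one ComboFix later deleted or the helper asked to have fixed.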
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!

    You have two anti-virus programs running, which will cause trouble. Uninstall one of them.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  3. tluck1

    tluck1 Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    8
    OK. I deleted everything except SUPERAntiSpyware (a program I saw recommended to another user that has the mgrs.exe). What you see from the HijackThis reports are things that Add/Remove will NOT get rid of, for whatever reason. I'm getting ready to run this ComboFix and I'll put the results up. Thanks!
     
  4. tluck1

    tluck1 Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    8
    "Tara" - 2007-07-17 19:49:44 - ComboFix 07-07-13.8 - Service Pack 2 NTFS


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\.protected
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\.protected
    C:\DOCUME~1\Tara\Desktop.\Error Cleaner.url
    C:\DOCUME~1\Tara\Desktop.\Privacy Protector.url
    C:\DOCUME~1\Tara\Desktop.\Spyware&Malware Protection.url
    C:\DOCUME~1\Tara\FAVORI~1.\Error Cleaner.url
    C:\DOCUME~1\Tara\FAVORI~1.\Privacy Protector.url
    C:\DOCUME~1\Tara\FAVORI~1.\Spyware&Malware Protection.url
    C:\DOCUME~1\Tara\STARTM~1\Programs\Startup.\.protected
    C:\Program Files\NewMediaCodec
    C:\WINDOWS\.protected
    C:\WINDOWS\dat.txt
    C:\WINDOWS\mgrs.exe
    C:\WINDOWS\msddx.dll
    C:\WINDOWS\msqnx.dll
    C:\WINDOWS\privacy_danger
    C:\WINDOWS\privacy_danger\images\capt.gif
    C:\WINDOWS\privacy_danger\images\danger.jpg
    C:\WINDOWS\privacy_danger\images\down.gif
    C:\WINDOWS\privacy_danger\images\spacer.gif
    C:\WINDOWS\privacy_danger\index.htm
    C:\WINDOWS\qnxplugin.dll
    C:\WINDOWS\rs.txt
    C:\WINDOWS\system32\drivers\etc\.protected


    ((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


    2007-07-17 19:14 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-17 09:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-17 09:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-17 09:47 <DIR> d-------- C:\DOCUME~1\Tara\APPLIC~1\SUPERAntiSpyware.com
    2007-07-17 09:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-16 14:54 <DIR> d-------- C:\!KillBox
    2007-07-16 14:42 <DIR> d-------- C:\WINDOWS\system32\zsfiles
    2007-07-16 14:33 131,072 --a------ C:\WINDOWS\system32\datestamp.dll
    2007-07-16 14:12 <DIR> d-------- C:\WINDOWS\system32\ZeroSpyware
    2007-07-16 14:07 <DIR> d-------- C:\Program Files\FBM Software
    2007-07-16 14:03 58,368 --a------ C:\WINDOWS\Unwash6.exe
    2007-07-16 07:09 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-07-16 06:38 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-07-16 06:32 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-07-16 03:51 9,728 --a------ C:\WINDOWS\system32\syswin6000.exe
    2007-06-28 12:55 <DIR> d-------- C:\Program Files\iTunes
    2007-06-28 12:55 <DIR> d-------- C:\Program Files\iPod
    2007-06-19 14:07 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-17 00:12:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-07-16 14:25:33 -------- d-----w C:\DOCUME~1\Tara\APPLIC~1\Ahead
    2007-07-13 11:46:29 -------- d-----w C:\DOCUME~1\Tara\APPLIC~1\U3
    2007-07-06 14:12:18 -------- d-----w C:\Program Files\Winamp
    2007-06-18 00:22:15 -------- d-----w C:\DOCUME~1\Tara\APPLIC~1\AdobeUM
    2007-06-06 12:29:30 3,759 ----a-w C:\WINDOWS\mozver.dat
    2007-06-03 05:42:32 -------- d-----w C:\Program Files\Common Files\Real
    2007-06-03 05:42:02 -------- d-----w C:\DOCUME~1\Tara\APPLIC~1\Real
    2007-05-31 03:12:10 -------- d--h--w C:\DOCUME~1\Tara\APPLIC~1\Move Networks
    2007-05-29 09:34:05 -------- d-----w C:\DOCUME~1\Tara\APPLIC~1\Apple Computer
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-12-18 04:16 59032 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C87D64B5-DF92-4703-90CB-B465B6982941}]
    C:\WINDOWS\qnxplugin.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 18:40]
    "ATIModeChange"="Ati2mdxx.exe" [2004-04-01 22:16 C:\WINDOWS\system32\Ati2mdxx.exe]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-03-25 16:00]
    "Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 08:05]
    "eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 04:21]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 20:01]
    "Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 00:43]
    "LWBMOUSE"="C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE" [2001-11-08 20:47]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 11:40]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 08:32]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
    "ZSScheduler"="C:\Program Files\FBM Software\ZeroSpyware\ZSScheduler.dll, runScheduler C:\Program Files\FBM Software\ZeroSpyware\" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoDispAppearancePage"=0 (0x0)
    "NoColorChoice"=0 (0x0)
    "NoSizeChoice"=0 (0x0)
    "NoDispBackgroundPage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoVisualStyleChoice"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktopChanges"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSaveSettings"=0 (0x0)
    "NoThemesTab"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= file:///C:\WINDOWS\privacy_danger\index.htm
    FriendlyName= Privacy Protection

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    *Newly Created Service* - GTNDIS5

    Contents of the 'Scheduled Tasks' folder
    2007-06-28 22:39:05 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-17 19:52:52
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe??????????'????|?????? ???B???????????????B? ??????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-17 19:53:47
    C:\ComboFix-quarantined-files.txt ... 2007-07-17 19:53

    --- E O F ---
    hijack

    Logfile of HijackThis v1.99.1
    Scan saved at 7:55:38 PM, on 7/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
    C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - C:\WINDOWS\qnxplugin.dll (file missing)
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin\Wireless Mouse Driver\MOUSE32A.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [ZSScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware\
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
    O23 - Service: ZeroSpyware FileDeleter (FileDeleter) - FBMSoftware - C:\Program Files\FBM Software\ZeroSpyware\FileDeleter.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)
     
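The ComboFix log in the post above has a "Files Created" section that is worth reading on its own: a dated list of everything written to disk in the last month. Executables and DLLs that appeared in C:\WINDOWS or C:\WINDOWS\system32 in the days around the infection are the ones to look at first, and in this thread `syswin6000.exe` from that list is exactly the file SUPERAntiSpyware later names Trojan.Downloader-NoName. The script below is an editor-added example, not part of the thread or of ComboFix; it parses that section's line format and lists recently created binaries in those two folders. The folder list, extension list and cut-off date are this example's assumptions, and the output is a review list, not a verdict: `nircmd.exe` carries the same evening's timestamp as the ComboFix run and `msvcr80.dll` is a common runtime library, so each hit still needs checking against the tools installed that day.

```python
"""List recently created binaries in the Windows folders from a ComboFix
"Files Created" section.

Editor-added example; not part of the thread and not ComboFix code. Which
folders, extensions and cut-off date count as interesting are assumptions
of this example.
"""
import re
from datetime import date

# Constructed sample input: lines copied from the "Files Created" section of
# the ComboFix log posted above.
SAMPLE_CREATED = r"""
2007-07-17 19:14 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-17 09:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-16 14:42 <DIR> d-------- C:\WINDOWS\system32\zsfiles
2007-07-16 14:33 131,072 --a------ C:\WINDOWS\system32\datestamp.dll
2007-07-16 14:03 58,368 --a------ C:\WINDOWS\Unwash6.exe
2007-07-16 06:32 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-16 03:51 9,728 --a------ C:\WINDOWS\system32\syswin6000.exe
2007-06-19 14:07 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
"""

# One "Files Created" line: date, time, size or <DIR>, attribute string, path.
_CREATED = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$")

# Folders where a freshly created binary deserves a second look (assumption;
# subfolders such as system32\drivers are deliberately not included).
WATCHED_DIRS = (r"c:\windows", r"c:\windows\system32")
BINARY_EXT = (".exe", ".dll", ".sys")


def parse_created(text):
    """Yield one dict per parsable line; other lines are skipped."""
    for line in text.splitlines():
        m = _CREATED.match(line.strip())
        if m:
            yield {
                "date": date.fromisoformat(m["date"]),
                "time": m["time"],
                "size": m["size"],
                "attrs": m["attrs"],
                "path": m["path"],
            }


def recent_binaries(text, since):
    """Binaries created on/after `since` (ISO date) directly in WATCHED_DIRS."""
    since_d = date.fromisoformat(since)
    hits = []
    for rec in parse_created(text):
        if rec["size"] == "<DIR>":
            continue
        folder, _, name = rec["path"].rpartition("\\")
        if (folder.lower() in WATCHED_DIRS
                and name.lower().endswith(BINARY_EXT)
                and rec["date"] >= since_d):
            hits.append(rec)
    return sorted(hits, key=lambda r: (r["date"], r["time"]))


if __name__ == "__main__":
    for rec in recent_binaries(SAMPLE_CREATED, "2007-07-01"):
        print(f'{rec["date"]} {rec["time"]} {rec["size"]:>9} {rec["path"]}')
```

With a cut-off of 2007-07-01 the sample yields five files, the four from the 16th (the day the poster was installing cleanup tools and the trojan downloader appeared) and `nircmd.exe` from the evening of the 17th; the driver under system32\drivers is left out because only the two top-level folders are watched.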
  5. tluck1

    tluck1 Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    8
    This is the first error I get when trying to add/remove ZeroSpyware:

    >SetupDLL\SetupDLL.ccp(4420
    pAPP:ZeroSpyware
    PGUID:A6E676F9-A28C-4EF0-B138-002AB9A56A24
    $7.1.100.1248
    @Windows XP Service Pack 2 (2600) IE 6.0.2900.2180

    Then I click OK and this comes up:
    setup has experienced an error.
    please do the following:
    close any running programs
    empty your temporary folder
    check your internet connection

    try to run setup again.

    I followed this and it does nothing! Any suggestions? I'm waiting until all this is clear before I even think about defragging my PC. I appreciate all your help!
    PS
    I just recently (about an hour ago, Hawaii time!) learned that two charges have been made on my bank account that I use on this computer. Does this happen often? What can I supply them with to prove I had this hacker in my computer?
     
  6. tluck1

    tluck1 Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    8
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/17/2007 at 10:26 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3270
    Trace Rules Database Version: 1281

    Scan type : Complete Scan
    Total Scan Time : 01:13:40

    Memory items scanned : 381
    Memory threats detected : 0
    Registry items scanned : 5644
    Registry threats detected : 0
    File items scanned : 47374
    File threats detected : 27

    Adware.180solutions/Seekmo
    C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS\NPCLNTAX.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP180\A0016563.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP181\A0016578.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP181\A0016590.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP183\A0016673.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP184\A0016686.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP185\A0017686.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP186\A0017696.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP186\A0017697.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP213\A0019147.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP213\A0019148.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP213\A0019149.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP213\A0019151.DLL

    Desktop Hijacker.AboutYourPrivacy
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\CAPT.GIF.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DANGER.JPG.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\IMAGES\DOWN.GIF.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PRIVACY_DANGER\INDEX.HTM.VIR

    Adware.180solutions/ZangoSearch
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP202\A0018284.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP202\A0018285.EXE

    Adware.Zango Toolbar/Hb
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP213\A0019146.DLL

    Trojan.Downloader-NoName
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP234\A0022465.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP234\A0023551.EXE
    C:\WINDOWS\SYSTEM32\SYSWIN6000.EXE
    C:\WINDOWS\Prefetch\SYSWIN6000.EXE-098B01C8.pf

    Malware.Ultimate Defender
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP234\A0023520.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP234\A0023521.EXE

    Trojan.Net-MSV/VPS-G
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP238\A0023865.DLL
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You should change all of your passwords! As far as your bank, I can only suggest you show them the logs from your machine. I'm not sure if that will help or not.

    Run HJT again and put a check in the following:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: MSVPS System - {C87D64B5-DF92-4703-90CB-B465B6982941} - C:\WINDOWS\qnxplugin.dll (file missing)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab

    Close all applications and browser windows before you click "fix checked".


    How is it running now? Any problems?
     
  8. tluck1

    tluck1 Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    8
    I fixed the HijackThis items you mentioned. I ran SUPERAntiSpyware and it is still finding adware. I'll post the log as soon as it's done. I've also got software (LimeWire, which I never installed, and that ZeroSpyware, from when I had the virus) that I can't seem to get rid of (see above). What do I do?

    After looking at the next log, what virus/spyware program do you recommend so that I don't go through this again? I had been using AVG for viruses and Spybot for spyware. Any recommendations?
     
  9. tluck1

    tluck1 Thread Starter

    Joined:
    Jul 17, 2007
    Messages:
    8
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/18/2007 at 11:15 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3270
    Trace Rules Database Version: 1281

    Scan type : Complete Scan
    Total Scan Time : 01:21:41

    Memory items scanned : 354
    Memory threats detected : 0
    Registry items scanned : 5640
    Registry threats detected : 0
    File items scanned : 47405
    File threats detected : 2

    Adware.180solutions/Seekmo
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP238\A0023903.DLL

    Trojan.Downloader-NoName
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9D8C32EF-553A-4724-A2CE-9BA028325C7B}\RP238\A0023904.EXE
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    SUPERAntiSpyware is showing items in your system restore which you will flush when we are finished.

    Run HJT again and put a check in the following:

    O4 - HKCU\..\Run: [ZSScheduler] RunDll32.exe "C:\Program Files\FBM Software\ZeroSpyware\ZSScheduler.dll", runScheduler C:\Program Files\FBM Software\ZeroSpyware\

    Close all applications and browser windows before you click "fix checked".

    Restart in Safe Mode.
    • To boot up in Safe mode, continuously tap the F8 key while starting your computer.
    • You should see a black screen displaying the Windows Advanced Menu Options.
    • Using your keyboard's arrow keys, select Safe mode, then hit Enter.

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders", then click "Apply" and "OK".

    Delete the folder where ZeroSpyware is located and delete limewire. I don't see that in your logs.

    Restart in normal mode and let me know how things are going.
     
Short URL to this thread: https://techguy.org/596967