
Solved: Help with malware and files not executing after a while

Discussion in 'Virus & Other Malware Removal' started by ktg35envy, Jul 11, 2006.

Thread Status:
Not open for further replies.
  1. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    Hi,

    Can you help me with my problem? I can't even restore back to when I believe the problem arose; the System Restore function does not let me. Essentially what is happening is I installed eDonkey and downloaded some stuff from themexp.org for use with Style XP. Next thing I know I got NewDotNet and Overnet causing all sorts of problems. I did a bunch of scans that you recommend but still have problems. The worst thing is that when I log on I can execute any program or file no problem, but if I don't execute a certain program or file, let's say Firefox, for like 1/2 hour after I log on, it won't work. It's like there is a time limit or something before things go downhill. Here is my HijackThis log. Please help.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:24:02 PM, on 2006-07-11
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\grh501.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\RCrawler\RCrawler.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Documents and Settings\kgarach\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assis...ce=wdz1&utm_medium=bund&utm_campaign=wdz0605a
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: IEGrabObj Class - {abc563b0-b745-11d3-a337-00104be2b1cb} - C:\WINDOWS\IEGrab.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [aaTrueAccess] grh501.exe
    O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
    O8 - Extra context menu item: Use as &Display Picture - C:\Program Files\IEDP2\IEDP.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122406567432
    O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} (WebClientInstall Class) - http://diweb.grhosp.com/magicweb/bin/WebClientInstall.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grhosp.com
    O17 - HKLM\Software\..\Telephony: DomainName = grhosp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grhosp.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g414896.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
    O20 - Winlogon Notify: winecx32 - C:\WINDOWS\SYSTEM32\winecx32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  3. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    Here are my HijackThis logfile and Spy Sweeper session log. I have to tell you that there were 2 or 3 trojans after the first sweep, but Spy Sweeper said that it needed to reboot in order to remove some of the threats. I did so and I got a warning that a known file was trying to access the internet and I should run Spy Sweeper again. So I did and I got the same 2 trojans. They are trojan-downloader-2pursuit and trojan agent winlogonhook. So I ran it again and rebooted as it asked. I redid my log files and here they are. I hope they are gone, but I will say that I am periodically getting notifications from Spy Sweeper that the spyware communications blocker has blocked a file from trying to connect to the internet. Also, I have not noticed any executable files or quick launch buttons not working tonight, but that may be because I am not at work using their network.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:08:18 PM, on 2006-07-11
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\UltraVNC\WinVNC.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\grh501.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\RCrawler\RCrawler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\kgarach\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: IEGrabObj Class - {abc563b0-b745-11d3-a337-00104be2b1cb} - C:\WINDOWS\IEGrab.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [aaTrueAccess] grh501.exe
    O4 - HKLM\..\Run: [ControlCenter] "C:\Program Files\IBM fingerprint software\ctlcntr.exe" /startup
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
    O8 - Extra context menu item: Use as &Display Picture - C:\Program Files\IEDP2\IEDP.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122406567432
    O16 - DPF: {A7B17C34-D894-11D3-AE37-0050DA39FE5C} (WebClientInstall Class) - http://diweb.grhosp.com/magicweb/bin/WebClientInstall.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = grhosp.com
    O17 - HKLM\Software\..\Telephony: DomainName = grhosp.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = grhosp.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: psfus - C:\Program Files\IBM fingerprint software\psfus.dll
    O20 - Winlogon Notify: winecx32 - C:\WINDOWS\SYSTEM32\winecx32.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Protector Suite Virtual Token (vtserver) - UPEK Inc. - C:\Program Files\Common Files\Virtual Token\vtserver.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)





    ********
    5:45 PM: | Start of Session, Tuesday, July 11, 2006 |
    5:45 PM: Spy Sweeper started
    5:45 PM: Sweep initiated using definitions version 716
    5:45 PM: Found Trojan Horse: trojan-downloader-2pursuit
    5:45 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\cfgmngr32\ || dllname (ID = 1538933)
    5:45 PM: g414896.dll (ID = 1538933)
    5:45 PM: Starting Memory Sweep
    5:47 PM: Found Adware: system doctor 2006 fakealert
    5:47 PM: Detected running threat: C:\WINDOWS\Temp\win10.tmp.exe (ID = 319862)
    5:50 PM: Memory Sweep Complete, Elapsed Time: 00:04:27
    5:50 PM: Starting Registry Sweep
    5:50 PM: Found Adware: accoona toolbar
    5:50 PM: HKCR\asearchassist.adefaultsearch\ (5 subtraces) (ID = 520489)
    5:50 PM: HKCR\clsid\{944864a5-3916-46e2-96a9-a2e84f3f1208}\ (11 subtraces) (ID = 520510)
    5:50 PM: HKCR\typelib\{ea3956d2-ec38-41ab-b601-47aa281e4952}\ (9 subtraces) (ID = 520538)
    5:50 PM: HKLM\software\classes\asearchassist.adefaultsearch\ (5 subtraces) (ID = 520749)
    5:50 PM: HKLM\software\classes\asearchassist.adefaultsearch.1\ (3 subtraces) (ID = 520755)
    5:50 PM: Found Trojan Horse: trojan agent winlogonhook
    5:50 PM: HKLM\software\microsoft\mssmgr\ (14 subtraces) (ID = 937101)
    5:50 PM: HKCR\asearchassist.adefaultsearch.1\ (3 subtraces) (ID = 954985)
    5:50 PM: HKLM\software\classes\clsid\{944864a5-3916-46e2-96a9-a2e84f3f1208}\ (11 subtraces) (ID = 955049)
    5:50 PM: HKLM\software\classes\typelib\{ea3956d2-ec38-41ab-b601-47aa281e4952}\ (9 subtraces) (ID = 955503)
    5:50 PM: Found Adware: accona toolbar accoona.com hijack
    5:50 PM: HKLM\software\microsoft\internet explorer\search\ || searchassistant (ID = 956084)
    5:50 PM: Found Adware: easyerror
    5:50 PM: HKCR\clsid\{0b5f7fdf-0717-45bf-b49d-695f3168c7fe}\ (4 subtraces) (ID = 1149518)
    5:50 PM: HKLM\software\classes\clsid\{0b5f7fdf-0717-45bf-b49d-695f3168c7fe}\ (4 subtraces) (ID = 1149560)
    5:50 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\cfgmngr32\ (10 subtraces) (ID = 1252409)
    5:50 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {259ba022-2005-45e9-a965-10edb9c00605} (ID = 1538921)
    5:50 PM: HKU\S-1-5-21-1844237615-261903793-725345543-17908\software\microsoft\internet explorer\urlsearchhooks\{944864a5-3916-46e2-96a9-a2e84f3f1208}\ (1 subtraces) (ID = 955003)
    5:50 PM: Registry Sweep Complete, Elapsed Time:00:00:20
    5:50 PM: Starting Cookie Sweep
    5:50 PM: Found Spy Cookie: 80503492 cookie
    5:50 PM: [email protected][1].txt (ID = 2013)
    5:50 PM: Found Spy Cookie: about cookie
    5:50 PM: [email protected][1].txt (ID = 2037)
    5:50 PM: Found Spy Cookie: yieldmanager cookie
    5:50 PM: [email protected][1].txt (ID = 3751)
    5:50 PM: Found Spy Cookie: adprofile cookie
    5:50 PM: [email protected][2].txt (ID = 2084)
    5:50 PM: Found Spy Cookie: cd freaks cookie
    5:50 PM: [email protected][2].txt (ID = 2371)
    5:50 PM: Found Spy Cookie: atwola cookie
    5:50 PM: [email protected][1].txt (ID = 2255)
    5:50 PM: [email protected][1].txt (ID = 2038)
    5:50 PM: [email protected][1].txt (ID = 2370)
    5:50 PM: [email protected][1].txt (ID = 2371)
    5:50 PM: [email protected][2].txt (ID = 2038)
    5:50 PM: Found Spy Cookie: nextag cookie
    5:50 PM: [email protected][1].txt (ID = 5014)
    5:50 PM: [email protected][1].txt (ID = 2038)
    5:50 PM: Found Spy Cookie: adjuggler cookie
    5:50 PM: [email protected][1].txt (ID = 2071)
    5:50 PM: Found Spy Cookie: tacoda cookie
    5:50 PM: [email protected][1].txt (ID = 6444)
    5:50 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
    5:50 PM: Starting File Sweep
    5:51 PM: win10.tmp.exe (ID = 319862)
    6:24 PM: Warning: Unhandled Archive Type
    6:24 PM: Warning: Unhandled Archive Type
    6:24 PM: Warning: Unhandled Archive Type
    6:24 PM: Warning: Unhandled Archive Type
    6:24 PM: Warning: Unhandled Archive Type
    6:26 PM: File Sweep Complete, Elapsed Time: 00:35:16
    6:26 PM: Full Sweep has completed. Elapsed time 00:40:21
    6:26 PM: Traces Found: 122
    6:32 PM: Removal process initiated
    6:33 PM: Quarantining All Traces: trojan agent winlogonhook
    6:33 PM: Quarantining All Traces: trojan-downloader-2pursuit
    6:33 PM: trojan-downloader-2pursuit is in use. It will be removed on reboot.
    6:33 PM: g414896.dll is in use. It will be removed on reboot.
    6:33 PM: Quarantining All Traces: easyerror
    6:33 PM: Quarantining All Traces: accona toolbar accoona.com hijack
    6:33 PM: Quarantining All Traces: accoona toolbar
    6:33 PM: Quarantining All Traces: system doctor 2006 fakealert
    6:33 PM: system doctor 2006 fakealert is in use. It will be removed on reboot.
    6:33 PM: win10.tmp.exe is in use. It will be removed on reboot.
    6:33 PM: Quarantining All Traces: 80503492 cookie
    6:33 PM: Quarantining All Traces: about cookie
    6:33 PM: Quarantining All Traces: adjuggler cookie
    6:33 PM: Quarantining All Traces: adprofile cookie
    6:33 PM: Quarantining All Traces: atwola cookie
    6:33 PM: Quarantining All Traces: cd freaks cookie
    6:33 PM: Quarantining All Traces: nextag cookie
    6:33 PM: Quarantining All Traces: tacoda cookie
    6:33 PM: Quarantining All Traces: yieldmanager cookie
    6:34 PM: Removal process completed. Elapsed time 00:01:50
    ********
    5:40 PM: | Start of Session, Tuesday, July 11, 2006 |
    5:40 PM: Spy Sweeper started
    5:43 PM: Your spyware definitions have been updated.
    5:45 PM: | End of Session, Tuesday, July 11, 2006 |


    thanks for all your help.
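The session log above shows where a removal can stall: traces held open by a running process (the notify DLL g414896.dll, the running win10.tmp.exe) are only deferred to the next reboot, which is why the same two trojans were reported twice. As an added example, not part of the thread or of Spy Sweeper, the following Python parses the log format posted above, groups each trace under its detection, re-attaches later hits by trace ID, and lists which detections still depend on a reboot. The embedded log is a constructed subset of the posted one.

```python
"""Summarize a Spy Sweeper session log (added example; not Webroot code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed subset of the session log posted above (lines copied from it,
# most cookie and registry traces omitted).
SESSION_LOG = r"""
5:45 PM: Sweep initiated using definitions version 716
5:45 PM: Found Trojan Horse: trojan-downloader-2pursuit
5:45 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\cfgmngr32\ || dllname (ID = 1538933)
5:45 PM: g414896.dll (ID = 1538933)
5:47 PM: Found Adware: system doctor 2006 fakealert
5:47 PM: Detected running threat: C:\WINDOWS\Temp\win10.tmp.exe (ID = 319862)
5:50 PM: Found Adware: accoona toolbar
5:50 PM: HKCR\asearchassist.adefaultsearch\ (5 subtraces) (ID = 520489)
5:50 PM: Found Trojan Horse: trojan agent winlogonhook
5:50 PM: HKLM\software\microsoft\mssmgr\ (14 subtraces) (ID = 937101)
5:51 PM: win10.tmp.exe (ID = 319862)
6:32 PM: Removal process initiated
6:33 PM: Quarantining All Traces: trojan agent winlogonhook
6:33 PM: Quarantining All Traces: trojan-downloader-2pursuit
6:33 PM: trojan-downloader-2pursuit is in use. It will be removed on reboot.
6:33 PM: g414896.dll is in use. It will be removed on reboot.
6:33 PM: Quarantining All Traces: accoona toolbar
6:33 PM: Quarantining All Traces: system doctor 2006 fakealert
6:33 PM: win10.tmp.exe is in use. It will be removed on reboot.
6:34 PM: Removal process completed. Elapsed time 00:01:50
"""

_LINE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (?P<msg>.*)$")
_FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
_QUAR_RE = re.compile(r"^Quarantining All Traces: (?P<name>.+)$")
_INUSE_RE = re.compile(r"^(?P<item>.+) is in use\. It will be removed on reboot\.$")
_ID_RE = re.compile(r"\(ID = (?P<id>\d+)\)$")


@dataclass
class Threat:
    name: str
    category: str
    traces: List[str] = field(default_factory=list)
    reboot_pending: List[str] = field(default_factory=list)


def summarize(log: str) -> Dict[str, Threat]:
    """Group trace lines under the detection they belong to.

    A 'Found <category>: <name>' line opens a detection; each following trace
    ends in '(ID = n)'. A trace ID seen again later (the file-sweep hit on
    win10.tmp.exe) is re-attached to the detection that first reported it.
    During removal, 'Quarantining All Traces: <name>' switches context and any
    'is in use ... removed on reboot' line is recorded against that detection.
    """
    threats: Dict[str, Threat] = {}
    owner_by_id: Dict[str, Threat] = {}
    current: Optional[Threat] = None
    for raw in log.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        found = _FOUND_RE.match(msg)
        quar = _QUAR_RE.match(msg)
        inuse = _INUSE_RE.match(msg)
        trace = _ID_RE.search(msg)
        if found:
            current = threats.setdefault(found["name"], Threat(found["name"], found["category"]))
        elif quar:
            current = threats.setdefault(quar["name"], Threat(quar["name"], "unknown"))
        elif inuse and current is not None:
            current.reboot_pending.append(inuse["item"])
        elif trace:
            owner = owner_by_id.get(trace["id"], current)
            if owner is not None:
                owner.traces.append(msg[: trace.start()].strip())
                owner_by_id.setdefault(trace["id"], owner)
    return threats


def needs_reboot(threats: Dict[str, Threat]) -> List[str]:
    """Names of detections whose removal was deferred to the next reboot."""
    return [t.name for t in threats.values() if t.reboot_pending]


if __name__ == "__main__":
    summary = summarize(SESSION_LOG)
    for t in summary.values():
        print(f"{t.category}: {t.name} ({len(t.traces)} traces)")
        for item in t.reboot_pending:
            print(f"    pending reboot: {item}")
    print("rescan after reboot for:", ", ".join(needs_reboot(summary)))
```

The practical check this supports: anything listed under "pending reboot" is not gone until the machine has actually restarted and a second sweep comes back clean, so a post-reboot rescan is part of the removal, not an optional extra.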
     
  4. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    I ran another Spy Sweeper scan and the only thing that it detected was:

    trojan agent winlogonhook
    HKLM\software\microsoft\mssmgr\

    I clicked Next to remove and it didn't ask me to reboot this time. I will run another scan at work tomorrow to make sure it is gone.
     
  5. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HJT – mark them, close IE, click fix checked

    R3 - Default URLSearchHook is missing

    O2 - BHO: IEGrabObj Class - {abc563b0-b745-11d3-a337-00104be2b1cb} - C:\WINDOWS\IEGrab.dll

    O4 - HKLM\..\Run: [aaTrueAccess] grh501.exe

    O20 - Winlogon Notify: winecx32 - C:\WINDOWS\SYSTEM32\winecx32.dll


    Download http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\SYSTEM32\winecx32.dll
    C:\WINDOWS\IEGrab.dll
    C:\WINDOWS\SYSTEM32\grh501.exe

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
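A worked triage pass over entries of the kind MFDnNC singled out, as an added example that is not part of the thread and not HijackThis code. It applies the reading rules a helper uses on such a log: an O20 Winlogon Notify DLL or an O2 BHO loaded from the Windows root directory rather than system32 or Program Files is rated high; an O4 Run value naming a bare file with no path, and any notify DLL not on a vetted list, is marked for review rather than deletion, which matters here because grh501.exe turned out to be the hospital's own software. The sample lines are a constructed subset of the logs posted above; the vetted-DLL list is an assumption for this particular machine.

```python
"""Triage pass over HijackThis log lines (added example; not HijackThis code)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "high" = removal candidate, "review" = verify the file first
    reason: str
    line: str


# Constructed subset of the logs posted above, covering the entry types
# MFDnNC pointed at (R3, O2, O4, O20) plus some vendor entries as controls.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEGrabObj Class - {abc563b0-b745-11d3-a337-00104be2b1cb} - C:\WINDOWS\IEGrab.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [aaTrueAccess] grh501.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g414896.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winecx32 - C:\WINDOWS\SYSTEM32\winecx32.dll
"""

# Assumption: notify DLLs already vetted for this machine (the Symantec,
# IBM fingerprint and Webroot ones that appear in the thread's logs).
KNOWN_NOTIFY_DLLS = {"navlogon.dll", "psfus.dll", "wrlogonntf.dll"}

_O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
_O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
_O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def _in_windows_root(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS with no subdirectory.
    Legitimate components almost always live in system32 or Program Files."""
    parts = path.strip('"').lower().split("\\")
    return len(parts) == 3 and parts[0].endswith(":") and parts[1] == "windows"


def _image_name(cmd: str) -> str:
    """Executable token of a Run value: honour quotes, drop arguments.
    An unquoted path with spaces is cut at the first space, which is still
    enough to tell a full path from a bare file name."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("R3 - ") and "URLSearchHook is missing" in line:
            findings.append(Finding("R3", "review",
                                    "default URL search hook missing; restore the default", line))
            continue
        m = _O2_RE.match(line)
        if m:
            if _in_windows_root(m["path"]):
                findings.append(Finding("O2", "high",
                                        "BHO loaded from the Windows root directory", line))
            continue
        m = _O4_RE.match(line)
        if m:
            if "\\" not in _image_name(m["cmd"]):
                findings.append(Finding("O4", "review",
                                        "Run entry names a bare file; check the file on disk before removing", line))
            continue
        m = _O20_RE.match(line)
        if m:
            dll = m["path"].split("\\")[-1].lower()
            if _in_windows_root(m["path"]):
                findings.append(Finding("O20", "high",
                                        "Winlogon notify DLL in the Windows root directory", line))
            elif dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("O20", "review",
                                        "Winlogon notify DLL not on the vetted list", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

The split between "high" and "review" is the point: a bare name in a Run value (TpShocks.exe, grh501.exe) is equally consistent with a vendor tool on the PATH and with malware dropped into a system directory, so it is a prompt to look at the file, not a verdict.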
     
  6. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    I have done the steps in the first part of your reply. I did not delete grh501.exe because it is associated with my hospital's software.

    The problem is I am unable to enter safe mode because I do not have admin rights. This laptop is provided by my hospital, but the dingbats in IS have one solution to every problem like this: re-image the whole thing.

    Is it possible to do these steps in normal mode? Or can you suggest another way without going into safe mode?

    Oh, and by the way, I ran another scan today at work and it found winlogonhook, so I cleaned it and rebooted and ran yet another Spy Sweeper scan, and winlogonhook is still there:

    trojan agent winlogonhook
    HKLM\software\microsoft\mssmgr\
     
  7. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Do it in normal mode, but make sure you reboot
     
  8. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    Hello again,

    I tried in normal mode and rebooted and it seemed to be gone. I did another sweep and the winlogonhook was still there. Because my laptop is from my work I am unable to get into safe mode, so I decided to try Spyware Doctor and see what the hype is all about. I heard it was pretty good. So I did a scan and it found the winlogonhook trojan and also the other one I thought Spy Sweeper had removed, winecx32 trojan or something. So I removed them with Spyware Doctor and it seems to have disappeared. I rebooted many times, surfed the net again and tried Spy Sweeper and Spyware Doctor. Both come up negative on the trojan hunt.

    My question now to you is: do you think it is OK to have both Spy Sweeper and Spyware Doctor? Both are similar. I like the features of Spy Sweeper better, like that spy communication shield. That thing is awesome! But I like the fact that Spyware Doctor is pretty sensitive at detecting and effective at removing spyware/trojans. Can these two play together well without affecting my download speeds or my system speed?

    So this is what I have done:

    I update and run Spybot S&D frequently (did not install TeaTimer; is that a smart thing to do?).

    I update SpywareBlaster frequently.

    I have all Spy Sweeper default settings going (except splash screen turned off).

    I have turned off OnGuard protection from Spyware Doctor and had opted to not have it run at startup. Instead I will only use it when I feel the need to scan. I figured that having both running in "real-time" might slow me down and be unnecessary.

    I have Lavasoft Ad-Aware SE but I am thinking of removing it because it has not detected a thing since I installed both Spy Sweeper and Spyware Doctor.

    Finally, I have avast! as my antivirus and McAfee as my firewall.

    I am also concerned that my download speeds from torrent sites will be affected. I have yet to test this after installing Spy Sweeper and Spyware Doctor. I have shut down the P2P shield on avast! though.

    What do you think of this protection setup? Are there any conflicts that you are aware of?

    Thanks for all this help
    KT
     
  9. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    As long as you do P2P you will get infected again no matter what protection you have
     
  10. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    Wow. Suggestion noted. Do you have any other thoughts or suggestions on my setup?
     
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
  12. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    And what would be the purpose of doing this? Is it because spyware can hide in the System Volume Information folders (I think this folder has to do with restore points) or something?
     
  13. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    Never mind, I get it. I never really thought of doing that before. Do you recommend doing this regularly? Or is it only if your System Volume Information folders are infected?
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    It is done to clear out infected points, otherwise you just leave it alone
     
  15. ktg35envy

    ktg35envy Thread Starter

    Joined:
    Apr 24, 2005
    Messages:
    67
    One last question. Do you recommend keeping the registry clean to optimize PC performance? Sometimes I wonder what leftover crap from past software, etc. is holding my PC back. Is there a good program out there for registry maintenance?

    KT
     

Short URL to this thread: https://techguy.org/482365

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice