Tech Support Forum

Post #1 · Registered · 23 Posts · Discussion Starter
Recently I've been having some connection issues. I can connect to the internet, but I've been downloading and connecting really slowly. I'm on dial-up and I connect really low, like half what I would on a 56k modem, which is exactly what I have. I have heard that the higher the bps you connect at, the faster your connection will be. Well, I used to connect at around 45000 bps or so, but now I connect at around 21600 or sometimes even lower. I did all the tests that greyknight provided on his page, and I'm not sure if my modem is just going bad or possibly if the spyware I had on my computer was clogging it up. Please look at my HijackThis log when you get the chance and let me know if you see any problems. I will also post the other logs that you asked on your page to post. Thanks for your time :)

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:57:31 PM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\110420~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110420~1\EE\AOLServiceHost.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\epsonstylus_c8259cd\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104208615\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: ChatSpace Full Java Client 3.2.0.232 - http://66.179.32.140:8576/Java/cfs32232.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://xmlauthor.com/downloads/xmirage.exe
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-a.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton Internet Security Professional Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\NISUM.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe


End of KRC HijackThis Analyzer Log.
====================================================================


My Panda Active Scan:


Incident Status Location

Adware:Adware/Coupons No disinfected C:\HJT\backups\backup-20041024-171609-796.dll
Adware:Adware/QuickSearch No disinfected C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe
Adware:adware/delfinmedia No disinfected C:\keys.ini

My Ewido Scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:03:29 PM, 9/6/2005
+ Report-Checksum: 44B780D8

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{77712A64-F30B-47C8-A363-CDA1CEC7DC1B} -> Spyware.AdvancedSearchbar : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-329068152-1957994488-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} -> Spyware.Coupon : Cleaned with backup
HKU\S-1-5-21-329068152-1957994488-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} -> Spyware.Coupon : Cleaned with backup
C:\HJT\backups\backup-20041024-171609-796.dll -> Spyware.Coupon : Cleaned with backup
C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe -> Spyware.Quick : Cleaned with backup
C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP194\A0286518.dll -> Spyware.VirtuMonde : Cleaned with backup
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP194\A0286519.dll -> Spyware.VirtuMonde : Cleaned with backup
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP194\A0286520.dll -> Spyware.VirtuMonde : Cleaned with backup


::Report End
 

Reply · Bearded Tech Monkey · 1,058 Posts
Hi turbochill, and welcome to TSF.

Thank you for providing an Ewido & Panda scan. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P.

Please Subscribe to this thread, (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made.

Please be patient with me during this time.

In the meantime I would like to see a fresh HJT log, without the analyzer, while in Normal Mode.

Thanks,

RavenMind
 

Reply · Bearded Tech Monkey · 1,058 Posts
Hello, turbochill. Thank you for being patient while I reviewed your log!

Looks like I got back to you before you were able to post the fresh HJT log. That's okay, I'll have you post a fresh one at the end of this fix.

Important: Copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you lose your internet connection. Make sure to work through the fixes in the exact order they are presented. If there is anything that you don't understand, ask me about it before proceeding with the fixes. It is important to close all browsers (Internet Explorer, My Computer, etc.) or windows when you are running any scans, tools, or HJT.


Enable the viewing of hidden files/folders:
Go to My Computer > Tools > Folder Options > “View” tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible too.


Downloads:

CleanUp!
The Temp folders are a popular place for malware to hide out, plus installation programs tend to leave a lot of junk in there. Download and install CleanUp! to clean out your temps, but do not run it yet.

AdAware SE
If you haven’t already, please download and install AdAware SE. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say “Status System Clean”. Otherwise, you will have to click on the “Clean” button to remove the VX2 infection. Also make sure to Customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.


Reboot into Safe Mode. (Tap the F8 key until menu shows up.)

Microsoft AntiSpyware:
I see you are using Microsoft's AntiSpyware program. Because of recent changes in the way this program now defines and detects spyware/adware, it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it (and nearly all reputable scanners) used to detect and remove, and now lists them as “Ignore”.

These are some of the adware/spyware programs that this program will NOT prompt you to remove. Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula.TopText, Gain/Gator, and Webhancer.

These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted, and we highly recommend you remove it!

For further reading click this link.


HiJackThis Entries:

Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp <<< Leave this entry if you like the AIM Toolbar Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

Please make sure to close all open windows & browsers, then click Fix Checked.


File Deletions:
Delete the following FILES indicated in RED and FOLDERS indicated in BLUE, if they still exist:

C:\keys.ini

The following two entries may not appear, that's okay if you can't find them.
C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe
C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe

Note: Please be very careful when downloading files from ThemeXP.org. You had a trojan installed via one of their themes, which is not all that uncommon. One quick way of helping to ensure that a file is safe is to scan the file specifically with a good antivirus scanner upon download (before executing it).

Run Cleanup!

Configure the program as follows:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X] Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup!


Reboot into Normal Mode.


Online Scan:
Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any files it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please post a fresh HJT log, as well as the results from your Kaspersky scan.

Thanks,

RavenMind
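As an added example (not part of this thread and not a tool from HijackThis or the helper), a small Python triage script that applies the same three checks RavenMind makes above to raw HJT log lines: R0/R1 browser settings left with an empty value, O2 BHOs whose DLL is gone, and O16 downloaded-program (DPF) entries with no source URL or a bare-IP source. The sample lines are copied from the logs posted in this thread; the check names and the `Finding` structure are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Generic HijackThis entry: "<code> - <rest>", e.g. "O16 - DPF: {CLSID} (Name) - http://..."
_ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<rest>.*)$")
# R0/R1 browser-setting entries: "<hive\key>,<value name> = <data>"
_SETTING_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")
# Host part of an http(s) URL (port and path excluded)
_HOST_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "R0", "O2", "O16"
    reason: str  # why a helper would ask about this entry
    line: str    # the original log line


def parse_entry(line: str) -> Optional[tuple]:
    """Split an HJT line into (section code, remainder); None for non-entry lines."""
    m = _ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("rest")) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's three checks to one HJT line."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    code, rest = parsed

    if code in ("R0", "R1"):
        # A search/start-page setting that is present but empty is typically what a
        # hijack leaves behind after removal; RavenMind has these fixed.
        m = _SETTING_RE.match(rest)
        if m and m.group("data").strip() == "":
            return Finding(code, "browser setting with an empty value", line)
        return None

    if code == "O2" and rest.endswith("(no file)"):
        # Browser Helper Object still registered but its DLL is gone.
        return Finding(code, "BHO registered but its DLL is missing (orphaned entry)", line)

    if code == "O16":
        # "DPF: {CLSID} (Name) - URL" or "DPF: Name - URL"; the URL follows the last " - ".
        _, sep, url = rest.rpartition(" - ")
        url = url.strip()
        if not sep or not url.lower().startswith(("http://", "https://")):
            return Finding(code, "downloaded ActiveX control (DPF) with no http(s) source URL", line)
        host = _HOST_RE.match(url)
        if host and _IPV4_RE.match(host.group(1)):
            return Finding(code, "ActiveX control (DPF) fetched from a bare IP address; worth a second look", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole pasted log and collect the hits in order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


# Sample lines copied from the logs posted in this thread (one legitimate entry of
# each kind is included so the checks can be seen passing as well as firing).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O16 - DPF: ChatSpace Full Java Client 3.2.0.232 - http://66.179.32.140:8576/Java/cfs32232.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

A hit is a prompt to look, not a verdict: the AIM search entry above passes because it has a value, even though RavenMind lists it as optional to fix.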
 

Post #4 · Registered · 23 Posts · Discussion Starter · (Edited)
I am working on getting the results of the online virus scan test for you. I have a few other questions. I searched for the keys.ini file and the themexp files and could not find them. I heard some bad things about themexp and went to uninstall it from my add/remove programs menu, and every time I try to it brings up a box with the file name install.log or something; I'm guessing that because this file is missing or something it refuses to let me uninstall the themexp.org file. I would like to delete all the themexp themes and files that I downloaded in the past, but am worried that I will somehow affect the themes or just important files that make my computer run. I will post the hijack log plus the online virus scan results in my next post. Oh yea, just another quick question, not sure if it really matters, but what is a better firewall program, Norton Internet Security or Zonealarm? Thanks for your time :)
 

Post #5 · Registered · 23 Posts · Discussion Starter
K, I'm posting a fresh hijack log and the results from the online virus scan. I forgot to turn off my McAfee virus thing that's provided with AOL until I was 14% or so done with the scan.

Hijack Results:

Logfile of HijackThis v1.99.1
Scan saved at 2:45:57 AM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\epsonstylus_c8259cd\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104208615\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.2.0.232 - http://66.179.32.140:8576/Java/cfs32232.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://xmlauthor.com/downloads/xmirage.exe
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-a.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton Internet Security Professional Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Online Virus Scan Results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, September 08, 2005 05:07:26
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/09/2005
Kaspersky Anti-Virus database records: 139363
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 63561
Number of viruses found: 5
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 4067 sec

Infected Object Name - Virus Name
C:\WINDOWS\bwk.exe Infected: Trojan-Downloader.Win32.Lookme.m
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP194\A0285635.exe Infected: Trojan.Win32.KillFiles.fz
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290367.exe/data0009 Infected: Trojan-Downloader.Win32.Agent.ec
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290367.exe/data0012 Infected: Trojan-Downloader.Win32.Apropo.v
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290367.exe/data0013 Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290367.exe Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290368.exe/data0009 Infected: Trojan-Downloader.Win32.Agent.ec
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290368.exe/data0012 Infected: Trojan-Downloader.Win32.Apropo.v
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290368.exe/data0013 Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290368.exe Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290369.exe/data0009 Infected: Trojan-Downloader.Win32.Agent.ec
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290369.exe/data0012 Infected: Trojan-Downloader.Win32.Apropo.v
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290369.exe/data0013 Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290369.exe Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290370.exe/data0009 Infected: Trojan-Downloader.Win32.Agent.ec
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290370.exe/data0012 Infected: Trojan-Downloader.Win32.Apropo.v
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290370.exe/data0013 Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290370.exe Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290371.exe/data0009 Infected: Trojan-Downloader.Win32.Agent.ec
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290371.exe/data0012 Infected: Trojan-Downloader.Win32.Apropo.v
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290371.exe/data0013 Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290371.exe Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290372.exe/data0009 Infected: Trojan-Downloader.Win32.Agent.ec
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290372.exe/data0012 Infected: Trojan-Downloader.Win32.Apropo.v
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290372.exe/data0013 Infected: Trojan.Win32.Qhost.ap
C:\System Volume Information\_restore{689961AD-70BB-48D3-A94F-7E2E3A649E51}\RP195\A0290372.exe Infected: Trojan.Win32.Qhost.ap

Scan process completed.
 

Reply · Bearded Tech Monkey · 1,058 Posts
turbochill,

Your HJT log is now clean!

We have just a few more steps to go before we're finished.

In response to your questions:
turbochill said:
I searched for the keys.ini file and the themexp files and could not find them.
It’s okay that you can’t find them. I suspect the ThemeXP files were deleted with Ewido, and keys.ini with AdAware. Either way they are not showing up in your HJT log and are no longer a threat.


turbochill said:
I heard some bad things about themexp and went to uninstall it from my add/remove programs menu and every time I try to it brings up a box with the file name install.log or something, I'm guessing from this file missing or something it refuses to let me uninstall the themexp.org file. I would like to delete all the themexp themes and files that I downloaded in the past, but am worried that I will somehow affect the themes or just important files that make my computer run.
Have you checked to see if the “themexp” folder is still present in the “C:\Program Files” directory? If so then try downloading MyUninstaller and running it. It should not affect any critical system files. My understanding of ThemeXP is that many of the themes were created by different users & submitted to their database. So if these themes are not removed by MyUninstaller, you may have to try tracking down their individual files. I am not aware of any easy way of doing this, just searching. Just remember the old adage: “If it ain't broke, don’t fix it!” In other words, if it’s not causing your system any problems, don’t create one for yourself by randomly deleting files.

turbochill said:
what is a better firewall program, Norton Internet Security or Zonealarm?
This is a tricky question to answer. It really depends on what falls into your definition of “better”.

Many people would argue that Norton does a better job of blocking unauthorized intrusions. However there are thousands, probably millions, of ZoneAlarm users that have never experienced a problem. I cannot in good conscience recommend any Norton products to you. In my experience they are not worth the price. Norton is considered “bloatware”, meaning that it’s a huge program that integrates itself into many different basic Windows functions, hogs your system resources, makes itself unreasonably visible & intrusive, and in many cases is impossible to get rid of without crashing your system. It’s even this board's policy not to deal with problems involving Norton (although you may find an occasional compassionate tech willing to give it a go). Please see here

So it’s really up to you which program you use, but why take the risk involved with Norton when you can use a very good *free* product that doesn’t wreak havoc on your computer?



Now to finish your fix:

Download KillBox v2.0.0.175, and save it to Desktop.

Launch KillBox.exe & select the following options:
  • delete on Reboot
  • end Explorer shell while killing file
  • unregister dll before deleting * if it's not grayed out
Highlight all the filenames below & then right-click & select Copy

C:\WINDOWS\bwk.exe

  • Go to the File menu, and choose Paste from Clipboard
  • Click the RED X button.
  • Click on the dropdown menu next to Full Path of File to Delete field.
  • Verify that the filenames you pasted are found there
  • Click Yes at the Delete on Reboot prompt.
  • Click Yes at the 'Pending Operations prompt'.
    • If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


Flush System Restore Points

Most of the nasties that Kaspersky found appear to be hiding in your System Restore files. A simple flush of your System Restore points should take care of them:

Turn off System Restore:
  1. Right-click "My Computer"
  2. Click "Properties"
  3. Click the "System Restore" tab
  4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
  5. Click "Apply"
    When turning off System Restore, the existing restore points will be deleted.
    • Click "Yes" to proceed
  6. Click "OK"

Reboot your System.

Turn on System Restore
  1. Right-click "My Computer"
  2. Click "Properties"
  3. Click the "System Restore" tab
  4. Un-Check "Turn off System Restore" or "Turn off System Restore on all drives".
  5. Click "Apply"
  6. Click "OK"
Note: It is very important to remember to turn system restore back on after reboot! If you do not, System Restore will remain deactivated & you will not have any previous points to restore back to should it become necessary to do so.

Re-Scan with Kaspersky: http://www.kaspersky.com/service?chapter=161739400

Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please post the results of your Kaspersky Scan in your next response so we can verify everything is clean.
 

· Registered
Joined
·
23 Posts
Discussion Starter · #7 ·
OK, good news: I did all the instructions that you told me to, and I remembered where I downloaded a lot of the themexp files to and deleted most of them. I didn't delete one of them named luna as I'm not sure if this was a theme that came with XP when I installed it, but from what I remember it's not.

I'm still having some connection issues, but I'm not sure if it could be a possible problem that my modem may be going bad, if it's the wiring in our new house, or just some other reason. I'm trying to think back to when we first moved here and I got my computer set up, whether I was downloading at the same speed as at my old house at first or not, but I can't really recall.

I forgot to run HijackThis in normal mode before the last time you told me to, so I thought I might just run a fresh log in normal mode just in case I had to run in normal mode in the first place.

The online virus scan came out clean this time around which is good :) I also uninstalled all the Norton stuff that I had on my computer as for Virus scan (deleted it in advance a few weeks back), Norton Internet Security, and also System works, you were right about Norton being a pain, as I had a hard time at first uninstalling Internet Security, all it would do is freeze on the uninstall window.

Thanks for your help man :) I'll have to figure out the connection issue it could just be a problem with aol or something. Here's the hijacklog in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 5:14:35 AM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\COMMON~1\AOL\110420~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\110420~1\EE\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\epsonstylus_c8259cd\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1104208615\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.2.0.232 - http://66.179.32.140:8576/Java/cfs32232.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {21F16767-8DA7-4113-BEB0-F161B313407F} (XMirage Control) - http://xmlauthor.com/downloads/xmirage.exe
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://tech-a.mhi.aol.com/netagent/objects/custappx2.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BD63AE-3458-4C0D-8627-4360398CDF08}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Thanks again :)
 

· Bearded Tech Monkey
Joined
·
1,058 Posts
Congratulations, your system is now clean!

I'm sorry to hear you're still having a poor connection speed, however it does not appear to be malware related. I will make some recommendations for optional removals that will improve overall system performance, and may help with download speed, but probably not by much. It sounds like the main issue you were having was the speed at which the modem connected initially. This is not something that is usually affected by malware (software), but is mainly a hardware issue. Specifically: modem, phone lines, host modems etc. Since this is not my area of expertise, you should seek help from a tech in the Hardware forum's Modems section, or possibly in Networking - Modems/Cable/DSL/Satellite.

In the meantime please read through my list of optional removals, complete the last steps of your fix, and read up on preventative measures:

Finish the Fix:
Just a few last recommended HJT entry removals:
Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file) <<< Are you using styleXP? If not, check to remove.

Please make sure to close all open windows & browsers, then click Fix Checked.

Reset Hidden & System Files/Folders.
  1. Click "Start"
  2. Open "My Computer"
  3. Select the "Tools" menu and click "Folder Options"
  4. Select the "View" tab
  5. Deselect the "Show hidden files and folders" option
  6. Select the "Hide file extensions for known types" option
  7. Select the "Hide protected operating system files" option
  8. Click "Yes" to confirm
  9. Click "OK"

Clear Java Cache
  1. Click "Start" > "Settings" > "Control Panel"
  2. Click the "Java Plugin" icon
  3. Click the "Cache" tab
  4. Click the "Clear" button
  5. Click "OK" to confirm
Note: Please repeat this procedure for each "Java Plugin" button in your Control Panel

Follow the instructions outlined here to clear Sun's Java cache.


Flush System Restore Points

Turn off System Restore:
  1. Right-click "My Computer"
  2. Click "Properties"
  3. Click the "System Restore" tab
  4. Check "Turn off System Restore" or "Turn off System Restore on all drives".
  5. Click "Apply"
    When turning off System Restore, the existing restore points will be deleted.
    • Click "Yes" to proceed
  6. Click "OK"

Reboot your System.

Turn on System Restore
  1. Right-click "My Computer"
  2. Click "Properties"
  3. Click the "System Restore" tab
  4. Un-Check "Turn off System Restore" or "Turn off System Restore on all drives".
  5. Click "Apply"
  6. Click "OK"
Note: It is very important to remember to turn system restore back on after reboot! If you do not, System Restore will remain deactivated & you will not have any previous points to restore back to should it become necessary to do so.


Optional Removals & Adjustments

First off it looks like you have several different Antivirus programs listed in your HJT log. I'm sure some of these are just from your online scans, but it's important to know that you should only be running 1 active antivirus at a time. You have elements of AVG, Ewido, and McAfee starting up every time you boot. This can eat up system resources & cause your computer to run more slowly. If you are no longer using some of these programs then you should consider uninstalling them to free up memory.

Quicktime: This program is set to check the internet for updates & runs on startup. You can change those settings from within the program to free up system resources, and possibly bandwidth.

Java: Sun Java is also set to check for updates. You can change those settings from within Java to free up system resources, and possibly bandwidth. Remember to check for updates manually if you choose to do so.

Nero: This program is set to check the internet for updates & runs on startup. You can change those settings from within the program to free up system resources, and possibly bandwidth.

AOL Spyware Protection: I would advise against using AOL's spyware protection. Please read here, and here, and decide for yourself.


MicroSoft AntiSpyware
Because of recent changes in the way this program now defines and detects spyware/adware it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore”.

These are some of the adware/spyware programs that this program will NOT prompt you to remove: Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula, TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted!! I recommend you remove it.


Preventative Measures:

  1. Use an Alternative Browser. Most of the spyware/viruses/trojans out today target known flaws in I.E. Using an alternative browser closes most of those loopholes & you will find yourself getting far fewer (if any) infections. I'm a fan of FireFox for its functionality, security, & low demand on system resources. Here are a few of the more popular alternative browsers:
  2. Secure Internet Explorer. If you choose to stay with Internet Explorer, your likelihood of reinfection is much higher. Therefore you should follow these steps to help make I.E. more secure.
    • Don't add sites to the "Trusted Zone". Ever.
    • Download IESpyAd. This will add over 4000 known bad websites to the Restricted Zones list & help prevent you from being redirected to them.
    • Download & install Javacool's SpywareBlaster. This program will help block the download of malicious Active-X controls, block tracking cookies, and add known bad websites to the Restricted Zones list.
  3. Obtain & use a good firewall. Firewalls are important in preventing direct attacks on your system as well as notifying you when you have malware trying to dial out. A few good free firewalls are:
  4. Obtain & use a good AntiVirus program. The best solution to keeping your system clean is to prevent it from becoming infected. Therefore everyone nowadays should have a real-time antivirus program. Unless you go with Ewido, I would suggest against purchasing an AV (especially Norton, which is a resource hog & is nearly impossible to get out of your system once "infected"). There are several good AVs available for download:
  5. Anti-Spyware Programs. You should consider downloading & using the following programs if you haven’t already. I have found for best results, a moderate internet user should use these at least once every two weeks. Important: Please visit this site to learn how to configure & use the preceding programs. And remember to check for updates often!
  6. Keep Windows Updated! Microsoft comes out with patches & security updates all the time. Please remember to visit this site often for updates, or better yet, configure your automatic update feature to do it for you.

If you have any further questions please feel free to ask, or post a new thread in the appropriate forum. Thanks for visiting TSF!

RavenMind

Note: Please respond to this post so that we can mark this thread as resolved.
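The entry-by-entry review RavenMind did by hand above (the empty "Local Page" R0 values and the "(no file)" O2 BHO), as an added Python checker over HijackThis log lines; this is example code, not part of the thread or of the HijackThis tool. The sample input is copied from the HJT log posted earlier in this thread, and the O16 and O17 rules are extra review prompts assumed here (a control fetched from a bare-IP host, and the configured DNS servers to confirm against the ISP), not findings the thread made.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Sample input: lines copied from the HJT log posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O16 - DPF: ChatSpace Full Java Client 3.2.0.232 - http://66.179.32.140:8576/Java/cfs32232.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{34BD63AE-3458-4C0D-8627-4360398CDF08}: NameServer = 205.188.146.145
"""

# HJT v1.99 entries look like "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    code: str    # HJT section the entry came from, e.g. "O2"
    reason: str  # why a reviewer would look at it
    line: str    # the original log line


def _is_ip_literal(url: str) -> bool:
    """True when a download URL's host is a bare IPv4 address, not a name."""
    host = urlparse(url).hostname or ""
    return bool(IPV4_RE.match(host))


def triage_hjt(log_text: str) -> List[Finding]:
    """Apply the review rules to every entry line; other lines are skipped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, "Running processes:" paths, blank lines
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and body.endswith(" ="):
            # Empty IE start/search/local page value: fixing it restores the default.
            findings.append(Finding(code, "empty IE page setting; fixing restores the default", line))
        elif code == "O2" and body.endswith("(no file)"):
            # BHO still registered but its DLL is gone: an orphaned entry.
            findings.append(Finding(code, "BHO registered but DLL missing; fix removes the orphan", line))
        elif code == "O16":
            # Assumed rule: ActiveX control (DPF) fetched from an IP-literal host.
            url = body.rsplit(" - ", 1)[-1]
            if _is_ip_literal(url):
                findings.append(Finding(code, "ActiveX control downloaded from an IP-literal host", line))
        elif code == "O17" and "NameServer" in body:
            # Assumed rule: surface the DNS servers so they can be confirmed with the ISP.
            servers = body.split("=", 1)[1].strip()
            findings.append(Finding(code, f"DNS servers set to {servers}; confirm they are your ISP's", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```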
 

· Bearded Tech Monkey
Joined
·
1,058 Posts
Thank you for reading the Preventative Measures and letting me know about that link. Try this one.

Is everything running okay now?
 

· Registered
Joined
·
23 Posts
Discussion Starter · #11 ·
OK, I downloaded and installed the most recent IE-Spyad thing. Still having some connection issues but it has sped up a bit; I'll have to figure those out, I'll visit that forum you posted about. Also I uninstalled one of the two virus scanners that I had on my computer. I guess I just noticed how some virus scanners pick up what other virus scanners haven't; that Kaspersky one was the only one that picked up that virus that I have had since 2003, which is very odd since I've used probably about 5 different other good virus scanners that never picked it up. I kept AVG over McAfee. Thanks for your help man :)
 

· Bearded Tech Monkey
Joined
·
1,058 Posts
turbochill said:
I guess I just noticed how some virus scanners pick up what other virus scanners haven't
I agree, there just isn't any one perfect scanner (virus or spyware) that gets it all. Luckily we have many different free online scanners to turn to that will help "tighten the holes in the net", which is why programs like AdAware & Spybot are usually run in conjunction with each other. :grin:

turbochill said:
I kept AVG over Mcafee.
Sounds like a wise choice. :sayyes:


turbochill said:
Thanks for your help man :)
You're very welcome! If you have no objections, I will go ahead and have this thread marked as "Resolved".

Thanks for visiting the Security Forum at TSF!!

RavenMind
 