james7707
asked on
Win32: Trojan Removable?
Running XP-Pro, have Avast, MS Anti-Spyware. Delete this tmp file but it reappears every time I reboot.
Can this be removed?
The virus shows as: Win32:Trojano .3099[TRJ]
The file is C:\Temp\.5.tmp
ASKER
NO, DID NOT RUN EWIDO... TRIED RPGGAMERGIRL'S SUGGESTION FIRST.
Download AboutBuster:
http://www.malwarebytes.org/AboutBuster.zip
Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.
Click Begin Removal.
Click Yes. This will shutdown all open Internet Explorer windows.
When the scan is done, click Ok.
COMPLETED.
You should also disable the bad service: "Remote Procedure Call (RPC) Helper"
Go to START > RUN > type in
services.msc - FILE NOT FOUND
Hit OK
In the next window, look on the right hand side for this service name:
Remote Procedure Call (RPC) Helper <-- make sure it has the word Helper in it
Double click on it and STOP the service -- If running.
In the drop down menu, change the startup type to "Disabled"
Post the link to a new Hijackthis log after.
Comment from rpggamergirl
Date: 12/31/2005 03:48PM PST
Comment
More bad entries here you need to include in the entries to fix:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
NOT FOUND
O2 - BHO: Class - {AE721233-0FEA-4847-4C92-FDF523518F56} - C:\WINDOWS\system32\appum.dll
DELETED
RAN AVAST - RESULTS NO INFECTED FILES FOUND IN MEMORY, SCAN C: NO INFECTED FILES.
WILL RUN COMPLETE SCAN TONIGHT; IF OK, WILL AWARD 200 - WAR1, 300 - RPGGAMERGIRL BY 1/2/06. AM VERY CAUTIOUS ABOUT DELETING THESE FILES:
C:\WINDOWS\crxf32.exe
C:\WINDOWS\system32\winib.exe
EVERYTHING SEEMS FINE AT THE MOMENT...WHO KNOWS HOW IT WILL BE IN 2006!
THANKS TO BOTH OF YOU AND HAPPY NEW YEAR!
HERE IS MY CURRENT LOG AFTER RUNNING HIJACK:
Logfile of HijackThis v1.99.1
Scan saved at 4:05:28 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Programs\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
D:\Programs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
d:\Programs\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Programs\Logitech\Video\LogiTray.exe
D:\Programs\ProSeries05\32bit\TaskSch.exe
D:\Programs\Logitech\iTouch\iTouch.exe
d:\Programs\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\Adobe\Acrobat7\Reader\reader_sl.exe
D:\Programs\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
D:\Programs\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
D:\Programs\Logitech\Video\FxSvr2.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hppapml0.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat7\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3DC7127D-0920-C07C-7029-1A227A72D53E} - C:\WINDOWS\system32\sysbg32.dll (file missing)
O2 - BHO: Class - {AE721233-0FEA-4847-4C92-FDF523518F56} - C:\WINDOWS\system32\appum.dll (file missing)
O2 - BHO: Class - {F5E4032F-B58E-1B79-B01F-22DB28518DF7} - C:\WINDOWS\sdkjo.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] d:\Programs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] d:\Programs\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] d:\Programs\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Programs\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Programs\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ProTaskScheduler] D:\Programs\ProSeries05\32bit\TaskSch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] d:\Programs\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [579.tmp] C:\Temp\579.tmp.exe
O4 - HKLM\..\Run: [57A.tmp] C:\Temp\57A.tmp.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\Programs\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Eagle Listener.lnk = D:\Programs\3apps\Catapult\3listen.exe
O4 - Startup: Eagle Scheduler.lnk = D:\Programs\3apps\Catapult\Sched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programs\Adobe\Acrobat7\Reader\reader_sl.exe
O4 - Global Startup: HP LaserJet Director.lnk = D:\Programs\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SonicWALL VPN Client.lnk = D:\Programs\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programs\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programs\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Programs\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Programs\PartyPoker\PartyPoker.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - d:\Programs\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - d:\Programs\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134803696578
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://ceder.us/Remote/msrdp.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - d:\Programs\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - d:\Programs\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
DO I STILL NEED TO DELETE ANY OF THESE EVEN THOUGH IT APPEARS TO BE WORKING?
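The reason the C:\Temp file keeps coming back is visible in the log above: two HKLM Run values launch C:\Temp\579.tmp.exe and C:\Temp\57A.tmp.exe at every boot, and the unnamed O2 BHO entries are the other tell-tale. The triage script below is an added example, not part of this thread or of HijackThis; it parses HijackThis v1.99 lines and flags those patterns (a Run value launching from a temp folder, an unnamed or dangling BHO, Default_Page_URL forced to about:blank). The category names, regular expressions and SAMPLE_LOG are my own; SAMPLE_LOG is a constructed subset of the asker's log.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the asker's 12/31/2005 log, same line format.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat7\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3DC7127D-0920-C07C-7029-1A227A72D53E} - C:\WINDOWS\system32\sysbg32.dll (file missing)
O2 - BHO: Class - {AE721233-0FEA-4847-4C92-FDF523518F56} - C:\WINDOWS\system32\appum.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [579.tmp] C:\Temp\579.tmp.exe
O4 - HKLM\..\Run: [57A.tmp] C:\Temp\57A.tmp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    category: str  # short label for the pattern matched (my own naming)
    detail: str    # why this entry matters, in the thread's terms
    line: str      # raw log line that produced the finding


# Every HijackThis entry has the shape "<section> - <body>".
HJT_LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")   # C:\Temp, ...\Local Settings\Temp, etc.


def _exe_path(cmd: str) -> str:
    """Lower-cased executable part of a Run-key command (quoted or bare)."""
    cmd = cmd.strip().lstrip('"').lower()
    end = cmd.find(".exe")
    return cmd[: end + 4] if end >= 0 else cmd.split('"')[0]


def _check_run(section: str, body: str, line: str) -> list[Finding]:
    m = RUN_RE.match(body)
    if not m:
        return []
    exe = _exe_path(m["cmd"])
    if any(marker in exe for marker in TEMP_MARKERS):
        return [Finding(section, "autostart-from-temp",
                        f"{m['hive']} Run value [{m['name']}] launches {exe}; a Run value "
                        "pointing into a temp folder is why the file comes back at every "
                        "reboot until the value itself is removed", line)]
    return []


def _check_bho(section: str, body: str, line: str) -> list[Finding]:
    m = BHO_RE.match(body)
    if not m:
        return []
    clsid = "{" + m["clsid"] + "}"
    if m["path"].rstrip().endswith("(file missing)"):
        return [Finding(section, "dangling-bho",
                        f"BHO {clsid} points at a DLL that no longer exists: registry "
                        "clutter left behind after removal, safe to fix", line)]
    if m["name"].strip() == "Class":
        return [Finding(section, "unnamed-bho",
                        f"BHO {clsid} has no descriptive name and loads {m['path']}; "
                        "legitimate helpers normally register one", line)]
    return []


def _check_r1(section: str, body: str, line: str) -> list[Finding]:
    low = body.lower()
    if "default_page_url" in low and low.endswith("= about:blank"):
        return [Finding(section, "homepage-hijack",
                        "IE default page forced to about:blank, the Home Search "
                        "Assistant symptom the experts fixed in this thread", line)]
    return []


CHECKS = {"O4": _check_run, "O2": _check_bho, "R1": _check_r1}


def triage(log_text: str) -> list[Finding]:
    """Run every section-specific check over a whole HijackThis log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if m and m["section"] in CHECKS:
            findings.extend(CHECKS[m["section"]](m["section"], m["body"], raw.strip()))
    return findings


def categories(log_text: str) -> list[str]:
    """Sorted, de-duplicated finding categories, for a one-line verdict."""
    return sorted({f.category for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.category:20} {f.detail}")
```

Entries such as avast!, ctfmon.exe and the vsmon service pass through untouched, which is the point: the script only surfaces the patterns the experts acted on, leaving the verdict on each to the reader.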
ASKER
Your HijackThis log looks much cleaner. Did you try to remove the following files previously and they came back? NO.. HAVE REMOVED THEM NOW AS INDICATED BELOW.
PartyPoker is not giving your popups or redirecting your page? You should get rid of PartyPoker.
O4 - HKLM\..\Run: [579.tmp] C:\Temp\579.tmp.exe
O4 - HKLM\..\Run: [57A.tmp] C:\Temp\57A.tmp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Programs\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - d:\Programs\PartyPoker\PartyPoker.exe
DELETED THE ABOVE FILES.... WHY PARTYPOKER? THIS IS MY PASTIME... ANY WAY I CAN KEEP IT, OR SHOULD I CONSIDER ANOTHER ONLINE POKER SITE?
Logfile of HijackThis v1.99.1
Scan saved at 5:06:02 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Programs\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
D:\Programs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
d:\Programs\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Programs\Logitech\Video\LogiTray.exe
D:\Programs\ProSeries05\32bit\TaskSch.exe
D:\Programs\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
d:\Programs\Logitech\MouseWare\system\em_exec.exe
D:\Programs\Adobe\Acrobat7\Reader\reader_sl.exe
D:\Programs\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
D:\Programs\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
D:\Programs\Logitech\Video\FxSvr2.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hppapml0.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat7\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3DC7127D-0920-C07C-7029-1A227A72D53E} - C:\WINDOWS\system32\sysbg32.dll (file missing)
O2 - BHO: Class - {F5E4032F-B58E-1B79-B01F-22DB28518DF7} - C:\WINDOWS\sdkjo.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] d:\Programs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] d:\Programs\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] d:\Programs\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Programs\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Programs\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ProTaskScheduler] D:\Programs\ProSeries05\32bit\TaskSch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] d:\Programs\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\Programs\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Eagle Listener.lnk = D:\Programs\3apps\Catapult\3listen.exe
O4 - Startup: Eagle Scheduler.lnk = D:\Programs\3apps\Catapult\Sched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programs\Adobe\Acrobat7\Reader\reader_sl.exe
O4 - Global Startup: HP LaserJet Director.lnk = D:\Programs\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SonicWALL VPN Client.lnk = D:\Programs\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programs\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programs\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - d:\Programs\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - d:\Programs\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134803696578
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://ceder.us/Remote/msrdp.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - d:\Programs\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - d:\Programs\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Temp <-- you need to empty this folder, delete everything in it but not the folder itself. OK DONE EXCEPT FOR THESE CANNOT BE DELETED:
Temporary Internet Files Folder
Iadhide4.dll
Or use CleanUp to clean your temp files. RAN THIS PROGRAM.
Download CleanUp
http://www.stevengould.org/software/cleanup/download.html
Now run the "CleanUp" program:
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp
These files below are bad and belong to Home Search Assistant: About Buster, CoolWebshredder or Ewido should have gotten rid of them.
C:\WINDOWS\crxf32.exe - GONE
C:\WINDOWS\system32\winib.exe - GONE
HSA is sometimes hard to remove and they come back; if they do, we'll provide very detailed steps. IE and Windows Explorer mustn't be open once you start cleaning them up.
THANKS TO BOTH OF YOU..ANYTHING ELSE I NEED TO DO...SEEMS TO BE WORKING FINE!
James,
We have not heard from you in awhile. Did any comment help you solve your problem? Do you have any more questions? If an Expert helped you, please accept his/her answer above with an excellent or good grade.
Thanks, war1
ASKER
You can fix these entries, these are just registry clutters now.
O2 - BHO: Class - {3DC7127D-0920-C07C-7029-1A227A72D53E} - C:\WINDOWS\system32\sysbg32.dll (file missing)
O2 - BHO: Class - {F5E4032F-B58E-1B79-B01F-22DB28518DF7} - C:\WINDOWS\sdkjo.dll (file missing)
DONE.
>>OK DONE EXCEPT FOR THESE CANNOT BE DELETED:
Temporary Internet Files Folder
Iadhide4.dll<<
What's the exact path to that file? c:\TEMP
Maybe it needs to be stripped of all attributes before it can be deleted. TRIED THIS, NO CHANGE.
Or.
Instead of deleting the file, disable it by removing all permissions.
Right click on the file and select Properties > Security > Advanced.
Uncheck "Inherit from parent" and remove other permissions. TRIED THIS, NC.
If you are using XP Home, you need to access the Security tab from Safe Mode.
If using XP Pro and the Security tab is not available, go to any folder and select Tools > Folder Options > View. Uncheck "Use simple file sharing". TRIED THIS, NC.
FOR THE IFFF FILE - STATES IT IS A SYSTEM FILE AND CANNOT BE REMOVED.
FOR IDA..FILE - STATES ACCESS IS DENIED.
IF NO OTHER OPTION, JUST LEAVE IT SINCE EVERYTHING APPEARS TO BE WORKING CURRENTLY!
THANKS.
James, is your computer running without adware issues?
ASKER
Not sure what you mean... I believe so... if you're asking am I running an adware program, the answer is no.
James, I am asking if you have any more adware issues. Looks like the computer is clean.
ASKER
Here is my latest scan:
Logfile of HijackThis v1.99.1
Scan saved at 5:47:38 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
d:\Programs\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
d:\Programs\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Avast4\ashDisp.exe
D:\Programs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
D:\Programs\Logitech\Video\LogiTray.exe
D:\Programs\Logitech\iTouch\iTouch.exe
d:\Programs\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Programs\Logitech\Video\FxSvr2.exe
D:\Programs\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
D:\Programs\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
D:\Programs\ProSeries05\32bit\tasksch.exe
C:\WINDOWS\system32\hppapml0.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat7\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] d:\Programs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] d:\Programs\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] d:\Programs\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Programs\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Programs\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ProTaskScheduler] D:\Programs\ProSeries05\32bit\TaskSch.exe
O4 - HKLM\..\Run: [zBrowser Launcher] d:\Programs\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\Programs\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Eagle Listener.lnk = D:\Programs\3apps\Catapult\3listen.exe
O4 - Startup: Eagle Scheduler.lnk = D:\Programs\3apps\Catapult\Sched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programs\Adobe\Acrobat7\Reader\reader_sl.exe
O4 - Global Startup: HP LaserJet Director.lnk = D:\Programs\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: SonicWALL VPN Client.lnk = D:\Programs\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programs\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programs\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - d:\Programs\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - d:\Programs\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134803696578
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://ceder.us/Remote/msrdp.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - d:\Programs\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - d:\Programs\SonicWALL\SonicWALL VPN Client\IreIKE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Look clean to you? I would say so, but you're the expert. As for any other issues, ran Avast, no errors. So if you give the OK, will award the points.
James, here is the analyzed log:
http://hijackthis.de/logfiles/956b75b56315d9c92f06883ed63a9381.html
It looks clean. :-)
ASKER
No malware in your log.
You can fix this entry though.
R3 - Default URLSearchHook is missing
DONE
If you use IE most of the time you should check out SpywareBlaster. It protects you against ActiveX-based malware installing into your system. It is not a resource hog, because it protects you without running in the background.
IE is my only browser and I have SpywareBlaster installed.
http://www.javacoolsoftware.com/spywareblaster.html
DONE
THANKS TO BOTH OF YOU FOR ALL YOUR HELP!!!!!!!!!!!!
Hi James,
Did you mean to give all points to war1?
I was hoping you were happy with my help, but obviously you weren't, since you gave all the points to war1 and none to me.
Good luck!
ASKER
NOOOOOOOOOOOOOOOO! MY INTENTION WAS TO SPLIT 50/50, AND I THOUGHT I ENTERED IT THAT WAY........CAN THIS BE FIXED!
James, to change the grading, you need to post a note to the Community Support page with a link to this question. The Community Support page link is in the upper right corner of this page.
ASKER
done.
ASKER
DL Hijack and
here are the results:
http://www.hijackthis.de/index.php#anl
and Log file:
Logfile of HijackThis v1.99.1
Scan saved at 1:24:16 PM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Common Files\STOPzilla!\SZServer.
d:\Programs\SonicWALL\Soni
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
C:\PROGRA~1\Avast4\ashDisp
D:\Programs\ZoneAlarm\zlcl
C:\WINDOWS\system32\LVCOMS
D:\Programs\Logitech\Video
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Programs\ProSeries05\32
C:\WINDOWS\crxf32.exe
D:\Programs\Logitech\iTouc
C:\WINDOWS\system32\winib.
C:\Temp\57A.tmp.exe
C:\Temp\579.tmp.exe
D:\Programs\STOPzilla!\STO
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
d:\Programs\Logitech\Mouse
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
C:\WINDOWS\system32\ctfmon
d:\Programs\SonicWALL\Soni
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchos
C:\Program Files\Common Files\Intuit\QuickBooks\QB
D:\Programs\SonicWALL\Soni
C:\WINDOWS\system32\ZoneLa
D:\Programs\Logitech\Video
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
D:\Programs\Adobe\Acrobat7
C:\WINDOWS\system32\hppapm
C:\WINDOWS\system32\Macrom
C:\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Class - {3DC7127D-0920-C07C-7029-1
O2 - BHO: Class - {AE721233-0FEA-4847-4C92-F
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-0
O2 - BHO: Class - {F5E4032F-B58E-1B79-B01F-2
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp
O4 - HKLM\..\Run: [Zone Labs Client] d:\Programs\ZoneAlarm\zlcl
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] d:\Programs\Hewlett-Packar
O4 - HKLM\..\Run: [HP AutoIndexer] d:\Programs\Hewlett-Packar
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMS
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Programs\Logitech\Video
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Programs\Logitech\Video
O4 - HKLM\..\Run: [ProTaskScheduler] D:\Programs\ProSeries05\32
O4 - HKLM\..\Run: [zBrowser Launcher] d:\Programs\Logitech\iTouc
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [winib.exe] C:\WINDOWS\system32\winib.
O4 - HKLM\..\Run: [579.tmp] C:\Temp\579.tmp.exe
O4 - HKLM\..\Run: [57A.tmp] C:\Temp\57A.tmp.exe
O4 - HKLM\..\Run: [579.tmp.exe] C:\Temp\579.tmp.exe
O4 - HKLM\..\Run: [57A.tmp.exe] C:\Temp\57A.tmp.exe
O4 - HKLM\..\Run: [STOPzilla] D:\Programs\STOPzilla!\STO
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] D:\Programs\Logitech\Video
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - Startup: Eagle Listener.lnk = D:\Programs\3apps\Catapult
O4 - Startup: Eagle Scheduler.lnk = D:\Programs\3apps\Catapult
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Programs\Adobe\Acrobat7
O4 - Global Startup: HP LaserJet Director.lnk = D:\Programs\Hewlett-Packar
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
O4 - Global Startup: SonicWALL VPN Client.lnk = D:\Programs\SonicWALL\Soni
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programs\MICROS~2
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-1
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-1
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-8
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-8
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {7584C670-2274-4EFB-B00B-D
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crxf32.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe"
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe"
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - d:\Programs\SonicWALL\Soni
O23 - Service: SafeNet IKE Service (IREIKE) - SafeNet - d:\Programs\SonicWALL\Soni
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLa
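Editor's added example (not from either expert in this thread and not part of HijackThis): the triage above was done by eye, comparing the infected log of 12/31/2005 with the clean one. The script below encodes the same reasoning as checks over O2, O4 and O23 lines: an autostart launched from C:\Temp or a ".tmp.exe" name, a service whose display name contains unprintable characters (like the fake "Remote Procedure Call (RPC) Helper") or that runs an unknown-owner executable from the C:\WINDOWS root, a BHO with the generic name "Class", and orphaned "(file missing)" BHOs that are only registry clutter. The sample lines are constructed from entries quoted in this thread plus one placeholder BHO with an all-zero CLSID; the severity labels, the temp-directory list and the "generic Class BHO" rule are the editor's assumptions, not HijackThis rules.

```python
"""Triage HijackThis O2/O4/O23 entries for the red flags discussed in this thread.

Added example; not part of the original thread and not HijackThis code.
Sample lines are constructed from entries quoted in the thread (infected log of
12/31/2005, orphaned BHO entries) plus one constructed placeholder BHO.
Severity labels, TEMP_DIRS and the generic-"Class"-BHO rule are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Locations a legitimate autostart binary should not be launched from (assumption).
TEMP_DIRS = ("c:\\temp\\", "\\windows\\temp\\", "\\local settings\\temp\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    severity: str  # "high" = likely malware, "low" = clutter or worth a second look
    reason: str


def _in_temp(path: str) -> bool:
    return any(t in path.lower() for t in TEMP_DIRS)


def _tmp_made_executable(path: str) -> bool:
    # e.g. C:\Temp\579.tmp.exe: a dropped .tmp file renamed so it runs at logon
    return re.search(r"\.tmp\.exe\b", path, re.IGNORECASE) is not None


def _unprintable(name: str) -> bool:
    # Service display names are human-readable; control or non-ASCII characters
    # (as in the fake "RPC Helper" service in the log above) are a red flag.
    return any(ord(ch) < 32 or ord(ch) > 126 for ch in name)


def _bare_windows_dir(path: str) -> bool:
    # C:\WINDOWS\<name>.exe outside system32: legitimate services rarely live there.
    p = path.strip().strip('"').lower()
    return re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", p) is not None


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HijackThis log line."""
    line = line.strip()
    out: list[Finding] = []
    m = O2_RE.match(line)
    if m:
        if "(file missing)" in m.group("path"):
            out.append(Finding(line, "low", "orphaned BHO: CLSID still registered but the DLL is gone; fix as registry clutter"))
        elif m.group("name").strip() == "Class":
            out.append(Finding(line, "high", "BHO with the generic name 'Class' whose DLL is still present"))
        return out
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if _in_temp(cmd) or _tmp_made_executable(cmd):
            out.append(Finding(line, "high", "autostart launches an executable from a temp directory"))
        elif re.fullmatch(r"[\w.~-]+\.exe", cmd.strip().strip('"'), re.IGNORECASE):
            out.append(Finding(line, "low", "autostart gives a bare filename with no path; check which file the search path resolves"))
        return out
    m = O23_RE.match(line)
    if m:
        display, owner, path = m.group("display"), m.group("owner"), m.group("path")
        if _unprintable(display):
            out.append(Finding(line, "high", "service display name contains non-printable or non-ASCII characters"))
        if owner.lower().startswith("unknown") and _bare_windows_dir(path):
            out.append(Finding(line, "high", "unknown-owner service runs from the C:\\WINDOWS root instead of system32"))
    return out


def triage(lines) -> list[Finding]:
    return [f for ln in lines for f in triage_line(ln)]


def severity_counts(lines) -> dict[str, int]:
    counts = {"high": 0, "low": 0}
    for f in triage(lines):
        counts[f.severity] += 1
    return counts


# Constructed sample: legitimate entries, orphaned BHOs, and the infection indicators.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat7\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe",
    r"O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe",
    r"O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe",
    r"O2 - BHO: Class - {3DC7127D-0920-C07C-7029-1A227A72D53E} - C:\WINDOWS\system32\sysbg32.dll (file missing)",
    r"O2 - BHO: Class - {F5E4032F-B58E-1B79-B01F-22DB28518DF7} - C:\WINDOWS\sdkjo.dll (file missing)",
    r"O4 - HKLM\..\Run: [579.tmp] C:\Temp\579.tmp.exe",
    r"O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\crxf32.exe",
    # placeholder CLSID and DLL name, constructed for the example
    r"O2 - BHO: Class - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():4}] {f.reason}\n        {f.line}")
    print(severity_counts(SAMPLE_LOG))
```

Two caveats a practitioner would keep in mind: "Unknown owner" alone is not flagged, because the avast services in the clean log carry it too; and an entry such as winib.exe in system32 looks normal to these rules, so a well-named file in a system directory still needs a hash or vendor lookup before it is trusted.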