I'm Invaded

Hi, Can someone please help me? I am in the hurricane disaster area and was forced to use dial up for now. Well it seems the first time I dialed in my computers (all four are networked) were "blasted" with infection. It's causing a major problem for our business. I have run Adaware and Spybot on this computer and I am also including my HJT log. I am so grateful for all of you guys. This forum is just wonderful. Thanks and God Bless.


PS - Other than the usual weirdness you get when infected, I keep getting ads from something called Messenger Service that looks like it's from Microsoft, but I'm not sure. It keeps wanting me to go to different web sites for repairs, so I figured it is part of the infection. Also, once in a while the comp goes to a blue screen telling me Windows has shut down because a serious error has been detected. Please advise. Thanks again and God Bless You.


Logfile of HijackThis v1.99.1
Scan saved at 10:04:33 PM, on 9/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Turbosurf\PxUi.exe
C:\Program Files\Turbosurf\PxClient.exe
C:\Program Files\InetGet\Adperform180safull.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\HiJackThis.exe\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eastex.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Eastex Net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ProxyConn Browser Helper Object - {7D9E713D-0388-4384-BDD8-2A42EB1C4F04} - C:\Program Files\Turbosurf\PrxcnBrsrCtrl.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\Turbosurf\PxUi.exe" /Automation
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\InetGet\Adperform180safull.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000136.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000136.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.eastex.net
O15 - Trusted Zone: *.alamode.com
O15 - Trusted Zone: *.appraiserxsites.com
O16 - DPF: {24075344-C216-4EDF-B001-D2147ACC9883} (alaWeb.clsSolutionCenter) - file://Z:\WIN2000\CONTENT\cabs\alaWeb.CAB
O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://Z:\WIN2000\CONTENT\cabs\alaGrid.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65E03904-813F-49C6-B299-96D1DC1D3DC9}: NameServer = 204.96.17.141 204.96.16.141
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard File Monitoring (BsFileSpy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard Firewall (BsFirewall) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: BullGuard Email Monitoring (BsMailProxy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

THANK YOU!!!!

Comments

  • lemonlime Canada Member
    edited October 2005
    The messenger service can be a real disturbance on 'open' internet connections. It is safe to disable the messenger service, as the average home/small office user does not require it for anything.

    You can get some instructions on how to disable it here

    Also, these entries are likely a source of some advertising, and it should be safe to remove them:

    O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\InetGet\Adperform180safull.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000136.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000136.exe
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe


    Also, do these web sites look familiar to you? I.e. a place you have visited or frequent? alamode.com, appraiserxsites.com, www.eastex.net?

    If not, you can remove the following entries as well:

    O15 - Trusted Zone: *.alamode.com
    O15 - Trusted Zone: *.appraiserxsites.com
    O14 - IERESET.INF: START_PAGE_URL=http://www.eastex.net
    O16 - DPF: {24075344-C216-4EDF-B001-D2147ACC9883} (alaWeb.clsSolutionCenter) - file://Z:\WIN2000\CONTENT\cabs\alaWeb.CAB
    O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://Z:\WIN2000\CONTENT\cabs\alaGrid.CAB


    Also, do you have an anti-virus application? I'd recommend a full system scan. You can use Panda's active scan online here: http://www.pandasoftware.com/products/activescan.htm

    Once you have those removed, and have done a scan, reboot, and post an updated HJT log for us.. :thumbsup:

    Best Regards,
    Mike
  • mmonnin Centreville, VA
    edited October 2005
    Quarantine those files that lemonlime said to remove. Go to the specified folder and rename the file extensions like it is shown here.

    http://www.short-media.com/forum/showpost.php?p=173532&postcount=5
  • edited October 2005
    I have done everything requested (but I had already removed the files rather than quarantined them - maybe it will be ok). The alamode, appraiserxsites and eastex entries are all sites we have to frequent with our business so I didn't do anything to them. I ran the Panda check - it showed 9 spywares and 1 virus - I have purchased their product to remove them, but the username and password they have issued me is not good - can't reach anyone - so I'll have to contact them on Monday (I can't even send them an email without the right username and password - seems weird to me).

    Here is a new HJT log. Thank you so much for your help!!! God Bless You.


    Logfile of HijackThis v1.99.1
    Scan saved at 1:31:34 PM, on 10/1/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\essspk.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Turbosurf\PxUi.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Turbosurf\PxClient.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HiJackThis.exe\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eastex.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Eastex Net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ProxyConn Browser Helper Object - {7D9E713D-0388-4384-BDD8-2A42EB1C4F04} - C:\Program Files\Turbosurf\PrxcnBrsrCtrl.dll
    O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\Turbosurf\PxUi.exe" /Automation
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.eastex.net
    O15 - Trusted Zone: *.alamode.com
    O15 - Trusted Zone: *.appraiserxsites.com
    O16 - DPF: {24075344-C216-4EDF-B001-D2147ACC9883} (alaWeb.clsSolutionCenter) - file://Z:\WIN2000\CONTENT\cabs\alaWeb.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://Z:\WIN2000\CONTENT\cabs\alaGrid.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
    O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard File Monitoring (BsFileSpy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Firewall (BsFirewall) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Email Monitoring (BsMailProxy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • edited October 2005
    Here is the Panda ActiveScan Log in case you need it

    Incident Status Location

    Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
    Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\services.exe
    Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd
    Adware:adware/surfaccuracy No disinfected C:\PROGRAM FILES\SurfAccuracy
    Adware:adware/block-checker No disinfected Windows Registry
    Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
    Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\cwebpage.dll
    Adware:Adware/WUpd No disinfected C:\Program Files\InetGet\Adperform180safull.exe
    Adware:Adware/SurfAccuracy No disinfected C:\Program Files\SurfAccuracy\SAccU.exe
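lemonlime's advice above pairs the O4 autostart lines in the HJT log with what Panda found. As an added example (my own code, not from this thread, HijackThis or Panda), the following Python script parses both log layouts as they appear on this page and cross-references them: which autostart entries launch a file Panda flagged, and which flagged files are currently running. The sample log lines are constructed from the logs posted above, and the regular expressions assume the HijackThis 1.99.1 and Panda ActiveScan line layouts seen here.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input: a trimmed HijackThis log assembled from lines that
# appear in the logs posted in this thread.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\InetGet\Adperform180safull.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\Turbosurf\PxUi.exe" /Automation
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\InetGet\Adperform180safull.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000136.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
"""

# Constructed sample input in the "Incident Status Location" layout of the
# Panda ActiveScan log posted above.
PANDA_LOG = r"""
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\services.exe
Adware:adware/wupd No disinfected C:\WINDOWS\SYSTEM32\ide21201.vxd
Adware:adware/surfaccuracy No disinfected C:\PROGRAM FILES\SurfAccuracy
Adware:adware/block-checker No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\InetGet\Adperform180safull.exe
"""

O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
PANDA_LINE = re.compile(
    r"^(?P<incident>\S+)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")

class Autostart(NamedTuple):
    source: str          # e.g. "HKLM\..\Run" or "HKCU\..\RunServices"
    name: str            # the [name] of the Run value
    command: str         # the command line exactly as HijackThis logged it
    exe: Optional[str]   # absolute program path, or None if the log cannot tell

def extract_exe(command: str) -> Optional[str]:
    """Program path from a Run-key command line: the quoted part if quoted,
    else everything up to the first '.exe'. A bare filename with no directory
    (like 'msconfig32.exe' in the logs above) is found by a path search at
    logon, so the log alone cannot say which file runs; that returns None."""
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
        path = m.group(1) if m else command.split(" ")[0]
    return path if "\\" in path else None

def parse_hjt(text: str) -> Tuple[List[str], List[Autostart]]:
    """Return (running process paths, O4 registry autostarts) from an HJT log."""
    processes: List[str] = []
    entries: List[Autostart] = []
    for raw in text.splitlines():
        line = raw.strip()
        if PROCESS_LINE.match(line):
            processes.append(line)
        elif (m := O4_LINE.match(line)):
            source = f"{m['hive']}\\..\\{m['key']}"
            entries.append(Autostart(source, m["name"], m["cmd"], extract_exe(m["cmd"])))
    return processes, entries

def parse_panda(text: str) -> Dict[str, str]:
    """Map each flagged file or directory (lower-cased) to its detection name.
    Registry-only incidents have no path and are skipped; a path Panda lists
    twice with different capitalisation keeps the first detection name."""
    flagged: Dict[str, str] = {}
    for raw in text.splitlines():
        m = PANDA_LINE.match(raw.strip())
        if m and m["location"].lower() != "windows registry":
            flagged.setdefault(m["location"].lower().rstrip("\\"), m["incident"])
    return flagged

def detection_for(path: str, flagged: Dict[str, str]) -> Optional[str]:
    """Case-insensitive exact match, or a match inside a flagged directory.
    Whole paths are compared, so the flagged services.exe under Common Files is
    never confused with the genuine services.exe in the Windows system32 folder."""
    p = path.lower()
    for loc, incident in flagged.items():
        if p == loc or p.startswith(loc + "\\"):
            return incident
    return None

def triage(hjt_text: str, panda_text: str) -> Dict[str, Dict[str, str]]:
    """Which autostart entries launch a flagged file, and which flagged files are
    running right now. A running hit with no autostart hit means the file is
    started some other way and still needs attention after the O4 lines are fixed."""
    processes, entries = parse_hjt(hjt_text)
    flagged = parse_panda(panda_text)
    autostart_hits = {e.name: detection_for(e.exe, flagged) for e in entries if e.exe}
    running_hits = {p: detection_for(p, flagged) for p in processes}
    return {"autostart": {k: v for k, v in autostart_hits.items() if v},
            "running": {k: v for k, v in running_hits.items() if v}}
```

On the sample above, `triage(HJT_LOG, PANDA_LOG)` reports the SurfAccuracy and Media Gateway autostarts as flagged and the Common Files services.exe as a running file with no autostart entry behind it.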
  • edited October 2005
    HI - just checking :p
  • lemonlime Canada Member
    edited October 2005
    Hi curious,

    Your log looks better, but we are not done yet. Based on Panda's results, I believe the following entry should be removed as well (but not yet, please wait):

    O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll

    I want to see if there is any way we can gracefully remove any of these applications, before removing entries, or deleting files. Once we have done that, we'll re-scan, and manually delete anything left over.

    Could you post a list of everything in your Add/Remove programs list? You can easily do that by using HijackThis. Simply click Config --> Misc Tools --> Uninstall Manager --> Save list

    Copy and paste the results in a post here.

    Hopefully you'll get a hold of Panda on Monday, that's odd about the password..
  • edited October 2005
    OK - this is everything in Add/Remove log. Thanks and God Bless


    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    AIM Toolbar
    AOL Instant Messenger
    BullGuard 5.0
    DeLorme Street Atlas USA 2005
    DeLorme Street Atlas USA 2005 Data
    Eastex Net Turbo Surf (Uninstall)
    HijackThis 1.99.1
    hp LaserJet 4200 Uninstaller
    hp officejet 7100 series - 4
    HP Photo Printing Software
    HP Share-to-Web
    Lernout & Hauspie TruVoice American English TTS Engine
    Lighthouse 32
    LiveReg (Symantec Corporation)
    Microsoft .NET Framework 1.1
    Microsoft Office XP Media Content
    Microsoft Office XP Professional with FrontPage
    Microsoft Speech Recognition Engine 4.0 (English)
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft Works 2000
    NVIDIA Windows 2000/XP Display Drivers
    Panda ActiveScan
    PDF-XChange 3.0
    QuickBooks 99
    Spybot - Search & Destroy 1.4
    Street Atlas USA 2003
    Street Atlas USA 2003 Data
    Surf Accuracy
    Symantec pcAnywhere
    TIGER_CTSI
    Uninstall Creative Modem Blaster
    Viewpoint Media Player
    XSite Order Manager
  • lemonlime Canada Member
    edited October 2005
    Hi curious,

    'Surf Accuracy' can be 'uninstalled' via the Add/Remove Programs option in the Windows control panel. Be cautious while following the uninstaller, they often have trick questions to prevent you from uninstalling the application.

    Once done there, I would 'fix' this item from HJT:

    O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll

    Once finished, could you run another panda active scan (post log results) as well as another updated HJT log?
  • edited October 2005
    Hi Lemonlime and Thank you so much for all your help. I have done all you requested. Below are my logs:

    HJT LOG
    Logfile of HijackThis v1.99.1
    Scan saved at 11:03:10 AM, on 10/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\essspk.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Turbosurf\PxUi.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Turbosurf\PxClient.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\HiJackThis.exe\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eastex.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Eastex Net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ProxyConn Browser Helper Object - {7D9E713D-0388-4384-BDD8-2A42EB1C4F04} - C:\Program Files\Turbosurf\PrxcnBrsrCtrl.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\Turbosurf\PxUi.exe" /Automation
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.eastex.net
    O15 - Trusted Zone: *.alamode.com
    O15 - Trusted Zone: *.appraiserxsites.com
    O15 - Trusted Zone: http://acs.pandasoftware.com
    O15 - Trusted Zone: http://activescan.pandasoftware.com
    O15 - Trusted Zone: http://www.pandasoftware.com
    O15 - Trusted Zone: http://www.pandasoftware.es
    O16 - DPF: {24075344-C216-4EDF-B001-D2147ACC9883} (alaWeb.clsSolutionCenter) - file://Z:\WIN2000\CONTENT\cabs\alaWeb.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://Z:\WIN2000\CONTENT\cabs\alaGrid.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
    O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard File Monitoring (BsFileSpy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Firewall (BsFirewall) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Email Monitoring (BsMailProxy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    NEW PANDA LOG


    Incident Status Location

    Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\services.exe
    Adware:adware/block-checker No disinfected Windows Registry
    Adware:Adware/SurfAccuracy No disinfected C:\Documents and Settings\Janet Pickett\Local Settings\Temp\uninstall.exe
    Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
    Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\cwebpage.dll
    Adware:Adware/WUpd No disinfected C:\Program Files\InetGet\Adperform180safull.exe

    THANKS AGAIN FOR YOUR HELP
  • lemonlime Canada Member
    edited October 2005
    Great, your HJT log looks much better. It does not appear that any of those malicious applications/files will launch at startup any more, however they are still present on your machine and need to be removed.

    One of the most graceful ways to do this would be to simply download, install and run Ad-Aware. It will likely discover many, if not all of the remaining nasties sitting idle on your hard drive. Simply allow it to remove anything it finds. You can find some information on adaware here: http://www.short-media.com/forum/showpost.php?p=146151&postcount=1

    Adaware should remediate any non-viral, ad-related files, and may very well take care of those files that Panda found. You mentioned that you purchased panda, and it is a great product that I'm sure you'll use later, so it is certainly not a waste :)

    Optionally, you can quarantine those Panda-listed files manually using the process mmonnin listed above. I'd wait to see how Ad-Aware fares first.

    Moving forward, I'd also look into getting 'Service Pack 2' for Windows XP. It will help to keep your computer more secure. You can get more information from Microsoft here:

    http://www.microsoft.com/windowsxp/sp2/default.mspx

    Have your pop-ups and other advertising garbage stopped now?
    curious wrote:
    THANKS AGAIN FOR YOUR HELP

    My pleasure! :D .. Hopefully we'll get rid of this garbage for good on your machine :thumbsup:
  • edited October 2005
    Hi Lemonlime - Thanks again. The machine seems to be much better - no popups today so far. Before I posted this thread I had already run Adaware and Spybot along with Bullguard several times. Adaware deleted more than 10,000 items. But I will take your advice and run it again. After I have run Adaware and Panda I will post updated logs. Can't run them until after business hours today. Thanks again - you are great!!!!

    PS - What cocktail of antivirus/spyware do you recommend? I have Adaware, Spybot, Bullguard and once they get it straightened out I will have Panda. Should I include any others?

    Thanks and God Bless
  • edited October 2005
    Oh wow, you are not going to believe what Panda has put me through. First, I did not receive the login info. Then when I got it - it does not work. I call their tech support and explain what happens on their website - the guy very quickly says he will email me instructions - when I get the instructions they are exactly what I just told the guy does not work. He said he could not talk to me on the phone and started to hang up - I insisted he help me - He said he was emailing me info - I ask him if it was what we already did and he insisted it was not. When I got the email it was the same thing again. Needless to say I am trying now to get a refund. Just thought you guys would want to know about this. ;) PS - I will forward new logs tonight. Thanks again.
  • Trogan London, UK
    edited October 2005
    Hi,

    Sorry to hear about your trouble with Panda - very frustrating :(

    On a brighter note, there are several apps that you should have to help keep you clean. Most of them you already have but here is a list.

    Spyware/Adware:
    Ad-Aware SE 1.6
    SpyBot Search & Destroy 1.4
    SpywareBlaster 3.4
    SpywareShooter

    Anti-Virus
    I recommend AVG Free Edition. A lot of people use AVG, including myself, and it works very well. It also doesn't slow down your computer like most AV apps.

    Remember you should have only one Anti-Virus app on one computer, and always keep everything updated on a regular basis.

    Hope that helps :)
  • edited October 2005
    Hi Everyone - thanks for your help. Here is a new HJT log. I did run the free version of Panda again but it froze up and wouldn't finish. After two tries I gave up. It did however find 7 spyware and 2 suspicious files before it froze. Adaware is not finding these files - it comes up clean. What suggestions do you have? Thanks and God Bless You. PS - I currently use Bullguard antivirus - should I replace it with something better - because Bullguard is not finding any of this stuff.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:59:45 PM, on 10/3/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\essspk.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Turbosurf\PxUi.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    C:\Program Files\Turbosurf\PxClient.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\HiJackThis.exe\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eastex.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Eastex Net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ProxyConn Browser Helper Object - {7D9E713D-0388-4384-BDD8-2A42EB1C4F04} - C:\Program Files\Turbosurf\PrxcnBrsrCtrl.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\Turbosurf\PxUi.exe" /Automation
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.eastex.net
    O15 - Trusted Zone: *.alamode.com
    O15 - Trusted Zone: *.appraiserxsites.com
    O15 - Trusted Zone: http://acs.pandasoftware.com
    O15 - Trusted Zone: http://activescan.pandasoftware.com
    O15 - Trusted Zone: http://www.pandasoftware.com
    O15 - Trusted Zone: http://www.pandasoftware.es
    O16 - DPF: {24075344-C216-4EDF-B001-D2147ACC9883} (alaWeb.clsSolutionCenter) - file://Z:\WIN2000\CONTENT\cabs\alaWeb.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://Z:\WIN2000\CONTENT\cabs\alaGrid.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
    O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard File Monitoring (BsFileSpy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Firewall (BsFirewall) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Email Monitoring (BsMailProxy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • TroganTrogan London, UK
    edited October 2005
    You're running an old version of IE. Please go to www.windowsupdate.microsoft.com and click 'Express' to download the latest version of IE.

    ==

    Get rid of the AIM toolbar with HJT
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

    Get rid of the following entries with HJT:

    O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKLM\..\Run: [PxClient.exe] "C:\Program Files\Turbosurf\PxUi.exe" /Automation
    O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
    O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.eastex.net
    O15 - Trusted Zone: *.alamode.com
    O15 - Trusted Zone: *.appraiserxsites.com
    O16 - DPF: {24075344-C216-4EDF-B001-D2147ACC9883} (alaWeb.clsSolutionCenter) - file://Z:\WIN2000\CONTENT\cabs\alaWeb.CAB
    O16 - DPF: {AED6797A-D608-11D4-89D2-00105AA3C57F} (alaGrid.TechDocSearch) - file://Z:\WIN2000\CONTENT\cabs\alaGrid.CAB
    O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard File Monitoring (BsFileSpy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Firewall (BsFirewall) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Email Monitoring (BsMailProxy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)

    Find and delete the highlighted folder:

    C:\Program Files\Turbosurf


    Post a new HJT log after :)
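    The list above is a manual triage of the posted log. The Python below is an added example for this thread (not HijackThis code and not something the replier ran): it parses a few constructed lines in the same R1/O4/O15/O16/O23 shape as the logs above and flags the patterns the reply singles out, a Run entry whose label also appears under RunServices (a Windows 9x autostart key that XP itself does not process), services marked "(file missing)", wildcard Trusted Zone entries and ActiveX cabs registered from a file:// path. It also flags one entry the reply leaves alone but a practitioner would check: the IE ProxyServer value of http=127.0.0.1:6198, which only keeps the browser working while whatever local program listens on that port is still installed. SAMPLE_LOG and the fix/review labels are this example's own assumptions.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not HijackThis code: it parses the R1/O4/O15/
O16/O23 line shapes seen in the logs above and flags the patterns the reply
singles out. SAMPLE_LOG is constructed for the example and is not the full
posted log; the severity labels are this example's own convention.
"""
import re
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eastex.net
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.alamode.com
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {24075344-C216-4EDF-B001-D2147ACC9883} (alaWeb.clsSolutionCenter) - file://Z:\WIN2000\CONTENT\cabs\alaWeb.CAB
O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<body>.*)$")
LABEL_RE = re.compile(r"\[(?P<label>[^\]]+)\]")  # the [name] part of an O4 entry

Finding = Tuple[str, str, str]  # (severity, reason, original line)


def parse_line(raw: str) -> Optional[Tuple[str, str]]:
    """Split 'O4 - HKLM\\..\\Run: [x] y' into ('O4', 'HKLM\\..\\Run: [x] y')."""
    m = ENTRY_RE.match(raw.strip())
    return (m.group("code"), m.group("body")) if m else None


def triage(log: str) -> List[Finding]:
    entries = []
    for raw in log.splitlines():
        parsed = parse_line(raw)
        if parsed:
            entries.append((raw.strip(), parsed[0], parsed[1]))

    # Pass 1: collect labels written under RunServices. Windows XP does not
    # process that key (it is a Windows 9x autostart), so the same label
    # turning up under the real Run keys is worth flagging as a set.
    runservices_labels = set()
    for _, code, body in entries:
        m = LABEL_RE.search(body)
        if code == "O4" and "RunServices" in body and m:
            runservices_labels.add(m.group("label"))

    # Pass 2: apply the per-section checks.
    findings: List[Finding] = []
    for line, code, body in entries:
        if code == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1]
            if re.search(r"127\.0\.0\.1|localhost", value, re.IGNORECASE):
                findings.append(("review",
                                 "IE proxy points at a local listener; browsing "
                                 "fails if that program is gone", line))
        elif code == "O4":
            m = LABEL_RE.search(body)
            label = m.group("label") if m else ""
            if "RunServices" in body:
                findings.append(("fix", "autostart under RunServices "
                                 "(Win9x key, not used by XP)", line))
            elif label in runservices_labels:
                findings.append(("fix", "Run entry with the same label as a "
                                 "RunServices entry", line))
        elif code == "O15":
            target = body.split(":", 1)[1].strip()
            if target.startswith("*."):
                findings.append(("review", "wildcard Trusted Zone entry", line))
        elif code == "O16" and "file://" in body.lower():
            findings.append(("review", "ActiveX control registered from a "
                             "file:// path", line))
        elif code == "O23" and body.endswith("(file missing)"):
            findings.append(("review", "service registered but its binary "
                             "is missing", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

    On the constructed sample this reports two "fix" findings (the paired Compaq32 Service Drivers entries) and four "review" findings (the loopback proxy, the wildcard Trusted Zone, the file:// cab and the dead BullGuard service); the ctfmon.exe, Panda and NVIDIA lines are left alone.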
  • edited October 2005
    OH MY!! I'm really getting nervous. Please help me!!! This computer is really acting weird now. It won't establish an internet connection - I'm having to reply to this thread from the laptop, which is on the same network. Below is the HJT log. I don't understand - I have run Adaware and Ewido, which both come up totally clean now, but I have absolutely no internet connection - yet email still works!!! What's going on? I really need to try to fix this tonight or we won't be able to work tomorrow!!

    I fixed the things you requested in HJT, but it would not let me delete Turbosurf (it said access denied to the Pxlsp.dll file). Also, I cannot update IE because I cannot get on the internet. Please help me!!!

    Thanks and God Bless You.


    Logfile of HijackThis v1.99.1
    Scan saved at 9:14:00 PM, on 10/3/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\essspk.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\System32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\HiJackThis.exe\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.eastex.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Eastex Net
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6198
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = clinic.mcafee.com; bin.mcafee.com; download.mcafee.com;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ProxyConn Browser Helper Object - {7D9E713D-0388-4384-BDD8-2A42EB1C4F04} - C:\Program Files\Turbosurf\PrxcnBrsrCtrl.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -b
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BullGuard 5.0] "C:\Program Files\BullGuard Software\BullGuard 5.0\bullguard.exe" -boot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 4.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://acs.pandasoftware.com
    O15 - Trusted Zone: http://activescan.pandasoftware.com
    O15 - Trusted Zone: http://www.pandasoftware.com
    O15 - Trusted Zone: http://www.pandasoftware.es
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard 5.0\BullGuardUpdate.exe
    O23 - Service: BullGuard Main (BGMainSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard File Monitoring (BsFileSpy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Firewall (BsFirewall) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: BullGuard Email Monitoring (BsMailProxy) - Unknown owner - C:\WINDOWS\System32\svchost.exe" -k bg5 (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • edited October 2005
    OH - I forgot to tell you - This machine is really running extreeemmmly slowww now.
  • TroganTrogan London, UK
    edited October 2005
    Hi curious,

    Reinstall Bullguard on top of your current installation.


    Let me know how things are after.
  • edited October 2005
    Can't reinstall Bullguard because I can't get on internet. :confused::(

    Thank you so much for your help.
  • TroganTrogan London, UK
    edited October 2005
    Did bullguard come with a CD?

    Download Winsock and save it to your desktop. Double-click 'winsockxpfix' and run the programme.

    http://www.majorgeeks.com/download4372.html
  • edited October 2005
    Bullguard was purchased and downloaded online. :(

    I'm working on winsock - i'll post as soon as finished.

    Thank you so much!!!
  • edited October 2005
    Well, winsock did not help. Do you think something has changed some sort of settings in IE? I don't know what to think. Of course you know a whooollle lot more than me about it.

    Thanks :bawling:
  • TroganTrogan London, UK
    edited October 2005
    I forgot to mention. You are meant to close all open windows including IE. Do that and rerun winsock again.
  • edited October 2005
    Still did not help - actually I think I had all windows closed the first time - but I did it again anyway. Well, if fixing the registry keys did not fix it, does that mean it's viral?
  • TroganTrogan London, UK
    edited October 2005
    Hmm...I'm not really too sure then :(

    I'll ask someone with much more knowledge than me to come and have a look for you. I'm sorry...
  • edited October 2005
    Please don't be sorry - you have really been trying hard to help me. Thank you so much and God Bless You.
    Janet :)
  • TroganTrogan London, UK
    edited October 2005
    It's 5am here in the UK. I need some sleep; I have to wake up in 4 hours and I'm really tired.

    If you haven't received help, I'll make sure someone comes soon :)
  • edited October 2005
    Thank you
  • edited October 2005
    It seems like this problem started after I installed Spyware-Shooter. Could that have messed with settings in IE?
  • edited October 2005
    How do I remove Spyware-Shooter? I don't see it in my Add/Remove list in Control Panel. Thanks
This discussion has been closed.