
SpyAxe; Trojan Horse; WMF crud!!


kwagner_51
01-05-2006, 05:49 PM
OK, I was infected first with the WMF virus/spyware. I got that cleaned up with your help and shortly after it was gone, I got attacked AGAIN [within 2 hrs] by SpyAxe. I KNOW how it happened. ZA sent a warning box with "winlogon.exe" allow/deny? I allowed but only for that time. [I thought it was from MS because it said repeat try]. That was enough!!

Anyway, I went back through everything I had done earlier [on the 1st of the year]. It took Ewido 2 hrs and 15 minutes to scan my pc. I couldn't get AdWare to work at all. It kept freezing. AVG also froze when I tried to update it. Long story short, I finally got it cleaned up [or so I thought] @ 0230 on the second.

I ran Ewido again, was finally able to update AVG and AdAware. AdAware found 100 critical attacks! SpyBot found several too. I just ran AVG because when I got up this AM it showed that I had a virus! :mad: I healed it and emptied the vault. I recently downloaded the new windows update and rebooted per directions.

When everything came back up AVG was black, so I tried to update only to be told that I had the newest version. So I decided to manually scan my PC. I had this one:

Trojan Horse Downloader.Generic.OKS; AVG deleted it.

I am going to run AdAware and Spy-bot again while I wait for your help. In the meantime here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:48:47 PM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp358F.tmp (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostsMan] C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109002217328
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.22/ttinst.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Thanks!!

Budfred
01-05-2006, 09:52 PM
This is the only thing showing in your log... Fix it and let us know if you are still having problems:

O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp358F.tmp (file missing)
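
Budfred's read of the log above comes down to one rule: an O2 BHO whose DLL is a randomly named .tmp in system32 and is reported "(file missing)" is dropper residue, and everything else in this log is legitimate. As an added example (this is not code from the thread or from HijackThis), the Python below turns that rule, plus a review flag for the O20 AppInit_DLLs entry and the O10 broken-LSP line, into a small triage pass over lines copied from the posted log. The rule set, function names and severities are the example's own choices.

```python
"""Hypothetical triage helper for a HijackThis v1.99 log (added example; not
part of HijackThis or of this thread). It encodes the rule applied above:
an O2 BHO whose DLL is a .tmp in system32 or is reported "(file missing)"
is an orphan to remove, while everything else is either reviewed or left alone."""
import re
from typing import Dict, List

# Constructed sample: entries copied from the HijackThis log posted in this thread.
# The Java BHO, the ZoneAlarm Run entry and the vsmon service are legitimate and
# are here so the rules have benign lines to pass over.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp358F.tmp (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

# "R0 - ...", "O2 - ...", "O23 - ...": a section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")
# A DLL dropped as <random>.tmp directly in system32 is a dropper habit, not a product.
TMP_IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+\.tmp\b", re.IGNORECASE)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Split a log into its numbered entries, skipping headers and process lists."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "line": line})
    return entries


def _finding(entry: Dict[str, str], severity: str, reason: str) -> Dict[str, str]:
    return {"code": entry["code"], "severity": severity, "reason": reason, "line": entry["line"]}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply the rules to every entry and return the ones worth acting on."""
    findings: List[Dict[str, str]] = []
    for entry in parse_entries(log_text):
        code, body = entry["code"], entry["body"]
        missing = "(file missing)" in body
        if code == "O2":
            # BHOs load into every Internet Explorer process. A CLSID whose DLL is
            # gone, or that lives as a .tmp in system32, is residue of a dropper.
            if missing or TMP_IN_SYSTEM32.search(body):
                findings.append(_finding(entry, "high", "orphaned or temp-file BHO: remove the CLSID registration"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is injected into every process that loads user32.dll.
            # It has legitimate uses (the unofficial WMF hotfix in this log), so
            # the rule asks for verification rather than deletion.
            if body.split(":", 1)[1].strip():
                findings.append(_finding(entry, "review", "AppInit_DLLs is set: confirm the DLL is the one you expect"))
        elif code == "O10":
            # A missing Winsock LSP breaks networking for every socket user;
            # repair the chain, do not just delete the entry.
            findings.append(_finding(entry, "medium", "Winsock LSP chain broken: repair before removing anything"))
        elif missing:
            findings.append(_finding(entry, "low", "registration points at a missing file: safe to clean up"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['code']:4} {f['reason']}\n          {f['line']}")
```

The O20 entry is flagged for review rather than removal because AppInit_DLLs is loaded into every user32-linked process and in this log it is the unofficial WMF hotfix discussed at the end of the thread; the point of the rule is that an AppInit_DLLs value should always be accounted for, never ignored.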

kwagner_51
01-05-2006, 10:23 PM
I ran Ewido and this is the log of running processes:

---------------------------------------------------------
ewido anti-malware - Process report
---------------------------------------------------------

+ Created on: 9:09:09 PM, 1/5/2006
+ Report-Checksum: AC2767D6

0: System Process
4: System Process
324: C:\PROGRA~1\YAHOO!\browser\ycommon.exe
380: \SystemRoot\System32\smss.exe
416: C:\WINDOWS\System32\svchost.exe
436: \??\C:\WINDOWS\system32\csrss.exe
460: \??\C:\WINDOWS\system32\winlogon.exe
504: C:\WINDOWS\system32\services.exe
516: C:\WINDOWS\system32\lsass.exe
568: C:\WINDOWS\system32\wdfmgr.exe
664: C:\WINDOWS\system32\svchost.exe
708: C:\WINDOWS\system32\svchost.exe
756: C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
780: C:\WINDOWS\System32\svchost.exe
856: C:\WINDOWS\System32\svchost.exe
1168: C:\Program Files\ewido anti-malware\SecuritySuite.exe
1196: C:\WINDOWS\Explorer.EXE
1224: C:\WINDOWS\system32\spoolsv.exe
1308: C:\Program Files\Outlook Express\msimn.exe
1404: C:\Program Files\abelhadigital.com\HostsMan\hm.exe
1452: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
1460: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
1476: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
1484: C:\Program Files\iTunes\iTunesHelper.exe
1528: C:\Program Files\Browser Mouse\mouse32a.exe
1572: C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
1580: C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
1592: C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
1600: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
1616: C:\Program Files\MSN Messenger\MsnMsgr.Exe
1628: C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
1684: C:\Program Files\Pyrenean\eDexter\eDexter.exe
1716: C:\PROGRA~1\Webshots\webshots.scr
1864: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
1876: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
1968: C:\Program Files\ewido anti-malware\ewidoctrl.exe
2020: C:\WINDOWS\system32\nvsvc32.exe
3016: C:\Program Files\iPod\bin\iPodService.exe
3312: C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
3548: C:\WINDOWS\System32\alg.exe


These two seem to be a problem:

436: \??\C:\WINDOWS\system32\csrss.exe
460: \??\C:\WINDOWS\system32\winlogon.exe

I know I allowed winlogon.exe and that gave me SpyAxe!

How do I get rid of these 2?

Also, after I posted I ran SpyBot and keep getting this:

VCODEC

Here are the things Ewido found on the scan after my post:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:13:17 PM, 1/5/2006
+ Report-Checksum: 99300B36

+ Scan result:

C:\WINDOWS\SYSTEM32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\SYSTEM32\ld8E2A.tmp -> Downloader.Zlob.dk : Cleaned with backup
C:\Documents and Settings\Wagner\Cookies\wagner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{0BF8FF75-4E5F-49B8-B326-17684F5E2468}\RP346\A0022798.DLL -> Trojan.Small.ev : Cleaned with backup


::Report End

Every time I run Ewido, I seem to get these repeating even after it is cleaned.

One other thing. When I shut down or reboot I keep getting a "server busy" error. I know that ZA is the cause. My question is what is the cure?

Thanks!

Budfred
01-05-2006, 10:39 PM
These two seem to be a problem:

436: \??\C:\WINDOWS\system32\csrss.exe
460: \??\C:\WINDOWS\system32\winlogon.exe
I am not familiar with the Ewido process log, but these are both in the right folder and should be the essential files used by Windows, so I would leave them alone... If they were bad, Ewido would have probably tried to clean them...

Try running the fix for Spyaxe and see if it picks up anything... Obviously, you can skip the parts that you have already done...

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Please download, install, and update the free version of Ewido Security Suite (http://www.ewido.net/en/download/):

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main Ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes, the status bar at the bottom will display "Update successful"
Exit Ewido. DO NOT run a scan yet.


If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
Ad-Aware SE Setup (http://rstones12.geekstogo.com/adawareSE_setup.htm)
Again, do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
Just before Windows starts to load, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

Now open Ewido Security Suite:
Click on Scanner
Click on Complete System Scan and the scan will begin.
Select "Perform action on all infections"
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop
Close Ewido


Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
Let us know if any problems persist.

kwagner_51
01-05-2006, 11:21 PM
I can't get my pc to boot in safe mode. I reboot and tap F8 but it still loads in normal mode.

Is it possible that my KB isn't getting the signal through? It is wireless and runs on batteries.

Thanks!

pangea33
01-05-2006, 11:51 PM
My wireless keyboard has a terribly frustrating "F-Lock" key. It turns off by default, and I have to be quick to turn it back on before hitting the F8 key repeatedly.

You can also type "msconfig" in the Start|Run menu. The screen that pops up will have a "Startup" tab where you can enable safe boot. Your machine will continue to boot in safe mode until you go back to this screen and turn it off.

Budfred
01-06-2006, 12:52 AM
Some keyboards that are connected through USB ports don't work properly until Windows is booted, so that could be the problem... A PS/2 keyboard could be used if that is the case, but going through msconfig is probably easier...

kwagner_51
01-06-2006, 06:11 PM
Ok. I got it in safe mode and here are my logs:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 01/06/2006
The current time is: 15:20:53.68

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key

WinHound.com key present!



Running WinHound.com fix!



WinHound.com key was successfully removed! :)

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Winhound


~~~ Shortcuts ~~~



~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 760 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

_____________________________________

Panda Scan


Incident | Status | Location

Adware:adware/cws.searchmeup | Not disinfected | C:\WINDOWS\SYSTEM32\paytime.exe
Adware:adware/secure32 | Not disinfected | C:\WINDOWS\secure32.html
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Wagner\Desktop\Anti Virus treatments\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Wagner\Desktop\Anti Virus treatments\smitRem\Process.exe
Spyware:Cookie/go | Not disinfected | C:\Documents and Settings\Wagner\Cookies\wagner@go[2].txt
Spyware:Cookie/Enhance | Not disinfected | C:\Documents and Settings\Wagner\Cookies\wagner@c.enhance[1].txt
Spyware:Cookie/Toplist | Not disinfected | C:\Documents and Settings\Wagner\Cookies\wagner@toplist[1].txt
Spyware:Cookie/GoClick | Not disinfected | C:\Documents and Settings\Wagner\Cookies\wagner@c.goclick[1].txt
Spyware:Cookie/Xiti | Not disinfected | C:\Documents and Settings\Wagner\Cookies\wagner@xiti[1].txt

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:04:31 PM, 1/6/2006
+ Report-Checksum: EF18E00F

+ Scan result:

No infected objects found.


::Report End


HJT scan to follow in new post.

Thanks!

kwagner_51
01-06-2006, 06:22 PM
Here is the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:13:54 PM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Browser Mouse\mouse32a.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\Pyrenean\eDexter\eDexter.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostsMan] C:\Program Files\abelhadigital.com\HostsMan\hm.exe -s
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser Mouse\mouse32a.exe
O4 - HKLM\..\Run: [YPC] C:\PROGRA~1\YAHOO!\PARENT~1\ypc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - Startup: eDexter.lnk = C:\Program Files\Pyrenean\eDexter\eDexter.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'ypclsp.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109002217328
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.15.22/ttinst.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpbasicdetection3.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

When I finally get back online after dealing with the "SERVER BUSY" error from ZA, AVG is grayed out and I got a quick red shield icon stating that AVG was shut down!! :mad: What would cause this?

One other thing, I did EXACTLY what you said to do in the order given. AdAware only found 1 critical; it was a cookie. It also found 10 non-critical things.

Thanks!!

Budfred
01-06-2006, 08:43 PM
Your HJT log still looks fine, but these are bad and need to be killed... Use KillBox to try to take them out:

C:\WINDOWS\SYSTEM32\paytime.exe
C:\WINDOWS\secure32.html

http://www.atribune.org/downloads/KillBox.exe

Then copy/paste this list into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire list into the line for the file... It should be able to accept the whole list, but if it doesn't you will need to enter them one at a time... Do not click through to close it out and reboot until they have all been entered... Once they are all entered, click through to kill them...

Post back on how that went and if you are still having a problem...

kwagner_51
01-06-2006, 11:09 PM
I did what you said exactly how you said to do it. This is what I got:

PendingFileRenameOperations Registry Data has been removed by External Process!

Windows cannot find:

C:\WINDOWS\SYSTEM32\paytime.exe
C:\WINDOWS\secure32.html

Make sure you typed the name correctly and then try again . To search for a file, click the Start button and then click search.

So I did what it said and I found the file [paytime]. I put it in manually. It said it was deleted. I had to put the other one in manually too. The program said they were deleted.

I just searched for it [paytime] and it is gone! :D So is the other one!


However, I think ZoneAlarm is causing a problem. When I boot up AVG is its normal colors. AFTER ZA logs on I get a red shield that says AVG is shut down and the icon is gray!

Right now the AVG icon is normal. I DO NOT like the fact that it shut down even for a minute. Any ideas?

Also any ideas on how to stop the SERVER BUSY error?

Thanks again!!
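
KillBox's "Delete on reboot" option, and the "PendingFileRenameOperations Registry Data has been removed by External Process!" message it printed above, both refer to the same Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records source/target pairs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and Session Manager (smss.exe) carries them out at the next boot, before any autostart entry can relaunch the malware that holds the file open. As an added example (not from the thread or from KillBox), this Python builds and decodes that value offline for the two paths Budfred listed; the function names are the example's own, and it works on a string list and raw bytes rather than touching a live registry.

```python
r"""Added example (not from the thread or from KillBox): build and decode the
PendingFileRenameOperations value that "delete on reboot" relies on.
MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) appends to
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
and smss.exe carries the list out at the next boot, before any autostart runs."""
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"                    # NT object-namespace form of a Win32 drive path
PendingOp = Tuple[str, Optional[str]]   # (source, target); target None = delete

# Constructed sample: the two files KillBox was asked to remove in this thread.
SAMPLE_OPS: List[PendingOp] = [
    ("C:\\WINDOWS\\SYSTEM32\\paytime.exe", None),
    ("C:\\WINDOWS\\secure32.html", None),
]


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def encode_pending_ops(ops: List[PendingOp]) -> List[str]:
    """Source/target pairs as the REG_MULTI_SZ string list. An empty target
    string means "delete the source"; a real target means rename."""
    values: List[str] = []
    for src, dst in ops:
        values.append(NT_PREFIX + src)
        values.append("" if dst is None else NT_PREFIX + dst)
    return values


def decode_pending_ops(values: List[str]) -> List[PendingOp]:
    """Inverse of encode_pending_ops. A target beginning with '!' carries the
    MOVEFILE_REPLACE_EXISTING flag; the flag is dropped and the path kept."""
    if len(values) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(values[0::2], values[1::2]):
        target = None if dst == "" else _strip_nt_prefix(dst.lstrip("!"))
        ops.append((_strip_nt_prefix(src), target))
    return ops


def to_multi_sz_bytes(values: List[str]) -> bytes:
    """Raw REG_MULTI_SZ: each string NUL-terminated UTF-16LE, then a final NUL."""
    return b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"


def from_multi_sz_bytes(data: bytes) -> List[str]:
    """Decode raw REG_MULTI_SZ bytes, keeping empty strings. Generic readers
    treat an empty string as the end of the list, which is why delete entries
    (empty target) must be parsed from the raw bytes."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ must end with a NUL terminator")
    parts = text[:-1].split("\x00")   # drop the list terminator, split on string NULs
    return parts[:-1]                 # the last string's own NUL leaves an empty tail


def pending_deletes(raw: bytes) -> List[str]:
    """The forensic question: which files are scheduled to vanish at next boot?"""
    return [src for src, dst in decode_pending_ops(from_multi_sz_bytes(raw)) if dst is None]


if __name__ == "__main__":
    raw = to_multi_sz_bytes(encode_pending_ops(SAMPLE_OPS))
    print(raw.hex())
    for path in pending_deletes(raw):
        print("delete at boot:", path)
```

On a live system the same decode can be run on the raw bytes of the value; reading it as an ordinary REG_MULTI_SZ loses the empty strings that mark deletions, which is also why a forensic check of this key on an image should parse the bytes rather than trust a generic registry viewer. The same key is worth checking in the other direction too: malware can use it to remove security tools or swap in a replacement DLL at the next reboot.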

Budfred
01-07-2006, 01:06 AM
You can try uninstalling and reinstalling ZoneAlarm to see if that clears it up... In my experience, it is a bear to uninstall, but it may be the only way to fix it... While it is uninstalled, you could replace it with Kerio and speed up your system... :)

Otherwise, I am not sure what is going on... We will need some deeper scans if you still have problems after dealing with the firewall...

kwagner_51
01-07-2006, 11:17 AM
I got rid of ZA and installed Kerio. The problem is still there. AVG is grayed out. Also there are viruses listed in the vault. Do you want me to post them? One said that it was in system volume and that the backup file was infected.

I enabled AVG in Kerio; BUT AVG went gray BEFORE I installed KERIO! AVG is now back to normal!

I am getting just a little frustrated.

Thanks!!

classicsoftware
01-07-2006, 03:35 PM
I would vote with Budfred and get rid of Z/A. You can either use Kerio or you can still get Sygate from Simtel (http://www.simtel.com/product.php%5Bid%5D53687%5Bsekid%5D0%5BSiteID%5Dsimtel.net)

Budfred
01-07-2006, 03:57 PM
I enabled AVG in Kerio; BUT AVG went gray BEFORE I installed KERIO! AVG is now back to normal!

I am not sure what you mean here... You are running Kerio and AVG is back to normal?? You stopped Kerio and AVG started working again??

If either of them are working independently, it is unlikely that it is a malware issue since the malware that shuts this stuff down would shut it all down... You may need to remove and reinstall AVG...

Also, you can probably just clear the "vault" and reset System Restore to clear out the traces of malware that remain...

kwagner_51
01-07-2006, 06:05 PM
Sorry for the confusion. AFTER I deleted ZA and rebooted, AVG came up normal. I hadn't even started to install Kerio yet, and I got the red shield stating that AVG was shut off! It seems to be happening after I reboot and then get online.

I am going to uninstall AVG and reinstall it and let you know!

Thanks!!

kwagner_51
01-07-2006, 06:49 PM
The problem seems to be fixed. AVG stayed normal. Kerio works great and I am happy!!

Thank you from the bottom of my heart.

One more question. When MS comes out with the patch, should I remove the temp one? If so how?

Thanks again!!

Budfred
01-07-2006, 07:33 PM
The patch is already out and the person who wrote the temp one suggested removing it, so I would do so... I think it just removes from Add/Remove Programs, but I haven't gotten around to it yet, so I am not sure...