Compaq near death. With Hijack This Log.

NoLuck@All

New Member
I ran the first scan and it found a Trojan (Trojan.Win32.Autoit.b) along with 4 other adware. The Trojan was located in C:\Progam Files\Support.com\bin.alfix.exe. Also, while I was doing that scan, PC-cillin located ANOTHER Trojan. The infected file was C:\Program Files\TREND MICR and the file name was Troj-IRCFlood.o

I'll post back later after I rid the adware and do the other scan.

I followed C:\Program Files\TREND MICR and it leads straight to PC-cillin. I'm confused.
 

Buzz1927

Digaredd
So pc-cillin says itself is infected? Weird, we'll deal with that later, get the full filepaths of anything that can't be cleaned.
 

NoLuck@All

New Member
I'm playing it safe, I'll post anything that I can find.

Troj-IRCFlooD.o C:\Program Files\Trend MICR
Adware.WinAD.de C:\Windows\Downloaded Program Files\MediaGatewayX.dll
Adware.WinAD.de C:\_Restore\Temp\A0371965
Adware.Relevance.c C:\_Restore\Temp\A0371966
Trojan.Win32.Autoit.b C:\_Restore\Temp\A0371967
Adware.BackWeb.a C:\Program Files\Kodak Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe

I'll edit this post later with more to post. I just wanted to get this up before this computer locks up again. I have 1 hour windows before it's down for the count.

BTW, I have 6176 files in C:\_RESTORE\TEMP. I'm pretty sure I should clean all that out, right?
 

NoLuck@All

New Member
I ran the Micro World scanner and it found a LOT of viruses and errors. 105 total viruses and 115 total errors. Most of the items in the log are labeled "Entry" or "Object". Only 4 "Files" are:

C:\WINDOWS\NSNuninstall5_48.exe It has been tagged as "not-a-virus:AdWare.Win32.NewDotNet". No action has been taken.

C:\WINDOWS\Desktop\Jeremy\My Documents\My Music\The Strokes - Is This It - 07 - Last Night(1).mp3 It has been tagged as "not a virus:AdWare.Win32.WebHancer.290" and no action has been taken.

C:\WINDOWS\TEMP\backups\backup-20051109-080519-528.dll It has been tagged as "not-a-virus:AdWare.Win32.IWon" and no action has been taken.


C:\WINDOWS\SYSTEM32\GirlControlCom.dll It has been tagged as "not-a-virus: Porn-Downloader.Win32.StripPlayer" and no action has been taken.

It has been scanning for more than an hour now and I didn't expect it to even go that long without locking up, so when/if it finishes I will post up the rest of the files if there are any more.
 

NoLuck@All

New Member
Some more files from Micro World:

C:\WINDOWS\TEMP\backups\backup-20051109-080519-528.dll It has been tagged as "not-a-virus:AdWare.Win32.IWon" No action taken.

I don't know why this one came up again, but it was logged-
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll It has been tagged "not-a-virus:AdWare.Win32.WinAD.be" No action was taken.



..still scanning
 

NoLuck@All

New Member
Yay more:

C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus! No action taken yet.

C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus! No action taken yet.

Those 2 seem to be important if you ask me.

Now how long does this scan usually take? I have about 15GB on the hard drive.
 

NoLuck@All

New Member
C:\WINDOWS\NDNuninstall5_48.exe Tagged as "not-a-virus:AdWare.Win32.NewDotNet" No action was taken.

C:\_RESTORE\TEMP\A0371965.CPY Tagged as "not-a-virus:AdWare.Win32.WinAD.be" No action was taken.

C:\_RESTORE\TEMP\A0371966.CPY Tagged as "not-a-virus:AdWare.Win32.Relevance.c" no action was taken.

C:\Program Files\My Love\island.exe Tagged as not-a-virus:RiskTool.Win32.HideWindows. No action was taken. I don't know why [not-a-virus....] wasn't in quotes on the My Love file. I know My Love was another big virus on here.


I'll post up the old files so you don't have to fish around for them:
C:\WINDOWS\NSNuninstall5_48.exe It has been tagged as "not-a-virus:AdWare.Win32.NewDotNet". No action has been taken.

C:\WINDOWS\Desktop\Jeremy\My Documents\My Music\The Strokes - Is This It - 07 - Last Night(1).mp3 It has been tagged as "not a virus:AdWare.Win32.WebHancer.290" and no action has been taken.

C:\WINDOWS\TEMP\backups\backup-20051109-080519-528.dll It has been tagged as "not-a-virus:AdWare.Win32.IWon" and no action has been taken.


C:\WINDOWS\SYSTEM32\GirlControlCom.dll It has been tagged as "not-a-virus: Porn-Downloader.Win32.StripPlayer" and no action has been taken.

C:\WINDOWS\TEMP\backups\backup-20051109-080519-528.dll It has been tagged as "not-a-virus:AdWare.Win32.IWon" No action taken.

I don't know why this one came up again, but it was logged-
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll It has been tagged "not-a-virus:AdWare.Win32.WinAD.be" No action was taken.

C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus! No action taken yet.

C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus! No action taken yet.

And here is the Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 2:59:29 AM, on 11/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\POP3TRAP.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 2002\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TEMP\MWAVSCAN.COM
C:\WINDOWS\TEMP\KAVSS.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.turboford.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.ebay.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-01AA0055595A} - http://www.truesuite.com/trueblock/TrueBlockInstall.exe
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {E13F1132-4CA0-4005-84D3-51406E27D269} (BTDownloadCtrl Control) - http://www.shockwave.com/content/thinktanks/BTDownloadCtrl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab

This is becoming one heck of a handful. Buzz, I want to thank you for your time taken and the pointers given out.
 

NoLuck@All

New Member
That TEMP file remover you had me download is awesome. Removed 15061 files and 351MB. And that's space I certainly needed.
 

BrandonL

New Member
I think you should run the computer in safe mode until you get everything cleared up... just make sure you run it with "networking"... there's an option for it on the select screen
 

NoLuck@All

New Member
Finally got Spy Sweeper to work. It's still on a short fuse but it scanned and that's all I need from it. Something odd is that it won't post the log. It is huge and I don't know if that has something to do with it. It's about 5 pages long when opened in Microsoft Works. My computer is running much faster and I'm very pleased.

Buzz, I downloaded the RegCleaner but I'm not sure how to "run" it like you said to do.

Something else new is when I try to open Windows Media Player, it pops up a message saying "An internal application error has occured". I'm not too worried about it. Compared to how the computer was running before, I'll take a non-functional media player any day :)
 

Buzz1927

Digaredd
For RegCleaner, go to Tools > Registry Cleanup > Do Them All. Delete all the entries found.
Not sure about the media player, all the crap you had on there has probably corrupted something, you could try a repair, maybe.
 

BrandonL

New Member
My media player used to be the same way. I know it's not a big problem but if u wanna fix it either redownload the media player or use a different one.

And btw... keep posts up to date on how the RegCleaner goes.
 