Unfortunately I was wrong. My Google searches are still being hijacked. Also I do not have McAfee installed. I checked in Add/Remove Programs and it is not there. If you have any other ideas on this I would welcome them.
Yes, I actually did overlook two malware-related entries on your initial log which appear on the second log as well, so again using CleanupXP+, enter the full file name as you did before to remove them permanently:
=====] List of files located at the root of the C Drive:
Volume in drive C has no label.
Volume Serial Number is 1CEC-78DA
Directory of C:\
892.cin
StubInstaller.exe
You should also use the remove folder option (#2) to remove the following folder, or you could manually delete it since it is no longer valid:
=====] Directory Analysis - PROGRAM FILES:
17/01/2006 23:55 <DIR> McAfee
Before doing any of the above, make sure you download StartupControlPanel (Standalone EXE version) and UNCHECK all entries listed under each one of the 5 tabs, with the exception of the entries referring to the AVG anti-virus scanner.
Remember each and every box other than the AVG-related ones should be unchecked (clear)! Then reboot in Normal mode to delete the above listed files and folder, then without rebooting, do the following:
Run a new AnalyzerXP scan as well as HijackThis scan and attach their logs to your next post.
Important: Remember you should NOT have any programs running in the background when the scans are running!!
If the issue still continues then we will dig deeper...let me know but do not re-enable any of the startup entries just yet, ok?
~TL
I have followed your instructions.
Unfortunately, however, the Google hijacking is still taking place.
[==========] AnalyzerXP 3.6 by TL - forum.networktechs.com (www.IamNotaGeek.com) [==========]
19/06/2007
17:45
Some of the files listed could be safe and valid, so before you do anything, research further.
You could also submit this log on forum.networktechs.com - Spyware Central for help.
Volume in drive C has no label.
Volume Serial Number is 1CEC-78DA
Directory of C:\WINDOWS\Tasks
07/06/2007 01:22 268 Uniblue SpyEraser Nag.job
07/06/2007 01:21 342 Uniblue SpyEraser.job
2 File(s) 610 bytes
0 Dir(s) 63,762,571,264 bytes free
TaskName Next Run Time Status
==================================== ======================== ===============
MP Scheduled Scan 01:56:00, 20/06/2007
Uniblue SpyEraser Nag 15:14:00, 21/06/2007
Uniblue SpyEraser Never
=====] Looking for suspicious file types in WINDOWS folder:
W32i - - - - 37,027 03-25-2007 c:\windows\atmoun.exe
W32i - - - - 49,152 11-29-2005 c:\windows\setpwrcg.exe
W32i - - - - 24,576 09-18-2003 c:\windows\system32\cpl_moh.cpl
W32i - - - - 32,768 04-20-2005 c:\windows\system32\instlsp.exe
W32i - - - - 40,960 01-19-2001 c:\windows\system32\instmon.exe
W32i - - - - 145,408 11-06-2005 c:\windows\system32\lame.exe
W32i - - - - 237,568 08-07-2003 c:\windows\system32\lame_enc.dll
W32i - - - - 86,016 08-18-2003 c:\windows\system32\lxbkih.exe
W32i - - - - 77,824 08-18-2003 c:\windows\system32\lxbklcnp.dll
W32i - - - - 40,960 11-13-2002 c:\windows\system32\lxbkvs.dll
W32i - - - - 258,560 11-17-2005 c:\windows\system32\musictagsax.dll
W32i - - - - 65,536 01-25-2007 c:\windows\system32\nmsaccess.exe
W32i - - - - 157,696 07-19-2002 c:\windows\system32\oggenc.exe
DOS - - - - 38,567 03-14-2002 c:\windows\system32\pcpbios.exe
W32i - - - - 4,103,032 03-26-2007 c:\windows\system32\spoonuninstall.exe
W32i - - - - 4,096 08-16-1998 c:\windows\system32\sysres.dll
W32i - - - - 73,728 04-20-2003 c:\windows\system32\vumeter.ax
W32i - - - - 40,960 06-25-2002 c:\windows\system32\wavdest.ax
Volume in drive C has no label.
Volume Serial Number is 1CEC-78DA
Directory of C:\WINDOWS
05/09/2006 23:01 2,455,488 ieapfltr.dat
22/11/2006 20:50 778,240 asrecmms.ocx
25/06/2006 20:56 176,128 dvdauthor.ocx
=====] Looking for suspicious file types in Current User profile:
W32i APP ENU 1.20.100.1203 shp 24,576 07-25-2002 c:\windows\downloaded program files\dwusplay.dll
W32i APP ENU 1.20.100.1203 shp 196,608 07-25-2002 c:\windows\downloaded program files\dwusplay.exe
W32i APP ENU 3.10.100.1155 shp 323,584 07-27-2004 c:\windows\downloaded program files\isusweb.dll
=====] List of files located at the root of the C Drive:
Volume in drive C has no label.
Volume Serial Number is 1CEC-78DA
Directory of C:\
03/03/2006 19:31 12,284,879 AVG7QT.DAT
29/11/2005 14:52 4,098 dell.sdr
04/12/2005 16:52 4,128 INFCACHE.1
10/08/2004 14:04 0 IO.SYS
10/08/2004 14:04 0 MSDOS.SYS
15/12/2005 18:40 168 setupfax.log
19 File(s) 12,296,066 bytes
0 Dir(s) 63,762,300,928 bytes free
=====] Directory Analysis - PROGRAM FILES:
01/04/2006 14:42 <DIR> Ahead
13/03/2006 22:11 <DIR> OLYMPUS
03/03/2006 19:29 <DIR> Grisoft
(Ignore the ones you know of)
=====] Directory Analysis - COMMON FILES (subfolder of Program Files folder):
=====] Directory Analysis - WINDOWS folder:
Volume Serial Number is 1CEC-78DA
Directory of C:\WINDOWS
18/06/2007 16:38 <DIR> Downloaded Installations
05/06/2007 17:18 <DIR> ie7updates
04/06/2007 17:29 <DIR> WBEM
04/06/2007 17:28 <DIR> ie7
04/06/2007 17:25 <DIR> network diagnostic
27/01/2006 13:16 <DIR> Minidump
0 File(s) 0 bytes
158 Dir(s) 63,762,321,408 bytes free
=====] Process Analysis - User-based processes with their Services:
Image Name PID Services
========================= ====== =============================================
ctfmon.exe 1700 N/A
avgcc.exe 1604 N/A
alg.exe 2352 ALG
=====] Process Analysis - Currently running Service based Processes:
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
MsMpEng.exe 1212 Console 0 18,300 K
ctfmon.exe 1700 Console 0 4,028 K
LEXBCES.EXE 1864 Console 0 3,432 K
LEXPPS.EXE 1912 Console 0 3,316 K
guard.exe 200 Console 0 1,412 K
avgamsvr.exe 556 Console 0 324 K
avgupsvc.exe 732 Console 0 664 K
avgemc.exe 1104 Console 0 1,812 K
avgcc.exe 1604 Console 0 836 K
alg.exe 2352 Console 0 3,480 K
=====] System Variables:
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Gerry B\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GERRY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Gerry B
LOGONSERVER=\\GERRY
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\GERRYB~1\LOCALS~1\Temp
USERDOMAIN=GERRY
USERNAME=Gerry B
USERPROFILE=C:\Documents and Settings\Gerry B
windir=C:\WINDOWS
[====================] End of Log [====================]
Logfile of HijackThis v1.99.1
Scan saved at 17:41:52, on 19/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AnalyzeThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/...veXClient1.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
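The log above is the kind of thing a helper reads by eye for the entries that matter to a search hijack: the R0/R1 start and search page URLs, remote O16 DPF sources, Winlogon Notify DLLs and services with no vendor. The script below is an added example for this thread, not TL's AnalyzerXP or HijackThis tooling, that parses HJT 1.99 entry lines and applies those checks. The trusted-host allowlist is an assumption chosen for this example, and the sample input is copied from the log above plus one constructed R1 line (search-redirect.example) so there is a hijack for the rules to catch.

```python
"""Triage a HijackThis 1.99 log for search/start-page hijack indicators.

Added example for this thread; it is not TL's AnalyzerXP/HJT tooling.
"""
import re
from urllib.parse import urlparse

# Hosts an IE7 box with the Google toolbar would legitimately point its
# Start Page / Search Page / Default_Search_URL entries at. The allowlist is an
# assumption for this example; extend it for the locale and toolbars in use.
TRUSTED_SEARCH_HOSTS = {
    "go.microsoft.com", "www.microsoft.com", "www.google.com", "www.google.ie",
}

# Entry lines copied from the HijackThis log above, plus one CONSTRUCTED R1
# entry (search-redirect.example) so the detector has something to report.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-redirect.example/?q=
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HJT entry line is "<section> - <body>", e.g. "R1 - <key> = <url>".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(log_text):
    """Return (section, body) pairs for every HJT entry line; headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def triage(log_text):
    """Apply hijack-oriented rules; returns (severity, section, detail) tuples."""
    findings = []
    for section, body in parse_hjt(log_text):
        if section in ("R0", "R1"):
            # Start/search page URLs: a host outside the allowlist is the classic
            # cause of "my Google searches are being hijacked".
            key, _, value = body.partition(" = ")
            host = (urlparse(value.strip()).hostname or "").lower()
            if host and host not in TRUSTED_SEARCH_HOSTS:
                findings.append(("HIJACK", section, f"{key} points at {host}"))
        elif section == "O16":
            # Downloaded Program Files: a remote URL means IE can (re)fetch a CAB
            # from that site; a local path only re-registers an installed control.
            source = body.rsplit(" - ", 1)[-1].strip()
            if source.lower().startswith(("http://", "https://")):
                findings.append(("REVIEW", section, f"remote ActiveX source {source}"))
        elif section == "O20":
            # Winlogon Notify DLLs load inside winlogon; expect them under system32.
            path = body.rsplit(" - ", 1)[-1].strip().lower()
            if not path.startswith("c:\\windows\\system32\\"):
                findings.append(("REVIEW", section, f"notify DLL outside system32: {path}"))
        elif section == "O23" and "Unknown owner" in body:
            # Service binary with no vendor string: verify the file before trusting it.
            findings.append(("REVIEW", section, body.split(" - ")[0]))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_LOG):
        print(f"{severity:7} {section:4} {detail}")
```

Run it as-is and the only HIJACK line is the constructed Search Page entry; on the real log above the R0/R1 entries all point at google.ie or go.microsoft.com, which is why the helper's attention moves to startup entries, scheduled tasks and the unknown files in system32 rather than the IE registry keys. The REVIEW lines (the PCPitstop CAB source and the DSBrokerService entry with no vendor) are prompts to check the file, not verdicts.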
Please download AVG Spyware and Rootkit scanners from this link. Then update both utilities. Afterwards reboot in SAFE mode and run first the Spyware scanner then the Rootkit scanner. Attach both logs to your next post please.
I will be going through the HJT/AnalyzerXP logs later on today.
~TL