Cinder and Agobot

Discussion in 'adware, spyware & hijack cleaning' started by Cinder, May 5, 2004.

Thread Status:
Not open for further replies.
  1. Cinder

    Cinder Registered Member

    Joined:
    May 5, 2004
    Posts:
    5
    Re: yet another Win32:Trojan-gen.{VC}

    Help... PLEASE! :oops: I am going out of my mind here trying to get rid of this Trojan-gen. I also have a Worm/Agobot or Gaobot I can't get rid of either :'(

    Logfile of HijackThis v1.97.7

    Scan saved at 8:01:48 AM, on 05/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\Grisoft\AVG6\avgw.exe
    C:\Documents and Settings\Carrie.PURPLEPOWER\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsi.eastlink.ca/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083522629609
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Cinder,

    Could you be a bit more specific?
    Which program finds which Trojan where? (Full path and filenames, please)

    Your log is clean.
    Are you running both AVG and Avast?
    I only see AVG in the running processes but a Startup for Avast. o_O

    Regards,

    Pieter
     
  3. Cinder

    Cinder Registered Member

    Joined:
    May 5, 2004
    Posts:
    5
    Thank you so much for your quick response :) and sorry I was a little vague.. lol (frustrated this morning)

    I uninstalled Avast but apparently some of it is still on here.. will try to remove it now. I run AVG because I find it easier to use... I am a bit computer illiterate. The AVG warning tells me "Worm/Agobot.13.AJ found in C:\SystemVolumeInformation\_restore......" then it says run AVG to remove, but when I run AVG it says no viruses found. In the test results it says that there are 27 files (and names them) .... cannot open, not checked. I presume that the problem is in those files...

    here is the log from this morning :doubt:

    Results of Complete Test, date and time 05/05/2004 8:49:59 :

    Testing C:\ volume WINXP_HOM_EN serial 5CFF-309A
    C:\HIBERFIL.SYS Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT.LOG Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\D0000000.FCS Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\L0000002.FCS Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.IDX Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!

    Test finished, duration 00:38:35.8 s
    22803 objects tested, 0 found infected



    o_O

    Cinder
     
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Cinder,

    The path indicates that it is in your system restore. You can purge your restore points of any infection that may have been backed up in there by following these directions:

    Turn OFF System Restore:
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check the box beside "Turn off System Restore".
    5. Click Apply, and then click OK.
    6. Restart the computer. (You must restart your computer to clear the old Restore Points)

    Turn System Restore ON:
    1. Follow the above Steps 1 to 3
    2. UNcheck the box beside "Turn off System Restore".
    3. Click Apply, and then click OK.
    4. Restart your computer.
    5. And set a new Restore Point.

    After you have done the above, make sure you go to Microsoft's Update site and download ALL Critical Updates listed for your computer and IE browser.

    It wouldn't hurt to do a full system scan with one of these free on-line anti-virus scanners:
    Free Services

    Let us know how the scans turn out.

    Regards,

    snap
     
  5. Cinder

    Cinder Registered Member

    Joined:
    May 5, 2004
    Posts:
    5
    I have created a new restore point and done all the updates;

    Logfile of HijackThis v1.97.7
    Scan saved at 9:53:58 AM, on 10/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Common Files\CMEII\CMESys.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\Carrie.PURPLEPOWER\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsi.eastlink.ca/
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
    O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083522629609
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

    And here is my AVG log... it says no viruses found but it cannot open some files to check o_O
    Results of Complete Test, date and time 10/05/2004 8:48:50 :

    Testing C:\ volume WINXP_HOM_EN serial 5CFF-309A
    C:\HIBERFIL.SYS Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT.LOG Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\D0000000.FCS Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\L0000002.FCS Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.IDX Cannot open; not checked!
    C:\WINDOWS\SMDAT32A.SYS Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\P2P Networking\CACHE\DATABASE\INDEX256.DBB Cannot open; not checked!

    Test finished, duration 00:48:18.5 s
    24069 objects tested, 0 found infected
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    :eek: :eek:

    Eeeeek. Looks like you installed a spyware-ridden file-sharing program in the meantime.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

    O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    Then reboot and delete:
    C:\Program Files\PERFECTNAV <= entire folder
    C:\Program Files\MyWay <= entire folder
    C:\Program Files\Common files\updmgr <= entire folder
    c:\program files\altnet\points manager <= entire folder
    C:\Program Files\Common Files\CMEII <= entire folder
    C:\Program Files\Common Files\GMT <= entire folder

    And uninstall P2P networking in Add/remove Software.

    Regards,

    Pieter
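
    The fix list above is the difference between the first log (which Pieter had already called clean) and the second one, minus the one legitimate newcomer (the Shockwave Flash control). The script below is an added example for this thread, not HijackThis's own code or anything Pieter posted: it parses HijackThis entry lines, diffs a clean baseline log against a later one, groups new entries that share a CLSID (the PerfectNav DLL is registered twice, as an R3 URLSearchHook and as an O2 BHO), and lists the folders the new entries load from. The two sample logs are constructed from a subset of the entries posted above; the CLSID allowlist and the "folder of the loaded file" heuristic are assumptions of this example.

```python
"""Diff a clean HijackThis log against a later one and build a fix checklist.

Added example for this thread, not HijackThis's own code. Sample logs below are
constructed from a subset of the entries posted in the thread; the allowlist and
the folder heuristic are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One HijackThis entry line: section code, " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2})\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First local file the entry references (drive letter, backslash path, binary extension).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|ocx|cab)\b", re.IGNORECASE)

# Assumption: an allowlist you maintain yourself. The Flash CLSID is copied from the log above.
ALLOWED_CLSIDS = {"{D27CDB6E-AE6D-11CF-96B8-444553540000}"}


@dataclass(frozen=True)
class HjtEntry:
    section: str            # R0, R3, O2, O3, O4, O16, ...
    body: str               # everything after "Oxx - "
    clsid: Optional[str]    # upper-cased {GUID} if the entry carries one
    path: Optional[str]     # local file the entry loads, if any

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> list:
    """Parse the entry lines of a HijackThis log; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(HjtEntry(m.group("sec"), body,
                                clsid.group(0).upper() if clsid else None,
                                path.group(0) if path else None))
    return entries


def new_entries(baseline: str, current: str, allow=ALLOWED_CLSIDS) -> list:
    """Entries in `current` that the clean baseline lacked, minus allowlisted CLSIDs."""
    known = {e.line.lower() for e in parse_hjt(baseline)}
    return [e for e in parse_hjt(current)
            if e.line.lower() not in known and e.clsid not in allow]


def fix_checklist(baseline: str, current: str) -> dict:
    """Lines to tick in HijackThis, the folders their files load from, and CLSID reuse."""
    added = new_entries(baseline, current)
    folders = {e.path.rsplit("\\", 1)[0] for e in added if e.path}
    by_clsid = {}
    for e in added:
        if e.clsid:
            by_clsid.setdefault(e.clsid, []).append(e.section)
    return {"fix": [e.line for e in added],
            "folders": sorted(folders, key=str.lower),
            "by_clsid": by_clsid}


# Constructed sample: a subset of the first (clean) log in this thread.
BASELINE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsi.eastlink.ca/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
"""

# Constructed sample: the same entries plus what the second log added.
LATER_LOG = BASELINE_LOG + r"""
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    result = fix_checklist(BASELINE_LOG, LATER_LOG)
    print("Fix checked in HijackThis:")
    for line in result["fix"]:
        print("  ", line)
    print("Then delete (expand 8.3 names such as PERFEC~1 on the host first):")
    for folder in result["folders"]:
        print("  ", folder)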
     
  7. Cinder

    Cinder Registered Member

    Joined:
    May 5, 2004
    Posts:
    5
    I've done all that and run the AVG scan again and there are still files it cant open to check..... here are the logs again....

    Logfile of HijackThis v1.97.7
    Scan saved at 5:49:12 PM, on 11/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Hotbar\bin\4.4.6.0\HbInst.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\Program Files\Common Files\GMT\GMT.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hotbar\bin\4.4.6.0\HbSrv.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Carrie.PURPLEPOWER\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsi.eastlink.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
    O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.4.6.0\HbHostIE.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.4.6.0\HbHostIE.dll
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.4.6.0\HbInst.exe /Upgrade
    O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083522629609
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

    and AVG.....


    Results of Complete Test, date and time 11/05/2004 14:03:52 :

    Testing C:\ volume WINXP_HOM_EN serial 5CFF-309A
    C:\HIBERFIL.SYS Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT.LOG Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\D0000000.FCS Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\L0000002.FCS Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.IDX Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.DAT Cannot open; not checked!
    C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.IDX Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!

    Test finished, duration 00:53:04.8 s
    24231 objects tested, 0 found infected
     
  8. Cinder

    Cinder Registered Member

    Joined:
    May 5, 2004
    Posts:
    5
    I would just like to thank you for all your help...I dont seem to be having any more problems so far... :)
     
Thread Status:
Not open for further replies.