
Can not remove trojan horse dropper

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2005/09/13.

  1. 2005/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Place HijackThis.exe into a new folder on the desktop named HJT or similar.

    Fix the following entries with HijackThis.

    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe (file missing)
    O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
    O23 - Service: Windows Process Moniter - Unknown owner - C:\WINDOWS\winmon.exe (file missing)
    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)

    Close HijackThis.

    Copy the following to notepad and save.

    Microsoft System Management BIOS Driver
    Sound Service
    Windows Process Moniter
    wtaskbarmngr


    Reboot to safe mode, open HijackThis to the Misc Tools section, click Delete an NT Service, open the saved notepad file, copy and paste each of the names into the box, hitting enter after each. Do not allow a reboot until all are complete. Should any give you a 'not found' or similar error, try these.

    msmbios
    Sound Sservice Driver
    Windows Taskbar Manager


    Reboot back into normal mode when done and do another Panda scan. This time, upon completion, click 'Save Report' and place it on the desktop. Post the contents of that log and a new HijackThis log.
     
  2. 2005/09/21
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    After this post, a Panda active virus scan and HijackThis log will be posted...In the meantime, I wanted to post the results of the files you wanted placed in Notepad, etc., etc...When I copied and pasted the following into the Misc Tools section of HijackThis, this is what it said:
    Microsoft System Management BIOS Driver
    Sound Service
    wtaskbarmngr
    ALL RESPONDED WITH "The service Microsoft System Management BIOS Driver is enabled or running.Disable it first using HijackThis or Services.msc window"
    Windows Process Moniter
    WAS GREETED WITH "Service Windows Process Manager was not found in the registry,make sure you entered the short name of the service.,vbExclamation"
     


  4. 2005/09/21
    Master Green

    Logfile of HijackThis v1.99.1
    Scan saved at 11:08:49 PM, on 9/21/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 9 for hijackthis-2.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{739B062A-E2D3-4492-87DA-2D1D5502C488}: NameServer = 207.217.77.82 207.217.120.83
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe (file missing)
    O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
     
  5. 2005/09/21
    Master Green

    Incident Status Location

    Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    Adware:adware/wupd No disinfected Windows Registry
    Adware:Adware/EliteBar No disinfected C:\WINDOWS\silent_setup.exe
    Adware:Adware/Hotoffers No disinfected C:\WINDOWS\system32\msodae.dll
     
  6. 2005/09/21
    noahdfear

    Click Start>run and copy/paste the following commands, hitting enter after each.

    sc stop "Microsoft System Management BIOS Driver"
    sc delete "Microsoft System Management BIOS Driver"
    sc stop "Sound Service"
    sc delete "Sound Service"
    sc stop wtaskbarmngr
    sc delete wtaskbarmngr


    Then, locate and delete the following files.

    C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
    C:\WINDOWS\silent_setup.exe
    C:\WINDOWS\system32\msodae.dll

    HijackThis.exe is still in a temporary directory (and zipped);
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 9 for hijackthis-2.zip\HijackThis.exe

    Please extract it to a new folder of its own on the desktop, in My Documents or somewhere similar, and run it from there. Scan again and fix the following entries if still present.

    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe (file missing)
    O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
    O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)

    Open Zone Alarm, click Program Control, then the Programs tab. Highlight and right click>remove any known bad entries, such as mssmbios.exe. If there are any entries you question, check them out with Google or post here for guidance.
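The two instructions above (fix the O23 entries, then stop and delete the services by name) both turn on reading the O23 line correctly. The script below is an added example for this thread, not HijackThis code and not the helper's own script: it parses the O23 lines, flags the pattern acted on here (no vendor string plus a service binary that no longer exists, i.e. a service registration left behind after a dropper's payload was removed) and drafts the quoted `sc stop` / `sc delete` pair for each. The O23 layout it assumes, `Service: <display name> (<key name>) - <owner> - <path> [(file missing)]` with the parenthesised key omitted when it equals the display name, is inferred from the logs posted above, and the sample log is a handful of lines copied from them.

```python
"""Triage HijackThis O23 (service) entries and draft the sc.exe commands to
remove the ones that look like dropper remnants.

Added example for this thread; not HijackThis code and not the helper's own
script.  The O23 line layout below is an assumption inferred from the logs
posted above, and SAMPLE_LOG is a handful of lines copied from them.
"""
import re
from dataclasses import dataclass

# Assumed HijackThis 1.99 layout for an O23 line:
#   O23 - Service: <display name> (<key name>) - <owner> - <image path> [(file missing)]
# The parenthesised key name is omitted when it equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    key: str          # the name sc.exe and 'Delete an NT Service' expect
    owner: str
    path: str
    file_missing: bool

    def sc_name(self) -> str:
        """Key name as it must be passed on the sc.exe command line.

        Most key names in this thread contain spaces, so they need quotes;
        unquoted, sc.exe would take only the first word as the service name.
        """
        return f'"{self.key}"' if " " in self.key else self.key


def parse_o23(line: str):
    """Return a ServiceEntry for an O23 log line, or None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key") or m.group("display")
    return ServiceEntry(
        display=m.group("display"),
        key=key,
        owner=m.group("owner"),
        path=m.group("path"),
        file_missing=m.group("missing") is not None,
    )


def is_suspicious(entry: ServiceEntry) -> bool:
    """The pattern the helper acted on: no vendor string and a service binary
    that is already gone, i.e. a registration left behind by a dropper."""
    return entry.file_missing and entry.owner == "Unknown owner"


def triage(log_text: str):
    """All suspicious O23 entries in a HijackThis log, in log order."""
    entries = (parse_o23(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None and is_suspicious(e)]


def sc_commands(entry: ServiceEntry):
    """Stop-then-delete commands for one entry, key name quoted as needed.
    They are drafted for review here, not executed."""
    name = entry.sc_name()
    return [f"sc stop {name}", f"sc delete {name}"]


# Sample input: O23 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = """\
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
O23 - Service: ewido security suite control - ewido networks - C:\\Program Files\\ewido\\security suite\\ewidoctrl.exe
O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\\WINDOWS\\mssmbios.exe (file missing)
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\\WINDOWS\\System32\\msconfig32.exe (file missing)
O23 - Service: Windows Process Moniter - Unknown owner - C:\\WINDOWS\\winmon.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\\WINDOWS\\taskbarmngr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\\WINDOWS\\wanmpsvc.exe
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry.display!r} -> key {entry.key!r}, missing binary {entry.path}")
        for cmd in sc_commands(entry):
            print("   ", cmd)
```

Run on the sample it reports the four `Unknown owner` / `(file missing)` services and leaves the AVG, ewido and AOL entries alone. Note that the legitimate `WAN Miniport (ATW) Service (WANMiniportService)` line has parentheses inside its display name; the regex takes the last parenthesised group before the first ` - ` as the key, which is why that entry still parses correctly.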
     
  7. 2005/09/22
    Master Green

    Hi,
    I'm a little confused about where I'm supposed to copy & paste those files...Once I click on Start, then Run, I'm guessing the Run box is where I am supposed to type in those files, but that's where I get confused about the copy and paste ??? I will need a little more guidance from you on that...As for the HijackThis, I will try and correct that and post back later on today.

    I ALSO WANT TO THANK YOU FOR YOUR TIME AND PATIENCE WITH ME ON THIS. A LOT OF THE STEPS YOU HAVE ASKED ME TO DO HAVE BEEN FIRSTS FOR ME AND A GREAT EXPERIENCE.
     
  8. 2005/09/22
    noahdfear

    That is the correct place. I want you to highlight and copy each command, then paste them (instead of typing) into the run dialog box. You can leave this window open while doing so. ;)
     
  9. 2005/09/22
    Master Green

    Logfile of HijackThis v1.99.1
    Scan saved at 8:25:33 PM, on 9/22/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
    C:\Documents and Settings\Owner\Desktop\hijackthis-1\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{739B062A-E2D3-4492-87DA-2D1D5502C488}: NameServer = 207.217.77.82 207.217.120.83
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe (file missing)
    O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  10. 2005/09/22
    Master Green

    Hi,
    I followed your directions on the files you wanted copied and pasted into the run box as follows:
    sc stop Microsoft System Management BIOS Driver
    sc delete Microsoft System Management BIOS Driver
    sc stop Sound Service
    sc delete Sound Service
    sc stop wtaskbarmngr
    sc delete wtaskbarmngr

    As for the other files you wanted deleted, here they are;
    C:\WINDOWS\SYSTEM32\cache32dsrf45fs - found & deleted
    C:\WINDOWS\silent_setup.exe - could not find it
    C:\WINDOWS\system32\msodae.dll - could not find it

    Zone Alarm: Found mssmbios.exe and deleted it (all others appear legit)
     
  11. 2005/09/22
    Master Green

    Hi,
    Sorry about this, but I did not realize I failed to put a check mark in the HijackThis log if they were still present:
    O23 - Service: msmbios -------- was there, checked & fix selected
    O23 - Service: Sound Service Driver ------- was there, checked & fix selected
    O23 - Service: Windows Taskbar Manager -- not there

    Since I did it after I sent the Hijack log to you, will that be okay or will you want another one sent to verify the above is gone ???
     
  12. 2005/09/22
    Master Green

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 10:48:03 PM, 9/22/2005
    + Report-Checksum: CA23A58C

    + Scan result:

    No infected objects found.


    ::Report End
     
  13. 2005/09/22
    Master Green

    Attn; noahdfear

    As you can see, "Ewido" did not find any infections, "finally".
    AdwareSE..............Found none
    Spybot..................Found CoolWWWSearch.Aff.Winshow >removed it
    I followed the path of it, deleted what I felt was affiliated, rebooted, ran Spybot again and it detected nothing.
    AVG......................Found none

    P.S...Stay tuned for a fresh HijackThis log, and if the entries you requested be removed do not show, with the above listed findings, I will feel confident we can close this chapter once and for all...
     
  14. 2005/09/22
    Master Green

    Logfile of HijackThis v1.99.1
    Scan saved at 11:38:49 PM, on 9/22/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\EarthLink 5.0\etoolbar.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://start.earthlink.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe "
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1108584393156
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{739B062A-E2D3-4492-87DA-2D1D5502C488}: NameServer = 207.217.77.82 207.217.120.83
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: msmbios (Microsoft System Management BIOS Driver) - Unknown owner - C:\WINDOWS\mssmbios.exe (file missing)
    O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  15. 2005/09/22
    KAL

    KAL Inactive

    Joined:
    2005/09/09
    Messages:
    188
    Likes Received:
    0
    Hi Master Green,

    How many days were you working on this project?

    Like I said earlier, you ALL did a great job.

    For me, this was more entertaining and DEFINITELY more educating than watching TV. (Sick huh? ! )

    WAY TO GO GUYS!!

    Karen
     
  16. 2005/09/23
    Master Green

    Hi KAL,
    I have been at it 3 weeks and approx. 76 hours...I am one of those who believes if it got in there, it can come out, and without "noahdfear"'s assistance, I'm sure this would have been extremely difficult for me to have done on my own...I have learned a lot and had the experiences of a lifetime with some of the things I was asked to do...I find this type of work very challenging and love every minute of it...I HOPE SOME DAY TO BE ONE OF THE BEST IN THE BUSINESS WHEN IT COMES TO REMOVING SPYWARE, MALWARE, TROJANS AND VIRUSES. ...One of the things I hope noahdfear and myself have accomplished is for everyone to see what is involved and what it takes to find and destroy the enemy, and that this type of work is not always "a walk in the park "...
     
  17. 2005/09/23
    noahdfear

    Click Start>run and type services.msc, then hit enter. In the services list, locate the following two services, each of which may have an alternate name.

    Microsoft System Management BIOS Driver or msmbios

    Sound Service or Sound Sservice Driver

    Right click each entry and select properties. If the service is running, click stop. Set each service to Startup type 'Disabled', click 'Apply' and 'OK' to close. Close the services window.

    Copy the following quotebox to notepad and save.
    Reboot to safe mode.

    Open HijackThis to the misc tools section, then click 'Delete an NT Service'. Open the saved text and copy the first service name, Microsoft System Management BIOS Driver, then paste it into the service to delete dialog box, then click OK. If not found, try the alternate name, msmbios. Repeat for Sound Service / Sound Sservice Driver. Close HijackThis.

    Click Start>run and type cmd to open a command window. Copy the commands for file deletion from the saved text, one at a time, pasting them into the command window and hitting enter after each. Close the command window and reboot to normal mode.

    Do another online scan with Panda Active scan, save and post the report, along with a new HijackThis log.
     
  18. 2005/09/23
    Master Green

    Hi,
    Okay, I will do so this evening...Sorry for posting so much, but I wanted to save some time and let you see where we still were at...This afternoon, I downloaded ETRemover because at the onset of all this the X-Cleaner had a lot of difficulty removing the Elite toolbar...Even though it has not shown up as of late, I ran it and all went very smoothly (in safe mode)...I then ran Ewido in safe mode as well and no infections were reported...
     
  19. 2005/09/23
    noahdfear

    No problem with what you've posted........every bit of information is valuable. ;)

    You won't need that ETRemover......the LQFix I had you run when I first joined this topic took care of that (it's updated regularly to include the latest variants). :)

    You're almost there.....hang in there!
     
  20. 2005/09/23
    Master Green

    Hi,
    Okay, did not realize what exactly the LQfix did, another lesson learned...I too feel like we are almost there, almost like we have what we want backed into a corner and it's either come out peacefully or we are coming in to get ya'...Shortly will be making an attempt to do those other chores you gave me.
     
  21. 2005/09/23
    Master Green

    Incident Status Location

    Adware:adware/wupd No disinfected Windows Registry
     
