
Programs abruptly shutting down - AGOBOT.uy detected

Discussion in 'Security and Privacy' started by roy66, 2004/03/03.

Thread Status:
Not open for further replies.
  1. 2004/03/03
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    It seems lately that if I bring up something onto the desktop, before I can open, change or set it ..it disappears.

    I've tried the Sys Config Utility and it disappears before I can get into it.
    I've tried to install a virus scanner but it disappears off the desktop before I can set it up...no matter how many times I bring them up they disappear within a few seconds.

    Whilst I may be "old" I am not that slow.....it does have a problem, not me.
    Does anyone have the answer?

    Thanks
    roy66
     
  2. 2004/03/03
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Roy66
    Does this mean that you have no AV loaded? Bad news if this is the case.

    First step, do an online virus scan -
    Housecall

    If this detects and clears any viruses download and run ....

    Spybot - Ad-aware - CWshredder

    Immediately update the reference files for Spybot and Ad-aware and run Spybot before Ad-aware - delete all they find.

    See Mark62p's signature in this thread for links

    http://www.windowsbbs.com/showthread.php?s=&postid=143478#post143478

    If you don't have a firewall download one - see above for links
     
  4. 2004/03/03
    Steve R Jones

    Steve R Jones SuperGeek Staff

    Joined:
    2001/12/30
    Messages:
    12,317
    Likes Received:
    252
    Right click on your desktop->arrange icons->make sure show icons on desktop is checked
     
  5. 2004/03/04
    roy66

    roy66 Well-Known Member Thread Starter

    Joined:
    2002/03/07
    Messages:
    756
    Likes Received:
    3
    Thanks Pete, seems you were right on, I seem to have been infected by the dreaded AGOBOT.uy worm and have utilised the HijackThis software to give me the following readout......which means absolutely nothing to me but must have within it the requirements for correction.

    roy66

    Logfile of HijackThis v1.97.7
    Scan saved at 8:48:50 PM, on 4/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\msnmsgr.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Free History Eraser\historyeraser.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    C:\Program Files\KeirNet\K9\K9.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHT~1\eanthtutor.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
    C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
    C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe
    C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.superwebsearch.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATC~1.DLL
    O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Windows Messenger] msnmsgr.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [fhccall] C:\WINDOWS\System32\fhccall.exe
    O4 - HKLM\..\Run: [FC42DEUM] C:\WINDOWS\System32\FC42DEUM.exe
    O4 - HKLM\..\Run: [pxsapi] C:\WINDOWS\System32\pxsapi.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
    O4 - HKLM\..\RunServices: [Windows Messenger] msnmsgr.exe
    O4 - HKCU\..\Run: [SPSTEALT] "C:\Program Files\Free History Eraser\historyeraser.exe" /stealt
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboFormWatcher.exe
    O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Block This Page (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{50E43A1A-79F9-45C7-8095-A229D174484F}: NameServer = 203.12.160.35 203.12.160.36
     
  6. 2004/03/04
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Good move, Roy66

    I do not claim to be sufficiently experienced in this to indicate which entries should be fixed, so wait for an expert opinion.

    For the experts' reference, this is the only Google hit for AGOBOT.uy

    http://www.daniweb.com/techtalkforums/showthread.php?t=3078

    Moving this to the Security/Virus/Spyware forum and editing the title
     
  7. 2004/03/04
    indmusic

    indmusic Well-Known Member

    Joined:
    2002/10/23
    Messages:
    143
    Likes Received:
    3
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/

    Indicates a coolwebsearch variant
    Probably the next step is to download and run
    CWShredder---Save to disk-----Close down all other open windows and run CWShredder and let it FIX all problems
    Reboot and post a fresh Hijackthis log....
    Scroll to the bottom of the page and download the Normal form
    http://www.spywareinfo.com/~merijn/cwschronicles.html
     
    Last edited: 2004/03/04
  8. 2004/03/04
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I agree with indmusic, run Shredder


    I don't see evidence of AGOBOT. What happened at the online scan?
    If it was unable to fix or delete, start the PC in safe mode and scan with your (updated) anti virus programs
    (what happened?)
    Try this free online scan (they seem to target Agobot better)
    Computer Associates Virus Information Center - eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
    ========
    Next uninstall 'eAnthology'
    Uninstall procedure
    Uninstall Acceleration Soft from "Add/Remove Programs" in the Windows Control Panel. Look for an entry called 'eAnthology'
    then if still present
    C:\PROGRAM FILES\ACCELERATION <= delete entire folder
    ========
    Make a new folder such as anti spyware, for example C:\antispyware, and put hijackthis.exe in it, then run it.
    Place a check next to these items then close all IE's and any programs that show in the taskbar and hit fix selected.

    O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [fhccall] C:\WINDOWS\System32\fhccall.exe
    O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup

    I'm not positive on these two, can't see any information, which is not a good sign. If you know they belong to a legitimate program leave them alone; if unsure, fix them.
    O4 - HKLM\..\Run: [FC42DEUM] C:\WINDOWS\System32\FC42DEUM.exe
    O4 - HKLM\..\Run: [pxsapi] C:\WINDOWS\System32\pxsapi.exe

    Reboot and delete this folder (if still present)
    C:\PROGRAM FILES \COMMON~1\EACCEL~1

    and Post a Fresh HijackThis log.
     
  9. 2004/03/18
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    In addition to what's already been suggested for removal

    O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll

    You received the spyware from eAnthology. A piggyback install, the install license agreement may have said something about other software bundled with it, if it was read completely.
    Get rid of History Eraser, another spy/adware laden product, it installed the fhccall.exe.
    You'll find the CWShredder link below, as well as the other folks posts.
    Also, after using the Shredder, install Spybot, link below. Update it, then Check for Problems. Remove everything already checked off.
    If it asks to be allowed to run at next boot, allow it and reboot.
    Note, if it does this, you will need to click on the Spybot Search & Destroy icon above the Immunize and Recovery icons on the left to get to where you can remove additional items that are found.
    Then do another HijackThis.
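    The triage the helpers above do by eye (an R0/R1 search URL pointing at superwebsearch.com, O2/O4 entries loading from the eAnthology/Acceleration folders or fhccall.exe) can be scripted against the HijackThis log format. The following is an added Python example, not part of this thread or of HijackThis itself; the sample lines are constructed from the log above, and the bad-host and path-fragment lists are assumptions taken from the replies.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines, modelled on the HijackThis v1.97 log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.superwebsearch.com/ie/
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [fhccall] C:\WINDOWS\System32\fhccall.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
"""

# Assumed indicators, taken from the replies in this thread (hijacked search host, bundled-adware paths).
BAD_SEARCH_HOSTS = {"www.superwebsearch.com"}
BAD_PATH_FRAGMENTS = ("accele~1", "eaccel~1", "fhccall.exe")

# Every HijackThis entry starts with a section code (R0, R1, F2, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Split a HijackThis log into (section code, body) pairs, skipping non-entry lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def search_host(body):
    """For R0/R1 entries, return the host of the URL after ' = ' (None if there is none)."""
    _, sep, value = body.partition(" = ")
    if not sep:
        return None
    return urlparse(value.strip()).hostname


def triage(log_text):
    """Return [(code, body, reason)] for entries the replies above would tell the user to fix."""
    flagged = []
    for code, body in parse_entries(log_text):
        lowered = body.lower()
        if code in ("R0", "R1") and search_host(body) in BAD_SEARCH_HOSTS:
            flagged.append((code, body, "IE search setting points at a known hijacker host"))
        elif code in ("O2", "O4") and any(frag in lowered for frag in BAD_PATH_FRAGMENTS):
            flagged.append((code, body, "loads from a bundled-adware path named in the thread"))
    return flagged
```

    Legitimate entries such as the Google toolbar BHO and the Zone Labs client are left alone, which mirrors the "if you know they belong to a legitimate program leave them alone" advice above.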
     