Dell Dimension 2400 w/ Nasties [HijackThis Log]

That combo fix is one awesome little pkg

Last night was the first time since I have had this machine that I could go straight to the intended sight in normal mode. we still have a couple of problems but soooo much better

Thank you for all your assistance.

For you readers make sure you check out TeMerc's personal site, lots of good info there. I personally have had thoughts of building a test box and do what you have, but just not enough time in my days right now, maybe in the near future

Will download the pkgs and post logs as requested tonight when I get home.

 

Most recent hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 10:59:39 PM, on 7/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe "
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


could not find these after killbox ran:

O4 - HKCU\..\Run: [ijthv] C:\WINDOWS\system32\mvinua.exe reg_run


O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)

Nor any of these:
Please go to Add/Remove, and if found, uninstall the following:
WinAntiVirus Pro 2006
OIN or PurityScan or ClickSpring

Also disabled that WinAntiVirus2006 Firewall Service.

Ewido is still finding that Awtst as a problem, I dont see it in the hjt and all seems much better than before!

 

Where is Ewido finding this, can you give me the detail from the log, run another scan with it and run Combo fix again too, thanks.

 

Here is ewido scan will run combo fix then post that as well:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:49:44 PM 7/20/2006

+ Scan result:



HKU\S-1-5-21-1834031902-1778048477-2337226689-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8037F7F0-80B6-453A-A7CB-5371A4A09BB8} -> Adware.Begin2Search : No action taken.
C:\!KillBox\nsa8.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsa8.dll( 5) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsaA.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsaA.dll( 6) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsaC.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsaC.dll( 7) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsbD.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsbD.dll( 8) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nscB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nscB.dll( 9) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsd13.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsd13.dll( 10) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsdB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsdB.dll( 11) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nseD.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nseD.dll( 12) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nseF.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nseF.dll( 13) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsgB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsgB.dll( 14) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nshB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nshB.dll( 15) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsi10.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsi10.dll( 16) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsiA.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsiA.dll( 17) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsn9.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsn9.dll( 18) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsoE.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsoE.dll( 19) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsp16.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsp16.dll( 20) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsr2C.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsr2C.dll( 21) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsrB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsrB.dll( 22) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nssA.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nssA.dll( 23) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nssB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nssB.dll( 24) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsvB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nsvB.dll( 25) -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nswB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\nswB.dll( 26) -> Adware.HotSearchBar : No action taken.
C:\HJT\backups\backup-20060716-230100-792.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsa8.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsaA.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsaC.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsbD.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nscB.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsd13.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsdB.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nseD.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nseF.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsgB.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nshB.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsi10.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsiA.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsn9.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsoE.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsp16.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsr2C.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsrB.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nssA.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nssB.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nsvB.dll -> Adware.HotSearchBar : No action taken.
C:\WINDOWS\SYSTEM32\nswB.dll -> Adware.HotSearchBar : No action taken.
C:\!KillBox\awtst.dll -> Adware.Virtumonde : No action taken.
C:\!KillBox\awtst.dll( 2) -> Adware.Virtumonde : No action taken.
C:\HJT\backups\backup-20060716-230100-446.dll -> Adware.Virtumonde : No action taken.
C:\HJT\backups\backup-20060717-213254-757.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\SYSTEM32\__delete_on_reboot__p_m_k_j_g_._d_l_l_ -> Adware.Virtumonde : No action taken.
C:\WINDOWS\SYSTEM32\__delete_on_reboot__s_s_q_p_q_._d_l_l_ -> Adware.Virtumonde : No action taken.
C:\WINDOWS\SYSTEM32\awtst.dll -> Adware.Virtumonde : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@www.adtrak[1].txt -> TrackingCookie.Adtrak : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@casinopays[1].txt -> TrackingCookie.Casinopays : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@crbanner.casinopays[2].txt -> TrackingCookie.Casinopays : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@c.enhance[1].txt -> TrackingCookie.Enhance : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@as-eu.falkag[2].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@ehg-inforspaceinc.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@revenue[1].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@searchingbooth[2].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@trafficmp[2].txt -> TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@affiliates.x10[1].txt -> TrackingCookie.X10 : No action taken.
C:\Documents and Settings\Matt Ray\Cookies\matt ray@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end

 

Combo fix log 072006 2106

Start Time= Thu 07/20/2006 21:06:21.60
Running from: C:\Documents and Settings\Matt Ray\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-20 21:06 1,860 C:\WINDOWS\system32\tstwa.ini
2006-07-20 20:27 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-18 21:10 573,492 C:\WINDOWS\system32\awtst.dll
2006-07-15 21:40 <DIR> C:\Program Files\ewido anti-malware
2006-07-15 21:05 441,808 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-05 21:43 376 C:\WINDOWS\odbc.ini
2006-07-05 21:43 <DIR> C:\Documents and Settings\Matt Ray\Application Data\microsoft
2006-07-02 23:00 <DIR> C:\Program Files\vafv
2006-07-02 22:53 <DIR> C:\Program Files\windows nt
2006-07-02 22:53 <DIR> C:\Program Files\common files
2006-07-02 19:33 <DIR> C:\Program Files\internet explorer
2006-07-02 15:44 <DIR> C:\Documents and Settings\Matt Ray\Application Data\mcafee.com personal firewall
2006-07-02 15:15 <DIR> C:\Documents and Settings\Matt Ray\Application Data\lavasoft
2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
2006-06-12 23:55 291 C:\WINDOWS\lqoul.dll
2006-06-12 23:07 <DIR> C:\Program Files\lavasoft
2006-06-12 22:13 <DIR> C:\Program Files\spybot - search & destroy
2006-06-07 12:55 3,626 C:\Program Files\Common Files\mekef.html
2006-05-19 07:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
2006-05-19 07:59 148,480 C:\WINDOWS\system32\dnsapi.dll
2006-05-19 07:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll
2006-05-02 14:43 <DIR> C:\Program Files\messenger
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nswb.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsvb.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nssb.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nssa.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsrb.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsr2c.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsp16.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsoe.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsn9.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsia.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsi10.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nshb.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsgb.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsef.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsed.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsdb.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsd13.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nscb.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsbd.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsac.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsaa.dll
2006-04-24 12:20 151,552 C:\WINDOWS\system32\nsa8.dll
2006-04-16 17:11 <DIR> C:\Documents and Settings\Matt Ray\Application Data\macromedia
2006-04-16 08:11 <DIR> C:\Program Files\Common Files\sysprotect
2006-04-14 03:01 <DIR> C:\Program Files\outlook express
2006-04-14 03:01 <DIR> C:\Program Files\Common Files\system
2006-04-05 10:31 <DIR> C:\Program Files\privacyeraser computing
2006-04-05 10:31 <DIR> C:\Program Files\Common Files\aol
2006-04-05 10:31 <DIR> C:\Program Files\aol
2006-04-03 11:00 <DIR> C:\Program Files\dell aio printer a920
2006-03-15 15:07 <DIR> C:\Program Files\installshield installation information
2006-03-15 15:07 <DIR> C:\Program Files\google
2006-03-10 22:17 <DIR> C:\Program Files\Common Files\installshield
2006-03-10 16:38 <DIR> C:\Program Files\hunting unlimited
2006-02-23 15:05 <DIR> C:\Program Files\america online 9.0
2006-02-18 04:02 <DIR> C:\Program Files\windows media player
2006-01-23 11:16 <DIR> C:\Program Files\mystery case files huntsville
2006-01-16 13:34 <DIR> C:\Program Files\reflexivearcade
2006-01-15 17:20 <DIR> C:\Program Files\real
2005-12-07 17:13 <DIR> C:\Program Files\aod
2005-06-23 16:18 <DIR> C:\Program Files\country justice
2005-05-12 09:08 <DIR> C:\Program Files\_arcadedownloadfolder
2005-03-05 19:24 <DIR> C:\Program Files\usa bass
2005-03-05 19:22 <DIR> C:\Program Files\drevenge
2005-02-27 18:06 <DIR> C:\Program Files\dell a920
2005-02-15 08:49 <DIR> C:\Program Files\ubisoft
2005-02-01 21:25 <DIR> C:\Program Files\directx
2004-12-07 23:08 <DIR> C:\Program Files\Common Files\adobe
2004-11-13 21:18 <DIR> C:\Program Files\Common Files\nsv
2004-11-08 18:56 <DIR> C:\Program Files\yahoo!
2004-11-05 23:15 <DIR> C:\Program Files\bardes 2004 interactive
2004-10-21 21:41 <DIR> C:\Program Files\ncbuy
2004-10-21 21:41 <DIR> C:\Program Files\Common Files\swf studio
2004-10-21 19:33 <DIR> C:\Program Files\Common Files\microsoft shared
2004-10-21 19:27 <DIR> C:\Program Files\Common Files\designer
2004-10-21 19:26 <DIR> C:\Program Files\snapshot viewer
2004-10-21 19:26 <DIR> C:\Program Files\microsoft office
2004-10-17 18:24 <DIR> C:\Program Files\abbyy finereader 6.0
2004-10-17 18:24 <DIR> C:\Program Files\abbyy finereader 5.0 sprint
2004-10-08 15:58 <DIR> C:\Program Files\adobe
2004-10-08 15:57 <DIR> C:\Program Files\Common Files\borland shared
2004-10-08 15:56 <DIR> C:\Program Files\wordperfect office 12
2004-10-08 15:56 <DIR> C:\Program Files\Common Files\corel
2004-10-08 15:55 <DIR> C:\Program Files\dell
2004-10-08 15:54 <DIR> C:\Program Files\musicmatch
2004-10-08 15:53 <DIR> C:\Program Files\mcafee.com
2004-10-08 15:52 <DIR> C:\Program Files\your company name
2004-10-08 15:52 <DIR> C:\Program Files\jasc software inc
2004-10-08 15:52 <DIR> C:\Documents and Settings\Matt Ray\Application Data\jasc software inc
2004-10-08 15:51 <DIR> C:\Program Files\dell computer
2004-10-08 15:51 <DIR> C:\Program Files\Common Files\dell
2004-10-08 15:50 <DIR> C:\Documents and Settings\Matt Ray\Application Data\sonic
2004-10-08 15:48 <DIR> C:\Program Files\microsoft encarta
2004-10-08 15:48 <DIR> C:\Program Files\learn2.com
2004-10-08 15:48 <DIR> C:\Program Files\earthlink setup
2004-10-08 15:48 <DIR> C:\Program Files\Common Files\aolshare
2004-10-08 15:48 <DIR> C:\Program Files\aol companion
2004-10-08 15:47 <DIR> C:\Program Files\quicktime
2004-10-08 15:47 <DIR> C:\Program Files\Common Files\real
2004-10-08 15:47 <DIR> C:\Program Files\Common Files\nullsoft
2004-10-08 15:46 <DIR> C:\Program Files\sonic
2004-10-08 15:46 <DIR> C:\Program Files\Common Files\sonic
2004-10-08 15:44 <DIR> C:\Program Files\digital line detect
2004-10-08 15:43 <DIR> C:\Program Files\java
2004-10-08 15:43 <DIR> C:\Program Files\Common Files\java
2004-10-08 15:43 <DIR> C:\Program Files\broadcom management programs
2004-10-08 15:43 <DIR> C:\Documents and Settings\Matt Ray\Application Data\sun
2004-10-08 15:32 <DIR> C:\Program Files\conexant
2004-10-08 15:19 <DIR> C:\Program Files\xerox
2004-10-08 15:19 <DIR> C:\Program Files\windowsupdate
2004-10-08 15:19 <DIR> C:\Program Files\uninstall information
2004-10-08 15:19 <DIR> C:\Program Files\online services
2004-10-08 15:19 <DIR> C:\Program Files\netmeeting
2004-10-08 15:19 <DIR> C:\Program Files\msn gaming zone
2004-10-08 15:19 <DIR> C:\Program Files\msn
2004-10-08 15:19 <DIR> C:\Program Files\movie maker
2004-10-08 15:19 <DIR> C:\Program Files\microsoft frontpage
2004-10-08 15:19 <DIR> C:\Program Files\complus applications
2004-10-08 15:19 <DIR> C:\Program Files\Common Files\speechengines
2004-10-08 15:19 <DIR> C:\Program Files\Common Files\services
2004-10-08 15:19 <DIR> C:\Program Files\Common Files\odbc
2004-10-08 15:19 <DIR> C:\Program Files\Common Files\mssoap
2004-10-08 15:19 <DIR> C:\Documents and Settings\Matt Ray\Application Data\identities


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-18 21:10 573,492 C:\WINDOWS\system32\awtst.dll
2006-07-18 21:10 1,860 C:\WINDOWS\system32\tstwa.ini
2006-07-18 21:05 266,407,936 C:\hiberfil.sys

 

I think I Got IT

I searched on this computer for awtst.dll also found the same jumble of the file backwards - tstwa.ini
I think it was re building itself from this little NASTY ini
I Googled awtst removal and found another version of VUNDO FIX v2.13 on bleeping computer

Downloaded VundoFix.exe from here: http://www.atribune.org/downloads/VundoFix.exe
rebooted into safe mode (alone nothing else just SAFE MODE)
Double-click VundoFix.exe to extract the files from desktop
This will create a VundoFix folder on your desktop.
After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning. At this point press enter one time.

At this point typed the following file path

C:\WINDOWS\system32\awtst.dll
Press Enter,
At this point type the following file path :
C:\WINDOWS\system32\tstwa.*
Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

The fix will run then HijackThis will open.
In HiJackThis, placed a check next to the following items and clicked FIX CHECKED:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awtst.dll

O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll

After fixed these items, closed Hijackthis, then forced a reboot

Upon reboot ewido was fat and happy

went to active scan and found a few

left the tools in:
C:\Documents and Settings\Administrator\Desktop\VundoFix\VundoFix\process.exe
C:\Documents and Settings\Administrator\Desktop\VundoFixb.exe[process.exe
C:\Documents and Settings\Matt Ray\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe
C:\Documents and Settings\Matt Ray\Desktop\VundoFixb.exe[process.exe]
C:\Smit Fraud\SmitfraudFix\Process.exe

removed the nastys:
C:\Documents and Settings\Matt Ray\Cookies\matt y@banners.searchingbooth[1].txt[/email]
C:\WINDOWS\SYSTEM32\DRIVERS\sscan.sys
C:\WINDOWS\SYSTEM32\FT_SilentSudokuInstaller.exe[FT_SudokuInstaller.exe][Sudoku.exe]
C:\WINDOWS\SYSTEM32\Setup94.exe
C:\WINDOWS\SYSTEM32\stera.exe
C:\WINDOWS\SYSTEM32\win.exe[DH.dll]

So Take that all you NASTYS

Will test again tomorrow after another long day in my IT world starting at 0600 again

All you watchers and readers DO NOT GIVE UP to the reinstall urge
Kick NASTYS in the patookie
you just might learn something new along the way!!!

 

Latest HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 11:58:31 PM, on 7/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe "
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

 

Well that is excellent. That older manual fix was going to be my next course of action.

My associate, Blender also noticed another infection on your system, tho, not sure how active it is:
C:\Program Files\Common Files\sysprotect <<<<this folder

You need to delete that, see if it goes away easily.

Nice job in researching things.

 

The whole sysprotect folder deleted quite nicely! Thank you blender

And a huge thank you TeMerc

I have some concerns I want to go over with the owner of this system like why don't you have an updated AV? I am tempted to load one and charge him for it but... what are friends for right?

I am working on getting just one big promotion to take me to one job only, if I get that you will be seeing a lot more of me helping out on winbbs. I enjoyed the researching side - just not enough time in my days right now.

TeMerc Thank you again,

Ron aka cpumedic

 

So many people just think they auto update or don't even realize they need to be updated. I'm no longer surprised by the lack of knowledge when it comes to basic stuff, this was actually one of the reasons I got my own website and keep it pretty basic in it's techno babble.

Good luck, and we look forward to seeing you here helping out with others. If you're interested in becoming a properly trained HJT analyst, let me know there are several training sites which will Gide you through how to do them, and where to look, loads of info to be garnered.

We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

Empty the TIF (Temporary Internet Files)
Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
The app below will help with temp files.
Index.dat Suite

Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

This would also be a good time to set a new system restore point for your machine.
Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

Here is a link which describes how security apps work with WIN XP machines.
XP User Accts Security Apps Operation

To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good the fight against ad/mal/spyware as AdAware & Spybot S&D:

SpywareBlaster
With SpywareBlaster v3.5.1 , just DL, install and check for updates, enable Internet Explorer protection, and your done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

Links for tutorials for all the apps I mentioned can be found on my site as well.

Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Subscribe to update alerts for all the above security apps here.

You can also see my own ongoing security testing with all the above apps proving how securely you can safe with them installed.
TeMerc Test Box Forum

Happy surfing!!
Tom

 

I am definitely interested in training. Will contact you for that info, I saw some the other night while searching for that file fix.

Am in the process now of cleaning the other user account as it has some popups nothing like the main user though.

May post a hjt of this acct when spybot, adaware & ewido are finished with it.

Thanks again,
Ron aka cpumedic

 

OK, very good I look forward to hearing from you.

As this thread is already 3 pages long, please start a new thread for any other user accounts needing clean up. I'll be locking this one.