
JemeQyzpx/Sd...etc, Anyone know what this is?

Discussion in 'Malware and Virus Removal Archive' started by LAllen, 2007/04/08.

Thread Status:
Not open for further replies.
  1. 2007/04/08
    LAllen

    LAllen Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    37
    Likes Received:
    0
    JemeQyZpx/SdCEhr...This program appears to be running in the background. After clicking "turn off computer" and before XP closes, an "end program" box appears for this program.

    Is this a virus, trojan, spyware, adware, malware?

    Virus/adware/spyware scans do not detect it.

    Anyone know what this is, and how to block or delete it?

    The computer is running slower.

    Thanks
     
  2. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Here is how we like to begin our analysis of your pc:

    For starters, if you do not have them yet, please DL and run AdAware & Spybot Search & Destroy. AdAware and Spybot Search & Destroy are 2 of the most trusted apps in the security area. They are both free, complement each other nicely, and do not use a lot of resources. They can be found here:

    Spybot Search & Destroy v.1.4
    AdAware SE Free v1.06r

    With AdAware and Spybot: DL, follow the install instructions, check for updates, then scan, repair/remove/quarantine anything found. Reboot before the next scan with whichever app is next. The reason for running these apps is to clean up some of the other 'crapware' on your pc, which, in turn, will make deciphering your HJT log easier.

    Then we use HiJackThis v1.99.1
    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of:'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and notepad will open up with the contents of the scan. Right-click in the saved log, and select 'copy'. Then proceed to your original thread, unless otherwise instructed and click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     


  4. 2007/05/25
    LAllen

    LAllen Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    37
    Likes Received:
    0
    Contents of the Saved Scan Log (using HijackThis!)

    Logfile of HijackThis v1.99.1
    Scan saved at 10:18:53 PM, on 5/24/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\XPPRO\System32\smss.exe
    C:\XPPRO\system32\winlogon.exe
    C:\XPPRO\system32\services.exe
    C:\XPPRO\system32\lsass.exe
    C:\XPPRO\system32\svchost.exe
    C:\XPPRO\System32\svchost.exe
    C:\XPPRO\Explorer.EXE
    C:\XPPRO\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    C:\XPPRO\system32\pctspk.exe
    C:\XPPRO\System32\svchost.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\AOLSoftware.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
    C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
    C:\XPPRO\system32\wuauclt.exe
    C:\XPPRO\system32\wscntfy.exe
    c:\program files\common files\aol\1156604369\ee\aolssc.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1156604369\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1156604369\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
    O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
    O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\XPPRO\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: WgaLogon - C:\XPPRO\
    O21 - SSODL: bonspells - {11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} - (no file)
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
    O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\XPPRO\system32\pctspk.exe
     
  5. 2007/05/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    This is one of the many SmitFraud/Zlob infections. Please follow directions for the first part of the fix.

    Please download SmitfraudFix (by S!Ri). Save it to your desktop.

    Double-click the SmitfraudFix.exe and it will install a new folder to your desktop, called SmitfraudFix. Shortly after that a DOS command window will appear. Once it opens, hit any key to continue.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.

    No need for a new HJT log, just the results from the SmitfraudFix tool.
     
  6. 2007/05/25
    LAllen

    LAllen Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    37
    Likes Received:
    0
    SmitfraudFix report

    SmitFraudFix v2.186

    Scan done at 23:21:44.54, Thu 05/24/2007
    Run from C:\Documents and Settings\Allen\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\XPPRO\System32\smss.exe
    C:\XPPRO\system32\winlogon.exe
    C:\XPPRO\system32\services.exe
    C:\XPPRO\system32\lsass.exe
    C:\XPPRO\system32\svchost.exe
    C:\XPPRO\System32\svchost.exe
    C:\XPPRO\Explorer.EXE
    C:\XPPRO\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    C:\XPPRO\system32\pctspk.exe
    C:\XPPRO\System32\svchost.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\AOLSoftware.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
    C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
    C:\XPPRO\system32\wuauclt.exe
    C:\XPPRO\system32\wscntfy.exe
    c:\program files\common files\aol\1156604369\ee\aolssc.exe
    C:\XPPRO\system32\CMMON32.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    c:\program files\common files\aol\1156604369\ee\anotify.exe
    C:\XPPRO\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\XPPRO


    »»»»»»»»»»»»»»»»»»»»»»»» C:\XPPRO\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\XPPRO\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\XPPRO\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Allen


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Allen\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALLEN\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} "= "bonspells "



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: WAN (PPP/SLIP) Interface
    DNS Server Search Order: 64.40.40.51
    DNS Server Search Order: 209.102.96.10

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{39A4FCA5-626B-44EF-8A6D-716560FDDB0B}: NameServer=64.40.40.51 209.102.96.10
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{39A4FCA5-626B-44EF-8A6D-716560FDDB0B}: NameServer=64.40.40.51 209.102.96.10


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  7. 2007/05/25
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Second part of fix:

    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!

    Please download, install, and update the free version of AVG Anti-Spyware 7.5. Save the file to your desktop.
    1. Double-click the file and select your language.
    2. Follow the prompts to install. The application will add three start-ups to your system; be sure to allow them if you have any real-time monitoring of your system.
    3. Once the install has completed, run the program.
    4. Be sure the two options are enabled:
      • Resident shield
      • Automatic updates
    5. From the main AVG 'Status' screen, click the update now link; the update should begin automatically. If not, then hit the [Manual Update] button to begin updating.
    6. After the update finishes, the status bar will display "Update successful"
    7. Click the 'Scanner' tab, and select the 'Settings' tab.
    8. Under 'How to act?' click 'Recommended actions' and select 'Quarantine'
    9. Under 'Reports' be sure to tick the radio button for 'Automatically generate report after each scan' and un-tick the 'Only if threats were found' box.
    10. Exit AVG. DO NOT run a scan yet.

    Reboot into Safe Mode this way:
    Turn on the computer
    Immediately begin tapping the F8 key.
    Use the arrow keys to highlight Safe Mode and press the Enter key.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    AFTER SmitfraudFix finishes (and after a reboot if required), please open AVG. (If a reboot is required, please boot BACK into Safe Mode.)
    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • When the scan is finished, click the [Save report] button at the bottom of the screen.
    • Then hit the [Save report as] button.
    • Save the report to your desktop.
    • Click the 'Scanner' tab again and then click the [Apply all actions] button.
    • Close AVG
    Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the AVG report and a new HijackThis log. (please edit out all 'cookies', 'Recycler folder' and 'restore\system volume folder' references from the AVG log)
     
  8. 2007/05/29
    LAllen

    LAllen Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    37
    Likes Received:
    0
    SmitfraudFix log, AVG rpt, new HijackThis log

    SmitFraudFix v2.186

    Scan done at 18:21:47.15, Tue 05/29/2007
    Run from C:\Program Files\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} "= "bonspells "


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS



    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End



    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:10:46 PM 5/29/2007

    + Scan result:



    C:\WINDOWS\SYSTEM\desktrf.exe -> Adware.Beginto : No action taken.
    C:\System Volume Information\_restore{B5CF1CF2-8848-42FD-9918-EEA23EF170A6}\RP167\A0033173.exe -> Adware.CASClient : No action taken.
    HKU\S-1-5-21-117609710-507921405-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BF5B8FC-11CB-409F-8C91-4D4CA04A1B6D} -> Adware.Generic : No action taken.
    C:\System Volume Information\_restore{B5CF1CF2-8848-42FD-9918-EEA23EF170A6}\RP167\A0033174.DLL -> Adware.SafeSurfing : No action taken.
    C:\WINDOWS\SYSTEM\EGDHTML_1021.dll -> Dialer.EGroup.1021 : No action taken.


    ::Report end


    Logfile of HijackThis v1.99.1
    Scan saved at 8:26:15 PM, on 5/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\XPPRO\System32\smss.exe
    C:\XPPRO\system32\winlogon.exe
    C:\XPPRO\system32\services.exe
    C:\XPPRO\system32\lsass.exe
    C:\XPPRO\system32\svchost.exe
    C:\XPPRO\System32\svchost.exe
    C:\XPPRO\system32\spoolsv.exe
    C:\XPPRO\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    C:\XPPRO\system32\pctspk.exe
    C:\XPPRO\System32\svchost.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\AOLSoftware.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
    C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
    C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCEvtHdlr.exe
    C:\XPPRO\system32\wuauclt.exe
    C:\XPPRO\system32\wuauclt.exe
    C:\XPPRO\system32\wscntfy.exe
    c:\program files\common files\aol\1156604369\ee\aolssc.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1156604369\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1156604369\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
    O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
    O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
    O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
    O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\XPPRO\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: WgaLogon - C:\XPPRO\
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Antivirus Update Service (aolavupd) - America Online - C:\Program Files\Common Files\AOL\1156604369\ee\services\sscFirewallPlugin\ver1_10_3_1\aolavupd.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\XPPRO\system32\pctspk.exe
     
  9. 2007/05/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Looks like the tool removed the infection; how is the machine running?

    We have a couple of minor things to fix.

    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm


    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)


    O20 - Winlogon Notify: WgaLogon - C:\XPPRO\


    Reboot and run HJT; if the above are gone, there is no need to repost a new log.
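The entries singled out in the last two posts (a registered component whose file is gone, a Winlogon Notify entry that names a directory, IE page settings pointing at blank.htm, and the SSODL "bonspells" entry that SmitfraudFix removed) can be picked out of a HijackThis log mechanically. The following is an added example, not code from this thread, from its helper, or from HijackThis itself; it encodes those hand-applied rules as read-only heuristics over a constructed sample built from entry lines that appear in the logs above. It only reports; nothing here touches the registry or the file system.

```python
"""Heuristic triage of HijackThis v1.99.1 log entries (added example)."""
import re
from typing import List, Tuple

# Constructed sample: entry lines taken from the logs posted in this
# thread. A few process-list lines are included to show they are skipped.
SAMPLE_LOG = r"""
Running processes:
C:\XPPRO\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\XPPRO\
O21 - SSODL: bonspells - {11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} - (no file)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

# An entry line starts with its section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")


def entry_path(kind: str, body: str) -> str:
    """Best-effort extraction of the target part of an entry.

    R0/R1 and 'Global Startup' lines use 'name = target'; most other
    sections separate fields with ' - ' and put the target last.
    """
    if kind.startswith("R") or body.startswith("Global Startup:"):
        return body.split(" = ", 1)[-1].strip()
    return body.rsplit(" - ", 1)[-1].strip()


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every entry worth a second look.

    The rules mirror what the helper flagged by hand in this thread; they
    are heuristics, not a verdict, and an entry they skip may still be bad.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, blank line or running-process path
        kind, body = match.groups()
        path = entry_path(kind, body)
        reason = None
        if path == "(no file)":
            reason = "registered component whose file no longer exists"
        elif kind == "O20" and path.endswith("\\"):
            reason = "Winlogon Notify entry names a directory, not a DLL"
        elif kind in ("R0", "R1") and path.lower().endswith("blank.htm"):
            reason = "IE page setting redirected to blank.htm"
        elif kind == "O21":
            # ShellServiceObjectDelayLoad is the persistence point the
            # SmitFraud/Zlob entry in this thread used; rare in clean logs.
            reason = "SSODL entry; uncommon, review the named object"
        if reason:
            findings.append((kind, reason, line))
    return findings


def format_report(findings: List[Tuple[str, str, str]]) -> str:
    """Render findings one per line for pasting into a reply."""
    return "\n".join(f"[{kind}] {reason}\n    {line}" for kind, reason, line in findings)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run against the constructed sample, the O2, O4 and O23 lines pass untouched and the six remaining entries are listed with the rule that caught them; the AOL Toolbar O9 entry is reported as well because its file is gone, even though the helper chose to leave it, which is the kind of judgement the script deliberately leaves to a person.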
     
  10. 2007/07/04
    LAllen

    LAllen Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    37
    Likes Received:
    0
    Jeme...still lurking...but uninstalled AOL programs, see below

    TeMerc,

    Jeme... was still lurking and pc slow.

    However, a few days ago, I uninstalled AOL programs and have not seen Jeme... since and the pc is running better. However, I still performed your instructions below and checked the items indicated and they were gone after the last HJT.

    Anything else you suggest to do?

    Although, I uninstalled all AOL programs in Control Panel/Add Remove Programs (except AOL Uninstaller), I still have AOL folders on my C: drive...Local Disk (C:)/Program Files/AOL 9.0....in viewing R/ click Start > Explore. Should I or is there no problem in deleting these folders? AOL is not my ISP any longer. I don't need anything in AOL files.

    Also, what is your opinion of McAfee VirusScan 6.0 (all I have now, I know old version) or McAfee in general? Any suggestions on other protection software?

    Thank you very much for your assistance thus far.

    LAllen
     
  11. 2007/07/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yes, you can delete everything that is AOL related with no ill effects.

    In so far as McAfee products go, they seem ok but it also depends on what you buy, complete system suite or stand alone apps. Unless you're running at least 1GIG of RAM, I'd avoid any system suites, they tend to be RAM hungry.

    You'll almost always find different people recommend different products for av and firewalls. I rarely get into such convos as they tend to run long and deep with no real concise answers. Each system is different so needs to be addressed differently.
     
  12. 2007/07/13
    LAllen

    LAllen Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    37
    Likes Received:
    0
    Thanks for info

    TeMerc,

    Thanks for info on AOL folders/files and AV/firewall products...I need a faster pc anyway.

    I can run Spybot, Adware SE and AVG Anti-Spyware periodically, right? This OK?

    Again, thanks for all the help and advice.

    LAllen
     
  13. 2007/07/13
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yes, they can be run, but not simultaneously, nor is it a good idea to have all of the 'monitoring' tools running; AdWatch, TeaTimer or the AVG 'guard'.

    AA-SE and Spybot update weekly, check before running scans.

    AVG updates daily, sometimes 3-4 times in a days time.

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware-infested sites from loading in IE, install IE-SPYADs.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol 2007 Build 3.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
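The MVPS Hosts File recommended above and the "hosts" section SmitfraudFix prints in the reports earlier in this thread are two sides of the same mechanism: a blocklist maps unwanted hostnames to a non-routable address, while a hijacked hosts file maps legitimate hostnames (vendor update servers, security sites) to an address the attacker controls so the machine can no longer reach them. The following is an added example, not code from this thread, from SmitfraudFix or from the MVPS project; it classifies the entries of a constructed hosts file into those two groups. The list of protected vendor domains is an assumption made for this example.

```python
"""Classify hosts-file entries as blocklist, benign override or hijack (added example)."""
import ipaddress
from typing import Dict, List, Tuple

# Assumed for this example: domains whose redirection would be alarming
# on a home machine (vendors named in this thread). Extend as needed.
PROTECTED_SUFFIXES = ("microsoft.com", "mcafee.com", "safer-networking.org", "lavasoft.com")

# Constructed sample; not taken from the poster's machine. 203.0.113.0/24 is
# a documentation range used here to stand in for an attacker address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example                # blocklist style entry
127.0.0.1       tracker.example
10.0.0.5        intranet.corp.example      # local override, benign
203.0.113.9     update.mcafee.com          # vendor domain sent elsewhere
this-is-not-an-ip  broken.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:  # one address may carry several names
            pairs.append((fields[0], name.lower()))
    return pairs


def is_protected(name: str) -> bool:
    """True when name is a protected domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> Dict[str, object]:
    """Sort hosts entries into blocking, benign redirect, hijack and junk.

    localhost must resolve to a loopback address; a hostname sent to
    127.0.0.1 or 0.0.0.0 is a blocklist entry (MVPS style); a protected
    domain sent anywhere routable is treated as a hijack.
    """
    report: Dict[str, object] = {
        "localhost_ok": False,
        "blocking": [],
        "redirect": [],
        "hijack": [],
        "unparseable": [],
    }
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["unparseable"].append((ip, name))
            continue
        if name == "localhost":
            report["localhost_ok"] = addr.is_loopback
            continue
        if addr.is_loopback or addr.is_unspecified:
            report["blocking"].append(name)
        elif is_protected(name):
            report["hijack"].append((name, ip))
        else:
            report["redirect"].append((name, ip))
    return report


if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

On the sample, the two blocklist lines land in "blocking", the intranet override is reported as a plain redirect for a human to confirm, and the mcafee.com entry pointing at a routable address is the only "hijack"; a real audit would read C:\WINDOWS\system32\drivers\etc\hosts instead of the embedded string.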
     