Author Topic: Little help pls.  (Read 21809 times)


Offline FreewheelinFrank

Re: Little help pls.
« Reply #15 on: October 29, 2005, 08:09:57 PM »
R3 - Default URLSearchHook is missing

Fix here:

http://forum.hijackthis.de/archive/index.php/t-720.html

Run HijackThis! again, tick the box next to these items, press Fix and reboot:

O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)

O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone

O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing) 

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)   

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

I cannot find any information on this item:

O16 - DPF: {6CAFBA3E-FB85-11D3-915A-08005ACEEF64} (KPSimDialog Class) - file://E:\plugins\kpsimie.cab

Do you recognise it? Is it something you use? I assume you've run Ad-Aware and Spybot, so it may well be legitimate.

And update Java as Spiritsongs has noticed!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

stang1127

Re: Little help pls.
« Reply #16 on: October 29, 2005, 08:43:22 PM »
I updated Java, but now IE will not load at all. It just hangs. I tried to uninstall it, and nothing will work. What happened?

**NM, it seems like Comodo blocked something causing the issue... all fixed now... I think.
« Last Edit: October 29, 2005, 09:21:00 PM by stang1127 »

stang1127

Re: Little help pls.
« Reply #17 on: October 29, 2005, 11:08:03 PM »
Scan saved at 2:06:46 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Comodo\Comodo Personal Firewall\CPF.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Comodo Personal Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt\Desktop\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\ShellEx.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Comodo Personal Firewall\CPF.exe sysrestart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~2\swdoctor.exe /Q
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\ShellEx.dll
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\ShellEx.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PCPitstop-Tracks-Checker - http://www.pcpitstop.com/privacy/PCPTracks.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122006558031
O16 - DPF: {6CAFBA3E-FB85-11D3-915A-08005ACEEF64} (KPSimDialog Class) - file://E:\plugins\kpsimie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125723089406
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\Matt\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O20 - AppInit_DLLs: 4APPINITSOFTWARE\Microsoft\Windows NT\CurrentVersion\WindowsAppInit_DLLs,wbsys.dll
O20 - Winlogon Notify: WB - C:\Program Files\AlienGUIse\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - Comodo Research Lab., Inc. - C:\Program Files\Comodo\Comodo Personal Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe


Could not get the fix for that search hook to work; it kept giving me an error about importing binary data.

I highly recommend Spyware Doctor to anyone; it has a lot of different uses and is very handy. I am also planning to purchase Ewido; it picked up some stuff the other scanners did not... very impressed. I think I got about all of the crap out of my computer.

Offline Eddy

Re: Little help pls.
« Reply #18 on: October 29, 2005, 11:32:22 PM »
If you fixed everything FreewheelinFrank was saying, you are in trouble.
He told you to fix perfectly normal and harmless services.
« Last Edit: October 30, 2005, 05:16:35 PM by Eddy »

Offline FreewheelinFrank

Re: Little help pls.
« Reply #19 on: October 30, 2005, 08:59:10 AM »
Hi stang1127,

I told you to fix the Bitdefender services because I assumed you had removed Bitdefender with a view to installing avast! This is the avast! forum after all. My apologies if you do actually intend to keep Bitdefender.

You can fix the reghook thing by a manual edit of the registry: you just need to re-enter the default value in the location given in the link.

It should look like this:



Backing up the registry is advisable before making any changes.

stang1127

Re: Little help pls.
« Reply #20 on: October 30, 2005, 05:04:16 PM »
So does everything else look good?  What else can I do to make sure I have no more infected files?  Besides re-format...that is.

Offline FreewheelinFrank

Re: Little help pls.
« Reply #21 on: October 30, 2005, 05:33:56 PM »
Hi stang1127,

You can fix this entry:

O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)

Everything looks OK. Have you still got symptoms?

You may want to restore the Bitdefender entries I asked you to delete if you haven't in fact removed the program. (You can do this inside HijackThis! as long as it isn't in a temp directory.) Bitdefender free doesn't have on-access scanning so it works OK alongside avast!

If Bitdefender isn't working, try uninstalling and reinstalling, or reinstalling to repair entries if the program won't uninstall. Apologies again for asking you to delete those entries.

As a final check, you can visit the Kaspersky online scan site, or one of the other online scanners.

http://www.geocities.com/dontsurfinthenude/antivir2.htm
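As an added example (not code from the thread, from HijackThis or from any of the posters), the following Python script triages the log-line types the replies above argue about: the missing R3 URLSearchHook, an O2 BHO with "(no file)", the O15 ProtocolDefaults zone changes from the first reply, O16 ActiveX entries loaded from file:// rather than a web site, and O23 services whose file is missing, separating a leftover entry for an uninstalled product (harmless, as Eddy points out) from a service that borrows a core Windows binary name such as lsass.exe outside System32. The sample log is constructed from lines quoted in this thread; the severity rules are this example's own heuristics. The .reg text it can emit is the standard default for the URLSearchHooks key (Microsoft's own search-hook CLSID with empty string data), not content copied from the linked forum page.

```python
"""Added example: triage of HijackThis-style log lines (not code from the thread).

Assumptions: the severity rules are this example's own heuristics, and the sample
log below is constructed from lines quoted in the thread.
"""
import ntpath
import re

# Internet Explorer ZoneMap zone IDs (My Computer, Intranet, Trusted, Internet, Restricted).
ZONE_IDS = {"My Computer": 0, "Intranet": 1, "Trusted": 2, "Internet": 3, "Restricted": 4}

# Binaries a stock Windows XP install runs from System32; a service entry that reuses
# one of these names from any other folder deserves a close look.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

O15_RE = re.compile(r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in (?P<cur>.+?) Zone, should be (?P<want>.+?) Zone")
O16_RE = re.compile(r"^O16 - DPF: .* - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<rest>.+)$")
EXE_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# Constructed sample: a few lines from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: LinkTracker Class - {85A77577-A8CA-41b7-AA1E-DDAD4C0B12B1} - (no file)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6CAFBA3E-FB85-11D3-915A-08005ACEEF64} (KPSimDialog Class) - file://E:\plugins\kpsimie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122006558031
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def triage_line(line):
    """Return (severity, message) for one HijackThis line, or None for line types
    this example does not know about."""
    line = line.rstrip()
    if line.startswith("R3 - Default URLSearchHook is missing"):
        return ("info", "default URLSearchHook value absent; restore it (see urlsearchhook_fix_reg)")
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return ("low", "orphaned BHO registration with no DLL on disk; safe to fix")
    m = O15_RE.match(line)
    if m:
        cur, want = m.group("cur"), m.group("want")
        return ("high", f"protocol '{m.group('proto')}' mapped to zone {ZONE_IDS.get(cur, '?')} ({cur}); "
                        f"default is {ZONE_IDS.get(want, '?')} ({want})")
    m = O16_RE.match(line)
    if m:
        url = m.group("url")
        if url.lower().startswith("file://"):
            return ("medium", f"ActiveX download entry points at a local file ({url}); confirm you installed it")
        return ("info", f"ActiveX download entry from {url}")
    m = O23_RE.match(line)
    if m:
        rest = m.group("rest")
        exe = EXE_RE.search(rest)
        path = exe.group("path") if exe else rest
        base = ntpath.basename(path).lower()       # ntpath so this works off Windows too
        folder = ntpath.dirname(path).lower()
        missing = "(file missing)" in rest
        if base in CORE_BINARIES and folder != SYSTEM32:
            note = " (file missing)" if missing else ""
            return ("high", f"service '{m.group('name')}' uses a core Windows binary name outside System32: {path}{note}")
        if missing:
            return ("low", f"service '{m.group('name')}' points at a missing file ({path}); fix only if the product was uninstalled")
        return ("info", f"service '{m.group('name')}' -> {path}")
    return None


def triage_log(text):
    """Run triage_line over every line; return the list of (severity, message) findings."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


def urlsearchhook_fix_reg():
    """Text of a .reg file restoring IE's default URL search hook: the Microsoft
    hook CLSID registered with empty string data (standard default, assumed here)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\URLSearchHooks]\r\n"
            '"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""\r\n')


if __name__ == "__main__":
    for sev, msg in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {msg}")
```

Run it against a saved HijackThis log with `triage_log(open("hijackthis.log").read())`; the point of the path check is that a "(file missing)" entry by itself only says a product was uninstalled, while a core system name living anywhere but System32 is the part worth acting on.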

Spiritsongs

Re: Little help pls.
« Reply #22 on: October 30, 2005, 05:41:15 PM »
:) I recommend you uninstall that new-on-the-market "Comodo" firewall and let others be the guinea pigs; you'd be better off using an "established" product, like Zone Alarm, Sygate, Kerio, Outpost, etc. And if your anti-trojan emphasis is on "real-time" protection, meaning you BUY a product, choose A-squared instead of Ewido. A-squared has the better "real-time" protection and Ewido the better scanner. And the HijackThis experts on anti-spyware forums always advise placing the program in a folder, NOT the desktop.

Offline DavidR

Re: Little help pls.
« Reply #23 on: October 30, 2005, 06:20:13 PM »
Quote
So does everything else look good? What else can I do to make sure I have no more infected files? Besides re-format...that is.
I suggest you give yourself a fighting chance in the future and use an alternative browser, Firefox or Opera, which are less susceptible to malware.

Also, whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

stang1127

Re: Little help pls.
« Reply #24 on: October 31, 2005, 12:02:37 AM »
Quote
You may want to restore the Bitdefender entries I asked you to delete if you haven't in fact removed the program. (You can do this inside HijackThis! as long as it isn't in a temp directory.) Bitdefender free doesn't have on-access scanning so it works OK alongside avast!
I actually wasn't that impressed with it & uninstalled it.

Quote
I suggest you give yourself a fighting chance in the future and use an alternative browser, Firefox or Opera, which are less susceptible to malware
I installed Opera, but now A2 is recognizing it as a trojan; is this normal? I downloaded it from their main web page.

Quote
So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
I noticed when I boot into safe mode, there is actually the Administrator account, and then my account. So I don't think I put myself as the administrator. Could be wrong though.

stang1127

Re: Little help pls.
« Reply #25 on: October 31, 2005, 12:03:38 AM »
Quote
:) I recommend you uninstall that new-on-the-market "Comodo" firewall and let others be the guinea pigs; you'd be better off using an "established" product, like Zone Alarm, Sygate, Kerio, Outpost, etc. And if your anti-trojan emphasis is on "real-time" protection, meaning you BUY a product, choose A-squared instead of Ewido. A-squared has the better "real-time" protection and Ewido the better scanner. And the HijackThis experts on anti-spyware forums always advise placing the program in a folder, NOT the desktop.

Going to take a look @ sygate tonight.

Offline DavidR

Re: Little help pls.
« Reply #26 on: October 31, 2005, 12:21:32 AM »
Quote
I suggest you give yourself a fighting chance in the future and use an alternative browser, Firefox or Opera, which are less susceptible to malware
I installed Opera, but now A2 is recognizing it as a trojan; is this normal? I downloaded it from their main web page.

Quote
So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
I noticed when I boot into safe mode, there is actually the Administrator account, and then my account. So I don't think I put myself as the administrator. Could be wrong though.

1. You could also check the offending/suspect file (assuming it isn't too big) at Jotti - Multi engine on-line virus scanner; if any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Or VirusTotal - Multi engine on-line virus scanner.

2. Even though it shows the Administrator account and yours, you too are likely to have administrator privileges. Can you install programs? If so, it is likely you have admin privileges. To check, go to Control Panel, User Accounts, and you should be able to see what privileges you have.

stang1127

Re: Little help pls.
« Reply #27 on: November 03, 2005, 04:00:39 AM »
Anyone have any idea if there is a registry setting in Windows Firewall that may disable it from being used? I uninstalled Comodo in favor of Sygate; but, because of an issue with Panda Antivirus, I am having problems getting it installed. So at this point even Microsoft's firewall would be better than nothing.

galooma

Re: Little help pls.
« Reply #28 on: November 03, 2005, 06:12:32 AM »
With regard to Windows Firewall, you can control that in Security Centre.
It should come on by default if there is no other working; however, having said that, Windows didn't recognise Comodo and had its firewall on as well for me.

Spiritsongs

Re: Little help pls.
« Reply #29 on: November 03, 2005, 06:48:08 PM »
:) Hi:

Your recent post is the 1st mention of "Panda Antivirus" (before, you mentioned having BitDefender); have you recently installed Panda's "Titanium 2006 Antivirus + Antispyware"? As has been mentioned previously, you should have ONLY 1 antivirus product "resident" (providing "real-time" protection) on a computer. And I found the following on the Sygate forums: "You need to uninstall both, reinstall Sygate. Then reinstall Panda Titanium 2005 using a 'Custom installation' and when you get to the 'Choose protection types' screen uncheck 'Firewall protection'." This was by their "Super Moderator" "Peter UK".

I have Sygate Personal Firewall 5.6 with Avast and have experienced NO conflicts.
« Last Edit: November 03, 2005, 06:58:58 PM by Spiritsongs »