Question

  • #2161874

    Computer Acting Strange

    Locked

    by crutchcrutch ·

    I have been able to remove a lot with AVAST, SPYWARE TERMINATOR, AVG 8.0, etc., but I know there is still a lot on my computer. I have attached an HJT log. Can someone please take a look and assist me in getting my computer back? Thanks in advance!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:41:32 PM, on 5/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Art Plus\Wallpaper4LE\wallpaper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Palm\hotsync.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php…MjI6Ojg5&lid=2
    O2 – BHO: (no name) – {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} – C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 – BHO: (no name) – {2E529F87-2B52-438C-9E7C-7D0A0DD910BA} – C:\WINDOWS\system32\ljJaWnop.dll (file missing)
    O2 – BHO: WormRadar.com IESiteBlocker.NavFilter – {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} – C:\Program Files\AVG\AVG8\avgssie.dll
    O2 – BHO: (no name) – {5BC7C40A-6B00-4D90-B3AC-DB03D80D6437} – (no file)
    O2 – BHO: (no name) – {6089783B-4829-431B-9E53-DB82BDC0DF17} – C:\WINDOWS\system32\tuvVLbXP.dll (file missing)
    O2 – BHO: (no name) – {7E853D72-626A-48EC-A868-BA8D5E23E045} – (no file)
    O2 – BHO: ST – {9394EDE7-C8B5-483E-8773-474BF36AF6E4} – C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 – BHO: Google Toolbar Helper – {AA58ED58-01DD-4d91-8333-CF10577473F7} – c:\program files\google\googletoolbar1.dll
    O2 – BHO: Google Toolbar Notifier BHO – {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} – C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 – BHO: MSNToolBandBHO – {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} – C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O2 – BHO: (no name) – {D7743E2D-0EF3-44E3-A472-E29B300D3867} – C:\WINDOWS\system32\byXQGxvv.dll (file missing)
    O3 – Toolbar: MSN – {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} – C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 – Toolbar: &Google – {2318C2B1-4965-11d4-9B18-009027A5CD4F} – c:\program files\google\googletoolbar1.dll
    O3 – Toolbar: &Crawler Toolbar – {4B3803EA-5230-4DC3-A7FC-33638F3D3542} – C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O4 – HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 – HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 – HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 – HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 – HKLM\..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
    O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 – HKLM\..\Run: [SpywareTerminator] “C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe”
    O4 – HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 – HKCU\..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
    O4 – HKCU\..\Run: [Art Plus Wallpaper Calendar] “C:\Program Files\Art Plus\Wallpaper4LE\wallpaper.exe” /a
    O4 – HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 – Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
    O8 – Extra context menu item: Crawler Search – tbr:iemenu
    O8 – Extra context menu item: E&xport to Microsoft Excel – res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 – Extra button: Research – {92780B25-18CC-41C8-B9BE-3C9C571A8263} – C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 – Extra button: Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
    O9 – Extra ‘Tools’ menuitem: Windows Messenger – {FB5F1910-F110-11d2-BB9E-00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
    O10 – Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 – DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) – http://photo.walgreens.com/WalgreensActivia.cab
    O18 – Protocol: linkscanner – {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} – C:\Program Files\AVG\AVG8\avgpp.dll
    O18 – Protocol: tbr – {4D25FB7A-8902-4291-960E-9ADA051CFBBF} – C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O20 – AppInit_DLLs: avgrsstx.dll
    O20 – Winlogon Notify: ljJaWnop – ljJaWnop.dll (file missing)
    O20 – Winlogon Notify: WinCtrl32 – WinCtrl32.dll (file missing)
    O23 – Service: Ad-Aware 2007 Service (aawservice) – Lavasoft – C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – ALWIL Software – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 – Service: avast! Antivirus – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 – Service: avast! Mail Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 – Service: avast! Web Scanner – ALWIL Software – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 – Service: AVG8 E-mail Scanner (avg8emc) – AVG Technologies CZ, s.r.o. – C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 – Service: AVG8 WatchDog (avg8wd) – AVG Technologies CZ, s.r.o. – C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 – Service: Canon Camera Access Library 8 (CCALib8) – Canon Inc. – C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 – Service: Google Updater Service (gusvc) – Google – C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 – Service: Spyware Terminator Realtime Shield Service (sp_rssrv) – Crawler.com – C:\Program Files\Spyware Terminator\sp_rsser.exe
    O24 – Desktop Component 0: Privacy Protection – file:///C:\WINDOWS\privacy_danger\index.htm


    End of file – 6597 bytes

All Answers

    • #2465685

      Clarifications

      by crutchcrutch ·

      In reply to Computer Acting Strange

      Clarifications

    • #2465671

      Well, a quick glance tells me:

      by robo_dev ·

      In reply to Computer Acting Strange

      O20 – Winlogon Notify: ljJaWnop – ljJaWnop.dll (file missing)
      O20 – Winlogon Notify: WinCtrl32 – WinCtrl32.dll (file missing)

      Those are leftovers from a spyware/virus infection. Probably Vundo. I would clean out the BHOs and make sure to clean out all temporary internet files.

      Below is a fake spyware message:
      O24 – Desktop Component 0: Privacy Protection – file:///C:\WINDOWS\privacy_danger\index.htm

      Go to the Trend Micro site and run the Housecall online virus/spyware check.

      Part of your issue may be that running overlapping programs like AdAware, Spyware Terminator and Avast at the same time might be causing issues.

    • #2465667

      You can't run

      by rob miners ·

      In reply to Computer Acting Strange

      two antivirus programs at the same time. You seem to have Avast and AVG 8 installed. As Robo has pointed out, there may be remnants left over. Just to be safe, try this.

      From another PC, download and install these programs and copy the installed folder along with ComboFix.exe to a USB stick.

      Restart the PC in Safe Mode and turn off System Restore, then insert the USB stick and run Sophos.bat. When it is completed, run ComboFix.exe. When the PC reboots, start in Safe Mode again and run Spybot.

      Download Spybot – Search & Destroy 1.5.2 and install it. Update it. http://www.safer-networking.org/en/download/index.html

      Download Sophos and the latest IDE Files. Install it and extract the IDE files to the C:\SAV32CLI folder.
      http://www.sophos.com/support/knowledgebase/article/13251.html

      Copy and paste the two lines below into Notepad and save the file to the USB stick as sophos.bat; it will scan and remove.

      ===============================
      CD SAV32CLI
      SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT
      ===============================

      For a guide and tutorial on using ComboFix, please read this:

      http://www.bleepingcomputer.com/combofix/how-to-use-combofix

      The Sophos SAV32CLI folder can be safely deleted after it is copied to USB.

      Also download and install CCleaner to tidy up your Registry. Let it run through until there are no errors left.

      http://www.ccleaner.com/download

    • #2465653

      Additionally

      by ic-it ·

      In reply to Computer Acting Strange

      Check the others' advice. Additionally, run Spybot in the advanced mode, Tools, and check the ActiveX and BHO boxes. Remove all entries that have the file not found. If you select (example) BHO in the left pane, then click an entry in the right window, it will show you more info on the file. Google any additional unknown files.
      Delete this one –
      O10 – Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

      Also check your startup items.
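
The replies above pick out entries marked "(file missing)" and "(no file)" by eye. The following is an added example, not part of any post in this thread, that parses HijackThis entry lines and groups those orphaned entries by the missing file, so a DLL registered at more than one load point (here both O2 and O20) stands out. The function names and dictionary keys are assumptions made for this example.

```python
import re
from collections import defaultdict

# HijackThis writes "O2 - ..."; forum software often turns " - " into an en dash.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+[-\u2013]\s+(.*\S)")
FIELD_SEP = re.compile(r"\s+[-\u2013]\s+")
ORPHAN_RE = re.compile(r"\s*\((?:file missing|no file)\)$", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Excerpt of the log posted above; the O4 line is retyped with an ASCII hyphen.
SAMPLE = r"""
C:\WINDOWS\system32\winlogon.exe
O2 – BHO: (no name) – {2E529F87-2B52-438C-9E7C-7D0A0DD910BA} – C:\WINDOWS\system32\ljJaWnop.dll (file missing)
O2 – BHO: WormRadar.com IESiteBlocker.NavFilter – {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} – C:\Program Files\AVG\AVG8\avgssie.dll
O2 – BHO: (no name) – {5BC7C40A-6B00-4D90-B3AC-DB03D80D6437} – (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O20 – Winlogon Notify: ljJaWnop – ljJaWnop.dll (file missing)
O20 – Winlogon Notify: WinCtrl32 – WinCtrl32.dll (file missing)
"""

def parse_entries(log_text):
    """Return one dict per entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, detail = m.groups()
        last = FIELD_SEP.split(detail)[-1]      # final field holds the file, if any
        clsid = CLSID_RE.search(detail)
        entries.append({
            "code": code,
            "clsid": clsid.group(0) if clsid else None,
            "target": ORPHAN_RE.sub("", last) or None,
            "orphan": bool(ORPHAN_RE.search(last)),
        })
    return entries

def orphans_by_file(entries):
    """Map each missing file (or the CLSID when no path is recorded) to entry codes."""
    grouped = defaultdict(set)
    for e in entries:
        if e["orphan"]:
            key = e["target"].rsplit("\\", 1)[-1].lower() if e["target"] else e["clsid"]
            grouped[key].add(e["code"])
    return {k: sorted(v) for k, v in grouped.items()}
```
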
