
Tech Support Team


#1
21st August 2008, 01:45 PM
Lawrie
Newcomer
Join Date: Jul 2008, 25 posts.
Location: Adelaide South Australia
Beware of "MIRAR" toolbar

Hi all,

I recently was downloading music from FROSTWIRE and embedded in a song was a TOOLBAR DOWNLOAD from "MIRAR", a naaaasty little bug that compiles all internet activity and then uses each site to bombard you with advertisements from each site you visit or/and its affiliated sponsors. Some ads overlapping and putting your CPU to MAX.

Only way you can remove it is to download an UNINSTALL PROGRAM but this only removes the TOOLBAR. It leaves behind the TRACKING COOKIES and files LINKS into your personal folders and documents that when clicked on will RELAUNCH THE TOOLBAR DOWNLOAD.

NASTY AH!!!

Good thing we have THE TECH SUPPORT TEAM, thanks guys


Lawrie
Attached Files
File Type: log hijackthis.log (13.2 KB, 16 views)
__________________
BEEN THERE - DONE THAT - HAVEN'T GOT THE FAINTEST IDEA WHY I DID IT!!!

#2
21st August 2008, 02:25 PM
Blackmirror
TST Oracle
Join Date: Jul 2008, 6,205 posts.
Location: UK Norfolk .....
I have posted your hjt log Lawrie

Have you followed the Malware Guide at the top please??

Malware Removal Guide - Read Before Posting



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:27:09 PM, on 8/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\agi\common\agservice.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USBToolbox\Res.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\tsnpstd3.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\Program Files\Kiwee Toolbar2\2.6.156\kwtbaim.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\NETGEAR\WG111v2\WG111v2.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Winter Fun Pack 2004 for Windows XP\WinterWallToy\WinterWalltoy.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.sweetim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\agi\common\_agcutils.pyd
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\2.6.156\KiweeIEToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\2.6.156\KiweeIEToolbar.dll
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\Program Files\USBToolbox\Res.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-4.0.380.0\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe"
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar2\2.6.156\kwtbaim.exe"
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NETGEAR WG111v2 Smart Wizard.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/JS...ws-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\agi\common\agservice.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 13535 bytes
__________________
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!

Last edited by Blackmirror; 21st August 2008 at 05:05 PM.
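
Added example, not part of the thread and not code from HijackThis or the forum team: a small Python parser for the log layout posted above, with a few triage rules of the kind a helper applies by eye (such as the "Unknown owner" service at C:\Program Files\agi\common\agservice.exe). The function names and the rule set are assumptions chosen for illustration; the sample lines are excerpted from the log in post #2.

```python
import re

# Excerpt of the HijackThis 2.0.2 log posted in this thread (not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\agi\common\agservice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.sweetim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk = ?
O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\agi\common\agservice.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Section codes used by HijackThis: R0-R3, F0-F3, N1-N4 and O1-O24.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
HEADER_RE = re.compile(r"^(Platform|MSIE|Boot mode): (.*)$")


def parse_hjt(text):
    """Split a HijackThis text log into header fields, processes and entries."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False
            entries.append({"code": entry.group(1), "detail": entry.group(2)})
        elif in_processes:
            processes.append(line)
        else:
            field = HEADER_RE.match(line)
            if field:
                header[field.group(1)] = field.group(2)
    return header, processes, entries


def triage(entries):
    """Return (code, reason, detail) for entries worth asking the user about.

    Illustrative heuristics only (an assumption of this example); a flagged
    line is a question to raise, not a verdict that the item is malicious.
    """
    findings = []
    for item in entries:
        code, detail = item["code"], item["detail"]
        if code in ("O2", "O3") and detail.endswith("(no file)"):
            reason = "registered browser component whose file is missing"
        elif code == "O23" and " - Unknown owner - " in detail:
            reason = "service listed with no vendor name"
        elif code == "O4" and detail.endswith("= ?"):
            reason = "startup shortcut with an unresolved target"
        elif code == "R0" and "Start Page" in detail:
            reason = "browser start page: confirm the user chose it"
        else:
            continue
        findings.append((code, reason, detail))
    return findings


def flagged_and_running(processes, findings):
    """Paths that appear in a flagged entry and in the running-process list."""
    running = {p.lower() for p in processes}
    hits = []
    for _code, _reason, detail in findings:
        # In O2/O3/O23 lines the file path is the last " - " separated field.
        path = detail.rsplit(" - ", 1)[-1].strip('"')
        if path.lower() in running:
            hits.append(path)
    return hits


if __name__ == "__main__":
    header, processes, entries = parse_hjt(SAMPLE_LOG)
    findings = triage(entries)
    print(header.get("Platform"))
    for code, reason, detail in findings:
        print(f"{code:<4}{reason}\n    {detail}")
    for path in flagged_and_running(processes, findings):
        print("flagged and currently running:", path)
```
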

#3
21st August 2008, 07:55 PM
evilfantasy
Security Team
Join Date: Dec 2007, 1,998 posts.
Location: Tulsa, OK
Hi Donna. Lawrie was working the malware removal guide and the PC kept crashing on some of the files that were being scanned so I asked that just the HJT log be posted.

Lawrie, please uninstall Zone Alarm. Running two firewalls could be part of the problem here.

Download Malwarebytes' Anti-Malware (MBAM)

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.


Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

----------

Now run a new HijackThis scan and post that log along with the MBAM log.
__________________
.

sǝƃɐd slıʌǝ

#4
22nd August 2008, 07:12 AM
Lawrie

Thanks all,

I haven't removed ZONE ALARM yet; I'm having trouble finding it.
Also, the ASK toolbar will not uninstall from my system. I'll keep trying; I don't like things getting the best of me.

I attached my logfiles/report.

Thanks again

Lawrie
Attached Files
File Type: txt hijackthis2.txt (12.9 KB, 8 views)
File Type: txt mbam-log-08-22-2008 (14-45-21)1.txt (2.8 KB, 10 views)

#5
22nd August 2008, 07:31 AM
evilfantasy
Go to My Computer->Tools->Folder Options->View tab:
  • Under the Hidden files and folders heading:
  • Select Show hidden files and folders.
  • Uncheck Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK


----------

Once you have hidden files and folders enabled go to C:\WINDOWS\system32\ZoneLabs

Open the ZoneLabs folder and look for an uninstaller in there. If you can't find one you might need to re-install Zone Alarm and then use the uninstaller to get it uninstalled properly.

----------

Once you have Zone Alarm taken care of (don't worry about the Ask Bar yet) please run ComboFix.

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

#6
22nd August 2008, 08:22 AM
Lawrie

DONE

attached logs

Lawrie
Attached Files
File Type: txt log.txt (26.6 KB, 16 views)
File Type: txt hijackthis.log3.txt (12.7 KB, 9 views)

#7
22nd August 2008, 08:53 AM
evilfantasy
Do you know what this is?

C:\Program Files\agi\common\agservice.exe

Also, do you use these?

Kiwee Toolbar2
SweetIM

#8
22nd August 2008, 02:36 PM
Lawrie

I have NO idea what it is. I was puzzled about it before but I didn't want to do anything with it in case I stuffed something else up.

C:\Program Files\agi\common\agservice.exe

Also these toolbars were downloaded by my kids so that they could get SMILEYS/EMOTICONS for MSN. I thought if they were recommended by MSN (Microsoft) as an addition to LIVE MSN it would be ok. No I don't use them but my kids do.

Kiwee Toolbar2
SweetIM


Is this a problem?

I'm still finding the ASK search bar in my PROGRAM FILES and I'm not sure which site is the best to download the ZONE ALARM installer from (so I can uninstall it for good). I don't want to download something that stuffs up my system again!!!!

Lawrie

#9
22nd August 2008, 02:48 PM
Lawrie

Also there are a few things that just appeared on my desktop that have confused me. (not hard these days)

I can't upload them because they are XML files. ????

Lawrie

#10
22nd August 2008, 04:15 PM
evilfantasy
Scan Suspicious File(s)

Use the VirusTotal.com - Multi engine on-line virus scanner
(If more than one file needs scanned they must be done separately and logs posted for each one)

  • Copy the file path in the below Code box:

Code:
C:\Program Files\agi\common\agservice.exe
  • At the upload site, click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  • Next click Send File
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Important: Wait for all of the scanning engines to complete.
  • Copy and then Paste the link to the results in the next reply.

#11
24th August 2008, 04:52 AM
Lawrie

I hope this is what you want/need.

MD5: e8cff35104ac7112fae49bd26fcf4716
First received: -
Date: 08.21.2008 00:24:07 (CET) [>3D]
Results: 0/36
Permalink: analisis/0a3cd097bb660df4d600b54f51c75764


Lawrie

#12
24th August 2008, 07:29 AM
evilfantasy
No I need the link from the web browser after the scanners are complete. Enter the file again and post the link to the results back here.

VirusTotal.com - Multi engine on-line virus scanner

C:\Program Files\agi\common\agservice.exe


You can find ZA here: Download ZoneAlarm Free 7.0.483.0 - FileHippo.com

#13
24th August 2008, 08:24 AM
Lawrie

I hope this is it then, sorry

Virustotal. MD5: e8cff35104ac7112fae49bd26fcf4716

I can't install ZONE ALARM because of a software conflict with my firewall. Should I uninstall my Firewall then try???

Lawrie

#14
24th August 2008, 05:32 PM
evilfantasy
Yes uninstall the firewall and try to get ZA completely uninstalled.

Then post a new HijackThis log.

#15
25th August 2008, 09:36 AM
Lawrie

Dear evilfantasy,

I have tried 4 times to install and uninstall ZA and no success.
Each time I uninstall I check win 32 to see if it is there and it's gone; REBOOT and it's back.
Can I use the HIJACKTHIS FIX CHECK or MALWAREBYTES TOOLS to remove it or is there some other way???

Did you find out WHAT C:\Program Files\agi\common\agservice.exe is ???


attached log

Lawrie
Attached Files
File Type: txt hijackthis.log4.txt (11.8 KB, 8 views)

#16
25th August 2008, 04:28 PM
Lawrie

Hi guys,

I tried everything to remove ZA FFFFF........rustrating!!!!
Another 6 attempts and each success in removing it and I can't access the internet or Emails.
It somehow affects how my "E_TRUST SECURITY" works and it blocks everything.
I got a log from E-TRUST my last attempt which I have attached along with Combofix and Hijack this.

Lawrie
Attached Files
File Type: txt PestPatrol5Log.txt (3.4 KB, 12 views)
File Type: txt log.txt (22.3 KB, 11 views)
File Type: txt hijackthis.log5.txt (11.6 KB, 6 views)

#17
25th August 2008, 07:17 PM
evilfantasy
I've had to think on this next response and here is where we are.

You are going to have to uninstall all of the adware/spyware/greyware before we continue. I understand your kids use some of it but do you want to teach them bad internet usage, or good? I am by far not trying to be offensive, and I apologize if I am, but it is too difficult for me to do this any other way, especially when these are the exact same problems as last time, only now worse. There has to be good surfing habits and we simply can't condone the use of programs such as Frostwire and a few others. Free isn't always good when it comes to software and we can't ignore possible copyright infringement. It goes against what we stand for.

If we continue I next need an uninstall list from HJT.

Create An Uninstall List
  • Start HijackThis
  • Click on the Open the Misc Tools section
  • Click on the Open Uninstall Manager button.
  • Click on the Save list button and specify where you would like to save this file and click Save.
    • When you press Save button a notepad will open with the contents of that file.
  • Copy and paste that list in your reply.

#18
26th August 2008, 12:05 PM
Lawrie

Being NEW to computers I was under the understanding that the internet was a wondrous place that enabled you to have the world at your fingertips. Perhaps that is still true but the vulnerabilities that expose us to the ugly side of the sharing of knowledge gives the advantage to those that feel the need to destroy the beauty and simplicity of all we love and respect.

It is Ok I will uninstall anything that is needed to get my computer back.

You have no need to apologize; I am the one that should apologize to you because there is no excuse for ignorance!!!

Lawrie

1000 Solitaire Games
101 Puzzle & Logic Games
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Reader 7.1.0
Age of Emerald (remove only)
ALi RAID Driver
Alpha Ball
ASAP Utilities
Ask Toolbar
ATI - Software Uninstall Utility
AutoCAD 2005 - English
AutoCAD 2005 Express Tools Volumes 1-9
Autodesk DWF Viewer
Break Quest
Bricks of Camelot
Bricks of Egypt
Brixout XP
CA eTrust Internet Security Suite
Can You See What I See (remove only)
Chuzzle Deluxe 1.01
Compatibility Pack for the 2007 Office system
Corel Uninstaller
DVD Shrink 3.2
DVD Solution
Eureka's 1000 Games
Excel Utilities 1.5
Excel VBA Code Cleaner 4.4
Excel VBA Code Documentor 4.0
EXPERTool
Firebird SQL Server - MAGIX Edition (US)
Fonts, Screen Savers, Sound FX & Icons
FrostWire 4.17.0
Fruit Lockers
Gold Miner
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
Hyperballoid Complete
iWin Games (remove only)
Java(TM) 6 Update 7
Jewel Quest
Jewel Quest II (remove only)
Jewel Quest III (remove only)
Jewel Quest Solitaire
Jewel Quest Solitaire II (remove only)
Lexmark X1100 Series
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
MAGIX Music Manager 2006 (US)
MAGIX Music Studio 11 deluxe (US)
MAGIX Photo Manager 2006 (US)
Mahjong Towers II
Malwarebytes' Anti-Malware
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Home Publishing 2000
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Resource Kit
Microsoft Office Converter Pack
Microsoft Office FrontPage 2003
Microsoft Office OneNote 2003
Microsoft Office Outlook 2003 with Business Contact Manager Update
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Sounds
Microsoft Office Visio Professional 2003
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft® Winter Fun Pack 2004 for Windows® XP
MSXML 4.0 SP2 (KB936181)
Multimedia Card Reader
muvee autoProducer 3.5 magicMoments
Nero 7 Essentials
NETGEAR WG111v2 wireless USB 2.0 adapter
Next Generation Visualisations
NVIDIA Drivers
NVIDIA Windows 95/98/ME/2000/XP Stereo Drivers
OneCare Advisor (Windows Live Toolbar)
Pacific Poker
PhotoNow! 1.0
Popup Blocker (Windows Live Toolbar)
Power2Go 5.0
PowerBackup 2.5
PowerProducer
QuickTime
Realtek AC'97 Audio
Realtek High Definition Audio Driver
Ricochet Lost Worlds: Recharged
Ricochet Xtreme
Rival Ball Tournament
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Smart Menus (Windows Live Toolbar)
SmartSound Quicktracks Plugin
Sound Blaster 16
Super Glinx
SweetIM for Messenger 2.5
SweetIM Toolbar for Internet Explorer 3.2
Switch Sound File Converter
Traffic Jam Extreme
Ulead COOL 3D 3.0
Ulead Data-Add 2.0
Ulead DVD MovieFactory 4.0 Suite
Ulead DVD Player 2.0
Ulead VideoStudio 9.0 SE DVD
Ultimate Mahjongg
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
USB PC Camera-168
USB Storage Toolbox
Windows Driver Package - 2Wire (2WIREPCP) Net (09/18/2002 1.4.0.5)
Windows Driver Package - NETGEAR Inc. (RTLWUSB) Net (02/07/2007 5.1283.0207.2007)
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Service Pack 3
WinFast DTV
WinFast Entertainment Center
XY Chart Labeler 6.22
Yahoo! Messenger
Yahoo! Music Jukebox
Yahoo! Toolbar
Last edited by Lawrie; 26th August 2008 at 12:14 PM.

#19
26th August 2008, 05:50 PM
evilfantasy
Ignorance is bliss

It's stupidity that wears on me, and you are far from that. And yes, free on the Internet sometimes comes with a heavy (hidden) cost.

Go to Add or Remove Programs and uninstall:
  • Ask Toolbar
  • FrostWire 4.17.0
  • iWin Games (remove only) <- Try Yahoo Games instead
  • SweetIM for Messenger 2.5 <- Not only spying on you but sends spyware to the other people you communicate with. Yahoo and MSN messengers are safe.
  • SweetIM Toolbar for Internet Explorer 3.2
Be sure to run CCleaner now and then restart the computer before continuing.

----------

Delete your current version of ComboFix and download it again!

Download Combofix by sUBs from one of the below links.

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log.
  • Please save that log to post in your next reply.
  • Re-enable all of your security programs that were disabled during the running of ComboFix.

Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection.