
Thread: Malware Prob

  1. #21
    Junior Member
    Join Date
    Apr 2007
    Location
    Delaware
    Posts
    21


    (part 3)...

    3) Interestingly enough, here's the log file PANDA Antivirus for today's activity:

    Panda Antivirus + Firewall 2007 incident report

    EVENT DATE RESULTS ADDITIONAL INFORMATION
    ------------------------------------------------------------------------------------------------
    Virus detected: Trj/Shutdown.Z 04/22/07 15:51:44 Disinfected Location: c:\documents and settings\daddy\doctorweb\quarantine\a0186769.exe
    Virus detected: Trj/Shutdown.Z 04/22/07 15:51:44 Disinfected Location: c:\documents and settings\daddy\doctorweb\quarantine\a0184093.exe
    Virus detected: Trj/Spamer.BB 04/22/07 15:14:00 Disinfected Location: c:\windows\system32\vexga8me6.exe
    Virus detected: W32/Sdbot.JYK.worm 04/22/07 15:14:00 Disinfected Location: c:\windows\system32\vexga4m1et4.exe
    Virus detected: Trj/Clicker.AAS 04/22/07 15:13:59 Disinfected Location: c:\windows\system32\vexga3me2.exe
    Virus detected: Trj/Alanchum.UR 04/22/07 15:13:59 Disinfected Location: c:\windows\system32\vexga1me4t1.exe
    Virus detected: Trj/Clicker.SU 04/22/07 15:13:59 Disinfected Location: c:\windows\system32\vexg6ame4.exe
    Virus detected: Trj/Disablekey.BF 04/22/07 15:13:04 Disinfected Location: c:\windows\system32\max1d164v.exe
    Adware detected: Adware/Adsmart 04/22/07 15:12:36 Eliminated Location: c:\windows\system32\dlh9jkd1q1.exe
    Adware detected: adware/spymarshal 04/22/07 14:52:04 Eliminated Location: c:\windows\xpupdate.exe
    Tracking program detected: Application/BraveSentry 04/22/07 14:46:32 Eliminated Location: c:\program files\bravesentry\bravesentry2.dll
    Tracking program detected: Application/BraveSentry 04/22/07 14:46:25 Eliminated Location: c:\program files\bravesentry\bravesentry.exe
    Tracking program detected: Application/MalwareAlarm 04/22/07 14:46:11 Eliminated Location: c:\program files\bravesentry\bravesentry0.dll
    Tracking program detected: Application/MalwareAlarm 04/22/07 14:46:00 Eliminated Location: c:\program files\bravesentry\bravesentry1.dll
    Tracking program detected: Application/BraveSentry 04/22/07 14:45:16 Eliminated Location: c:\program files\bravesentry\bravesentry3.dll
    Adware detected: Adware/BraveSentry 04/22/07 14:45:16 Eliminated Location: c:\program files\bravesentry\uninstall.exe
    Virus detected: Trj/Shutdown.Z 04/22/07 14:43:03 Disinfected Location: c:\documents and settings\daddy\desktop\smitfraudfix\restart.exe
    Virus detected: Trj/Shutdown.Z 04/22/07 14:24:13 Disinfected Location: c:\documents and settings\daddy\desktop\smitfraudfix\restart.exe
    Spyware detected: Cookie/Server.iad.Liveperson 04/22/07 14:08:02 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@server.iad.liveperson[1].txt
    Spyware detected: Cookie/Bluestreak 04/22/07 14:07:49 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@bluestreak[1].txt
    Update 04/22/07 14:01:14 Incorrect Error: Error in the download process
    Update 04/22/07 14:01:08 Incorrect Error: Error in the download process
    Adware detected: adware/adsmart 04/22/07 13:58:48 Eliminated Location: c:\windows\system32\kernels32.exe
    Spyware detected: Cookie/Statcounter 04/22/07 08:51:28 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[1].txt
    Spyware detected: Cookie/Statcounter 04/22/07 08:51:23 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[1].txt
    Spyware detected: Cookie/Statcounter 04/22/07 08:51:23 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[2].txt
    Spyware detected: Cookie/Statcounter 04/22/07 08:51:13 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[1].txt
    Update 04/22/07 08:28:56 OK New threat signatures: 333
    Spyware detected: Cookie/Atlas DMT 04/22/07 00:22:03 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@atdmt[1].txt
    Spyware detected: Cookie/FastClick 04/22/07 00:22:03 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[1].txt
    Spyware detected: Cookie/FastClick 04/22/07 00:22:02 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[2].txt
    Spyware detected: Cookie/YieldManager 04/22/07 00:22:01 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@ad.yieldmanager[2].txt
    Spyware detected: Cookie/YieldManager 04/22/07 00:22:01 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@ad.yieldmanager[1].txt
    Spyware detected: Cookie/FastClick 04/22/07 00:21:59 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[2].txt
    Spyware detected: Cookie/Atlas DMT 04/22/07 00:21:59 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@atdmt[1].txt
    Spyware detected: Cookie/FastClick 04/22/07 00:21:59 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[1].txt
    Spyware detected: Cookie/Statcounter 04/22/07 00:21:57 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@statcounter[1].txt
    Spyware detected: Cookie/RealMedia 04/22/07 00:20:11 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@realmedia[1].txt
    Spyware detected: Cookie/Advertising 04/22/07 00:17:32 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@advertising[1].txt
    Spyware detected: Cookie/Tribalfusion 04/22/07 00:13:16 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@tribalfusion[1].txt
    Spyware detected: Cookie/Advertising 04/22/07 00:10:43 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@advertising[1].txt
    Spyware detected: Cookie/FastClick 04/22/07 00:06:47 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@fastclick[1].txt
    Spyware detected: Cookie/Traffic Marketplace 04/22/07 00:04:35 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@trafficmp[1].txt
    Spyware detected: Cookie/Traffic Marketplace 04/22/07 00:04:35 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@trafficmp[2].txt
    Spyware detected: Cookie/Traffic Marketplace 04/22/07 00:04:35 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@trafficmp[3].txt



    It seemed to find a lot of issues that it hadn't before. Hope this may help. Notice that it found Trojan.virtumod in the Online TV folder which is
    what I believe started all of this.


    Also, I only have 1 account user on the computer (with administration privileges).

    Was disappointed to see the pop-up windows still come up as I tried to post this last message. I'll do what it takes to try and get this clean.
    Hoping not to have to go the route of reformatting, but if that's what it's going to take, then so be it.

    Thanks yet again for your help.
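An added example, not from the original thread and not Panda's own tooling: a Python parser for incident-report lines of the format posted above, with a defender's triage pass that flags binaries in the Windows system directories carrying random-looking names (the vexga* and dlh9jkd1q* hits) or names that mimic a real system file (kernels32.exe), groups them into families by prefix, and surfaces the failed signature update. The sample lines are a subset copied from the report above; the name heuristics and the well-known-name list are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: a subset of lines copied from the Panda Antivirus + Firewall 2007
# incident report quoted in this post. Paths are exactly as the report printed them.
PANDA_LOG = r"""
Virus detected: Trj/Shutdown.Z 04/22/07 15:51:44 Disinfected Location: c:\documents and settings\daddy\doctorweb\quarantine\a0186769.exe
Virus detected: Trj/Spamer.BB 04/22/07 15:14:00 Disinfected Location: c:\windows\system32\vexga8me6.exe
Virus detected: W32/Sdbot.JYK.worm 04/22/07 15:14:00 Disinfected Location: c:\windows\system32\vexga4m1et4.exe
Virus detected: Trj/Clicker.AAS 04/22/07 15:13:59 Disinfected Location: c:\windows\system32\vexga3me2.exe
Virus detected: Trj/Disablekey.BF 04/22/07 15:13:04 Disinfected Location: c:\windows\system32\max1d164v.exe
Adware detected: Adware/Adsmart 04/22/07 15:12:36 Eliminated Location: c:\windows\system32\dlh9jkd1q1.exe
Adware detected: adware/spymarshal 04/22/07 14:52:04 Eliminated Location: c:\windows\xpupdate.exe
Tracking program detected: Application/BraveSentry 04/22/07 14:46:32 Eliminated Location: c:\program files\bravesentry\bravesentry2.dll
Virus detected: Trj/Shutdown.Z 04/22/07 14:43:03 Disinfected Location: c:\documents and settings\daddy\desktop\smitfraudfix\restart.exe
Spyware detected: Cookie/Atlas DMT 04/22/07 00:22:03 Eliminated Location: c:\documents and settings\daddy\cookies\daddy@atdmt[1].txt
Update 04/22/07 14:01:14 Incorrect Error: Error in the download process
Update 04/22/07 08:28:56 OK New threat signatures: 333
Adware detected: adware/adsmart 04/22/07 13:58:48 Eliminated Location: c:\windows\system32\kernels32.exe
"""

# One report line: "<event text> MM/DD/YY HH:MM:SS <result> <additional information>"
LINE_RE = re.compile(
    r"^(?P<event>.+?) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<result>\S+) (?P<info>.*)$"
)

@dataclass
class Event:
    category: str   # "Virus detected", "Adware detected", "Update", ...
    threat: str     # "Trj/Shutdown.Z"; empty for update events
    timestamp: str  # "MM/DD/YY HH:MM:SS" as printed by Panda
    result: str     # "Disinfected", "Eliminated", "OK", "Incorrect"
    path: str       # file the event refers to, or "" when there is none

def parse_panda_report(text):
    """Turn report lines into Event records; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        category, _, threat = m["event"].partition(": ")
        info = m["info"]
        path = info[len("Location: "):] if info.startswith("Location: ") else ""
        events.append(Event(category, threat, f"{m['date']} {m['time']}", m["result"], path))
    return events

# Assumptions of this example: which directories count as "system" and which
# well-known file names a dropped binary might be imitating.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
WELL_KNOWN = {"kernel32", "svchost", "lsass", "csrss", "winlogon", "services", "explorer"}

def looks_random(stem):
    """Heuristic: letters and digits interleaved several times, as in vexga8me6."""
    digits = sum(ch.isdigit() for ch in stem)
    flips = sum(a.isdigit() != b.isdigit() for a, b in zip(stem, stem[1:]))
    return digits >= 2 and flips >= 3

def edit_distance_le1(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1; j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra character in a
        elif len(b) > len(a):
            j += 1          # extra character in b
        else:
            i += 1; j += 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1

def suspicious_binaries(events):
    """Binaries in system directories whose names look random or imitate a system file."""
    flagged = []
    for ev in events:
        low = ev.path.lower()
        if not low.endswith((".exe", ".dll", ".sys")) or not low.startswith(SYSTEM_DIRS):
            continue
        stem = PureWindowsPath(low).stem
        reason = "random-looking name" if looks_random(stem) else None
        if reason is None:
            for name in WELL_KNOWN:
                if stem != name and edit_distance_le1(stem, name):
                    reason = f"lookalike of {name}"
                    break
        if reason:
            flagged.append((ev.path, ev.threat, reason))
    return flagged

def families(flagged, prefix_len=4):
    """Group flagged file stems by prefix; the vexga* and dlh9jkd1q* drops cluster this way."""
    groups = defaultdict(list)
    for path, _, _ in flagged:
        stem = PureWindowsPath(path).stem
        groups[stem[:prefix_len]].append(stem)
    return dict(groups)

def summarize(events):
    """Counts per (category, result), plus timestamps of failed signature updates."""
    counts = Counter((ev.category, ev.result) for ev in events)
    failed = [ev.timestamp for ev in events if ev.category == "Update" and ev.result != "OK"]
    return counts, failed
```

Running `summarize` and `suspicious_binaries` over the full report shows the same families Panda cleaned at 15:13 to 15:14 and the 14:01 update failure, which is worth checking before trusting the scan's verdict.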

  2. #22
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538


    Who uses the computer besides you? These latest scans have indicated reasons for the problems you are having.
    PCBug Doctor v1.0.0.4 Trial to Full by Great Elmo!!.EXE;C:\Documents and Settings\All Users\Documents;Tool.GameCrack;Incurable.Moved.;

    C:\Documents and Settings\Daddy\Desktop\Online TV Player 3.0.920 Plus Crack;Trojan.Virtumod;Deleted.;

    Let's clean the System Restore files. Follow these instructions; make sure you turn SR off, reboot, then turn SR back on.
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

    No Smitfraud infection; you can delete that tool. In fact, delete all tools we downloaded for the fix so far except Dr. Web.

    Since these are redirects, let's look for a hidden Wareout infection:
    Thanks to LonnyBJones and anyone else who helped with this fix.

    1) Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

    2) Now let's do a good cleaning like this:
    * Clean your Cache and Cookies in IE:
    • Close all instances of Outlook Express and Internet Explorer
    • Go to Control Panel > Internet Options > General tab
    • Click the "Delete Cookies" button
    • Next to it, Click the "Delete Files" button
    • When prompted, place a check in: "Delete all offline content", click OK
    * Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
    • Go to Tools > Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.
    * Clean other Temporary files + Recycle bin
    • Go to start > run and type: cleanmgr and click ok.
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.


    Make sure you clean out the Prefetch folder:
    http://www.tunexp.com/tips/maintain_...e_performance/
    NOTE** your computer may run a little slower for a boot or two until Windows repopulates Prefetch with needed files.

    3) Now run Dr. Web again and post the results of the scan along with the report from Fixwareout and a new HJT log.

    Thanks
    Last edited by pskelley; 2007-04-21 at 23:00. Reason: add information
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #23
    Junior Member
    Join Date
    Apr 2007
    Location
    Delaware
    Posts
    21


    The PCBug Doctor was an uninstall. I missed this the other time around and tried to uninstall it. It's gone now. The Online TV Player program was the torrent I went and regrabbed in case you wanted to look at it (since this was the cause of the issue). Since you didn't, it's also now deleted.

    I turned off System Restore and turned it back on. Here's the FixWareout log:


    Fixwareout Last edited 4/5/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check

    »»»»» System restarted

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    ....
    »»»»» Misc files.
    C:\Documents and Settings\Daddy\Application Data\Install.dat Deleted
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other



    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMixerTray"="C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NvMixerTray.exe"
    "SecureClean4RegManager"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\scregmanager4.exe\""
    "SecureClean4Tray"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\sctray4.exe\""
    "D-Link AirPlus XtremeG"="G:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe"
    "ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
    "RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
    "RoxioDragToDisc"="\"G:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
    "RoxioAudioCentral"="\"G:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
    "Windows Defender"="\"G:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "APVXDWIN"="\"G:\\Program Files\\Panda Software\\Panda Antivirus + Firewall 2007\\APVXDWIN.EXE\" /s"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CursorXP"="G:\\Program Files\\CursorXP\\CursorXP.exe"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»



    A run of Dr. Web again came up completely empty. No baddies found. Since there were no baddies, I couldn't generate a report.

    I cleaned out all my cookies, cache and prefetch folder. Here's the latest HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:17:09 PM, on 4/22/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    G:\Program Files\Windows Defender\MsMpEng.exe
    G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
    G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
    C:\WINDOWS\system32\svchost.exe
    G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
    C:\WINDOWS\system32\svchost.exe
    g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
    C:\WINDOWS\system32\spoolsv.exe
    G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    G:\Program Files\Diskeeper\DkService.exe
    G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
    G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
    C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
    G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
    C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    G:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\psimreal.exe
    G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\avciman.exe
    G:\Program Files\HijackThis\HJT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Brett's Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
    O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
    O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] G:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "G:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "G:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Windows Defender] "G:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [APVXDWIN] "G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121385835968
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CachemanXP (CachemanXPService) - OuterTechnologies - G:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - G:\Program Files\Diskeeper\DkService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
    O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - g:\program files\panda software\panda antivirus + firewall 2007\firewall\PNMSRV.EXE
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
    O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - G:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
    O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
    O23 - Service: Panda TPSrv (TPSrv) - Panda Software - G:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    As always, thanks for the help.

  4. #24
    Junior Member
    Join Date
    Apr 2007
    Location
    Delaware
    Posts
    21


    Still getting the pop-ups. Not sure if this will help you or not, but I noticed that there are 3 folders sitting in my c:\Program Files directory that are bogus. They are:

    C:\Program Files\xerox
    C:\Program Files\msn gaming zone
    C:\Program Files\microsoft frontpage

    I couldn't delete them so I booted into safe mode and was successfully able to delete them. However, on reboot they reappeared again.

  5. #25
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538


    OK Brett, let's discuss this a bit. First you need to understand that the crack (illegal) is not all that is downloaded; often these sites send junk along with it that is hard, if not near impossible, to find. I am also seeing any one of a dozen programs in your uninstall list that may well have come with adware to create popups. I do not have the time to have every user remove the junk one by one to see if we can find the hidden item causing the problem. You might consider when this all started and start looking at the installation dates of programs to see if you can spot something installed around the time the popups started.
    I see this in the log: http://www.excite.com/ and I thought we removed it? It could well be creating popups. Please look under options in your Google toolbar and make sure the popup blocker is activated.

    C:\Program Files\xerox
    C:\Program Files\msn gaming zone
    C:\Program Files\microsoft frontpage
    I would look hard at those, even though they look legit, hackers call their junk whatever they want. Open them and look at the files, scan the files with these tools:
    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/flash/index_en.html
    They do not look like Windows files, look at properties of the files. There should be no reason you can't delete them, you did say there is only one user account, is it also the administrative account? You may need administrative rights to remove them?

    Keep in mind that the Guard function in AVG Anti-Spyware might also block changes. If need be uninstall the program and try it then, make sure Windows Defender is disabled also.

    I see no problems in the HJT log. I see Fixwareout did remove one .dat file. It also reset your hosts file so there is no reason to look there.
    Let's have another look for a hidden rootkit. This is a new tool so we will be using it for the first time together; just follow the instructions:

    Please read this information before you proceed,
    if programs are running the results will be affected as described.
    http://www.sophos.com/readmes/readsar.txt

    Please download Sophos Anti-Rootkit,and save it on your desktop.
    http://www.sophos.com/products/free-...i-rootkit.html
    1. Double-click sarsfx.exe to extract the files and leave the default settings.
    2. Open the folder C:\SOPHTEMP and double-click sargui.exe to start the program.
    3. Make sure the following are checked:
    - Running processes
    - Windows Registry
    - Local Hard Drives
    4. Click the "Start Scan" button.
    5. Click the "OK" button after you get the notification that the scan has finished and close the program.
    6. Click on Start>Run and type, or copy and paste:-
    %temp%\sarscan.log
    then press Enter.
    7. This should open the log from the rootkit scan.
    Post the log into your next reply.
    Note: If the scan is performed while the computer is in use, false positives may appear in the scan results.
    This is caused by files or registry entries being deleted,including temporary files being deleted automatically.

    Let's also look at the results from this scanner:

    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

    Post the combofix log and the results from the rootkit scan and any comments you think will help.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #26
    Junior Member
    Join Date
    Apr 2007
    Location
    Delaware
    Posts
    21


    Good morning,
    Here's the latest based on your last reply:

    1) The http://www.excite.com is the home page setting. We removed the http://www.excite.com from the "Trusted Zones" of IE.

    2) The reason I'm suspicious about those directories I mentioned earlier is that they supposedly contain no files in them (right clicking on properties shows 0 files), yet they continually can't be deleted. Also, I'm suspicious of their naming convention because of their lack of capitalization. Unfortunately, I couldn't run the online virus scan for individual files because there supposedly aren't any in those folders and the online sites wouldn't allow me to upload folders.

    3) I disabled the real-time guards for Windows Defender and AVG. Here are the results of Sophos:

    Sophos Anti-Rootkit Version 1.2 (data 1.01) (c) 2006 Sophos Plc
    Started logging on 4/23/2007 at 10:41:04 AM
    Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters\SymbolicLinkValue
    Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\a347scsi\Config\jdgg40
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012004072220040723
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Microsoft\Windows Media\WMSDK\General\ComputerName
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Automation Protocols
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Suffixes\video/x-ivf
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\User Trusted External Applications\G:\PROGRA~1\DAP\DAP.EXE
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Netscape\Netscape Navigator\Viewers\video/x-ivf
    Hidden: registry item \HKEY_USERS\S-1-5-18\Software\Pinnacle Systems\Studio 9\Preferences\SmartSound Folder
    Stopped logging on 4/23/2007 at 10:44:49 AM

    Not sure what that DAP.EXE file is. I couldn't locate the directory...but I think DAP might've been a download accelerator freeware program that no longer resides on my comp.

    4) Here's the results of combofix:

    "Daddy" - 07-04-23 10:52:25 Service Pack 2
    ComboFix 07-04-21.2V - Running from: C:\Documents and Settings\Daddy\Desktop\


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\dlh9jkd1q2.exe
    C:\WINDOWS\system32\dlh9jkd1q6.exe
    C:\WINDOWS\system32\dlh9jkd1q7.exe
    C:\WINDOWS\system32\dlh9jkd1q8.exe
    C:\WINDOWS\system32\vexg4am1et2.exe
    C:\WINDOWS\system32\vexga5me3.exe
    C:\WINDOWS\system32\bund1\temp.txt
    C:\Documents and Settings\All Users.\documents\settings
    C:\WINDOWS\system32\bund1


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\nm
    -------\LEGACY_NM
    -------\LEGACY_NPF


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-23 to 2007-04-23 ))))))))))))))))))))))))))))))))))


    2007-04-23 10:40 <DIR> d-------- C:\SOPHTEMP
    2007-04-23 00:11 <DIR> d-------- C:\Program Files\msn gaming zone
    2007-04-23 00:11 <DIR> d-------- C:\Program Files\microsoft frontpage
    2007-04-22 14:36 <DIR> d-------- C:\DOCUME~1\Daddy\DoctorWeb
    2007-04-22 14:27 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-04-22 14:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-04-21 21:10 106 --a------ C:\delete.bat
    2007-04-19 22:08 3,156 --a------ C:\WINDOWS\system32\tmp.reg
    2007-04-19 21:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
    2007-04-19 21:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DivX
    2007-04-18 20:34 97,280 --a------ C:\VundoFix.exe
    2007-04-18 19:16 71,552 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
    2007-04-18 19:01 9,216 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
    2007-04-18 19:01 44,544 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
    2007-04-18 19:01 36,864 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
    2007-04-18 19:01 23,296 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
    2007-04-18 19:01 185,472 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
    2007-04-18 19:01 181,696 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
    2007-04-18 19:01 16,256 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
    2007-04-18 19:01 141,312 --a------ C:\WINDOWS\system32\drivers\netflt.sys
    2007-04-18 19:01 103,936 --a------ C:\WINDOWS\system32\drivers\netfltdi.sys
    2007-04-18 19:01 <DIR> d-------- C:\WINDOWS\system32\PAV
    2007-04-18 19:00 57,344 --a------ C:\WINDOWS\system32\pavipc.dll
    2007-04-18 19:00 45,056 --a------ C:\WINDOWS\system32\avldr.dll
    2007-04-18 19:00 245,760 --a------ C:\WINDOWS\system32\PavSHook.dll
    2007-04-18 19:00 16,640 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
    2007-04-18 19:00 139,264 --a------ C:\WINDOWS\system32\TpUtil.dll
    2007-04-18 19:00 101,888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
    2007-04-18 18:52 26,752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
    2007-04-18 18:52 165,120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
    2007-04-17 21:07 <DIR> d-------- C:\Program Files\Common Files\Panda Software
    2007-04-17 00:17 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-16 23:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-04-16 08:33 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
    2007-04-16 08:32 <DIR> d-------- C:\WINDOWS\system32\micro1


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-21 21:41 -------- d-------- C:\DOCUME~1\Daddy\APPLIC~1\utorrent
    2007-04-20 20:21 8786 --a------ C:\WINDOWS\mozver.dat
    2007-04-18 19:00 -------- d--h----- C:\Program Files\installshield installation information
    2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
    2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
    2007-03-08 11:36 40960 --------- C:\WINDOWS\system32\mf3216.dll
    2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
    2007-03-08 09:47 1843584 --------- C:\WINDOWS\system32\win32k.sys
    2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "NvMixerTray"="C:\\Program Files\\NVIDIA Corporation\\NvMixer\\NvMixerTray.exe"
    "SecureClean4RegManager"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\scregmanager4.exe\""
    "SecureClean4Tray"="\"C:\\Program Files\\WhiteCanyon\\SecureClean 4\\sctray4.exe\""
    "D-Link AirPlus XtremeG"="G:\\Program Files\\D-Link\\AirPlus XtremeG\\AirPlusCFG.exe"
    "ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
    "RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
    "RoxioDragToDisc"="\"G:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
    "RoxioAudioCentral"="\"G:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
    "Windows Defender"="\"G:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "APVXDWIN"="\"G:\\Program Files\\Panda Software\\Panda Antivirus + Firewall 2007\\APVXDWIN.EXE\" /s"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CursorXP"="G:\\Program Files\\CursorXP\\CursorXP.exe"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLowDiskSpaceChecks"=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{E1DADA05-3E74-43B0-B3CE-FC347DB7C76B}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="gcasServ"
    "hkey"="HKLM"
    "command"="\"G:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"G:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SP2 Connection Patcher]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SP2ConnPatcher"
    "hkey"="HKCU"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SpyCatcher"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc535920-fc72-11d9-a5ab-000d8858167a}]
    Shell\AutoRun\command setupSNK.exe
    *newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MEMSWEEP2


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-23 10:53:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 07-04-23 10:54:01
    C:\ComboFix-quarantined-files.txt ... 07-04-23 10:54


    5) Just a couple of notes regarding the behavior of the pop-ups:

    a) I don't get any pop-ups when I first boot the PC. They don't start until I try to open a browser window. So if I go into a game (i.e. Guild Wars) after booting, I don't seem to get any pop-ups.

    b) When I surf the web in "Safe Mode with Networking", I don't get any pop-ups.

    c) Another experience that may help...I entered the phrase "Panda Scan" in the search box toolbar (points to google) of IE. A pop-up occurred with the phrase "a Scan" entered into the pop-up site (wish I could remember what site it was, but I didn't write it down). Looks like it missed the "Pand" part of the phrase I entered in the search box and only got the last couple of characters (processor was probably busy at time). Not sure if this behavior helps explain anything, but thought I'd mention it.

    Thanks,
    Brett
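One way to read a ComboFix new-file listing like the one above, as an added example that is not ComboFix code and not something the poster ran: group the entries into bursts by creation time, then flag any burst that contains a kernel driver. A dropper and what it writes usually land within a minute or two of each other, so a flat list turns into a handful of events the analyst can explain one by one. The sample lines are excerpted from the listing posted above; the 15-minute window and the "burst contains a .sys" flag are assumptions chosen for this example.

```python
"""Cluster a ComboFix-style new-file listing by creation time.

Added example for this thread; it is not ComboFix code and not something the
poster ran.  The sample lines are excerpted from the listing posted above;
the 15-minute window and the driver flag are assumptions for the example.
"""
import re
from datetime import datetime, timedelta

# Excerpt of the listing above (constructed sample input: one or two lines
# kept per burst of activity, so the clustering is easy to follow).
SAMPLE_LISTING = """\
2007-04-22 14:27 51,200 --a------ C:\\WINDOWS\\system32\\dumphive.exe
2007-04-22 14:27 288,417 --a------ C:\\WINDOWS\\system32\\SrchSTS.exe
2007-04-21 21:10 106 --a------ C:\\delete.bat
2007-04-18 19:16 71,552 --a------ C:\\WINDOWS\\system32\\drivers\\pavdrv51.sys
2007-04-18 19:01 9,216 --a------ C:\\WINDOWS\\system32\\drivers\\fnetmon.sys
2007-04-18 19:00 57,344 --a------ C:\\WINDOWS\\system32\\pavipc.dll
2007-04-18 18:52 26,752 --a------ C:\\WINDOWS\\system32\\drivers\\ShldDrv.sys
2007-04-17 21:07 <DIR> d-------- C:\\Program Files\\Common Files\\Panda Software
2007-04-16 08:33 72,320 --a------ C:\\WINDOWS\\system32\\drivers\\core.sys
2007-04-16 08:32 <DIR> d-------- C:\\WINDOWS\\system32\\micro1
"""

# "date time size attributes path", as the new-file section prints it.
# Find3M lines use a different layout and are skipped on purpose.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-zA-Z]{9}) (?P<path>.+)$"
)


def parse_listing(text):
    """Return [(created, path, is_dir)] sorted oldest first."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, Find3M lines
        created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append((created, m["path"], m["attrs"].startswith("d")))
    return sorted(entries)


def cluster(entries, window=timedelta(minutes=15)):
    """Greedy single-linkage: an entry joins the current burst if it was
    created within `window` of the burst's latest member."""
    bursts = []
    for entry in entries:
        if bursts and entry[0] - bursts[-1][-1][0] <= window:
            bursts[-1].append(entry)
        else:
            bursts.append([entry])
    return bursts


def driver_bursts(text, window=timedelta(minutes=15)):
    """Bursts that include a kernel driver (.sys).  A driver is loaded at boot
    from its service key, before any user-mode scanner runs, so a driver that
    no known product install accounts for is the item to explain first."""
    flagged = []
    for burst in cluster(parse_listing(text), window):
        paths = [path for _, path, _ in burst]
        if any(p.lower().endswith(".sys") for p in paths):
            flagged.append((burst[0][0].strftime("%Y-%m-%d %H:%M"), paths))
    return flagged


if __name__ == "__main__":
    for start, paths in driver_bursts(SAMPLE_LISTING):
        print(f"burst starting {start}:")
        for p in paths:
            print("   ", p)
```

On the excerpt this prints two bursts. The 2007-04-18 burst is the Panda Antivirus install (its Program Files folder appears at 2007-04-17 21:07 and the drivers carry the vendor's pav/Shld names), which leaves 2007-04-16 08:32: a bare "micro1" directory in system32 followed one minute later by drivers\core.sys, with nothing in the log to account for it. Two caveats: the times are whatever the filesystem says, and malware can set them, so a burst is a lead rather than proof; and the flag fires on any driver install, which is why the analyst still has to explain each burst rather than trust the script.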

  7. #27
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538


    To tell you the truth, I have about exhausted my thoughts. Since the pop-ups don't start until you open a browser, my guess is they are coming from online. If it was something on the computer, they would pop up whether you are online or not.
    I also get pop-ups, and the Google Toolbar stops 99% of them for me; install it and give it a try.
    http://toolbar.google.com/T4/index_pack.html
    When you download it, accept only the toolbar and pop-up blocker. They will try to get you to check a lot of junk that is eye candy and resource wasters. Once you get it in place, make sure you check under Options that the pop-up blocker is activated. Let me know if it helps.

    I do not have the time to look over those reports from Sophos and ComboFix; a quick glance showed nothing. I normally avoid logs on Sunday...my day of rest.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #28
    Junior Member
    Join Date
    Apr 2007
    Location
    Delaware
    Posts
    21

    No problem. I really want to express my thanks to you for helping me with this issue. You guys/gals provide a terrific service for the online community, often a thankless job. Keep up the good fight.

  9. #29
    Junior Member
    Join Date
    Apr 2007
    Location
    Delaware
    Posts
    21

    All clean. Looks like the final missing piece to this puzzle was solved by Spy Sweeper. Here's the log:

    10:06 PM: Removal process completed. Elapsed time 00:00:20
    10:06 PM: A reboot was required but declined.
    10:06 PM: Quarantining All Traces: zedo cookie
    10:06 PM: Quarantining All Traces: burstnet cookie
    10:06 PM: Quarantining All Traces: videodome cookie
    10:06 PM: Quarantining All Traces: tribalfusion cookie
    10:06 PM: Quarantining All Traces: trafficmp cookie
    10:06 PM: Quarantining All Traces: targetnet cookie
    10:06 PM: Quarantining All Traces: webtrendslive cookie
    10:06 PM: Quarantining All Traces: valuead cookie
    10:06 PM: Quarantining All Traces: realmedia cookie
    10:06 PM: Quarantining All Traces: mediaplex cookie
    10:06 PM: Quarantining All Traces: imrworldwide.com cookie
    10:06 PM: Quarantining All Traces: goclick cookie
    10:06 PM: Quarantining All Traces: fortunecity cookie
    10:06 PM: Quarantining All Traces: findwhat cookie
    10:06 PM: Quarantining All Traces: excite cookie
    10:06 PM: Quarantining All Traces: exitexchange cookie
    10:06 PM: Quarantining All Traces: 2o7.net cookie
    10:06 PM: Quarantining All Traces: atlas dmt cookie
    10:06 PM: Quarantining All Traces: tacoda cookie
    10:06 PM: Quarantining All Traces: yieldmanager cookie
    10:06 PM: Quarantining All Traces: websponsors cookie
    10:06 PM: Quarantining All Traces: drsnsrch.com hijack
    10:06 PM: HKLM: system\controlset001\services\core\ is in use. It will be removed on reboot.
    10:06 PM: C:\WINDOWS\system32\drivers\core.sys is in use. It will be removed on reboot.
    10:06 PM: core adware is in use. It will be removed on reboot.
    10:06 PM: Quarantining All Traces: core adware
    10:06 PM: Quarantining All Traces: trojan-dropper-micro1
    10:06 PM: Quarantining All Traces: virtumonde
    10:06 PM: Removal process initiated
    9:57 PM: Traces Found: 39
    9:57 PM: Custom Sweep has completed. Elapsed time 00:43:38
    9:57 PM: File Sweep Complete, Elapsed Time: 00:41:17
    9:45 PM: Warning: TCompressedFile.GetStreams(1): Stream read error
    9:37 PM: Warning: TCompressedFile.GetStreams(1): Stream read error
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:34 PM: Warning: Unable to sweep compressed file: TVolume.Read: read past end of volume size: 0 reading cluster: 0
    9:33 PM: ApplicationMinimized - EXIT
    9:33 PM: ApplicationMinimized - ENTER
    9:26 PM: Warning: SweepDirectories: Cannot find directory "e:". This directory was not added to the list of paths to be scanned.
    9:24 PM: Warning: Failed to open file "c:\documents and settings\daddy\application data\mozilla\firefox\profiles\default.3sr\parent.lock". The operation completed successfully
    9:23 PM: C:\WINDOWS\system32\drivers\core.sys (ID = 513403)
    9:16 PM: C:\WINDOWS\system32\micro1 (ID = 2147550659)
    9:16 PM: Found Trojan Horse: trojan-dropper-micro1
    9:16 PM: Starting File Sweep
    9:16 PM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
    9:16 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@zedo[1].txt (ID = 3762)
    9:16 PM: Found Spy Cookie: zedo cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@www.burstnet[1].txt (ID = 2337)
    9:16 PM: Found Spy Cookie: burstnet cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@videodome[2].txt (ID = 3638)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@videodome[1].txt (ID = 3638)
    9:16 PM: Found Spy Cookie: videodome cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@tribalfusion[3].txt (ID = 3589)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@tribalfusion[1].txt (ID = 3589)
    9:16 PM: Found Spy Cookie: tribalfusion cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@trafficmp[3].txt (ID = 3581)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@trafficmp[1].txt (ID = 3581)
    9:16 PM: Found Spy Cookie: trafficmp cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@targetnet[1].txt (ID = 3489)
    9:16 PM: Found Spy Cookie: targetnet cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@tacoda[3].txt (ID = 6444)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@tacoda[2].txt (ID = 6444)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@statse.webtrendslive[2].txt (ID = 3667)
    9:16 PM: Found Spy Cookie: webtrendslive cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@reduxads.valuead[2].txt (ID = 3627)
    9:16 PM: Found Spy Cookie: valuead cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@realmedia[1].txt (ID = 3235)
    9:16 PM: Found Spy Cookie: realmedia cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@mediaplex[1].txt (ID = 6442)
    9:16 PM: Found Spy Cookie: mediaplex cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@imrworldwide[2].txt (ID = 2845)
    9:16 PM: Found Spy Cookie: imrworldwide.com cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@goclick[2].txt (ID = 2732)
    9:16 PM: Found Spy Cookie: goclick cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@fortunecity[1].txt (ID = 2686)
    9:16 PM: Found Spy Cookie: fortunecity cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@findwhat[1].txt (ID = 2674)
    9:16 PM: Found Spy Cookie: findwhat cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@exitexchange[3].txt (ID = 2633)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@exitexchange[2].txt (ID = 2633)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@excite[2].txt (ID = 2631)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@excite[1].txt (ID = 2631)
    9:16 PM: Found Spy Cookie: excite cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@count4.exitexchange[1].txt (ID = 2634)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@count1.exitexchange[1].txt (ID = 2634)
    9:16 PM: Found Spy Cookie: exitexchange cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@cartoonnetwork.122.2o7[1].txt (ID = 1958)
    9:16 PM: Found Spy Cookie: 2o7.net cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@atdmt[3].txt (ID = 2253)
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@atdmt[2].txt (ID = 2253)
    9:16 PM: Found Spy Cookie: atlas dmt cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@anad.tacoda[1].txt (ID = 6445)
    9:16 PM: Found Spy Cookie: tacoda cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@ad.yieldmanager[2].txt (ID = 3751)
    9:16 PM: Found Spy Cookie: yieldmanager cookie
    9:16 PM: c:\documents and settings\daddy\cookies\daddy@a.websponsors[1].txt (ID = 3665)
    9:16 PM: Found Spy Cookie: websponsors cookie
    9:16 PM: Starting Cookie Sweep
    9:16 PM: Registry Sweep Complete, Elapsed Time:00:00:16
    9:16 PM: HKU\S-1-5-21-2000478354-1708537768-1060284298-1004\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
    9:16 PM: Found Adware: drsnsrch.com hijack
    9:16 PM: HKLM\system\controlset002\services\core\ (ID = 2118420)
    9:16 PM: HKLM\system\controlset002\enum\root\legacy_core\ (ID = 2118399)
    9:16 PM: HKLM\system\controlset001\services\core\ (ID = 2118343)
    9:16 PM: HKLM\system\controlset001\enum\root\legacy_core\ (ID = 2118323)
    9:16 PM: Found Adware: core adware
    9:16 PM: HKLM\software\microsoft\uniqdata\ (ID = 1997747)
    9:16 PM: Found Adware: virtumonde
    9:15 PM: Starting Registry Sweep
    9:15 PM: Memory Sweep Complete, Elapsed Time: 00:01:58
    9:13 PM: Starting Memory Sweep
    9:13 PM: Start Custom Sweep
    9:13 PM: Sweep initiated using definitions version 902
    9:11 PM: The Internet Communication shield has blocked access to: WWW.THESERIALS.COM
    9:11 PM: The Internet Communication shield has blocked access to: WWW.THESERIALS.COM
    Keylogger: Off
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites: Off
    Hosts File Shield: On
    Internet Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: Off
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    9:08 PM: Shield States
    9:08 PM: Spyware Definitions: 902
    9:06 PM: Spy Sweeper 5.3.2.2361 started
    9:06 PM: Spy Sweeper 5.3.2.2361 started
    9:06 PM: | Start of Session, Thursday, April 26, 2007 |
    ***************
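The log above says "A reboot was required but declined", and the lines just before it name what is still live: the core service key in ControlSet001 and drivers\core.sys itself. As an added example (not Webroot's code and not something the poster ran), this parser turns a Spy Sweeper-style log into a list of what to verify after the reboot, and also pulls out which control sets the registry traces touched, since a service registered in both ControlSet001 and ControlSet002 survives a "Last Known Good Configuration" boot. The sample is an excerpt constructed from the lines above; only the message formats shown there are handled, and the log is read bottom-up because the product writes newest lines first.

```python
"""Build a post-reboot verification list from a Spy Sweeper-style log.

Added example for this thread, not Webroot's code.  The sample is an excerpt
constructed from the log posted above; the line formats handled are exactly
the ones that appear there, and the product writes newest lines first, so
the parser walks the text in reverse to get chronological order.
"""
import re

SAMPLE_LOG = """\
10:06 PM: Removal process completed. Elapsed time 00:00:20
10:06 PM: A reboot was required but declined.
10:06 PM: Quarantining All Traces: zedo cookie
10:06 PM: Quarantining All Traces: drsnsrch.com hijack
10:06 PM: HKLM: system\\controlset001\\services\\core\\ is in use. It will be removed on reboot.
10:06 PM: C:\\WINDOWS\\system32\\drivers\\core.sys is in use. It will be removed on reboot.
10:06 PM: core adware is in use. It will be removed on reboot.
10:06 PM: Quarantining All Traces: core adware
10:06 PM: Quarantining All Traces: trojan-dropper-micro1
10:06 PM: Quarantining All Traces: virtumonde
10:06 PM: Removal process initiated
9:57 PM: Traces Found: 39
9:23 PM: C:\\WINDOWS\\system32\\drivers\\core.sys (ID = 513403)
9:16 PM: C:\\WINDOWS\\system32\\micro1 (ID = 2147550659)
9:16 PM: Found Trojan Horse: trojan-dropper-micro1
9:16 PM: c:\\documents and settings\\daddy\\cookies\\daddy@zedo[1].txt (ID = 3762)
9:16 PM: Found Spy Cookie: zedo cookie
9:16 PM: HKU\\S-1-5-21-2000478354-1708537768-1060284298-1004\\software\\microsoft\\search assistant\\ || defaultsearchurl (ID = 128205)
9:16 PM: Found Adware: drsnsrch.com hijack
9:16 PM: HKLM\\system\\controlset002\\services\\core\\ (ID = 2118420)
9:16 PM: HKLM\\system\\controlset002\\enum\\root\\legacy_core\\ (ID = 2118399)
9:16 PM: HKLM\\system\\controlset001\\services\\core\\ (ID = 2118343)
9:16 PM: HKLM\\system\\controlset001\\enum\\root\\legacy_core\\ (ID = 2118323)
9:16 PM: Found Adware: core adware
9:16 PM: HKLM\\software\\microsoft\\uniqdata\\ (ID = 1997747)
9:16 PM: Found Adware: virtumonde
"""

STAMP = re.compile(r"^(?P<t>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
FOUND = re.compile(r"^Found (?P<cat>[^:]+): (?P<name>.+)$")
TRACE = re.compile(r"^(?P<what>.+?) \(ID = \d+\)$")
QUAR = re.compile(r"^Quarantining All Traces: (?P<name>.+)$")
INUSE = re.compile(r"^(?P<what>.+?) is in use\. It will be removed on reboot\.$")
HIVES = {"HKLM", "HKCU", "HKU", "HKCR"}


def classify(artifact):
    """registry / cookie / file, from the artifact's own text."""
    head = artifact.split("\\", 1)[0].rstrip(":").upper()
    if head in HIVES:
        return "registry"
    if "\\cookies\\" in artifact.lower():
        return "cookie"
    return "file"


def parse_sweep(text):
    report = {"found": {}, "traces": [], "quarantined": [],
              "pending_reboot": [], "reboot_declined": False}
    for line in reversed(text.splitlines()):  # oldest event first
        m = STAMP.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if f := FOUND.match(msg):
            report["found"][f["name"]] = f["cat"]
        elif t := TRACE.match(msg):
            # Trace lines are not labelled with the threat they belong to, so
            # they are kept as a flat list rather than guessed by position.
            report["traces"].append((classify(t["what"]), t["what"]))
        elif q := QUAR.match(msg):
            report["quarantined"].append(q["name"])
        elif u := INUSE.match(msg):
            report["pending_reboot"].append(u["what"])
        elif msg == "A reboot was required but declined.":
            report["reboot_declined"] = True
    return report


def removal_complete(report):
    """False while items the tool could not touch are waiting on a reboot."""
    return not (report["reboot_declined"] and report["pending_reboot"])


def control_sets_touched(report):
    """Which HKLM\\SYSTEM\\ControlSetNNN branches carried traces."""
    sets = set()
    for kind, what in report["traces"]:
        hit = re.search(r"controlset\d{3}", what, re.IGNORECASE)
        if kind == "registry" and hit:
            sets.add(hit.group(0).lower())
    return sets


def verification_checklist(report):
    items = [f"after reboot, confirm gone: {a}" for a in report["pending_reboot"]]
    for cs in sorted(control_sets_touched(report)):
        items.append(f"re-check services\\core and enum\\root\\legacy_core under {cs}")
    return items


if __name__ == "__main__":
    rep = parse_sweep(SAMPLE_LOG)
    print("removal complete:", removal_complete(rep))
    for item in verification_checklist(rep):
        print(" -", item)
```

For this log the script reports the removal as not complete: core.sys and its ControlSet001 service key are still in place until the machine restarts, so the "all clean" verdict only holds after that reboot and a re-scan. The control-set check is the practitioner's caveat: the core service was registered under ControlSet001 and ControlSet002, so looking only at CurrentControlSet, or booting Last Known Good, would have left a copy behind.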

  10. #30
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,612

    Thank you for letting us know. As the problem appears to be resolved, this topic has been archived.

    If you need it re-opened, please send me a private message (PM) and provide a link to the thread. This applies only to the original poster; anyone else with similar problems, please start a new topic.
    UNITE-ASAP

    Microsoft MVP. Consumer Security 2006-2013

    Please help us improve Spybot, download our distributed testing client
