New Malware.j



Egypt
2007-01-16, 00:39
Hello,

I tried reading a post from the archives about McAfee giving warnings about a malware called "New Malware.j"; I didn't really understand it.

My McAfee keeps telling me that my C:\WINDOWS\system32\csrs.exe file is infected by the "New Malware.j" trojan.

My friend recommended that I run this online fixer called HouseCall, and I tried that about three times, but during the scanning my browser will just randomly quit without any pop-up warning or anything.

I am very much in the dark and am wondering how I can get rid of this trojan.

Thanks.

tashi
2007-01-16, 03:10
Hello

Please follow the procedure in this link: "BEFORE you POST" -Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Post the requested information into this topic, and a helper will advise you as soon as available.

Cheers.

Egypt
2007-01-17, 17:06
Hrmm... I did the Panda scan, but when I tried to start my computer in safe mode by pressing F8 at startup, instead of getting a menu which included a safe mode option, I got a "boot menu" where safe mode was nowhere to be found. I'm confused.

Egypt
2007-01-17, 17:14
Anyways, I did not do the safe mode step, since apparently I don't have a safe mode, ahaha. But I did the two log steps, so here they are.

**
Panda scan:


Incident Status Location

Virus:W32/Gaobot.PAS.worm Disinfected Operating system
Virus:trj/multidropper.jb Disinfected Operating system
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jake\Cookies\jake@247realmedia[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jake\Cookies\jake@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jake\Cookies\jake@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jake\Cookies\jake@adrevolver[3].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Jake\Cookies\jake@adtech[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jake\Cookies\jake@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jake\Cookies\jake@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jake\Cookies\jake@atwola[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jake\Cookies\jake@casalemedia[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jake\Cookies\jake@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jake\Cookies\jake@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jake\Cookies\jake@fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jake\Cookies\jake@mediaplex[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Jake\Cookies\jake@realmedia[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jake\Cookies\jake@statcounter[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jake\Cookies\jake@tribalfusion[1].txt
Virus:W32/Gaobot.PAS.worm Disinfected C:\Documents and Settings\Jake\Local Settings\Temp\393638.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mike\Cookies\mike@2o7[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Mike\Cookies\mike@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mike\Cookies\mike@atdmt[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mike\Cookies\mike@casalemedia[1].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Mike\Cookies\mike@citi.bridgetrack[1].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Mike\Cookies\mike@data.coremetrics[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mike\Cookies\mike@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Mike\Cookies\mike@hitbox[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mike\Cookies\mike@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mike\Cookies\mike@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mike\Cookies\mike@overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Mike\Cookies\mike@qksrv[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mike\Cookies\mike@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mike\Cookies\mike@zedo[2].txt
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\MZGPMRW9\popup[1].htm
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mom\Cookies\mom@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mom\Cookies\mom@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mom\Cookies\mom@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mom\Cookies\mom@bs.serving-sys[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mom\Cookies\mom@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Mom\Cookies\mom@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mom\Cookies\mom@doubleclick[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mom\Cookies\mom@serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mom\Cookies\mom@tribalfusion[1].txt
***

Egypt
2007-01-17, 17:15
***

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:40 AM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Intel Driver] Wincbr.exe
O4 - HKLM\..\RunServices: [Intel Driver] Wincbr.exe
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20064142.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

pskelley
2007-01-19, 20:23
Hello and welcome to the forum. If you still need help and are not receiving it elsewhere, let's start like this.

How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [Intel Driver] Wincbr.exe
O4 - HKLM\..\RunServices: [Intel Driver] Wincbr.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked".

RIGHT-click on Start, then click on Explore. Locate and delete these items:

Search for and delete this file: Wincbr.exe

Follow the instructions in this link, make sure you delete or at least quarantine anything the program locates. Save that scan report!
http://forums.security-central.us/showthread.php?t=3165

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the AVG Anti-Spyware scan report and a new HJT log. Let me know how the computer is running now.

Thanks

Egypt
2007-01-19, 22:56
Here is the AVG:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:39:54 PM 1/19/2007

+ Scan result:



C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\WP2F8DQ7\11500[1].exe -> Backdoor.Rbot.adf : No action taken.
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\PKL01F62\11500[1].exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP26\A0003077.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP26\A0003092.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP26\A0003142.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP26\A0003165.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP26\A0003185.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP26\A0003186.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP26\A0003200.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP26\A0003201.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP27\A0003248.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP27\A0003249.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP27\A0003254.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP27\A0003255.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP27\A0003259.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP27\A0003260.exe -> Backdoor.Rbot.adf : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP27\A0003261.exe -> Backdoor.Rbot.adf : No action taken.
C:\WINDOWS\system32\bak\srshost.exe -> Backdoor.Rbot.adf : No action taken.
C:\WINDOWS\system32\winl0gon.exe -> Backdoor.Rbot.adf : No action taken.
C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\KL2FGD6N\l[1].htm -> Downloader.Small.co : No action taken.
C:\Documents and Settings\Jake\Desktop\slsk\adobe photoshop cs2 9.0\adobe photoshop cs2 crack.zip/apcs2ge/Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\Program Files\Adobe\Adobe Photoshop CS2\Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP12\A0001503.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP12\A0001505.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP12\A0001536.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@247realmedia[1].txt -> TrackingCookie.247realmedia : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@sento.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@geosign.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@adrevolver[2].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@com[2].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@media.fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@ehg-foxmovies.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@ehg-youtube.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@qksrv[1].txt -> TrackingCookie.Qksrv : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@anad.tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Mom\Cookies\mom@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Jake\Cookies\jake@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Mike\Cookies\mike@zedo[2].txt -> TrackingCookie.Zedo : No action taken.


::Report end

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:56:17 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\internet explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20064142.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

pskelley
2007-01-19, 23:58
Follow the instructions in this link, make sure you delete or at least quarantine anything the program locates. Save that scan report!
http://forums.security-central.us/showthread.php?t=3165


Scan again and post the logs again. Please read and follow the directions carefully. It does no good to run the tool if you take no action.
Thanks

Egypt
2007-01-20, 00:01
I followed your instructions to the letter, and I deleted all the things that AVG found, so I dunno why it says that I didn't. But I will do it again.

pskelley
2007-01-20, 00:09
OK, and thanks. You can see those two trojans right at the beginning of the report; we sure want to make sure all of that junk is gone. :bigthumb:

Egypt
2007-01-20, 01:48
Hrm, so I did it again. Here is what happened.

AVG:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:42:45 PM 1/19/2007

+ Scan result:



C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP29\A0003331.exe -> Backdoor.Rbot.adf : Cleaned.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP29\A0003332.exe -> Backdoor.Rbot.adf : Cleaned.
C:\Documents and Settings\Jake\Desktop\slsk\adobe photoshop cs2 9.0\adobe photoshop cs2 crack.zip/apcs2ge/Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP29\A0003333.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
C:\Documents and Settings\Jake\Cookies\jake@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Jake\Cookies\jake@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Jake\Cookies\jake@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Jake\Cookies\jake@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Jake\Cookies\jake@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Jake\Cookies\jake@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 7:45:43 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\NeroCheck.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
c:\program files\internet explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Ahead\InCD\InCD.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Rogers\SelfHealing\SHS.exe
C:\Program Files\Rogers\Update Manager\UpdateManager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper20064142.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

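The two reports in the post above have a regular line structure, so the checks a helper does by eye (which AVG detections sit inside a System Restore snapshot, which HijackThis O4/O23 entries deserve a second look) can be scripted. The following is an added example written for this page; it is not a tool from the thread, from AVG or from HijackThis. The sample lines are copied from the two reports above and trimmed, and the function names and flagging rules are my own choices.

```python
"""Triage two log formats posted in this thread: an AVG Anti-Spyware scan
report and a HijackThis (HJT) v1.99 log.  Added example, not code from the
thread, from AVG or from HijackThis."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: four lines copied from the AVG report above.
SAMPLE_AVG = r"""
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP29\A0003331.exe -> Backdoor.Rbot.adf : Cleaned.
C:\Documents and Settings\Jake\Desktop\slsk\adobe photoshop cs2 9.0\adobe photoshop cs2 crack.zip/apcs2ge/Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
C:\System Volume Information\_restore{A68FF2C0-6B79-4311-AC7E-5F72A3EAA9ED}\RP29\A0003333.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
C:\Documents and Settings\Jake\Cookies\jake@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
"""

# Constructed sample: six lines copied from the HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

# AVG report line: "<path> -> <detection name> : <status>."
AVG_LINE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<status>\w+)\.$")
# HJT autostart entry: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# HJT service entry: "O23 - Service: <display name> - <vendor> - <binary path>"
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class AvgHit:
    path: str
    detection: str
    status: str
    in_restore_point: bool  # file lives under a System Restore snapshot


@dataclass
class HjtFinding:
    kind: str   # "O4" or "O23"
    name: str
    path: str
    reason: str


def parse_avg(report: str) -> List[AvgHit]:
    """Turn AVG 'path -> detection : status.' lines into records."""
    hits = []
    for line in report.splitlines():
        m = AVG_LINE.match(line.strip())
        if m:
            hits.append(AvgHit(m["path"], m["detection"], m["status"],
                               "\\System Volume Information\\_restore" in m["path"]))
    return hits


def restore_point_hits(report: str) -> List[str]:
    """Detections inside restore points.  The scanner removed the copy it saw,
    but a later System Restore would put such files back, which is why the
    helper asks for a System Restore off/on cycle once the machine is clean."""
    return [h.path for h in parse_avg(report) if h.in_restore_point]


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def review_hjt(log: str) -> List[HjtFinding]:
    """Flag O4 Run entries and O23 services that need a second look.  A flag is
    a prompt to verify the file, not a verdict: the helper above judged this
    log clean, and both sample hits are vendor components."""
    findings = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            exe, _ = split_command(m["cmd"])
            if "\\" not in exe:
                # Bare file name: Windows resolves it through the search path at
                # logon, so the log alone does not say which file actually runs.
                findings.append(HjtFinding("O4", m["name"], exe,
                                           "bare filename, location not recorded"))
            continue
        m = O23_SVC.match(line.strip())
        if m and m["owner"] == "Unknown owner":
            # No vendor string in the binary's version info: confirm the file's
            # origin (signature, hash, install source) before trusting it.
            findings.append(HjtFinding("O23", m["name"], m["path"],
                                       "service binary carries no vendor information"))
    return findings


if __name__ == "__main__":
    for p in restore_point_hits(SAMPLE_AVG):
        print("restore point copy:", p)
    for f in review_hjt(SAMPLE_HJT):
        print(f"{f.kind} {f.name!r}: {f.reason} ({f.path})")
```

Run against the full reports, `restore_point_hits` lists the three `A000333x.exe` copies under `_restore{...}\RP29`, and `review_hjt` flags the two bare-filename Run values (`RTHDCPL.EXE`, `ALCMTR.EXE`) and the `ATI Smart` service; each is something to confirm on disk, not something the log proves malicious.
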
pskelley
2007-01-20, 02:27
Thanks, the HJT log looks clean to me, let's do this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

How's the computer running now?

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Egypt
2007-01-20, 03:13
Alright, so I turned restore off/on, and things look like they have looked, but this time I didn't get a prompt from my McAfee telling me that they have detected a problem, which is probably a good sign. So I think things are back to normal, but if there are any further problems I will let you know.


Thank you SO much for all your help!

pskelley
2007-01-27, 11:43
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.