Problems with YAHABAGS hijack from Google



bdilts
2007-05-29, 20:10
I am having a problem with a hijack from Google searches that directs me to yahabags.com. I did the CA online scan and fixed the 2 problems, ran Spybot S&D from safe mode, and now I'm posting my HijackThis log. I appreciate any help.


Logfile of HijackThis v1.99.1
Scan saved at 9:58:03 AM, on 5/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SM1BG.EXE
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A9A49F2F-DA0A-453F-88E6-178D44CD20F8} - C:\WINNT\system32\iwcntmin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C0D3A841-1DB3-48D4-B281-96EE07162C6E} - C:\WINNT\system32\jkkli.dll (file missing)
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [DVDTray] "C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\bbrkjnkj.dll",realset
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: ppeclt - C:\WINNT\SYSTEM32\PPEClt.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINNT\system32\schdsrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Unknown owner - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleDAFIS_HOMEClientCache - Unknown owner - C:\Oracle\DaFIS\BIN\ONRSD.EXE
O23 - Service: Seagate Page Server (pageserver) - Unknown owner - C:\Program Files\Seagate Software\WCS\pageserver.exe" -service -cache -deleteCache (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: IBM AFS Client (TransarcAFSDaemon) - Unknown owner - C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Unknown owner - C:\Program Files\Seagate Software\WCS\WebCompServer.exe" -service (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

pskelley
2007-05-30, 16:57
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.

I wish to be sure you have read and understand the above instructions so we are on the same page.

For your information:
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by AOL, probably without your knowledge. I suggest you uninstall this resource waster in Add/Remove Programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

You have a marker in the HJT log that indicates this is probably a Vundo infection. Hackers have learned to hide it from V1.99.1. Please follow these directions:
Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Double-click HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThis log.
Copy and paste the contents of the log in your next reply

Thanks

bdilts
2007-05-30, 20:49
As suggested, I removed Viewpoint. Thank you.

Below is the new scan.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:44:21 AM, on 5/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SM1BG.EXE
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\Altiris\AClient\AClntUsr.exe
C:\Program Files\HiJackthis_v2\HiJackThis_v2.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {A9A49F2F-DA0A-453F-88E6-178D44CD20F8} - C:\WINNT\system32\iwcntmin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {C0D3A841-1DB3-48D4-B281-96EE07162C6E} - C:\WINNT\system32\jkkli.dll (file missing)
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [DVDTray] "C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\bbrkjnkj.dll",realset
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINNT\system32\schdsrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleDAFIS_HOMEClientCache - Unknown owner - C:\Oracle\DaFIS\BIN\ONRSD.EXE
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: IBM AFS Client (TransarcAFSDaemon) - Unknown owner - C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O24 - Desktop Component 0: (no name) - http://www.yugiohkingofgames.com/images/ecards/card_frame.gif

--
End of file - 14225 bytes

pskelley
2007-05-30, 21:36
Thanks for returning your information. It appears you removed Vundo recently and did not get it all. We will remove what is left and see how the computer is running.

I would like to know about this item:
O24 - Desktop Component 0: (no name) - http://www.yugiohkingofgames.com/ima...card_frame.gif
Do you know what that is and why it is there? If not, remove it with HJT.


1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9A49F2F-DA0A-453F-88E6-178D44CD20F8} - C:\WINNT\system32\iwcntmin.dll
O2 - BHO: (no name) - {C0D3A841-1DB3-48D4-B281-96EE07162C6E} - C:\WINNT\system32\jkkli.dll (file missing)
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\bbrkjnkj.dll",realset
(if you did not set these restrictions you may remove them if you wish)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINNT\system32\bbrkjnkj.dll <<< delete that file

(If you have any trouble with that file, use this tool with these instructions)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

5) Follow these directions to run AVG Anti-Spyware, delete or quarantine anything it finds and post the scan results.
http://forums.security-central.us/showthread.php?t=3165

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the scan results from AVG Anti-Spyware and a new HJT log. Let me know how the computer is running.

Thanks
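
The reasoning behind the "Fix Checked" list above (an unnamed BHO loading from system32, a Run key named like a Windows component that uses rundll32 to load a DLL, an orphaned "(file missing)" entry, and IE policy restrictions nobody set) can be written down as a small triage script. The following Python is an added example, not code from this thread or from HijackThis; its heuristics are assumptions a helper would apply by eye, and SAMPLE_LOG is constructed from the HJT lines quoted in the post plus two benign lines for contrast.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass

# Constructed sample: the lines pskelley asked to fix above, plus two benign
# lines (Adobe BHO, QuickTime Run key) so the rules have something to ignore.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A9A49F2F-DA0A-453F-88E6-178D44CD20F8} - C:\WINNT\system32\iwcntmin.dll
O2 - BHO: (no name) - {C0D3A841-1DB3-48D4-B281-96EE07162C6E} - C:\WINNT\system32\jkkli.dll (file missing)
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINNT\system32\bbrkjnkj.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# First Windows path ending in a loadable module, e.g. C:\WINNT\system32\x.dll
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe|ocx)', re.IGNORECASE)
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")
# Run-key value names that imitate Windows components (assumed list, used as a hint only).
SPOOF_NAMES = {"windowsupdate", "windows update", "svchost", "lsass"}


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2"
    severity: str  # "high" or "info"
    reason: str
    line: str


def _in_system_dir(path):
    return any(d in path.lower() for d in SYSTEM_DIRS)


def assess(line):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    paths = PATH_RE.findall(body)
    if "(file missing)" in body:
        return Finding(section, "info",
                       "registry entry points at a file that no longer exists; remove the orphan", line)
    if section == "O2" and "(no name)" in body and paths and _in_system_dir(paths[0]):
        return Finding(section, "high", "unnamed BHO loading from the system directory", line)
    if section == "O4" and "rundll32" in body.lower() and paths and _in_system_dir(paths[0]):
        reason = "Run key uses rundll32 to load a DLL from the system directory"
        name = re.search(r"\[([^\]]+)\]", body)
        if name and name.group(1).lower() in SPOOF_NAMES:
            reason += f"; value name '{name.group(1)}' imitates a Windows component"
        return Finding(section, "high", reason, line)
    if section == "O6":
        return Finding(section, "info",
                       "IE restrictions set by policy; remove if not set by an administrator", line)
    if section == "R3" and "is missing" in body:
        return Finding(section, "info", "default URLSearchHook missing; HJT can restore it", line)
    return None


def triage(log_text):
    """Assess every line and return findings, most severe first (stable order otherwise)."""
    order = {"high": 0, "info": 1}
    findings = [f for f in (assess(l) for l in log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section}: {f.reason}\n        {f.line.strip()}")
```

Run on the constructed sample it reports the two high-severity items (the unnamed system32 BHO and the rundll32 Run key) ahead of the three informational ones and stays silent on the Adobe and QuickTime lines; the rules are deliberately narrow, so a named BHO in Program Files or a legitimate Run key is not flagged just for existing.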

bdilts
2007-06-04, 18:57
SORRY FOR DELAY. Still working on getting AVG to run without a problem - takes quite some time and the first 2 times it ended with an error message that said something had gone wrong. Am downloading fresh install and will try again.
Thank you - just wanted to let you know that I'm still working on it.

pskelley
2007-06-04, 19:59
Though it runs well on most computers, it does have issues running once in a while. It should take under an hour to complete a scan. If you can't get it to happen, post a new HJT log so I can have a look. Let me know about any problems with malware you are having.

Thanks

bdilts
2007-06-05, 23:56
First the AVG results - As stated before I had some issues and ended up doing several scans which I combined into one log.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:51:37 AM 6/4/2007

+ Scan result:



C:\WINNT\system32\iwcntmin.dll -> Adware.BHO : Cleaned.
C:\Documents and Settings\bdilts.HS.000\Desktop\New Folder\QuickTime_Pro_7.1.3.100.zip/start.exe -> Downloader.Zlob.bed : Cleaned.
C:\Documents and Settings\bdilts.HS.000\Desktop\QuickTime_Pro_7.1.3.100.zip/start.exe -> Downloader.Zlob.bed : Cleaned.

C:\Documents and Settings\bdilts.HS.000\Desktop\Stuff\truesyncplus_new.zip/gprs/win32/software/gm32.cab/GPRSManager.exe -> Heuristic.Win32.Dialer : Cleaned.
:mozilla.6:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.848:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.849:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.820:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.821:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.822:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.823:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.399:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.456:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.572:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Sex-in-www : Cleaned.
:mozilla.585:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.586:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.587:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.824:C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\vxuv9k88.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.

C:\Documents and Settings\bdilts.HS.000\Desktop\QuickTime_Pro_7.1.3.100.zip/start.exe -> Downloader.Zlob.bed : Cleaned.
C:\Documents and Settings\bdilts.HS.000\Desktop\Stuff\truesyncplus_new.zip/gprs/win32/software/gm32.cab/GPRSManager.exe -> Heuristic.Win32.Dialer : Cleaned.

HKU\S-1-5-21-1874068349-1688302950-636360099-16888\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned.

C:\Program Files\HiJackthis_v2\backups\backup-20070530-121224-192.dll -> Adware.BHO : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Cydoor.zip/cd_clint.dll -> Adware.Cydoor : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Cydoor3.zip/cd_htm.dll -> Adware.Cydoor : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Gator4.zip/DateManager.exe -> Adware.Gator : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc10.bad -> Adware.Virtumonde : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc11.bad -> Adware.Virtumonde : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc7.bad -> Adware.Virtumonde : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Advertisingcom.zip/bdilts@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Advertisingcom1.zip/bdilts@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Advertisingcom2.zip/bdilts@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Advertisingcom3.zip/bdilts@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\AvenueAInc.zip/bdilts@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\AvenueAInc1.zip/bdilts@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\BFast.zip/bdilts@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\BFast1.zip/bdilts@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@com[3].txt -> TrackingCookie.Com : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\CommissionJunction1.zip/bdilts@www.commission-junction[1].txt -> TrackingCookie.Commission-junction : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\CommissionJunction3.zip/bdilts@www.commission-junction[2].txt -> TrackingCookie.Commission-junction : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\CoreMetrics.zip/bdilts@data.coremetrics[2].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@www.directnetadvertising[2].txt -> TrackingCookie.Directnetadvertising : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\DoubleClick.zip/bdilts@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\DoubleClick1.zip/bdilts@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Enliven.zip/bdilts@ads.enliven[1].txt -> TrackingCookie.Enliven : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\FastClick.zip/bdilts@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\FastClick1.zip/bdilts@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\FastClick2.zip/bdilts@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\FastClick3.zip/bdilts@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg-bestbuy.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg-oreilly.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg-oreilly.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg-techtarget.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg-techtarget.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@ehg.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox.zip/bdilts@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox1.zip/bdilts@ehg-intel.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox10.zip/bdilts@ehg-samsungusa.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox11.zip/bdilts@ehg-micron.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox12.zip/bdilts@w132.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox13.zip/bdilts@ehg-idg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox14.zip/bdilts@ehg-samsungusa.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox15.zip/bdilts@ehg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox16.zip/bdilts@hg1.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox17.zip/bdilts@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox18.zip/bdilts@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox19.zip/bdilts@ehg-novell.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox2.zip/bdilts@ehg-nokiafin.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox20.zip/bdilts@ehg-bestbuy.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox3.zip/bdilts@ehg-novell.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox4.zip/bdilts@ehg-oreilly.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox5.zip/bdilts@ehg-techtarget.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox6.zip/bdilts@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox7.zip/bdilts@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox8.zip/bdilts@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitBox9.zip/bdilts@ehg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitsLink.zip/bdilts@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\HitsLink1.zip/bdilts@counter.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\bdilts.HS.000\Cookies\bdilts@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Clop10.zip/bdilts@ao.lop[1].txt -> TrackingCookie.Lop : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Clop52.zip/bdilts@bins.lop[1].txt -> TrackingCookie.Lop : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Clop7.zip/bdilts@lop[1].txt -> TrackingCookie.Lop : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Clop8.zip/bdilts@bins.lop[1].txt -> TrackingCookie.Lop : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\Clop9.zip/bdilts@www1.lop[1].txt -> TrackingCookie.Lop : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\MediaPlex.zip/bdilts@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\MediaPlex1.zip/bdilts@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\OffshoreClicks.zip/bdilts@php.offshoreclicks[2].txt -> TrackingCookie.Offshoreclicks : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\CommissionJunction.zip/bdilts@www.qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\CommissionJunction2.zip/bdilts@www.qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\bdilts.HS.000\Cookies\bdilts@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/Documents and Settings/bdilts.HS.000/Cookies/bdilts@www.sex-in-www[1].txt -> TrackingCookie.Sex-in-www : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexList.zip/bdilts@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexList1.zip/bdilts@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexTracker.zip/bdilts@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexTracker1.zip/bdilts@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexTracker2.zip/bdilts@counter14.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexTracker3.zip/bdilts@counter16.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexTracker4.zip/bdilts@counter10.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexTracker5.zip/bdilts@counter11.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexTracker6.zip/bdilts@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\SexTracker7.zip/bdilts@counter10.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@spylog[2].txt -> TrackingCookie.Spylog : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\PestPatrol\Quarantine\20070510075504.zip/winnt/temp/cookies/bdilts@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\ValueClick.zip/bdilts@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\ValueClick1.zip/bdilts@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\ValueClick2.zip/bdilts@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Program Files\Quick Batch File Compiler\stubg.dll -> Trojan.Small : Cleaned.

::Report end

bdilts
2007-06-05, 23:57
Now the HJT log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:49:55 PM, on 6/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\HiJackthis_v2\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [DVDTray] "C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINNT\system32\schdsrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleDAFIS_HOMEClientCache - Unknown owner - C:\Oracle\DaFIS\BIN\ONRSD.EXE
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: IBM AFS Client (TransarcAFSDaemon) - Unknown owner - C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 14115 bytes

pskelley
2007-06-06, 00:40
Thanks for returning your information, you can see the junk AVG was up against. As far as the HJT log goes, I can't see anything that looks like malware, but you have programs running I do not recognize. Look at the HJT log and make sure you know everything that is running.

I see a couple of nasties that may indicate a hidden Smitfraud Infection. Do this to find out:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm


AVG Anti-Spyware, I want to be sure all of those areas actually got clean, so please do this:

1) Make sure all files and folders are still visible.

2) Delete all Firefox cookies that you do not need.
http://mozilla.gunnars.net/firefox_help_firefox_cookie_tutorial.html
C:\Documents and Settings\bdilts\Application Data\Mozilla\Firefox\Profiles\

3) C:\RECYCLER\S-1-5-21-854245398-1202660629-2146839715-1000\Dc22.1\Recovery\ <<< clean out that folder

4) Empty your recycle bin

5) C:\Program Files\PestPatrol\Quarantine\ <<< empty that quarantine folder, if you no longer use the Program, uninstall it in Add Remove Programs.

Post the report from Smitfraudfix and let me know how this computer is running.

Thanks
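
The O17 lines in a HijackThis log are where a search-redirect hijack that works by swapping the machine's DNS servers would show up, and SmitfraudFix's "DNS" section lists the same values. As an added example (not code from this thread, from HijackThis or from SmitfraudFix), the script below parses O17 lines and flags any NameServer value outside an allow-list and any Domain/SearchList value outside the expected DNS suffixes. It assumes the three resolvers in the thread's log are the site's legitimate DNS servers and that `ucdavis.edu` / `ucop.edu` are the only expected suffixes; the CS9 key, the `{HYPOTHETICAL}` GUID and the 192.0.2.x addresses in the sample are constructed placeholders, not values from the log.

```python
import re
from ipaddress import ip_address

# Added example, not part of the thread or of HijackThis: check the O17
# (TCP/IP DNS settings) lines of a HijackThis log against what the site
# actually expects, so a swapped NameServer value stands out.

O17_RE = re.compile(
    r"^O17 - (?P<key>.+?): (?P<setting>NameServer|Domain|SearchList) = (?P<value>.*)$"
)

# ASSUMPTION: the three resolvers in the thread's log are the site's legitimate
# DNS servers (the helper judged that log clean).
ALLOWED_RESOLVERS = {"152.79.105.105", "152.79.115.115", "169.237.250.250"}
# ASSUMPTION: every Domain / SearchList entry should sit under one of these.
ALLOWED_SUFFIXES = ("ucdavis.edu", "ucop.edu")

# Constructed sample: three O17 lines copied from the thread's log plus one
# hypothetical rogue entry. 192.0.2.0/24 is a documentation range, not a real
# resolver; the CS9 key and {HYPOTHETICAL} GUID are placeholders.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS9\Services\Tcpip\..\{HYPOTHETICAL}: NameServer = 192.0.2.10,192.0.2.11
"""


def parse_o17(log_text):
    """Return (registry_key, setting, [values]) for every O17 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            values = [v.strip() for v in m.group("value").split(",") if v.strip()]
            entries.append((m.group("key"), m.group("setting"), values))
    return entries


def unexpected_nameservers(log_text, allowed=ALLOWED_RESOLVERS):
    """Return (registry_key, [bad_values]) for NameServer entries outside the allow-list.

    A value that is not even an IP address is reported as well: a NameServer
    string that does not parse is suspicious in itself.
    """
    findings = []
    for key, setting, values in parse_o17(log_text):
        if setting != "NameServer":
            continue
        bad = []
        for v in values:
            try:
                ip_address(v)
            except ValueError:
                bad.append(v)
                continue
            if v not in allowed:
                bad.append(v)
        if bad:
            findings.append((key, bad))
    return findings


def _under(domain, suffixes):
    """True if domain equals, or is a subdomain of, one of the suffixes."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def unexpected_search_domains(log_text, suffixes=ALLOWED_SUFFIXES):
    """Return (registry_key, [domains]) for Domain/SearchList values outside the suffixes."""
    findings = []
    for key, setting, values in parse_o17(log_text):
        if setting == "NameServer":
            continue
        bad = [d for d in values if not _under(d, suffixes)]
        if bad:
            findings.append((key, bad))
    return findings


if __name__ == "__main__":
    for key, bad in unexpected_nameservers(SAMPLE_LOG):
        print("UNEXPECTED NameServer %s under %s" % (",".join(bad), key))
    for key, bad in unexpected_search_domains(SAMPLE_LOG):
        print("UNEXPECTED search domain %s under %s" % (",".join(bad), key))
```

Run against the thread's actual O17 lines the checks return nothing, which matches the helper's reading that the DNS settings are the site's own; only the constructed CS9 entry is reported. The same allow-list idea applies to the NameServer= lines in SmitfraudFix's DNS section, which use the same key and value layout.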

bdilts
2007-06-06, 01:41
Scan results from SmitFraudFix
BTW - Thank you, Thank you, Thank you!
Computer appears to be running better. Will know after a few google searches.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:49:55 PM, on 6/5/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\Program Files\HiJackthis_v2\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [DVDTray] "C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office97\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19--1470752665.dll/gn_menu2.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer = 152.79.105.105,152.79.115.115,169.237.250.250
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hs.ucdhs.ucdavis.edu
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ucdmc.ucdavis.edu,ucdavis.edu,ucop.edu
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINNT\system32\schdsrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Web Jetadmin (HPWebJetadmin) - Apache Software Foundation - C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: OracleDAFIS_HOMEClientCache - Unknown owner - C:\Oracle\DaFIS\BIN\ONRSD.EXE
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: IBM AFS Client (TransarcAFSDaemon) - Unknown owner - C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINNT\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINNT\system32\vmnat.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

--
End of file - 14115 bytes

bdilts
2007-06-06, 01:43
oops - guess it might help if I sent the correct log... sorry.

SmitFraudFix v2.192

Scan done at 15:34:42.39, Tue 06/05/2007
Run from C:\Documents and Settings\bdilts.HS.000\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\ccsrvc.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
C:\Program Files\HP Web Jetadmin\hpwebjetd.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\IBM\AFS\Client\Program\afsd_service.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINNT\system32\vmnat.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\system32\vmnetdhcp.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\PROGRA~1\HPCD-D~1\Umbrella\DVDTray.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Microsoft Office97\Office\OSA.EXE
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» H:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\bdilts.HS.000


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\bdilts.HS.000\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BDILTS~1.000\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel 82558-based Integrated Ethernet with Wake on LAN
DNS Server Search Order: 152.79.105.105
DNS Server Search Order: 152.79.115.115
DNS Server Search Order: 169.237.250.250

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer=152.79.105.105,152.79.115.115,169.237.250.250
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer=152.79.105.105,152.79.115.115,169.237.250.250
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer=152.79.105.105,152.79.115.115,169.237.250.250
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1C1A95AF-F49D-4EF3-BC82-198879D419CB}: NameServer=152.79.105.105,152.79.115.115,169.237.250.250


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-06-06, 01:54
Sounds good, Smitfraudfix was clean as is the HJT log:bigthumb:

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.