Virtumonde (??) Assistance Needed with Infection

M

MsMaverick

New member
Hello,

I'm new to these forums. Thank you in advance for your assistance. You folks have set up a remarkable resource for help here.

A HJT log is included at the end of this post.

Here is a bit of history of first:

Computer problems started on 7/8/2007, after... <gulp, I'll be honest>... I downloaded and ran a file I shouldn't have. I have included a log of events Zone Alarm recorded at that time, which might show detail helpful for assessment. According to Zone Alarm alerts, the file RETADPU2000352.EXE attempted several suspicious actions that I at first allowed (big mistake) then blocked. I have since searched for and deleted all instances of RETADPU2000*.EXE manually. I then performed scans with the following programs, not necessarily in the order listed and after loading updates for latest definitions (...too late for immunization, darn it).


1) SPYBOT - found and fixed these four items, related to Virtumonde:
Virtumonde: Text file - C:\WINDOWS\wr.txt
Virtumonde: Settings - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR
Virtumonde: Executable - C:\Documents and Settings\Owner\Local Settings\Temp\removalfile.bat
Virtumonde: Library - C:\WINDOWS\SYSTEM32\winopn32.dll

I have performed SpyBot checks a few times since, including once in SafeMode, and no problems were found.


2) AVG FREE - found and deleted
C:\Temporary Internet Files\ContentIE5\WT270927\adfcook[1]


3) Zone Alarm's anti-spyware tool (no problems found),


4) Symantec's Virtumonde Removal Tool (found nothing).


5) Attempted a system restore to a point before infection. Windows was unable to perform the restore.


6) Attempted to run Trend Micro's online scanner several times. Getting the scan to start was unsuccessful.

_______________________________________________________________________________________

7) Ran eTrust's online scanner with the following results:

eTrust Antivirus Web Scanner
http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx

Scanned July 13, 2007 ~ 1:20 AM

Virus scan finished. No viruses found.
Scan Results: Scan Completed. 106470 files scanned. No viruses found.

File Infection Status Path
- No Infections


Scanned again - July 13, 2007 ~ 1:32AM

Virus scan finished. No viruses found.
Scan Results: Scan Completed. 106440 files scanned. No viruses found.

File Infection Status Path
- No Infections

________________________________________________________________________________________

The following symptoms persist:

Each time the computer is started, and without a connection to the internet, 'something' tries to load a web page in IE and cannot detect an internet connection. A dialog presents the option for connecting to the internet or staying offline. For a few day's selecting "Stay Offline" seemed to prevent 'evil' pop-ups. Now, no matter what I select, (even offline) a web page opens in IE - unless I do not respond to the dialog "Web page unavailable while offline" and leave it open. When the computer is connected to the internet, a dialog appears with a goofy "celebrity" offer (same one each time), then bogus web pages open related to web content that I have legitimately loaded. For instance, during an online virus scan, bogus security-related pages open in new windows or tabs, using whichever browser I'm using at the time. The pop-ups seem to become more frequent with increased internect connection time.

Here is an example of the type of URL that the 'something' loads:

http://llehs.com/go//?cmp=nm_ff_ron&uid=ca3f910e2db411dc9b2af67602ffffff&nid=ba&guid=cfcdc779c8af4e8988b853f4b4efc876&url=http:%2F%2Fwww.lavasoft.com%2Fsupport%2Fsecuritycenter%2Fvirtumonde_remover.php&affid=67602&lid=http>




________________________________________________________________________________________
ZONE ALARM LOG AT SUSPECTED TIME OF INFECTION:


ZoneAlarm Logging Client v6.1.744.001
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
OSFW,2007/07/08,08:14:46 -5:00 GMT,UNKNOWN(0),Outlook Express,C:\Program Files\Outlook Express\msimn.exe,PROCESS,SPAWNPROCESS,SRC,C:\PROGRAM FILES\Adobe\ACROBAT 7.0\Reader\AcroRd32.exe,d4a76939-ab8aad4a-fbfb4cec-cf2628fd,f625d71-3418736f
OSFW,2007/07/08,08:21:10 -5:00 GMT,UNKNOWN(0),Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,PROCESS,SPAWNPROCESS,SRC,C:\PROGRAM FILES\Adobe\ACROBAT 7.0\Reader\AcroRd32.exe,d4a76939-ab8aad4a-fbfb4cec-cf2628fd,f625d71-3418736f
OSFW,2007/07/08,19:31:38 -5:00 GMT,UNKNOWN(0),Firefox,C:\PROGRAM FILES\MOZILLA FIREFOX\firefox.exe,PROCESS,SPAWNPROCESS,SRC,C:\WINDOWS\explorer.exe,a0732187-050030ae-399b2414-36565e64,14-36565e64,6d336-d75ff1e2-36b15833
OSFW,2007/07/08,19:35:40 -5:00 GMT,UNKNOWN(0),crack.exe,C:\INSTALL FILES, NEW\UniBlue\RB_KEYGEN\crack.exe,PROCESS,OPENPROCESS,SRC,winlogon.exe
OSFW,2007/07/08,19:36:10 -5:00 GMT,UNKNOWN(0),serial.exe,C:\INSTALL FILES, NEW\UniBlue\RB_KEYGEN\serial.exe,PROCESS,OPENPROCESS,SRC,"C:\Program Files\Mozilla Firefox\firefox.exe"
OSFW,2007/07/08,19:37:50 -5:00 GMT,UNKNOWN(0),exe12.exe,C:\Documents and Settings\Owner\Local Settings\Temp\exe12.exe,PROCESS,OPENPROCESS,SRC,C:\WINDOWS\Explorer.EXE
PE,2007/07/08,19:38:12 -5:00 GMT,Windows Command Processor,204.0.3.121:53,N/A
PE,2007/07/08,19:38:56 -5:00 GMT,installer,209.86.66.97:53,N/A
OSFW,2007/07/08,19:39:34 -5:00 GMT,UNKNOWN(0),RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,runner1
PE,2007/07/08,19:40:52 -5:00 GMT,installer,204.2.208.96:53,N/A
ACCESS,2007/07/08,19:41:00 -5:00 GMT,installer was temporarily blocked from connecting to the Internet (204.2.208.96:DNS).,N/A,N/A
PE,2007/07/08,19:41:00 -5:00 GMT,installer,192.168.0.1:53,N/A
ACCESS,2007/07/08,19:41:08 -5:00 GMT,installer was temporarily blocked from connecting to the local zone (192.168.0.1:DNS).,N/A,N/A
ACCESS,2007/07/08,19:41:10 -5:00 GMT,installer was temporarily blocked from sending data to the local zone (192.168.0.1:DNS).,N/A,N/A
OSFW,2007/07/08,19:41:30 -5:00 GMT,UNKNOWN(0),RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,runner1
OSFW,2007/07/08,19:42:58 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:42:58 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:42:58 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
PE,2007/07/08,19:42:58 -5:00 GMT,installer,65.243.103.50:53,N/A
OSFW,2007/07/08,19:43:30 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:43:30 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:43:30 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
PE,2007/07/08,19:43:30 -5:00 GMT,installer,65.243.103.50:53,N/A
ACCESS,2007/07/08,19:43:44 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (65.243.103.50:DNS).,N/A,N/A
ACCESS,2007/07/08,19:43:44 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (192.168.0.1:DNS).,N/A,N/A
OSFW,2007/07/08,19:49:02 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:49:02 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:49:02 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (88.212.196.89:DNS).,N/A,N/A
OSFW,2007/07/08,19:49:04 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:49:04 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:49:04 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (209.34.86.79:DNS).,N/A,N/A
OSFW,2007/07/08,19:54:20 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:54:20 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:54:20 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (208.67.70.27:DNS).,N/A,N/A
OSFW,2007/07/08,19:54:22 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:54:22 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:54:22 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (192.168.0.1:DNS).,N/A,N/A
PE,2007/07/08,21:09:48 -5:00 GMT,Spybot - Search & Destroy,204.0.3.121:53,N/A
PE,2007/07/08,21:09:56 -5:00 GMT,External updater,204.0.3.121:53,N/A
OSFW,2007/07/08,22:29:04 -5:00 GMT,ALLOWED,Symantec Adware.VirtuMonde Removal Tool,C:\INSTALL FILES, NEW\SECURITY SUITE\FxVMonde.exe,PROCESS,OPENTHREAD,SRC,\SystemRoot\System32\smss.exe
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
PE,2007/07/09,08:52:16 -5:00 GMT,ondwxcsb.exe,65.243.103.62:80,N/A
ACCESS,2007/07/09,08:52:30 -5:00 GMT,ondwxcsb.exe was temporarily blocked from connecting to the Internet (65.243.103.62:HTTP).,N/A,N/A
OSFW,2007/07/09,08:52:32 -5:00 GMT,UNKNOWN(0),ondwxcsb.exe,C:\WINDOWS\SYSTEM32\ondwxcsb.exe,PROCESS,SPAWNPROCESS,SRC,C:\WINDOWS\SYSTEM32\cmd.exe,eeb024f2-c81f0d55-936fb825-d21a91d6,21a91d6,9aab67-f160988a
OSFW,2007/07/09,14:08:06 -5:00 GMT,UNKNOWN(0),Trend Micro Damage Cleanup Engine (32-Bit),C:\DOCUMENTS AND SETTINGS\Owner\.HOUSECALL6.6\tsc.exe,PROCESS,OPENPROCESS,SRC,"C:\Program Files\Mozilla Firefox\firefox.exe"
PE,2007/07/09,14:20:48 -5:00 GMT,Microsoft Help Center Service,207.46.192.254:80,N/A
OSFW,2007/07/09,14:27:48 -5:00 GMT,UNKNOWN(0),System Restore Application,C:\WINDOWS\SYSTEM32\Restore\rstrui.exe,PROCESS,SPAWNPROCESS,SRC,C:\WINDOWS\SYSTEM32\control.exe,4c6785e3-d2e45ee8-7cb99519-0a0c7737,737,4e3953f



________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:42 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
O3 - Toolbar: (no name) - {FA91B828-F937-4568-82C1-843627E63ED7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HPVC component - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component34011.cab
O16 - DPF: HPVC resources - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources3403.cab
O16 - DPF: HPVC signed - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed3402.cab
O16 - DPF: HPVC support - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support3401.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239801859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/071aa0953338b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {8395DA35-1EE7-43A0-8515-287490D4BA35} (StoreButton Class) - http://www.freedom.net/analyzer/franalyzer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8169 bytes
___________________________________________________________________________________________
 
Hi and welcome to the forums. :)
I'm Markka and I will be helping you with your malware issues.

I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by
teachers of Malware Removal University.
Please be patient. :)
 
Hello Markka,

Thank you for your reply. :) I am in no hurry and glad to be a part of your experience with MRU (an impressive web site itself). I look forward to this process.

My computer is usually part of a very small home network. For now, I am keeping the computer disconnected from the network because I don't know if attached computers are at risk. If it fits in, I hope to learn more about this.
 
Hello :)

Rename HijackThis.exe to Scanner.exe by doing the following;

  • Navigate to here; C:\Program Files\Trend Micro\HijackThis
  • Right-click on the HijackThis.exe
  • Choose from the pull-down menu; "Rename"
  • And now Rename HijackThis.exe to Scanner.exe
  • When you're renamed HijackThis, then open it..
  • Take a fresh HijackThis log (Do a system scan and save a log file)
  • Post the fresh HijackThis log to here.
 
Changed HJT .exe to Scanner.exe and produced new log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:53 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D2CD37B9-8CB4-4E70-8936-992FD7276CC1} - C:\WINDOWS\system32\awtst.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\fccdaww.dll
O3 - Toolbar: (no name) - {FA91B828-F937-4568-82C1-843627E63ED7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HPVC component - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component34011.cab
O16 - DPF: HPVC resources - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources3403.cab
O16 - DPF: HPVC signed - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed3402.cab
O16 - DPF: HPVC support - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support3401.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239801859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/071aa0953338b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {8395DA35-1EE7-43A0-8515-287490D4BA35} (StoreButton Class) - http://www.freedom.net/analyzer/franalyzer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll
O20 - Winlogon Notify: fccdaww - C:\WINDOWS\SYSTEM32\fccdaww.dll
O20 - Winlogon Notify: st3i - C:\WINDOWS\
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 9029 bytes
 
New Information from AVG

Hi Markka,

I don't know if this helps. Today AVG detected a threat when a file tried to open. I used AVG to scan the directory where the file was located and the following results were produced automatically:

( Please let me know if information like this is, or isn't helpful.)

AVG - Infected Objects in Test Results
General properties
Report name Selected Areas Test
Start time 7/14/2007 14:07
End time 7/14/2007 2:13:53 PM (total: 6:07.8 Min)
Launch method Scanning launched manually
Scanning result Threats found
Report status Scanning completed successfully

Object summary
Scanned 2343
Threats Found 9
Cleaned 0
Moved to vault 1
Deleted 5
Errors 0
C:\WINDOWS\system32\drivers\etc\hosts Change Changed
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP530\A0073748.exe:\keygen.exe Trojan horse Dropper.Generic.NDX Infected, Embedded object, Deleted
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP530\A0073748.exe:\crack.exe Trojan horse SHeur.MG Infected, Embedded object, Deleted
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP530\A0073748.exe:\serial.exe Trojan horse Dialer.HWB Infected, Embedded object, Deleted
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP530\A0073748.exe:\install.exe Trojan horse Downloader.Generic5.AAL Infected, Embedded object, Deleted
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP530\A0073746.exe Deleted
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP530\A0073748.exe Moved to Vault, Archive
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP531\A0073763.dll Deleted
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP532\A0073782.exe Deleted
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP533\A0073848.exe Deleted
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP536\A0075423.exe Deleted
 
I thought it was gone, but no.

After AVG fixed the aforementioned files, it seemed as though the problem had stopped. I had several wonderful hours of unfettered surfing. :bigthumb:

Then, as soon as I opened IE (I mostly use FireFox), the evil pop-ups started again. :sad:
 
Hello :)

Please don't run anymore scanners or fix anything until I tell to you!

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
 
VundoFix Results and New HJT Log

Thank you, Markka. Please pardon the premature scanning and fixing. I have configured all my security software to not do any automatic scans, and I'll sit on my hands ;) with running scans until you give me the okay. :)

Here are the logs:

_________________________________________________________
VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 5:31:13 PM 7/15/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\awtst.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini Has been deleted!

Performing Repairs to the registry.
Done!
_____________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:01 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {338E5398-A311-4890-B3C5-785E029DE0F3} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\fccdaww.dll
O3 - Toolbar: (no name) - {FA91B828-F937-4568-82C1-843627E63ED7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HPVC component - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component34011.cab
O16 - DPF: HPVC resources - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources3403.cab
O16 - DPF: HPVC signed - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed3402.cab
O16 - DPF: HPVC support - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support3401.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239801859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/071aa0953338b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {8395DA35-1EE7-43A0-8515-287490D4BA35} (StoreButton Class) - http://www.freedom.net/analyzer/franalyzer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O20 - Winlogon Notify: fccdaww - C:\WINDOWS\SYSTEM32\fccdaww.dll
O20 - Winlogon Notify: st3i - C:\WINDOWS\
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8835 bytes
 
Hello :)

Before we'll continue I would like you to also upload few malware files for further inspection.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
    • Click "Browse" on the 1. field.
      Browse to the following file and click the file with your mouse, press "Open"
      "Insert the path here!"
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Thank you :)
_____________________
  • Double-click VundoFix.exe to run it.
  • Click Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 1 entry below into the top 1 box
    • C:\WINDOWS\SYSTEM32\fccdaww.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
 
VundoFix and HJT logs after uploading then deleting fccdaww file

Hello,

:) Thank you so much for your time and for further instructions. :)

I uploaded the file, C:\WINDOWS\SYSTEM32\fccdaww.dll to uploadmalware.com ...
(Was that correct of me to do? :red: In that part of the instructions, I assumed you were referring to the same file you wanted me to remove with VundoFix.)
... and also completed removal of the same file with VundoFix.


Here are the logs:
________________________________________________________________

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.

Scan started at 8:22:35 PM 7/18/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\fccdaww.dll
C:\WINDOWS\SYSTEM32\fccdaww.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\fccdaww.dll
C:\WINDOWS\SYSTEM32\fccdaww.dll Has been deleted!

Performing Repairs to the registry.
Done!
____________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:25 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {338E5398-A311-4890-B3C5-785E029DE0F3} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\fccdaww.dll (file missing)
O3 - Toolbar: (no name) - {FA91B828-F937-4568-82C1-843627E63ED7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HPVC component - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component34011.cab
O16 - DPF: HPVC resources - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources3403.cab
O16 - DPF: HPVC signed - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed3402.cab
O16 - DPF: HPVC support - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support3401.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239801859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/071aa0953338b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {8395DA35-1EE7-43A0-8515-287490D4BA35} (StoreButton Class) - http://www.freedom.net/analyzer/franalyzer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O20 - Winlogon Notify: st3i - C:\WINDOWS\
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8345 bytes
 
May I Update Java?

Hi Markka :),

I noticed that my version of Java is not current, and that that's not good. Is it okay for me to update Java at this point?

If so, I understand from reading a very recent post on this forum that these are the instructions:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Click to expand...
 
Hello :)

Yes, you have an outdated version of java, bu we will upgrade it, when you're clean.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
____________________

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows except HijackThis and press fix checked.

O2 - BHO: (no name) - {338E5398-A311-4890-B3C5-785E029DE0F3} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\fccdaww.dll (file missing)
O3 - Toolbar: (no name) - {FA91B828-F937-4568-82C1-843627E63ED7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O20 - Winlogon Notify: st3i - C:\WINDOWS\
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
____________________________
Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
__________________________
Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
__________________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________


Post:

- A fresh HijackThis log
- AVG Anti-Spyware's report
 
Completed instructions & HJT Log

Hello :),

I have performed all the steps you requested:
1) Downloaded AVGAS and updated signatures.
2) Performed HJT scan and 'fixed' six items.
3) Downloaded and ran ATF-cleaner for Firefox.
4) Rebooted in Safe Mode.
I have a question about booting up in safe mode. After I select the option to run Windows in Safe Mode, the next screen says to choose which operating system to use. The only one listed is, "Microsoft Windows Whistler Personal." Is this normal? (I don't recall seeing this before.)
5) Performed AVGAS scan in safe mode, as instructed.
There was a problem when AVGAS tried to "Apply all actions" to files embedded in .rar files. I am not sure what to do about this. What do you suggest?
6) Posted logs. (AVGAS log follows in next posts.)

______________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:12 PM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HPVC component - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component34011.cab
O16 - DPF: HPVC resources - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources3403.cab
O16 - DPF: HPVC signed - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed3402.cab
O16 - DPF: HPVC support - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support3401.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239801859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/071aa0953338b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {8395DA35-1EE7-43A0-8515-287490D4BA35} (StoreButton Class) - http://www.freedom.net/analyzer/franalyzer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8019 bytes
 
AVGAS Log, Part 1 of 2

:rolleyes: Oh dear... pardon the mess.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:46:27 PM 7/20/2007
+ Scan result:

HKLM\SOFTWARE\Classes\WR -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
:mozilla.10:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.11:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.12:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.13:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.14:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.15:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.16:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.17:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.18:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.19:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.20:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.21:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.22:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.23:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.24:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.8:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.9:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.2o7 : Error during cleaning.
:mozilla.262:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Adbrite : Error during cleaning.
:mozilla.263:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Adbrite : Error during cleaning.
C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.59:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Adserver : Error during cleaning.
:mozilla.60:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Adserver : Error during cleaning.
:mozilla.61:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Adserver : Error during cleaning.
:mozilla.62:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Adserver : Error during cleaning.
:mozilla.63:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Adserver : Error during cleaning.
:mozilla.10:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Phoenix\Profiles\default\qsqbjxub.slt\cookies.txt -> TrackingCookie.Atdmt : Error during cleaning.
:mozilla.56:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Atdmt : Error during cleaning.
:mozilla.36:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Bridgetrack : Error during cleaning.
:mozilla.66:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning.
:mozilla.67:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning.
:mozilla.68:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning.
:mozilla.69:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Casalemedia : Error during cleaning.
:mozilla.64:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Centrport : Error during cleaning.
:mozilla.407:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Cnn : Error during cleaning.
:mozilla.135:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Com : Error during cleaning.
C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.570:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Cqcounter : Error during cleaning.
:mozilla.136:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Dealtime : Error during cleaning.
:mozilla.58:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Doubleclick : Error during cleaning.
:mozilla.135:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Esomniture : Error during cleaning.
:mozilla.515:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Esomniture : Error during cleaning.
:mozilla.166:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Falkag : Error during cleaning.
:mozilla.167:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Falkag : Error during cleaning.
:mozilla.168:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Falkag : Error during cleaning.
:mozilla.169:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Falkag : Error during cleaning.
:mozilla.170:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Falkag : Error during cleaning.
:mozilla.100:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Googleadservices : Error during cleaning.
:mozilla.125:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Hitbox : Error during cleaning.
:mozilla.126:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Hitbox : Error during cleaning.
:mozilla.127:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Hitbox : Error during cleaning.
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.31:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Imrworldwide : Error during cleaning.
:mozilla.32:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.32:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Imrworldwide : Error during cleaning.
:mozilla.84:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Imrworldwide : Error during cleaning.
:mozilla.86:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Imrworldwide : Error during cleaning.
:mozilla.415:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Ivwbox : Error during cleaning.
:mozilla.72:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Linkbuddies : Error during cleaning.
:mozilla.433:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Liveperson : Error during cleaning.
:mozilla.434:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Liveperson : Error during cleaning.
:mozilla.435:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Liveperson : Error during cleaning.
:mozilla.436:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Liveperson : Error during cleaning.
:mozilla.437:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Liveperson : Error during cleaning.

(Continued in next post)
 
AVGAS Log, Part 2 of 2

C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.19:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Phoenix\Profiles\default\qsqbjxub.slt\cookies.txt -> TrackingCookie.Onestat : Error during cleaning.
:mozilla.20:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Phoenix\Profiles\default\qsqbjxub.slt\cookies.txt -> TrackingCookie.Onestat : Error during cleaning.
:mozilla.190:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Paypal : Error during cleaning.
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.75:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Paypal : Error during cleaning.
:mozilla.83:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Paypal : Error during cleaning.
C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.180:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.181:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Realmedia : Error during cleaning.
:mozilla.60:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Revsci : Error during cleaning.
:mozilla.61:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Revsci : Error during cleaning.
:mozilla.62:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Revsci : Error during cleaning.
:mozilla.63:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Revsci : Error during cleaning.
:mozilla.64:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Revsci : Error during cleaning.
:mozilla.65:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Revsci : Error during cleaning.
:mozilla.66:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Revsci : Error during cleaning.
:mozilla.149:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning.
:mozilla.150:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning.
:mozilla.151:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning.
:mozilla.152:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Serving-sys : Error during cleaning.
:mozilla.43:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Specificclick : Error during cleaning.
:mozilla.44:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Specificclick : Error during cleaning.
:mozilla.45:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Specificclick : Error during cleaning.
:mozilla.46:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Specificclick : Error during cleaning.
:mozilla.47:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Specificclick : Error during cleaning.
C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Cookies\owner@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.114:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Statcounter : Error during cleaning.
:mozilla.12:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Tacoda : Error during cleaning.
:mozilla.13:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Tacoda : Error during cleaning.
:mozilla.14:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Tacoda : Error during cleaning.
:mozilla.15:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Tacoda : Error during cleaning.
:mozilla.386:O:\BACKUP from Annie\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cookies.txt -> TrackingCookie.Trafic : Error during cleaning.
:mozilla.50:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Tribalfusion : Error during cleaning.
:mozilla.116:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Webtrendslive : Error during cleaning.
:mozilla.48:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Zedo : Error during cleaning.
:mozilla.49:C:\Backup Files\Annie's Documents and Settings.rar/Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\otop47dk.slt\cookies.txt -> TrackingCookie.Zedo : Error during cleaning.


::Report end
 
Hello :)

I have a question about booting up in safe mode. After I select the option to run Windows in Safe Mode, the next screen says to choose which operating system to use. The only one listed is, "Microsoft Windows Whistler Personal." Is this normal? (I don't recall seeing this before.)
Click to expand...
I think this is normal, because you got in safe mode. :)
____________________

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
_________________________

Kaspersky online scanner works only with Internet Explorer!

Please run an online scanner with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
________________________

Post:
- A fresh HijackThis log
- Kaspersky's report
 
Hello,

I have run CCleaner and a Kaspersky scan. Here are the logs:

__________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:12 AM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HPVC component - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component34011.cab
O16 - DPF: HPVC resources - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources3403.cab
O16 - DPF: HPVC signed - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed3402.cab
O16 - DPF: HPVC support - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support3401.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239801859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/071aa0953338b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {8395DA35-1EE7-43A0-8515-287490D4BA35} (StoreButton Class) - http://www.freedom.net/analyzer/franalyzer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8113 bytes
_______________________________________________________________
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 22, 2007 6:28:12 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 22/07/2007
Kaspersky Anti-Virus database records: 366338
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
O:\
Q:\

Scan Statistics:
Total number of scanned objects: 109969
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 03:57:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\AVG7\Log\emc20070721.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\parent.lock Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007072120070722\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF3383.tmp Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP539\A0075602.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP543\A0075726.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\VundoFix Backups\awtst.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.kr skipped
C:\VundoFix Backups\fccdaww.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\ANNIE.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT06526.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
O:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
_________________________
- - - - - - - - - - - - - - - - -
 
Hello :)

Delete this folder:

C:\VundoFix Backups
_______________________

Disable system restore:
  • Right click on my computer icon
  • Choose properties
  • Click on system restore tab
  • Select Turn off System Restore
  • Click apply and click OK
  • Reboot!

Enable system restore:
  • Right click on my computer icon
  • Choose properties
  • Click on system restore tab
  • un-check Turn off System Restore
  • Click apply and click OK
  • Reboot!
___________________________

Your java is out of date. Update your java.

Instruction:

  • -> Go to Control panel -> Add/remove programs
  • -> Find java(s) from the list
  • -> Delete this java version:
    jre1.5.0_04
  • -> Please download from here a new java and install it.
  • -> The latest java version is: Java Runtime Environment (JRE) 6u2
________________________

How is your computer running now?

Post:
- A fresh HijackThis log
 
You must log in or register to reply here.
Back
Top