cmdService, Maybe more



james1
2007-11-27, 20:49
I am trying to help my Nephew get his computer back to working order. Problem seemed to be cmdService, but I suspect more is going on. Ran SB yesterday, and it seemed to take care of it, but computer still not working. Ran again today, and from the logs below, can you offer any assistance?

Thank you,
James

Spybot log

HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:01 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Network\network.exe
C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDsnJKz/X5XzqMoiBTBx+2PvVsNLeIRahFQIZubsctckGYIQ+Xk86Baj4ctpaJsdFOYJ+51+MaR51TAo0ah3zIToJBFK5BNuW2rsLncfUJB69/5EDcXg66/K7KxSc54srz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe
O4 - HKLM\..\Run: [SprintDSLSetup] E:\installs\BrdJmp\SprintDSLSetup.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [19D.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O4 - HKLM\..\Run: [19E.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
O4 - HKLM\..\Run: [19E.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
O4 - HKLM\..\Run: [19D.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.localnet.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115605387593
O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} (AtlCtrl Class) - http://dl.adshooter.com/code/SYSsfitb.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6436 bytes

__RiP_ChAiN_
2007-11-27, 22:30
Hello james1,


Important information: You have signs of a backdoor trojan (http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan/) and/or rootkit on your system (more info (http://www.geekstogo.com/forum/Malware-FAQ-t165867.html)). These have the potential to harvest confidential data, and require special attention. Although rare, identity theft, or other fraudulent financial activity is a possibility. We generally have good success removing all signs of these infections. However, if you have adequate backups, required media (CDs), and the ability, at this point it would be wise to consider reformatting and reinstalling your operating system and applications. We can provide you with some helpful links if needed. (link to internal topic when completed)

Before we proceed, we recommend that you temporarily disconnect the infected system from the Internet to protect yourself, and others. This is because these infections may use the Internet for remote access, or even remote control of an infected system. If you don’t have access to another system, and require Internet access, be sure to have a firewall installed. We recommend the free version of Comodo (http://www.personalfirewall.comodo.com/). Note: never run more than one firewall.

If you used the infected system for online banking, any online financial transactions (including eBay and Paypal), or access any sensitive information online, please use a known clean computer, and change your passwords as soon as possible. It would also be wise to contact those same financial institutions to let them know your account information and passwords may have been compromised. Closely monitor all bank and credit card statements. In the event you do notice suspicious activity, it's important you act quickly. Follow these steps recommended by the FTC: Defend: Recover From Identity Theft (http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html).

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...66/K7KxSc54srz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [19D.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O4 - HKLM\..\Run: [19E.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
O4 - HKLM\..\Run: [19E.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
O4 - HKLM\..\Run: [19D.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} (AtlCtrl Class) - http://dl.adshooter.com/code/SYSsfitb.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download SDFix (http://download.bleepingcomputer.com/andymanchesta/SDFix.exe) by AndyManchesta and save it to your desktop.
When using this tool, you must use the Administrator's account or an account with "Administrative rights". Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.
Reboot your computer in "Safe Mode (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/boot_failsafe.mspx?mfr=true)" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe
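The helper's fix list above is built by reading the HijackThis sections by hand: IE start/search pages reset to about:blank or pointed at an outside search host, a missing URLSearchHook, Run entries launching from a Temp folder or a bare drive root, and a DPF (ActiveX) download from a non-Microsoft host. The script below is an added triage example (not from the thread, HijackThis or SDFix) that applies those same heuristics to a log; the sample lines are constructed from the logs posted in this thread, and the TRUSTED_HOSTS allowlist is an assumption you would tune for your own environment.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v2 log format; the shapes, paths and GUIDs
# are the ones that appear in the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [19D.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115605387593
O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} (AtlCtrl Class) - http://dl.adshooter.com/code/SYSsfitb.cab
"""

# Assumption: hosts a stock XP box is expected to pull IE settings and
# ActiveX controls from. Anything else gets a second look.
TRUSTED_HOSTS = ("microsoft.com",)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "R0", "O4", "O16"
    reason: str    # why the line was flagged
    line: str      # the original log line


def _trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def _check_r(section: str, body: str):
    # R0/R1 read "key,value = setting"; R3 is free text about URLSearchHook.
    if section == "R3":
        return "default URLSearchHook missing (typical of a search hijack)" if "missing" in body else None
    if " = " not in body:
        return None
    setting = body.split(" = ", 1)[1].strip()
    if setting.lower() == "about:blank":
        return "IE page/search setting reset to about:blank (hijack residue)"
    if setting.lower().startswith(("http://", "https://")) and not _trusted(setting):
        return "IE page/search setting points at an untrusted host"
    return None


def _check_o4(body: str):
    # O4 reads 'HKLM\..\Run: [name] "path" args' or '[name] path args'.
    if "]" not in body:
        return None                      # e.g. "Startup: foo.lnk = ..." entries
    rest = body.split("]", 1)[1].strip()
    path = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest
    path = path.lower()
    if "\\temp\\" in path or "\\locals~1\\" in path:
        return "autorun entry launches an executable from a Temp directory"
    if re.fullmatch(r"[a-z]:\\[^\\]+", path) and not path.startswith("c:\\"):
        return "autorun entry launches an executable from the root of a non-system drive"
    return None


def _check_o16(body: str):
    # O16 reads "DPF: {GUID} (Name) - URL"; the URL is the last " - " field.
    url = body.rsplit(" - ", 1)[-1].strip()
    if url.lower().startswith("http") and not _trusted(url):
        return "downloaded ActiveX control (DPF) from an untrusted host"
    return None


def triage(log_text: str) -> list:
    """Return the HijackThis lines a defender would look at first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([RO]\d+) - (.*)$", line)
        if not m:
            continue                     # headers, process list, blank lines
        section, body = m.group(1), m.group(2)
        reason = None
        if section in ("R0", "R1", "R3"):
            reason = _check_r(section, body)
        elif section == "O4":
            reason = _check_o4(body)
        elif section == "O16":
            reason = _check_o16(body)
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

Run against the full log pasted above, the same six kinds of line the helper ticked are the ones that come back; entries the script stays silent on (BHOs, services, O9 buttons) still need a human eye.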

james1
2007-11-28, 17:55
Thank you for your timely response. I have done as instructed, and logs are below. The computer now seems to be working OK - I can at least access the control panel etc. Please let me know if more has to be done.

Again, thanks for the help.

james


SDFix: Version 1.115

Run by Administrator on Wed 11/28/2007 at 10:28 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Pat\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 10:39:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\aim\\aim.exe"="C:\\Program Files\\aim\\aim.exe:*:Enabled:AOL Instant Messenger (SM)"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:TaskPanl"
"C:\\WINDOWS\\surfmonkey\\SMProxy.exe"="C:\\WINDOWS\\surfmonkey\\SMProxy.exe:*:Enabled:SMProxy"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

Thu 3 Oct 2002 49,223 A..H. --- "C:\Program Files\America Online 8.0\aolphx.exe"
Thu 3 Oct 2002 36,939 A..H. --- "C:\Program Files\America Online 8.0\aoltray.exe"
Thu 3 Oct 2002 40,960 A..H. --- "C:\Program Files\America Online 8.0\RBM.exe"
Thu 3 Oct 2002 233,539 A..H. --- "C:\Program Files\America Online 8.0\waol.exe"
Tue 5 Mar 2002 106,564 A..H. --- "C:\Program Files\CompuServe 7.0\csphx.exe"
Tue 5 Mar 2002 32,840 A..H. --- "C:\Program Files\CompuServe 7.0\cstray.exe"
Mon 4 Mar 2002 40,960 A..H. --- "C:\Program Files\CompuServe 7.0\RBM.exe"
Tue 5 Mar 2002 180,288 A..H. --- "C:\Program Files\CompuServe 7.0\wcs2000.exe"
Tue 2 Aug 2005 187,904 A.SHR --- "C:\WINDOWS\UGF0\asappsrv.dll"
Tue 2 Aug 2005 293,888 A.SHR --- "C:\WINDOWS\UGF0\command.exe"
Mon 9 May 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 3 Oct 2002 49,225 A..H. --- "C:\Program Files\America Online 8.0\COMIT\cswitch.exe"
Tue 5 Mar 2002 77,894 A..H. --- "C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe"
Thu 5 Jan 2006 4,608 A..H. --- "C:\Documents and Settings\Pat\Local Settings\Temp\a.exe"
Thu 3 Oct 2002 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"
Wed 12 Dec 2001 102,400 A..H. --- "C:\Program Files\Common Files\csshare\shell\us\shellext.dll"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:11 AM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\S3tray2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Network\network.exe
C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDsnJKz/X5XzqMoiBTBx+2PvVsNLeIRahFQIZubsctckGYIQ+Xk86Baj4ctpaJsdFOYJ+51+MaR51TAo0ah3zIToJBFK5BNuW2rsLncfUJB69/5EDcXg66/K7KxSc54srz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe
O4 - HKLM\..\Run: [SprintDSLSetup] E:\installs\BrdJmp\SprintDSLSetup.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [19D.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O4 - HKLM\..\Run: [19E.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
O4 - HKLM\..\Run: [19E.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
O4 - HKLM\..\Run: [19D.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.localnet.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115605387593
O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} (AtlCtrl Class) - http://dl.adshooter.com/code/SYSsfitb.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6343 bytes

__RiP_ChAiN_
2007-11-29, 03:24
Hello james1,

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by Oldtimer and save it to your desktop.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...66/K7KxSc54srz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe
O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
O4 - HKLM\..\Run: [19D.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O4 - HKLM\..\Run: [19E.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
O4 - HKLM\..\Run: [19E.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
O4 - HKLM\..\Run: [19D.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} (AtlCtrl Class) - http://dl.adshooter.com/code/SYSsfitb.cab

Now close all windows other than HiJackThis, then click Fix Checked. Close HijackThis.

Run OTMoveIt:
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Network
C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
D:\Pad39A.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)
Click the red Moveit! button.
Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Reboot into Normal Mode.

In your next reply please include the following:
A new Hijackthis log.
The OTMoveIt log.


----------- Step 2

Download AVG Anti-Spyware v7.5 (http://free.grisoft.com/doc/20/lng/us/tpl/v5) and save it to your Desktop <- (Important! Vista Users should install from that same location).
(This is Ewdio 4.0 renamed and updated with a special "clean driver" for removing persistent malware.) After download, double click on the file to launch the install process.
Choose a language, click "OK" and then click "Next".
Read the "License Agreement" and click "I Agree".
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer (http://downloads.ewido.net/avgas-signatures-full-current.exe).
Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, press the WINKEY + M key or Alt + Spacebar to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows: Click on the "Scanner" button and choose the "Settings" tab.
Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
Under "How to Scan?", "Possibly unwanted software", and What to Scan?" leave all the default settings.
Under "Reports" select "Do not automatically generate reports".
Click the "Scan" tab to return to scanning options.
Click "Complete System Scan" to start.
When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine. IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
Click on "Save Report" to view all completed scans. Click on the most recent scan you performed, select "Save report as" and save to your desktop. The default file name will be in date/time format: Report-Scan-200706-1606. A copy of each report will be saved in C:\Documents and Settings\<user profile>\Application Data\Grisoft\AVG Antispyware 7.5\Reports.
If you installed AVG AS over a previous version, reports are saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
If you are a Vista user, reports are saved in C:\Users\<username>\AppData\Roaming\Grisoft\AVG Antispyware 7.5\Reports\
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response. Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version.

james1
2007-11-29, 19:09
As instructed, here are the logs you asked for. Please note, that when I first ran Hijackthis, only one item you listed showed up (O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe ). The rest I did nothing with.

Thanks again for your help.

James


OTMoveit Log:

c:\Program Files\Network moved successfully.
File/Folder c:\DOCUME-1\Pat\LOCALS-1\TEMP\19D.tmp.exe not found.
File/Folder c:\DOCUME-1\Pat\LOCALS-1\TEMP\19E.tmp.exe not found.
File/Folder D:\Pad39A.exe not found.

Created on 11/29/2007 10:10:01

HiJackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:30 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SprintDSLSetup] E:\installs\BrdJmp\SprintDSLSetup.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.localnet.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115605387593
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4244 bytes


james1
2007-11-29, 19:17
Sorry, having a problem doing multi-part posts. Here is the AVG log.

Thanks.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:38:17 AM 11/29/2007

+ Scan result:



C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP108\A0010416.srg -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP108\A0010424.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP108\A0010425.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP108\A0010426.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP108\snapshot\MFEX-1.DAT -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP109\A0010439.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP109\A0010440.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP109\A0010441.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP110\A0010443.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP110\A0010444.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP110\A0010445.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP111\A0010449.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP111\A0010450.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP111\A0010451.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP112\A0011460.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP112\A0011461.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP112\A0011462.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP112\A0011463.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP113\A0011465.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP113\A0011466.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP113\A0011467.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011476.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011477.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011478.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011849.vxd -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011850.srg -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011851.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011852.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011853.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011854.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011855.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011856.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011857.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011859.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011860.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011861.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011862.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011863.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011864.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011877.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116\A0013330.exe -> Adware.Comet : Cleaned with backup (quarantined).
C:\WINDOWS\UGF0\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\UGF0\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{27F0F0E5-3C39-AB9F-5881-B63EA0E44B26} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{27F0F0E5-3C39-AB9F-5881-B63EA0E44B26} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\Ready -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\Upload -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\bin -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\bin\iebyterange.xml -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\bin\iebyterange.xml.backup -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\temp -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\secure32.html -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{722D2939-A14A-41A9-9EAC-AB8F4E295819} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{88D758A3-D33B-45FD-91E3-67749B4057FA} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{760ACA60-79C3-4875-9D19-B14A5B3FEA77} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{883EA659-ED80-46F9-9ED2-83327F67789F} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Interface\{B64C73D7-459E-4816-91F9-1348F8E36984} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{0AB5B0D8-2B74-4C1C-8FA4-E52550B8B45B} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-2309612078-3038197085-2327675936-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Desktop\mc-58-12-0000094.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP108\A0010420.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP109\A0010432.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP109\A0010436.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP111\A0010456.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP111\A0011456.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011473.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011486.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011497.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011510.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011869.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011870.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\Program Files\Network\network.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011529.dll -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011532.dll -> Adware.Spysheriff : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011876.exe -> Adware.Spysheriff : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : Error during cleaning.
C:\Program Files\Common Files\zriu\zriud\zriuc.dll -> Adware.TargetServer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011487.INI:swtfcq -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011490.pif:huqmf -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011496.INI:swtfcq -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011500.pif:huqmf -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011508.pif:huqmf -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011509.INI:swtfcq -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011846.pif:huqmf -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011889.INI:swtfcq -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011890.dll -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011513.ini:zbutry -> Downloader.Agent.td : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011883.ini:zbutry -> Downloader.Agent.td : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011891.exe -> Downloader.Agent.td : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Local Settings\Temp\a.exe -> Downloader.PassAlert.k : Cleaned with backup (quarantined).
C:\Program Files\Common Files\zriu\zriup.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\zriu\zriud\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (qu

james1
2007-11-29, 19:17
arantined).
C:\Program Files\Common Files\zriu\zriua.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011881.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\Program Files\Common Files\zriu\zriul.exe -> Downloader.TSUpdate.p : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mscornet.exe -> Downloader.Zlob.dy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ld6409.tmp -> Downloader.Zlob.ea : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP109\A0010437.exe -> Dropper.Agent.aac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP109\A0010438.exe -> Dropper.Agent.aac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011872.exe -> Dropper.Agent.aac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011874.exe -> Dropper.Agent.aac : Cleaned with backup (quarantined).
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071128-100803-870.dll -> Dropper.Agent.cy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0012389.dll -> Dropper.Agent.cy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011508.pif:xylhgs -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011846.pif:xylhgs -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011847.dll -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011848.exe -> Hijacker.StartPage.agq : Cleaned with backup (quarantined).
C:\WINDOWS\soft.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Local Settings\Temp\19B.tmp -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011875.exe -> Not-A-Virus.Hoax.Win32.Renos.al : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Local Settings\Temp\19D.tmp -> Not-A-Virus.Hoax.Win32.SpyWare.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Local Settings\Temp\19D.tmp.exe -> Not-A-Virus.Hoax.Win32.SpyWare.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Cookies\pat@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@maxim.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@centrport[2].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@e-2dj6wjk4wgajkbo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@tracking.g3x[1].txt -> TrackingCookie.G3x : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\LocalService\Cookies\system@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@www.real[1].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@weborama[2].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\Pat\Cookies\pat@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011884.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011885.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011886.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011887.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP114\A0011888.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\WINDOWS\UGF0\o3IX.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Local Settings\Temp\19E.tmp -> Trojan.Small.ga : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Local Settings\Temp\19E.tmp.exe -> Trojan.Small.ga : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Local Settings\Temp\3.tmp -> Trojan.Small.ga : Cleaned with backup (quarantined).
C:\Documents and Settings\Pat\Local Settings\Temp\4.tmp -> Trojan.Small.ga : Cleaned with backup (quarantined).


::Report end

__RiP_ChAiN_
2007-11-29, 21:15
Hello james1,

Your logs are looking much better, let's run a quick anti-virus scan to see if anything is still detected :)

Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

james1
2007-11-30, 18:28
Went to the Panda site as suggested. After 3 1/2 hours it was not even 10% complete (using dial-up on the infected computer). Is there some other anti-virus scan or method I could use?

Thanks again.

James

__RiP_ChAiN_
2007-11-30, 23:03
Hello james1,

We can absolutely use something else :)

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

james1
2007-12-01, 17:16
Thanks again for your help.

Here are the logs requested:
Process.exe;C:\Documents and Settings\Pat\Desktop\SDFix\apps;Tool.Prockill;;
A0013373.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.DownLoader.5289;Deleted.;
A0013374.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Adware.TargetServer;;
A0013375.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Adware.TargetServer;;
A0013376.dll;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.DownLoader.1282;Deleted.;
A0013377.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.Infos;Deleted.;
A0013379.dll;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Adware.Comet;;
A0013381.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.DownLoader.4844;Incurable.Moved.;
A0013382.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.DownLoader.6610;Incurable.Moved.;
A0013383.dll;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Adware.TargetServer;;
A0013384.dll;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.Proxy.493;Deleted.;
A0013385.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.Proxy.493;Deleted.;
A0013386.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.Fakealert;Incurable.Moved.;

Deckard's System Scanner v20071014.68
Run by Pat on 2007-12-01 08:59:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2007-12-01 13:59:54 UTC - RP118 - Deckard's System Scanner Restore Point
3: 2007-11-30 15:16:36 UTC - RP117 - System Checkpoint
2: 2007-11-28 18:07:41 UTC - RP116 - Removed Microsoft Money 2002 System Pack
1: 2007-11-28 18:06:41 UTC - RP115 - Removed Microsoft Money 2002


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 224 MiB (512 MiB recommended).


-- HijackThis (run as Pat.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:27 AM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\javaw.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Pat\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Pat.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by LocalNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SprintDSLSetup] E:\installs\BrdJmp\SprintDSLSetup.exe
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.localnet.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115605387593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4525 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071128-100803-178 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20071128-100803-359 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
backup-20071128-100803-377 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071128-100803-406 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDsnJKz/X5XzqMoiBTBx+2PvVsNLeIRahFQIZubsctckGYIQ+Xk86Baj4ctpaJsdFOYJ+51+MaR51TAo0ah3zIToJBFK5BNuW2rsLncfUJB69/5EDcXg66/K7KxSc54srz
backup-20071128-100803-443 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20071128-100803-457 O4 - HKLM\..\Run: [19D.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
backup-20071128-100803-521 O4 - HKLM\..\Run: [19E.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
backup-20071128-100803-600 O4 - HKLM\..\Run: [19D.tmp.exe] C:\DOCUME~1\Pat\LOCALS~1\Temp\19D.tmp.exe
backup-20071128-100803-601 R3 - Default URLSearchHook is missing
backup-20071128-100803-653 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
backup-20071128-100803-663 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
backup-20071128-100803-732 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
backup-20071128-100803-793 O4 - HKLM\..\Run: [19E.tmp] C:\DOCUME~1\Pat\LOCALS~1\Temp\19E.tmp.exe
backup-20071128-100803-809 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20071128-100803-838 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20071128-100803-870 O16 - DPF: {C886256C-7A63-4213-AD2F-02AD3735DF06} (AtlCtrl Class) - http://dl.adshooter.com/code/SYSsfitb.cab
backup-20071128-100803-876 O4 - HKLM\..\Run: [Network] C:\Program Files\Network\network.exe
backup-20071128-100803-911 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
backup-20071128-100803-930 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
backup-20071129-100631-601 O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe
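The Dr.Web CureIt report at the top of this post is a semicolon-separated list (name;path;threat;action;). The triage script below is an added example, not part of the thread or of Dr.Web's own tooling; it parses that format, counts what the scanner deleted or moved, flags hits it left untouched, and notes which files sit inside System Restore (where only the restore-point cleanup described later in the thread can reach them). The sample report embedded in it is a subset of the lines james1 posted above.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) of the kind posted in this thread."""
from collections import Counter
import re

# Constructed sample: a subset of the report lines posted above, in the
# field order the report uses: name;path;threat;action;
SAMPLE_REPORT = r"""
Process.exe;C:\Documents and Settings\Pat\Desktop\SDFix\apps;Tool.Prockill;;
A0013373.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.DownLoader.5289;Deleted.;
A0013374.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Adware.TargetServer;;
A0013381.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.DownLoader.4844;Incurable.Moved.;
A0013386.exe;C:\System Volume Information\_restore{CD2F0BC6-CC05-44EB-BA2E-69D2A5CA70FD}\RP116;Trojan.Fakealert;Incurable.Moved.;
"""

# Paths under System Restore look like \System Volume Information\_restore{GUID}\RPnnn
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+", re.I)


def parse_report(text):
    """Parse report lines into dicts; malformed lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) < 4:
            continue
        name, path, threat, action = parts[0], parts[1], parts[2], parts[3].rstrip(".")
        entries.append({
            "name": name,
            "path": path,
            "threat": threat,
            "action": action or "No action",       # empty field = scanner did nothing
            "in_restore": bool(RESTORE_RE.search(path)),
        })
    return entries


def summarize(entries):
    """Count entries per scanner action (Deleted, Incurable.Moved, No action, ...)."""
    return Counter(e["action"] for e in entries)


def needs_attention(entries):
    """Hits the scanner neither deleted nor moved, excluding cleanup tools it flagged (Tool.*)."""
    return [e for e in entries
            if e["action"] == "No action" and not e["threat"].startswith("Tool.")]


def in_system_restore(entries):
    """Entries living in a restore point; a new restore point plus cleanup removes them."""
    return [e for e in entries if e["in_restore"]]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("Actions:", dict(summarize(report)))
    for e in needs_attention(report):
        print("Still present:", e["name"], e["threat"], e["path"])
    print("Inside System Restore:", len(in_system_restore(report)))
```

Run against the full DrWeb.csv, the "Still present" lines are the ones a helper would follow up on; everything under _restore{...} disappears once the old restore points are purged.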

james1
2007-12-01, 17:18
Log Files Cont'd

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S3 catchme - c:\docume~1\pat\locals~1\temp\catchme.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 WmcCds (Windows Media Connect (WMC)) - c:\program files\windows media connect\mswmccds.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
S3 WmcCdsLs (Windows Media Connect (WMC) Helper) - c:\program files\windows media connect\mswmcls.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-11-01 and 2007-12-01 -----------------------------

2007-11-30 09:38:50 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-29 10:54:50 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-11-29 10:13:58 0 d-------- C:\Documents and Settings\Pat\Application Data\Grisoft
2007-11-29 10:13:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-28 10:27:59 0 d-------- C:\WINDOWS\ERUNT
2007-11-28 10:24:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-28 10:24:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-28 10:24:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-28 10:24:32 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-11-28 10:24:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-28 10:24:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-28 10:24:32 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-11-28 10:24:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-28 10:24:32 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-11-28 10:24:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-28 10:24:32 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-11-28 10:24:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-28 10:24:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-11-28 10:24:32 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-28 10:24:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2007-11-28 10:24:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-11-28 10:24:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-11-28 10:24:31 0 d-------- C:\Documents and Settings\Administrator\WINDOWS
2007-11-28 10:24:31 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-27 08:06:49 0 d-------- C:\Program Files\Trend Micro
2007-11-26 11:04:37 0 d-------- C:\Documents and Settings\Pat\Application Data\Mozilla
2007-11-26 09:22:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


-- Find3M Report ---------------------------------------------------------------

2007-12-01 08:59:26 0 d-------- C:\Program Files\Microsoft AntiSpyware
2007-11-29 09:41:24 0 d-------- C:\Program Files\Common Files
2007-11-26 10:46:59 0 d-------- C:\Program Files\Motive
2007-11-26 10:16:51 0 d-------- C:\Program Files\Common Files\zriu
2007-11-26 10:16:11 0 d-------- C:\Program Files\Common Files\Windows
2007-11-26 10:16:10 0 d-------- C:\Program Files\Common Files\Download
2007-11-26 09:40:03 0 d-------- C:\Program Files\EarthLink TotalAccess
2007-11-26 09:36:26 0 d-------- C:\Program Files\aim
2007-11-26 09:28:06 0 d-------- C:\Program Files\BigFix


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [07/19/2001 05:03 PM]
"S3TRAY2"="S3tray2.exe" [02/25/2003 03:33 AM C:\WINDOWS\system32\S3tray2.exe]
"VTPreset"="VTPreset.exe" [02/24/2004 07:17 PM C:\WINDOWS\system32\VTPreset.exe]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [02/10/2005 09:32 PM]
"SprintDSLSetup"="E:\installs\BrdJmp\SprintDSLSetup.exe" []
"SprintModemUpdate"="javaw.exe" [06/03/2004 09:09 PM C:\WINDOWS\system32\javaw.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [01/27/2003 05:16 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"AIM"="C:\Program Files\aim\aim.exe" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [07/13/2000 03:00 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

james1
2007-12-01, 17:20
Log files cont'd:



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) XP 2400+
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 223.48 MiB / 72.62 MiB
Pagefile Memory (total/avail): 546.74 MiB / 363.36 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1950.75 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.53 GiB total, 70.08 GiB free.
D: is CDROM (No Media)
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD800EB-11DJF0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\aim\\aim.exe"="C:\\Program Files\\aim\\aim.exe:*:Enabled:AOL Instant Messenger (SM)"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:TaskPanl"
"C:\\WINDOWS\\surfmonkey\\SMProxy.exe"="C:\\WINDOWS\\surfmonkey\\SMProxy.exe:*:Enabled:SMProxy"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Pat\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-AH1QBB56U1
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Pat
LOGONSERVER=\\YOUR-AH1QBB56U1
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Pat\LOCALS~1\Temp
TMP=C:\DOCUME~1\Pat\LOCALS~1\Temp
USERDOMAIN=YOUR-AH1QBB56U1
USERNAME=Pat
USERPROFILE=C:\Documents and Settings\Pat
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Pat (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
56Kbps Internal Modem --> C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
BroadJump Client Foundation --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\BroadJump\Client Foundation\Uninst.isu" -c"C:\Program Files\BroadJump\Client Foundation\RmvBJCFD.dll" -b"CFD" -h"CFD" -a
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HOTLLAMA Media Player - Setup --> C:\PROGRA~1\HOTLLA~1\Player\UNWISE.EXE C:\PROGRA~1\HOTLLA~1\Player\INSTALL.LOG
ICQ --> C:\PROGRA~1\ICQ\ICQUninstall.EXE
Java 2 Runtime Environment Standard Edition v1.3.1_02 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_02\Uninst.isu"
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Lernout & Hauspie TruVoice for Microsoft Agent --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\cgminst.inf, RemoveCgram
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft AntiSpyware --> MsiExec.exe /I{536F7C74-844B-4683-B0C5-EA39E19A6FE3}
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
Microsoft Works 6.0 --> MsiExec.exe /I{F8D0829C-9C6F-11D3-8080-00C04FA329AA}
Norton AntiVirus Corporate Edition --> MsiExec.exe /I{BD12EB47-DBDF-11D3-BEEA-00A0CC272509}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
ProSavageDDR and Utilities --> C:\PROGRA~1\S3\P4M266\s3setvga.exe -s -fC:\PROGRA~1\S3\P4M266\P4M266.uns
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\setup.exe" -l0x9 REMOVE
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Backup Utility --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Connect --> msiexec.exe /I {F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}
Windows Media Connect --> MsiExec.exe /I{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1165 / Warning
Event Submitted/Written: 11/28/2007 01:14:03 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{43DCF766-6838-4F9A-8C91-D92DA586DFA7}', feature 'DefaultFeature' failed during request for component '{A4AD656D-72E9-43A7-9DD0-E5F6AF438E72}'

Event Record #/Type1164 / Warning
Event Submitted/Written: 11/28/2007 01:14:03 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{43DCF766-6838-4F9A-8C91-D92DA586DFA7}', feature 'DefaultFeature', component '{9F47ECA8-A740-EC80-1AE2-C48048D83AA4}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Journal Viewer\' does not exist.

Event Record #/Type1163 / Warning
Event Submitted/Written: 11/28/2007 01:14:03 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{43DCF766-6838-4F9A-8C91-D92DA586DFA7}', feature 'DefaultFeature' failed during request for component '{A4AD656D-72E9-43A7-9DD0-E5F6AF438E72}'

Event Record #/Type1162 / Warning
Event Submitted/Written: 11/28/2007 01:14:03 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{43DCF766-6838-4F9A-8C91-D92DA586DFA7}', feature 'DefaultFeature', component '{9F47ECA8-A740-EC80-1AE2-C48048D83AA4}' failed. The resource 'HKEY_CURRENT_USER\Software\Microsoft\Journal Viewer\' does not exist.

Event Record #/Type1161 / Warning
Event Submitted/Written: 11/28/2007 01:14:03 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{43DCF766-6838-4F9A-8C91-D92DA586DFA7}', feature 'DefaultFeature' failed during request for component '{A4AD656D-72E9-43A7-9DD0-E5F6AF438E72}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6921 / Error
Event Submitted/Written: 12/01/2007 09:00:36 AM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type6816 / Error
Event Submitted/Written: 11/29/2007 11:41:36 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type6815 / Error
Event Submitted/Written: 11/29/2007 11:41:02 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type6814 / Error
Event Submitted/Written: 11/29/2007 11:40:41 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type6813 / Error
Event Submitted/Written: 11/29/2007 11:40:33 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}



-- End of Deckard's System Scanner: finished at 2007-12-01 09:01:16 ------------

__RiP_ChAiN_
2007-12-02, 13:15
Your logs are looking good, how is your computer running?

james1
2007-12-02, 16:30
Good Morning -

After your very detailed and generous help, the computer in question seems to be running just fine. Anything else you think I should do? Please advise if so.

Before connecting back to the internet, we are going to install a virus scan/firewall to try to prevent further problems. I use McAfee on my computer and it seems to do the job. Will also install SpyBot S&D and instruct them on how to use it. Also, I've lectured both my Nephews on the dangers of visiting "questionable" web sites (I know that's how it became infected in the first place) and downloading "free" screen savers and cute smilies. This situation has been a very valuable learning experience to both boys.

I want you to know that my nephews, their parents and myself appreciate all the help you gave us. I think a small donation is in order.:bigthumb:

Again, many thanks.

Best regards,
James


__RiP_ChAiN_
2007-12-03, 07:05
Hello james1 :)

A donation is in no way required or asked for, the work we do here is purely voluntary :)
If you really do wish to give a donation however, please take a look here: http://www.spybot.info/en/donate/index.html

Run OTMoveIt
Click the green "CleanUp!" button.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet, you should allow it to do so.
In the left pane, it will display a list of tools and other related files that you may have downloaded or used during our cleanup process, plus backup folders that were created with the bad files present. These are not needed anymore, so OTMoveIt will proceed to delete them.
Do NOT edit anything in that window!
Don't worry if it displays some tools you didn't download or use.
Click "Yes" when it asks to begin the cleanup process.
Then, please reboot your computer.

Congratulations, your computer is now clean of malware!

Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:
IE/Spyad (http://www.bleepingcomputer.com/tutorials/tutorial53.html) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop-up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
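The Internet Explorer hardening steps in the post above are a click path through the Security tab. Those same six settings live under the Internet zone (zone 3) key in the registry, each as a numbered value whose state is 0 (Enable), 1 (Prompt) or 3 (Disable); the value IDs below are Microsoft's documented zone action IDs. The script is an added example, not something from the thread or from any of the tools it mentions: audit() compares a dict of current values against the recommended states so the result can be checked instead of eyeballed, and read_current_zone() fills that dict from HKCU when run on Windows (elsewhere it returns an empty dict). The "weak" settings used in the test are constructed for illustration.

```python
"""Audit Internet Explorer's Internet zone against the settings recommended above."""
import sys

# HKCU key holding the Internet zone (zone 3) security settings.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Zone action states: a higher number is a more restrictive state.
ENABLE, PROMPT, DISABLE = 0, 1, 3
STATE_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Value ID -> (setting name as shown in the Custom Level dialog, recommended state).
# IDs are Microsoft's documented IE security-zone action IDs.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit(current):
    """Return (value_id, name, found, wanted) for every setting weaker than recommended.

    `current` maps value IDs to their numeric state. A missing value is reported
    too, since the effective state then depends on a default we cannot see here.
    """
    findings = []
    for vid, (name, wanted) in RECOMMENDED.items():
        found = current.get(vid)
        if found is None or found < wanted:
            findings.append((vid, name, found, wanted))
    return findings


def describe(finding):
    """Human-readable line for one finding."""
    vid, name, found, wanted = finding
    found_txt = STATE_NAMES.get(found, "not set" if found is None else str(found))
    return f"{name} ({vid}): is {found_txt}, should be {STATE_NAMES[wanted]}"


def read_current_zone():
    """Read the live Internet-zone values from HKCU on Windows; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for vid in RECOMMENDED:
            try:
                values[vid] = winreg.QueryValueEx(key, vid)[0]
            except FileNotFoundError:
                pass  # value absent; audit() reports it
    return values


if __name__ == "__main__":
    problems = audit(read_current_zone())
    if not problems:
        print("Internet zone matches the recommended settings.")
    for f in problems:
        print(describe(f))
```

On a non-Windows host the script reports every setting as missing, which is the expected outcome of auditing nothing; the value of the example is audit() itself, which can be pointed at values exported from any machine.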

james1
2007-12-08, 11:42
Dear __RiP_ChAiN_:

Thanks for the final instructions.

The sick computer has been healed and working great, thanks to you good people.

Again, many, many thanks for your help.

Best regards,

james

__RiP_ChAiN_
2007-12-08, 23:28
Thank you for the kind words, I wish you the best of luck in the future, as well :)