View Full Version : Need a Look Please
Lane412000
2008-03-04, 16:47
Hey
I have a couple of new strange things going on with the computer that I am seeking help with.
1. When I turn on the volume, I have some song that continues playing that I have never heard before.
2. I keep getting pop up for a trusted adware product
Also, I ended up with PartyPoker.Net in my tools menu. Can I delete this?
Lastly, take a look throughout the Hijack file and let me know what else I can dump out of there.
Thanks
lane412000
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:30 AM, on 3/4/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\antiviirus.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\WINNT\System32\SCardSvr.exe
C:\DOCUME~1\LCHERA~1.OWE\LOCALS~1\Temp\kkRGoUqi.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cardinalpps.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cardinalpps.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cardinal Health PPS
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: RDL Rolex - {BF108732-DF6A-4644-BC03-F04EB71763BF} - C:\WINNT\dkxrstqnog.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA9296] command /c del "C:\WINNT\btrklfr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6673] cmd /c del "C:\WINNT\btrklfr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6675] command /c del "C:\WINNT\enlfxgw.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6831] cmd /c del "C:\WINNT\enlfxgw.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9623] command /c del "C:\WINNT\btrklfr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6784] cmd /c del "C:\WINNT\btrklfr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2696] command /c del "C:\WINNT\enlfxgw.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1117] cmd /c del "C:\WINNT\enlfxgw.dll_old"
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [ctfmon.exe] ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show (User '?')
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\RunOnce: [SpybotDeletingB9623] command /c del "C:\WINNT\btrklfr.dll_old" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-52592350-1112094291-630672053-17755 Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe (User '?')
O4 - S-1-5-21-52592350-1112094291-630672053-17755 Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe (User '?')
O4 - Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cardinalpps.com
O15 - Trusted Zone: *.cahapps.net (HKLM)
O15 - Trusted Zone: *.cardinalhealth.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155046283407
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.mikethetiger.com/cam/wg_webeye.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O21 - SSODL: KernelWin - {eebe7698-051a-4364-83c9-0c643b051a64} - C:\WINNT\Installer\{eebe7698-051a-4364-83c9-0c643b051a64}\KernelWin.dll
O21 - SSODL: apdqnxp - {BDC36390-4E9A-450A-BA06-47364D410B4C} - C:\WINNT\apdqnxp.dll
O21 - SSODL: zip - {3a0201d9-0c91-4635-9ca0-7869806def0f} - C:\WINNT\Installer\{3a0201d9-0c91-4635-9ca0-7869806def0f}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett Packard - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINNT\system32\FreezeScreenSaver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
--
End of file - 14567 bytes
Lane412000
2008-03-06, 20:55
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 06, 2008 10:56:13 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/03/2008
Kaspersky Anti-Virus database records: 553928
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
F:\
Scan Statistics:
Total number of scanned objects: 101710
Number of viruses found: 1
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 02:26:14
Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Installer\{eebe7698-051a-4364-83c9-0c643b051a64}\KernelWin.dll Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\WINNT\Installer\{3a0201d9-0c91-4635-9ca0-7869806def0f}\zip.dll Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\dZ3bert1.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\mso11.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\y5PSAiAu.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\r5GgxzHT.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\rxjxmshE.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\kkRGoUqi.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\dvndhzvV.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\cFtPReXW.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\nyd5UL95.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\SE8Ot7Qz.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DF6199.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\poaTpWoH.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DFB140.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\wwhwwlOF.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DF4C3C.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DF80C0.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\fla3D91.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.IE5\4E62XLPO\1204751588[1].exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.IE5\KHSTC6HU\1204809775[1].exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\My Documents\Excel\Expense Report.xls Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Outlook\MS Exchange Settings.srs Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Outlook\MS Exchange Settings.NK2 Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\VirusDefs\lulock.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\mifdb\errors.log Object is locked skipped
C:\Program Files\Novatel Wireless\SprintPort\1796\20080306.TXT Object is locked skipped
C:\Program Files\ISS\BlackICE\blackice-service.log Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Agents\InventoryRuleAgent\InventoryRuleCache.iad Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\PackageDownload\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\antiviirus.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\instaler.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp5522631.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp5715137.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp236690.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp465879.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp5602205.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp498677.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp86983155.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp516232.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp1742135.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp251601.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
Scan process completed.
pskelley
2008-03-07, 18:28
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
We need to do some research first:
http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Post only the C:\rapport.txt
Thanks
Lane412000
2008-03-08, 07:16
SmitFraudFix v2.300
Scan done at 6:46:27.26, Thu 03/06/2008
Run from C:\Documents and Settings\lcherami.OWENHLT\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lcherami.OWENHLT
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lcherami.OWENHLT\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LCHERA~1.OWE\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\tmp???????.exe FOUND !
C:\Program Files\antiviirus.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: dkxrstqnog.dll
BHO: RDL Rolex - {BF108732-DF6A-4644-BC03-F04EB71763BF}
TypeLib: {02A4A156-966C-4511-9797-ABC1CA0DF2A0}
Interface: {0C4C329C-34DD-4E7E-A624-316F758BFFC9}
Interface: {356BB288-2CE5-4F9E-ADB7-8EAFE63C2014}
[!] Suspicious: apdqnxp.dll
SSODL: apdqnxp - {BDC36390-4E9A-450A-BA06-47364D410B4C}
[!] Suspicious: KernelWin.dll
SSODL: KernelWin - {eebe7698-051a-4364-83c9-0c643b051a64}
[!] Suspicious: zip.dll
SSODL: zip - {3a0201d9-0c91-4635-9ca0-7869806def0f}
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2008-03-08, 13:28
Thanks for posting your information, Smitfraudfix has located the infection and will clean it next. (if there should be a hugh hosts file, edit it out of the report before you post it)
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the C:\rapport.txt and a new HJT log.
Thanks
Lane412000
2008-03-08, 16:29
pskelley
While I am in Safe Mode I am asked to enter my password to start up Windows 2000 Professional. But, my password is not accepted. I have tried with the caps on and off, but it is still is not going through.
Have any suggestions to what I might be doing incorrectly? I am flying out this morning and will check back later this afternoon.
Thanks
lane412000
pskelley
2008-03-08, 16:36
No idea, I have never run Windows 2000. Try running the instructions in normal mode and post the report. We'll see what happens.
Thanks
Lane412000
2008-03-09, 01:13
I ran Smitfraudfix in normal mode. The only question is that I received the following message:
Registry Editor
Cannot import clean.reg: Error opening the file. There may be a disk or file system error.
Otherwise, here are the rapport.txt and hjt logs
SmitFraudFix v2.300
Scan done at 16:59:37.74, Sat 03/08/2008
Run from C:\Documents and Settings\lcherami.OWENHLT\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
Error while deleting C:\WINNT\dkxrstqnog.dll.
C:\WINNT\apdqnxp.dll deleted.
C:\WINNT\Installer\{eebe7698-051a-4364-83c9-0c643b051a64}\KernelWin.dll deleted
C:\WINNT\Installer\{3a0201d9-0c91-4635-9ca0-7869806def0f}\zip.dll deleted
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINNT\privacy_danger\ Deleted
C:\Program Files\antiviirus.exe Deleted
C:\Program Files\tmp???????.exe Deleted
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:43 PM, on 3/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\WINNT\System32\SCardSvr.exe
C:\DOCUME~1\LCHERA~1.OWE\LOCALS~1\Temp\tb7qZ8b8.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINNT\explorer.exe
C:\WINNT\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cardinal Health PPS
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [ctfmon.exe] ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-52592350-1112094291-630672053-17755 Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe (User '?')
O4 - S-1-5-21-52592350-1112094291-630672053-17755 Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe (User '?')
O4 - Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cardinalpps.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155046283407
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.mikethetiger.com/cam/wg_webeye.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett Packard - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINNT\system32\FreezeScreenSaver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
--
End of file - 12738 bytes
pskelley
2008-03-09, 02:14
Looks like the fix still cleaned what it was supposed to, let's
do some more cleaning and see how the computer is running.
While I am thinking about it, I suggest you upgrade to Internet Explorer 7 if just for the additional security it willl give you. Please wait until we are done to do this.
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx
1) See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Check your Java program for an update.
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
4) Disable the Service
Click Start > Run and type services.msc
Scroll down to FreezeScreenSaver and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINNT\system32\FreezeScreenSaver.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\windows\system32\blank.htm <<< delete that file if there
C:\WINNT\system32\FreezeScreenSaver.exe <<< delete that file
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post a new HJT log and some feedback.
Thanks
Lane412000
2008-03-09, 03:58
I did not find O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINNT\system32\FreezeScreenSaver.exe in the hjt file in #5 of your instructions
Also, I did not find the files listed in #6 of your instructions
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:52 PM, on 3/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cardinal Health PPS
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [ctfmon.exe] ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-52592350-1112094291-630672053-17755 Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe (User '?')
O4 - S-1-5-21-52592350-1112094291-630672053-17755 Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe (User '?')
O4 - Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cardinalpps.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155046283407
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.mikethetiger.com/cam/wg_webeye.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett Packard - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
--
End of file - 11825 bytes
pskelley
2008-03-09, 04:09
Thanks for returning your information, that's a clean HJT log. Post a new Kaspersky Online Scan using these settings.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks
Lane412000
2008-03-09, 07:00
While the Kaspersky Online Scan was running I was able to locate and delete the following file:
C:\WINNT\system32\FreezeScreenSaver.exe <<< delete that file
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 08, 2008 10:52:10 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 560039
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
F:\
Scan Statistics:
Total number of scanned objects: 90080
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 02:15:35
Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DF947C.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DF108D.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DFBAFD.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\tb7qZ8b8.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.Word\~WRS0001.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Outlook\MS Exchange Settings.srs Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Outlook\MS Exchange Settings.NK2 Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\VirusDefs\lulock.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\mifdb\errors.log Object is locked skipped
C:\Program Files\Novatel Wireless\SprintPort\2024\20080308.TXT Object is locked skipped
C:\Program Files\ISS\BlackICE\blackice-service.log Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Agents\InventoryRuleAgent\InventoryRuleCache.iad Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\PackageDownload\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\instaler.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
Scan process completed.
pskelley
2008-03-09, 12:35
Thanks for returning your Kaspersky Scan Results:
(these are nasties, delete the contents of that Temp folder)
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\tb7qZ8b8.exe ------> Trojan-Dropper.Win32.Agent.fbe
(make 100% sure the file in red goes)
C:\Program Files\instaler.exe ------> Trojan-Dropper.Win32.Agent.fbe <<< delete that installer.
That should give you a clean scan, I do not need to see it if it is clean. Any malware issues now?
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Lane412000
2008-03-09, 17:01
Good Morning
I was able to delete:
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\tb7qZ8b8.exe ------> Trojan-Dropper.Win32.Agent.fbe
(make 100% sure the file in red goes)
C:\Program Files\instaler.exe ------> Trojan-Dropper.Win32.Agent.fbe <<< delete that installer.
by doing a file search, I deleted these two items and sent them to the recycle bin and then emptied the bin.
I went back and ran a Spybot S&D and ended up with the following:
--- Search result list ---
Microsoft.Windows.Explorer: [SBI $31F4F7F9] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-52592350-1112094291-630672053-17755\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCloseDragDropBands
Microsoft.Windows.Explorer: [SBI $6E94BB3F] User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-52592350-1112094291-630672053-17755\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar
Is this something I need to deal with?
Lastly, on post 9, we made changes to uncheck the Hide protected operating system files. Should I go back now an reverse this action?
Thanks for the help
lane412000
pskelley
2008-03-09, 18:27
Thanks for the feedback. I am of the opinion (and may be wrong) that if Spybot S&D locates something it should be able to fix it. Are you running the newest version of Spybot S&D 1.5.2? and are you fully Immunized?
http://www.safer-networking.org/en/spybotsd15/index.html
If you are, why not post for the folks who are Spybot S&D experts here:
http://forums.spybot.info/forumdisplay.php?f=4 <<< Spybot forum
http://forums.spybot.info/forumdisplay.php?f=16 <<< false positives
If you want to clean leftovers from the registry, here is a good, free tool: http://www.ccleaner.com/
The registry cleaner is: http://www.ccleaner.com/help/tour/5-issues
To use, simply press the "Scan for Issues" button and once completed press the
"Fix Selected Issues" button. You will be prompted to backup and helped throughout the process.
Be very sure you follow the instructions for making a backup. I have never had to restore an item to the registry using CCleaner but I am always prepared to do so with a backup.
I personally do not hide any files on my computers, but I have no children and no novice users who can delete a file in error. If you want to hide them, please do so. Just reverse the procees you used to view them.
Lane412000
2008-03-10, 04:40
pskelley....thanks for the help in cleaning the mess out of my computer. I am running the latest version of spybot, but will go ahead and visit the sites you provided with links.
Again, thanks for helping me.
lane412000