smitfraud



myspotts
2008-04-03, 01:53
I am having some serious trouble with this virus. I can't even load my safe mode because it is there as well. I tried to follow the instructions here given to other users but I am very computer illiterate... I have run my Spybot and Norton and Avast and they say they are fixing the problems but to no avail, they come back. I tried running the Spybot in safe mode but as I said before the little yellow triangle is there as well. I do not really understand all the technical jargon used here so someone that is patient should probably take me on!!!

This is the result of the HJT log I ran. As I am not that computer smart I tried to follow the directions as well as I could. I also ran the Spybot and tried to fix the results but they keep coming back. Also the virus is in my safe mode.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:16 PM, on 4/3/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TIREMOTE\TIRemoteService.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\sbwltbxa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\sbwltbxa.exe,
O1 - Hosts: 172.16.1.12 mhmvpn
O1 - Hosts: 172.16.1.35 RICOHA
O1 - Hosts: 172.16.1.200 MIS
O1 - Hosts: 172.16.1.200 MHMNET
O1 - Hosts: 172.16.1.201 MHM
O1 - Hosts: 172.16.1.202 DB
O1 - Hosts: 172.16.1.203 FS10
O1 - Hosts: 172.16.1.204 CDTOWER1
O1 - Hosts: 172.16.1.205 FDX
O1 - Hosts: 172.16.1.206 FS2
O1 - Hosts: 172.16.1.208 LEGALEX
O1 - Hosts: 172.16.1.207 DBACA
O1 - Hosts: 172.16.1.209
O1 - Hosts: 172.16.1.210 FSEXCH # Exchange 2003
O1 - Hosts: 172.16.1.211 VSERVER
O1 - Hosts: 172.16.1.212 COPYCENTER34COMP
O1 - Hosts: 172.16.1.213 CIM
O1 - Hosts: 172.16.1.214 SUMMATION
O1 - Hosts: 172.16.1.215 ACCUTRAC
O1 - Hosts: 172.16.1.216 FS8
O1 - Hosts: 172.16.1.217 SCANRTR
O1 - Hosts: 172.16.1.218 IPMASTER
O1 - Hosts: 172.16.1.219 CCURE
O1 - Hosts: 172.16.1.220 MITAI # TAPI Server
O1 - Hosts: 172.16.1.221 CPQTG2
O1 - Hosts: 172.16.1.222 FS1 # Win 2003 server
O1 - Hosts: 172.16.1.223 FSDC1 # W2K BAB Server
O1 - Hosts: 172.16.1.224 FSPAT # W2003 Patent Server
O1 - Hosts: 172.16.1.225 MHMPDC # W2003 DC
O1 - Hosts: 172.16.1.226 FS3 # SAVCE/SUS/Scan router
O1 - Hosts: 172.16.1.227 FS4 # Citrix
O1 - Hosts: 172.16.1.228 FS5 # Carpe Diem SQL
O1 - Hosts: 172.16.1.229 FS7 # Accuroute
O1 - Hosts: 172.16.1.230 FSSUMM # Summation SSE
O1 - Hosts: 172.16.1.231 FSMOM # Cheyenne Arcserve
O1 - Hosts: 172.16.1.232 TMM5 # Thing Magic Mercury
O1 - Hosts: 172.16.1.233 ZEBRAPRT # Zebra Printer
O1 - Hosts: 172.16.1.234
O1 - Hosts: 172.16.2.199 RECMGT # Attendance Controller
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Search - ?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlttiffCtl Class) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204448245437
O16 - DPF: {6963E8DD-A2ED-4672-B950-23A571EE8684} (ClivalX.Clival) - https://www.lexis.com/ri/Clival.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Remote (TIRmtSvc) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe

--
End of file - 7114 bytes

pskelley
2008-04-04, 16:43
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Do not run and post the Kaspersky scan now until I request it.

I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
You are infected, I am just not sure how bad and with what, it looks like this exploit:
http://www.incodesolutions.com/threats2/System32Rootsbwltbxaexe.php.
and probably a corrupted hosts file. If you want me to see what I can do, follow these instructions.

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post only the C:\rapport.txt

Thanks
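
The two indicators named in the reply above, an extra executable appended to the Winlogon Userinit value and an unusual hosts file, can be triaged automatically before anything is deleted. The script below is an added example; it is not part of this thread and not code from HijackThis, SmitfraudFix or Spybot. It reads HijackThis-style `F2` and `O1 - Hosts:` lines, reports every Userinit entry that is not the system `userinit.exe` (Windows launches each listed program at logon, which is why the appended `sbwltbxa.exe` matters), and sorts hosts entries into sinkholed (loopback, typical of immunisation lists), RFC 1918 intranet mappings (to be confirmed with whoever manages the network, as the reply asks), malformed lines with no hostname, and public-address redirects. The sample log is constructed from the lines posted in the thread; the `www.example.com` / `203.0.113.7` entry is a constructed redirect example, and `classify_hosts_entry` also accepts raw `ip hostname # comment` lines such as those in a SmitfraudFix rapport.

```python
"""Triage helper for HijackThis-style log lines (added example, not a project tool)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the HJT lines in this thread; the
# www.example.com / 203.0.113.7 line is constructed to show a public redirect.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\sbwltbxa.exe,
O1 - Hosts: 172.16.1.12 mhmvpn
O1 - Hosts: 172.16.1.209
O1 - Hosts: 172.16.1.225 MHMPDC # W2003 DC
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 203.0.113.7 www.example.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
HOSTS_PREFIX = "O1 - Hosts:"
# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_userinit(value):
    """Split the Userinit value into its program entries (a trailing comma is normal)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def unexpected_userinit(entries):
    """Return every entry that is not the system userinit.exe.

    Winlogon runs each program in the list at logon, so anything else here
    (or a same-named file outside system32) is a persistence point to check.
    """
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]


def classify_hosts_entry(text):
    """Classify one hosts line 'ip hostname # comment'; None for blank/comment lines."""
    body = text.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return ("malformed", body)  # first field is not an address
    if len(parts) < 2:
        return ("malformed", body)  # address with no hostname maps nothing
    if ip.is_loopback or ip.is_unspecified:
        return ("blocked", body)  # sinkholed name, typical of immunisation lists
    if any(ip in net for net in RFC1918):
        return ("private", body)  # intranet mapping: confirm with the network owner
    return ("redirect", body)  # public address overriding DNS: verify the owner


def triage(log_text):
    """Scan HJT log text and return the Userinit and hosts findings."""
    findings = {"userinit_extra": [], "hosts": defaultdict(list)}
    for line in log_text.splitlines():
        line = line.strip()
        m = USERINIT_RE.match(line)
        if m:
            findings["userinit_extra"].extend(unexpected_userinit(parse_userinit(m["value"])))
            continue
        if line.startswith(HOSTS_PREFIX):
            entry = classify_hosts_entry(line[len(HOSTS_PREFIX):])
            if entry:
                findings["hosts"][entry[0]].append(entry[1])
    findings["hosts"] = dict(findings["hosts"])
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for exe in result["userinit_extra"]:
        print("Userinit runs an extra program at logon:", exe)
    for category, entries in sorted(result["hosts"].items()):
        print(f"hosts [{category}]: {len(entries)} line(s)")
        for entry in entries:
            print("   ", entry)
```

On the constructed sample this reports `C:\WINNT\system32\sbwltbxa.exe` as the extra Userinit program and places the `172.16.x.x` names in the "private" bucket rather than calling them malicious: a block of intranet server names with comments like `# W2003 DC` is what a managed corporate hosts file looks like, which is exactly why the reply asks the poster where it came from instead of deleting it.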

myspotts
2008-04-04, 23:37
SmitFraudFix v2.309

Scan done at 16:33:08.34, Fri 04/04/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TIREMOTE\TIRemoteService.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\sbwltbxa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Opera\Opera.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\default.htm FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINNT\\system32\\userinit.exe,C:\\WINNT\\system32\\sbwltbxa.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VM Network Connection
DNS Server Search Order: 68.87.72.130
DNS Server Search Order: 68.87.77.130

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0460B6C9-16C3-493C-B77F-CD2F2A0DA5E1}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0460B6C9-16C3-493C-B77F-CD2F2A0DA5E1}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0460B6C9-16C3-493C-B77F-CD2F2A0DA5E1}: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{84FCB144-F480-4ED1-B7A4-C6356514790E}: DhcpNameServer=172.16.1.225 172.16.1.222
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130 68.87.77.130


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2008-04-04, 23:49
I need information from you.

1) Do you have any idea why the Hosts file is like that in the HJT log?

2) I still see TeaTimer in the Processes, did you disable it as directed in instruction #1?

3) This is going to be a complex cleanup and you mention:

but I am very computer illiterate...
If you are unsure, you may want to seek local professional help.

4) If you wish to continue, this is next:
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\rapport.txt and a new HJT log. I also need to know about that Hosts file.

Thanks

myspotts
2008-04-05, 00:42
Okay I did what you said and I apologize for the TeaTimer, as I thought I disabled it but then when I went back it hadn't, now it is...

When I went into safe mode and ran the Smitfraudfix and got to the registry cleaning part I selected yes as you said and this is what came up in a box...

cannot importcleanup.reg:error accessing the registry.

Therefore I wasn't given the option to move on to the next part of your instructions. However, here is the rapport from the scan...

SmitFraudFix v2.309

Scan done at 17:06:03.62, Fri 04/04/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
172.16.1.12 mhmvpn
172.16.1.35 RICOHA
172.16.1.200 MIS
172.16.1.200 MHMNET
172.16.1.201 MHM
172.16.1.202 DB
172.16.1.203 FS10
172.16.1.204 CDTOWER1
172.16.1.205 FDX
172.16.1.206 FS2
172.16.1.208 LEGALEX
172.16.1.207 DBACA
172.16.1.209
172.16.1.210 FSEXCH # Exchange 2003
172.16.1.211 VSERVER
172.16.1.212 COPYCENTER34COMP
172.16.1.213 CIM
172.16.1.214 SUMMATION
172.16.1.215 ACCUTRAC
172.16.1.216 FS8
172.16.1.217 SCANRTR
172.16.1.218 IPMASTER
172.16.1.219 CCURE
172.16.1.220 MITAI # TAPI Server
172.16.1.221 CPQTG2
172.16.1.222 FS1 # Win 2003 server
172.16.1.223 FSDC1 # W2K BAB Server
172.16.1.224 FSPAT # W2003 Patent Server
172.16.1.225 MHMPDC # W2003 DC
172.16.1.226 FS3 # SAVCE/SUS/Scan router
172.16.1.227 FS4 # Citrix
172.16.1.228 FS5 # Carpe Diem SQL
172.16.1.229 FS7 # Accuroute
172.16.1.230 FSSUMM # Summation SSE
172.16.1.231 FSMOM # Cheyenne Arcserve
172.16.1.232 TMM5 # Thing Magic Mercury
172.16.1.233 ZEBRAPRT # Zebra Printer
172.16.1.234
172.16.2.199 RECMGT # Attendance Controller
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com
127.0.0.1 1001-search.info
127.0.0.1 www.1001-search.info
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 123topsearch.com
127.0.0.1 www.123topsearch.com
127.0.0.1 132.com
127.0.0.1 www.132.com
127.0.0.1 136136.net
127.0.0.1 www.136136.net
127.0.0.1 139mm.com
127.0.0.1 www.139mm.com
127.0.0.1 163ns.com
127.0.0.1 www.163ns.com
127.0.0.1 171203.com
127.0.0.1 17-plus.com
127.0.0.1 1800searchonline.com
127.0.0.1 www.1800searchonline.com
127.0.0.1 180searchassistant.com
127.0.0.1 www.180searchassistant.com
127.0.0.1 180solutions.com
127.0.0.1 www.180solutions.com
127.0.0.1 181.365soft.info
127.0.0.1 www.181.365soft.info
127.0.0.1 1987324.com
127.0.0.1 www.1987324.com
127.0.0.1 1-domains-registrations.com
127.0.0.1 www.1-domains-registrations.com
127.0.0.1 1-extreme.biz
127.0.0.1 www.1-extreme.biz
127.0.0.1 1sexparty.com
127.0.0.1 www.1sexparty.com
127.0.0.1 1stantivirus.com
127.0.0.1 www.1stantivirus.com
127.0.0.1 1stpagehere.com
127.0.0.1 www.1stpagehere.com
127.0.0.1 1stsearchportal.com
127.0.0.1 www.1stsearchportal.com
127.0.0.1 2.82211.net
127.0.0.1 www.2006ooo.com
127.0.0.1 2007-download.com
127.0.0.1 www.2007-download.com
127.0.0.1 2020search.com
127.0.0.1 www.2020search.com
127.0.0.1 20x2p.com
127.0.0.1 24.365soft.info
127.0.0.1 www.24.365soft.info
127.0.0.1 24-7pharmacy.info
127.0.0.1 www.24-7pharmacy.info
127.0.0.1 24-7searching-and-more.com
127.0.0.1 www.24-7searching-and-more.com
127.0.0.1 24teen.com
127.0.0.1 www.24teen.com
127.0.0.1 2every.net
127.0.0.1 www.2every.net
127.0.0.1 2ndpower.com
127.0.0.1 2search.com
127.0.0.1 www.2search.com
127.0.0.1 2search.org
127.0.0.1 www.2search.org
127.0.0.1 2squared.com
127.0.0.1 www.2squared.com
127.0.0.1 3322.org
127.0.0.1 www.3322.org
127.0.0.1 365soft.info
127.0.0.1 36site.com
127.0.0.1 www.36site.com
127.0.0.1 3721.com
127.0.0.1 39-93.com
127.0.0.1 3abetterinternet.com
127.0.0.1 www.3abetterinternet.com
127.0.0.1 3bay.it
127.0.0.1 www.3bay.it
127.0.0.1 3ebay.it
127.0.0.1 www.3ebay.it
127.0.0.1 404dns.com
127.0.0.1 www.404dns.com
127.0.0.1 4199.com
127.0.0.1 www.4199.com
127.0.0.1 4corn.net
127.0.0.1 www.4corn.net
127.0.0.1 4ebay.it
127.0.0.1 www.4ebay.it
127.0.0.1 4klm.com
127.0.0.1 4repubblica.it
127.0.0.1 www.4repubblica.it
127.0.0.1 4softget.com
127.0.0.1 www.4softget.com
127.0.0.1 5iscali.it
127.0.0.1 www.5iscali.it
127.0.0.1 5repubblica.it
127.0.0.1 www.5repubblica.it
127.0.0.1 5starvideos.com
127.0.0.1 www.5starvideos.com
127.0.0.1 5tiscali.it
127.0.0.1 www.5tiscali.it
127.0.0.1 5zgmu7o20kt5d8yq.com
127.0.0.1 www.5zgmu7o20kt5d8yq.com
127.0.0.1 6iscali.it
127.0.0.1 www.6iscali.it
127.0.0.1 6sek.com
127.0.0.1 www.6sek.com
127.0.0.1 6tiscali.it
127.0.0.1 www.6tiscali.it
127.0.0.1 7322.com
127.0.0.1 www.7322.com
127.0.0.1 75tz.com
127.0.0.1 777search.com
127.0.0.1 www.777search.com
127.0.0.1 777top.com
127.0.0.1 www.777top.com
127.0.0.1 7939.com
127.0.0.1 www.7939.com
127.0.0.1 7search.com
127.0.0.1 www.7search.com
127.0.0.1 80gw6ry3i3x3qbrkwhxhw.032439.com
127.0.0.1 82211.net
127.0.0.1 8866.org
127.0.0.1 888.com
127.0.0.1 www.888.com
127.0.0.1 images.888.com
127.0.0.1 8ad.com
127.0.0.1 www.8ad.com
127.0.0.1 9505.com
127.0.0.1 www.9505.com
127.0.0.1 971searchbox.com
127.0.0.1 www.971searchbox.com
127.0.0.1 a.bestmanage.org
127.0.0.1 aaasexypics.com
127.0.0.1 aaawebfinder.com
127.0.0.1 www.aaawebfinder.com
127.0.0.1 aavc.com
127.0.0.1 abc-find.info
127.0.0.1 www.abc-find.info
127.0.0.1 abetterinternet.com
127.0.0.1 www.abetterinternet.com
127.0.0.1 abnetsoft.info
127.0.0.1 www.abnetsoft.info
127.0.0.1 aboutclicker.com
127.0.0.1 www.aboutclicker.com
127.0.0.1 abrp.net
127.0.0.1 www.abrp.net
127.0.0.1 absolutee.com
127.0.0.1 www.absolutee.com
127.0.0.1 abyssmedia.com
127.0.0.1 www.abyssmedia.com
127.0.0.1 ac66.cn
127.0.0.1 www.ac66.cn
127.0.0.1 access.Navinetwork.com
127.0.0.1 access.rapid-pass.net
127.0.0.1 accessactivexvideo.com
127.0.0.1 www.accessactivexvideo.com
127.0.0.1 accessclips.com
127.0.0.1 www.accessclips.com
127.0.0.1 access-dvd.com
127.0.0.1 www.access-dvd.com
127.0.0.1 accesskeygenerator.com
127.0.0.1 www.accesskeygenerator.com
127.0.0.1 accessorygeeks.com
127.0.0.1 www.accessorygeeks.com
127.0.0.1 accessthefuture.net
127.0.0.1 www.accessthefuture.net
127.0.0.1 accessvid.net
127.0.0.1 www.accessvid.net
127.0.0.1 acemedic.com
127.0.0.1 www.acemedic.com
127.0.0.1 ace-webmaster.com
127.0.0.1 www.ace-webmaster.com
127.0.0.1 acjp.com
127.0.0.1 acrobat-2007.com
127.0.0.1 www.acrobat-2007.com
127.0.0.1 acrobat-8.com
127.0.0.1 www.acrobat-8.com
127.0.0.1 acrobat-center.com
127.0.0.1 www.acrobat-center.com
127.0.0.1 acrobat-hq.com
127.0.0.1 www.acrobat-hq.com
127.0.0.1 acrobatreader-8.com
127.0.0.1 www.acrobatreader-8.com
127.0.0.1 acrobat-reader-8.de
127.0.0.1 www.acrobat-reader-8.de
127.0.0.1 acrobat-stop.com
127.0.0.1 www.acrobat-stop.com
127.0.0.1 actionbreastcancer.org
127.0.0.1 www.actionbreastcancer.org
127.0.0.1 activesearcher.info
127.0.0.1 www.activesearcher.info
127.0.0.1 activexaccessobject.com
127.0.0.1 www.activexaccessobject.com
127.0.0.1 activexaccessvideo.com
127.0.0.1 www.activexaccessvideo.com
127.0.0.1 activexemedia.com
127.0.0.1 www.activexemedia.com
127.0.0.1 activexmediaobject.com
127.0.0.1 www.activexmediaobject.com
127.0.0.1 activexmediapro.com
127.0.0.1 www.activexmediapro.com
127.0.0.1 activexmediasite.com
127.0.0.1 www.activexmediasite.com
127.0.0.1 activexmediasoftware.com
127.0.0.1 www.activexmediasoftware.com
127.0.0.1 activexmediasource.com
127.0.0.1 www.activexmediasource.com
127.0.0.1 activexmediatool.com
127.0.0.1 www.activexmediatool.com
127.0.0.1 activexmediatour.com
127.0.0.1 www.activexmediatour.com
127.0.0.1 activexsoftwares.com
127.0.0.1 www.activexsoftwares.com
127.0.0.1 activexsource.com
127.0.0.1 www.activexsource.com
127.0.0.1 activexupdate.com
127.0.0.1 www.activexupdate.com
127.0.0.1 activexvideo.com
127.0.0.1 www.activexvideo.com
127.0.0.1 activexvideotool.com
127.0.0.1 www.activexvideotool.com
127.0.0.1 ad.marketingsector.com
127.0.0.1 www.ad.marketingsector.com
127.0.0.1 ad.mokead.com
127.0.0.1 www.ad.mokead.com
127.0.0.1 ad.yieldmanager.com
127.0.0.1 www.ad.yieldmanager.com
127.0.0.1 ad25.com
127.0.0.1 ad45.com
127.0.0.1 ad77.com
127.0.0.1 ad86.com
127.0.0.1 adamsupportgroup.org
127.0.0.1 www.adamsupportgroup.org
127.0.0.1 adarmor.com
127.0.0.1 www.adarmor.com
127.0.0.1 adasearch.com
127.0.0.1 www.adasearch.com
127.0.0.1 adaware.cc
127.0.0.1 adawarenow.com
127.0.0.1 www.adawarenow.com
127.0.0.1 addictivetechnologies.com
127.0.0.1 www.addictivetechnologies.com
127.0.0.1 addictivetechnologies.net
127.0.0.1 www.addictivetechnologies.net
127.0.0.1 add-manager.com
127.0.0.1 www.add-manager.com
127.0.0.1 adgate.info
127.0.0.1 www.adgate.info
127.0.0.1 adipics.com
127.0.0.1 www.adipics.com
127.0.0.1 admin2cash.biz
127.0.0.1 www.admin2cash.biz
127.0.0.1 adnet-plus.com
127.0.0.1 adobe-download-now.com
127.0.0.1 adobe-downloads.com
127.0.0.1 www.adobe-downloads.com
127.0.0.1 adobe-reader-8.fr
127.0.0.1 www.adobe-reader-8.fr
127.0.0.1 adprotect.com
127.0.0.1 www.adprotect.com
127.0.0.1 ads.centralmedia.ws
127.0.0.1 ads.k8l.info
127.0.0.1 ads.kmpads.com
127.0.0.1 ads.marketingsector.com
127.0.0.1 ads.searchingbooth.com
127.0.0.1 ads.z-quest.com
127.0.0.1 ads183.com
127.0.0.1 www.ads183.com
127.0.0.1 adscontex.com
127.0.0.1 www.adscontex.com
127.0.0.1 adservices1.enhance.com
127.0.0.1 www.adservices1.enhance.com
127.0.0.1 adservs.com
127.0.0.1 adsextend.net
127.0.0.1 www.adsextend.net
127.0.0.1 adshttp.com
127.0.0.1 www.adshttp.com
127.0.0.1 adsonwww.com
127.0.0.1 www.adsonwww.com
127.0.0.1 adspics.com
127.0.0.1 www.adspics.com
127.0.0.1 adtrak.net
127.0.0.1 www.adtrak.net
127.0.0.1 adtrgt.com
127.0.0.1 adult777search.info
127.0.0.1 www.adult777search.info
127.0.0.1 adultan.com
127.0.0.1 www.adultan.com
127.0.0.1 adult-engine-search.com
127.0.0.1 www.adult-engine-search.com
127.0.0.1 adult-erotic-guide.net
127.0.0.1 www.adult-erotic-guide.net
127.0.0.1 adultfilmsite.com
127.0.0.1 www.adultfilmsite.com
127.0.0.1 adult-friends-finder.net
127.0.0.1 www.adult-friends-finder.net
127.0.0.1 adultgambling.org
127.0.0.1 adult-host.org
127.0.0.1 adulthyperlinks.com
127.0.0.1 www.adulthyperlinks.com
127.0.0.1 adultmovieplus.com
127.0.0.1 www.adultmovieplus.com
127.0.0.1 adult-personal.us
127.0.0.1 adultsgames.net
127.0.0.1 adultsper.com
127.0.0.1 www.adultsper.com
127.0.0.1 adulttds.com
127.0.0.1 www.adulttds.com
127.0.0.1 adultzoneworld.com
127.0.0.1 www.adultzoneworld.com
127.0.0.1 advcash.biz
127.0.0.1 www.advcash.biz
127.0.0.1 advert.exaccess.ru
127.0.0.1 advertisemoney.info
127.0.0.1 www.advertisemoney.info
127.0.0.1 advertising.paltalk.com
127.0.0.1 advertising-money.info
127.0.0.1 www.advertising-money.info
127.0.0.1 ad-ware.cc
127.0.0.1 ad-w-a-r-e.com
127.0.0.1 www.ad-w-a-r-e.com
127.0.0.1 a-d-w-a-r-e.com
127.0.0.1 www.a-d-w-a-r-e.com
127.0.0.1 adwarebazooka.com
127.0.0.1 www.adwarebazooka.com
127.0.0.1 adwarefinder.com
127.0.0.1 www.adwarefinder.com
127.0.0.1 adwareprotectionsite.com
127.0.0.1 www.adwareprotectionsite.com
127.0.0.1 adwarepunisher.com
127.0.0.1 www.adwarepunisher.com
127.0.0.1 aflgate.com
127.0.0.1 www.aflgate.com
127.0.0.1 africaspromise.org
127.0.0.1 agava.com
127.0.0.1 agava.ru
127.0.0.1 agentstudio.com
127.0.0.1 aginegialle.it
127.0.0.1 www.aginegialle.it
127.0.0.1 www.aifind.info
127.0.0.1 aifind.info
127.0.0.1 airtleworld.com
127.0.0.1 www.airtleworld.com
127.0.0.1 aitalia.it
127.0.0.1 www.aitalia.it
127.0.0.1 akamai.downloadv3.com
127.0.0.1 aklitalia.it
127.0.0.1 www.aklitalia.it
127.0.0.1 akril.com
127.0.0.1 alcatel.ws
127.0.0.1 alfacleaner.com
127.0.0.1 www.alfacleaner.com
127.0.0.1 alfa-search.com
127.0.0.1 alialia.it
127.0.0.1 www.alialia.it
127.0.0.1 aliotalia.it
127.0.0.1 www.aliotalia.it
127.0.0.1 alirtalia.it
127.0.0.1 www.alirtalia.it
127.0.0.1 alitaia.it
127.0.0.1 www.alitaia.it
127.0.0.1 alitaklia.it
127.0.0.1 www.alitaklia.it
127.0.0.1 alitala.it
127.0.0.1 www.alitala.it
127.0.0.1 alitali.it
127.0.0.1 www.alitali.it
127.0.0.1 alitaliaq.it
127.0.0.1 www.alitaliaq.it
127.0.0.1 alitalias.it
127.0.0.1 www.alitalias.it
127.0.0.1 alitaliaz.it
127.0.0.1 www.alitaliaz.it
127.0.0.1 alitalioa.it
127.0.0.1 www.alitalioa.it
127.0.0.1 alitalisa.it
127.0.0.1 www.alitalisa.it
127.0.0.1 alitaliua.it
127.0.0.1 www.alitaliua.it
127.0.0.1 alitalkia.it
127.0.0.1 www.alitalkia.it
127.0.0.1 alitaloia.it
127.0.0.1 www.alitaloia.it
127.0.0.1 alitaluia.it
127.0.0.1 www.alitaluia.it
127.0.0.1 alitaslia.it
127.0.0.1 www.alitaslia.it
127.0.0.1 alitlia.it
127.0.0.1 www.alitlia.it
127.0.0.1 alitralia.it
127.0.0.1 www.alitralia.it
127.0.0.1 alitsalia.it
127.0.0.1 www.alitsalia.it
127.0.0.1 aliutalia.it
127.0.0.1 www.aliutalia.it
127.0.0.1 ALL1COUNT.NET
127.0.0.1 www.ALL1COUNT.NET
127.0.0.1 all4internet.com
127.0.0.1 www.all4internet.com
127.0.0.1 allabtcars.com
127.0.0.1 allabtjeeps.com
127.0.0.1 all-bittorrent.com
127.0.0.1 www.all-bittorrent.com
127.0.0.1 www.allcybersearch.com
127.0.0.1 allcybersearch.com
127.0.0.1 alldnserrors.com
127.0.0.1 www.alldnserrors.com
127.0.0.1 all-downloads-now.com
127.0.0.1 www.all-downloads-now.com
127.0.0.1 all-edonkey.com
127.0.0.1 www.all-edonkey.com

Here's the beginning, it's only letting me put so much at a time so I wasn't sure if this was the right thing because I had to break it up in 12 portions... if not I didn't want to post it all and waste your time...

myspotts
2008-04-05, 00:44
This is the new HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:44:51 PM, on 4/4/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TIREMOTE\TIRemoteService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\sbwltbxa.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Opera\Opera.exe
C:\WINNT\system32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\sbwltbxa.exe,
O1 - Hosts: 172.16.1.12 mhmvpn
O1 - Hosts: 172.16.1.35 RICOHA
O1 - Hosts: 172.16.1.200 MIS
O1 - Hosts: 172.16.1.200 MHMNET
O1 - Hosts: 172.16.1.201 MHM
O1 - Hosts: 172.16.1.202 DB
O1 - Hosts: 172.16.1.203 FS10
O1 - Hosts: 172.16.1.204 CDTOWER1
O1 - Hosts: 172.16.1.205 FDX
O1 - Hosts: 172.16.1.206 FS2
O1 - Hosts: 172.16.1.208 LEGALEX
O1 - Hosts: 172.16.1.207 DBACA
O1 - Hosts: 172.16.1.209
O1 - Hosts: 172.16.1.210 FSEXCH # Exchange 2003
O1 - Hosts: 172.16.1.211 VSERVER
O1 - Hosts: 172.16.1.212 COPYCENTER34COMP
O1 - Hosts: 172.16.1.213 CIM
O1 - Hosts: 172.16.1.214 SUMMATION
O1 - Hosts: 172.16.1.215 ACCUTRAC
O1 - Hosts: 172.16.1.216 FS8
O1 - Hosts: 172.16.1.217 SCANRTR
O1 - Hosts: 172.16.1.218 IPMASTER
O1 - Hosts: 172.16.1.219 CCURE
O1 - Hosts: 172.16.1.220 MITAI # TAPI Server
O1 - Hosts: 172.16.1.221 CPQTG2
O1 - Hosts: 172.16.1.222 FS1 # Win 2003 server
O1 - Hosts: 172.16.1.223 FSDC1 # W2K BAB Server
O1 - Hosts: 172.16.1.224 FSPAT # W2003 Patent Server
O1 - Hosts: 172.16.1.225 MHMPDC # W2003 DC
O1 - Hosts: 172.16.1.226 FS3 # SAVCE/SUS/Scan router
O1 - Hosts: 172.16.1.227 FS4 # Citrix
O1 - Hosts: 172.16.1.228 FS5 # Carpe Diem SQL
O1 - Hosts: 172.16.1.229 FS7 # Accuroute
O1 - Hosts: 172.16.1.230 FSSUMM # Summation SSE
O1 - Hosts: 172.16.1.231 FSMOM # Cheyenne Arcserve
O1 - Hosts: 172.16.1.232 TMM5 # Thing Magic Mercury
O1 - Hosts: 172.16.1.233 ZEBRAPRT # Zebra Printer
O1 - Hosts: 172.16.1.234
O1 - Hosts: 172.16.2.199 RECMGT # Attendance Controller
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - ?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlttiffCtl Class) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204448245437
O16 - DPF: {6963E8DD-A2ED-4672-B950-23A571EE8684} (ClivalX.Clival) - https://www.lexis.com/ri/Clival.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Remote (TIRmtSvc) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe

--
End of file - 6891 bytes

pskelley
2008-04-05, 01:24
Do not post any more of that hosts file, I do not need to see it.

I do however need the answer to this question:

1) Do you have any idea why the Hosts file is like that in the HJT log? The numbers that start with: 172.16 <<< did you create that in the hosts file or can we remove those?

If you did not have anything to do with those numbers starting with 172.16.1, proceed like this:

1) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log

(wait until we finish to post the reports and logs)

2) In some cases it's sometimes quite useful to reset TeaTimer, once you've had it disabled to remove HijackThis entries:
Download ResetTeaTimer.bat.
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\sbwltbxa.exe,

(If you had nothing to do with the Hosts file numbers starting with 172.16.1 etc., then check and remove them)

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the report from SDFix and a new HJT log.

Thanks
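The triage rules in the post above (an extra executable in the UserInit value, BHO registrations with no file behind them, Hosts overrides the owner has to vouch for, a Local Page path that does not match the machine's system root, a context-menu item with no resolvable target) can be applied mechanically before a helper reads a log by hand. The Python below is an added example written for this thread; it is not HijackThis, SDFix or any other tool mentioned here. The sample lines are constructed from the log posted earlier, and the `system_root` parameter, the severity labels and the O8 target heuristic are this example's own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines modelled on the HJT log posted earlier in this thread.
SAMPLE_LOG = r"""
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\sbwltbxa.exe,
O1 - Hosts: 172.16.1.12 mhmvpn
O1 - Hosts: 172.16.1.200 MIS
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - ?p=ZK
"""

# "R0 - ...", "F2 - ...", "O2 - ...": section tag, separator, body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Targets a context-menu item (O8) can legitimately point at: a URL, a res:// URL or a local file.
TARGET_RE = re.compile(r"^(https?://|res://|[a-z]:\\)")


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "F2"
    severity: str  # "high", "medium", "low" or "info" (labels are this example's own choice)
    reason: str
    line: str


def triage(log_text: str, system_root: str = r"C:\WINNT") -> list[Finding]:
    r"""Apply the thread's triage rules to HJT log lines and return the entries worth a second look.

    system_root is a hypothetical parameter: the Windows directory the log was taken on, used to
    spot paths such as C:\windows\... on a machine whose system root is C:\WINNT.
    """
    findings: list[Finding] = []
    root = system_root.lower()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, running processes, blank lines
        section, body = m.groups()

        if section == "F2" and "UserInit=" in body:
            # UserInit is a comma-separated list; anything besides userinit.exe runs at every logon.
            value = body.split("UserInit=", 1)[1]
            extras = [p.strip() for p in value.split(",")
                      if p.strip() and not p.strip().lower().endswith("userinit.exe")]
            if extras:
                findings.append(Finding(section, "high",
                                        "extra UserInit executable(s): " + ", ".join(extras), line))
        elif section == "O2" and body.endswith("(no file)"):
            # Registration survives but the DLL is gone: a leftover that is safe to clean up.
            findings.append(Finding(section, "low", "orphaned BHO registration (no file on disk)", line))
        elif section == "O1":
            # Hosts overrides can be legitimate (corporate LAN) or a hijack; the owner has to say which.
            findings.append(Finding(section, "info", "hosts file override; confirm it is intentional", line))
        elif section.startswith("R") and "Local Page" in body:
            path = body.split("=", 1)[1].strip().lower()
            if not path.startswith(root):
                findings.append(Finding(section, "medium", f"Local Page outside {system_root}", line))
        elif section == "O8":
            target = body.rsplit(" - ", 1)[-1].strip()
            if not TARGET_RE.match(target.lower()):
                findings.append(Finding(section, "medium",
                                        f"context menu target is not a resolvable URL or path: {target}", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a helper sees at a glance what the log contains."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

On the sample above the script flags the F2 line as high (the second executable in UserInit is the one SDFix later kills), the R0 Local Page as medium because `C:\windows` is not this machine's `C:\WINNT`, the single orphaned BHO as low, both Hosts lines as info, and the `?p=ZK` context-menu item as medium; the Spybot BHO and the avast! Run entry pass untouched.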

myspotts
2008-04-05, 04:09
SDFix: Version 1.166

Run by Administrator on Fri 04/04/2008 at 8:44p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\sdfix

Checking Services :

Killing PID 392 'sbwltbxa.exe'

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\SYSTEM32\ALCNIH~1.BMP - Deleted
C:\WINNT\SYSTEM32\ALGBEPCB.BMP - Deleted
C:\WINNT\SYSTEM32\ALSJET.BMP - Deleted
C:\WINNT\SYSTEM32\ATSJAP~1.BMP - Deleted
C:\WINNT\SYSTEM32\BATOBET.BMP - Deleted
C:\WINNT\SYSTEM32\BEDORM~1.BMP - Deleted
C:\WINNT\SYSTEM32\BETKBQ~1.BMP - Deleted
C:\WINNT\SYSTEM32\BIDORAD.BMP - Deleted
C:\WINNT\SYSTEM32\BIPGB.BMP - Deleted
C:\WINNT\SYSTEM32\BITCRI~1.BMP - Deleted
C:\WINNT\SYSTEM32\BQDKRID.BMP - Deleted
C:\WINNT\SYSTEM32\BQHKB.BMP - Deleted
C:\WINNT\SYSTEM32\BQTCBA~1.BMP - Deleted
C:\WINNT\SYSTEM32\BQTGB.BMP - Deleted
C:\WINNT\SYSTEM32\CJITKN~1.BMP - Deleted
C:\WINNT\SYSTEM32\CREHSR~1.BMP - Deleted
C:\WINNT\SYSTEM32\DCBML.BMP - Deleted
C:\WINNT\SYSTEM32\DGRQPKB.BMP - Deleted
C:\WINNT\SYSTEM32\DKJMHS~1.BMP - Deleted
C:\WINNT\SYSTEM32\DKNMD.BMP - Deleted
C:\WINNT\SYSTEM32\DKRITGF.BMP - Deleted
C:\WINNT\SYSTEM32\DSBAPC~1.BMP - Deleted
C:\WINNT\SYSTEM32\EHCBAD~1.BMP - Deleted
C:\WINNT\SYSTEM32\ELCJIL~1.BMP - Deleted
C:\WINNT\SYSTEM32\ELGRIL~1.BMP - Deleted
C:\WINNT\SYSTEM32\EPKFAH.BMP - Deleted
C:\WINNT\SYSTEM32\EPKFIH~1.BMP - Deleted
C:\WINNT\SYSTEM32\EPOJMLCN.BMP - Deleted
C:\WINNT\SYSTEM32\FIPKRE~1.BMP - Deleted
C:\WINNT\SYSTEM32\FITGJM~1.BMP - Deleted
C:\WINNT\SYSTEM32\FMDCNAT.BMP - Deleted
C:\WINNT\SYSTEM32\FMLGB.BMP - Deleted
C:\WINNT\SYSTEM32\FQLSFIH.BMP - Deleted
C:\WINNT\SYSTEM32\GBQHSF~1.BMP - Deleted
C:\WINNT\SYSTEM32\GFATGF~1.BMP - Deleted
C:\WINNT\SYSTEM32\GFITKN~1.BMP - Deleted
C:\WINNT\SYSTEM32\GNILKFAP.BMP - Deleted
C:\WINNT\SYSTEM32\GNMPKF~1.BMP - Deleted
C:\WINNT\SYSTEM32\GRITSN~1.BMP - Deleted
C:\WINNT\SYSTEM32\HCJMD.BMP - Deleted
C:\WINNT\SYSTEM32\HCNITOF.BMP - Deleted
C:\WINNT\SYSTEM32\HKBQTG~1.BMP - Deleted
C:\WINNT\SYSTEM32\HOBIP.BMP - Deleted
C:\WINNT\SYSTEM32\HSFQTK~1.BMP - Deleted
C:\WINNT\SYSTEM32\IDCNMH~1.BMP - Deleted
C:\WINNT\SYSTEM32\IHCRAHSR.BMP - Deleted
C:\WINNT\SYSTEM32\IHONQDKN.BMP - Deleted
C:\WINNT\SYSTEM32\IPGFEDCF.BMP - Deleted
C:\WINNT\SYSTEM32\IPGRIT~1.BMP - Deleted
C:\WINNT\SYSTEM32\JALOFI~1.BMP - Deleted
C:\WINNT\SYSTEM32\JELCJE~1.BMP - Deleted
C:\WINNT\SYSTEM32\JILGJQ~1.BMP - Deleted
C:\WINNT\SYSTEM32\JMTGF.BMP - Deleted
C:\WINNT\SYSTEM32\KJELCR~1.BMP - Deleted
C:\WINNT\SYSTEM32\KJILKJ~1.BMP - Deleted
C:\WINNT\SYSTEM32\KNIHGFEH.BMP - Deleted
C:\WINNT\SYSTEM32\KRMLKJ.BMP - Deleted
C:\WINNT\SYSTEM32\KRMTKNET.BMP - Deleted
C:\WINNT\SYSTEM32\KRQHGB~1.BMP - Deleted
C:\WINNT\SYSTEM32\LGJIPO~1.BMP - Deleted
C:\WINNT\SYSTEM32\LKFMD.BMP - Deleted
C:\WINNT\SYSTEM32\LKNILO~1.BMP - Deleted
C:\WINNT\SYSTEM32\LKRADS~1.BMP - Deleted
C:\WINNT\SYSTEM32\LKRATO~1.BMP - Deleted
C:\WINNT\SYSTEM32\LORMHO~1.BMP - Deleted
C:\WINNT\SYSTEM32\LSNATSF.BMP - Deleted
C:\WINNT\SYSTEM32\MHKREH~1.BMP - Deleted
C:\WINNT\SYSTEM32\MPGFML~1.BMP - Deleted
C:\WINNT\SYSTEM32\MTGRML.BMP - Deleted
C:\WINNT\SYSTEM32\MTKFAL~1.BMP - Deleted
C:\WINNT\SYSTEM32\NALKNQ~1.BMP - Deleted
C:\WINNT\SYSTEM32\NELGJQ~1.BMP - Deleted
C:\WINNT\SYSTEM32\NIDSFI~1.BMP - Deleted
C:\WINNT\SYSTEM32\NITGJA~1.BMP - Deleted
C:\WINNT\SYSTEM32\NMPCJQ~1.BMP - Deleted
C:\WINNT\SYSTEM32\NQPKF.BMP - Deleted
C:\WINNT\SYSTEM32\NQTKBM~1.BMP - Deleted
C:\WINNT\SYSTEM32\OBAHGN.BMP - Deleted
C:\WINNT\SYSTEM32\OBQPGR~1.BMP - Deleted
C:\WINNT\SYSTEM32\OFAHON.BMP - Deleted
C:\WINNT\SYSTEM32\OFILCRMT.BMP - Deleted
C:\WINNT\SYSTEM32\OFMHKJET.BMP - Deleted
C:\WINNT\SYSTEM32\OJQTCFAH.BMP - Deleted
C:\WINNT\SYSTEM32\ONIPSN~1.BMP - Deleted
C:\WINNT\SYSTEM32\ONQDGN~1.BMP - Deleted
C:\WINNT\SYSTEM32\PCNEHG~1.BMP - Deleted
C:\WINNT\SYSTEM32\PGFADC~1.BMP - Deleted
C:\WINNT\SYSTEM32\PGNQLO~1.BMP - Deleted
C:\WINNT\SYSTEM32\PKBQTS~1.BMP - Deleted
C:\WINNT\SYSTEM32\POJMTK~1.BMP - Deleted
C:\WINNT\SYSTEM32\PONIPC~1.BMP - Deleted
C:\WINNT\SYSTEM32\QHCNMH~1.BMP - Deleted
C:\WINNT\SYSTEM32\QLGBMD~1.BMP - Deleted
C:\WINNT\SYSTEM32\QLONQL~1.BMP - Deleted
C:\WINNT\SYSTEM32\QLSFEP~1.BMP - Deleted
C:\WINNT\SYSTEM32\QPKFIP~1.BMP - Deleted
C:\WINNT\SYSTEM32\QPSJQT.BMP - Deleted
C:\WINNT\SYSTEM32\REDKNMT.BMP - Deleted
C:\WINNT\SYSTEM32\REPKBE~1.BMP - Deleted
C:\WINNT\SYSTEM32\SBEPSR~1.BMP - Deleted
C:\WINNT\SYSTEM32\SBITCN~1.BMP - Deleted
C:\WINNT\SYSTEM32\SBQPOJ~1.BMP - Deleted
C:\WINNT\SYSTEM32\SFELSF~1.BMP - Deleted
C:\WINNT\SYSTEM32\SFMDGB~1.BMP - Deleted
C:\WINNT\SYSTEM32\SJIPGR.BMP - Deleted
C:\WINNT\SYSTEM32\SNEDSF~1.BMP - Deleted
C:\WINNT\SYSTEM32\SNIPOJ.BMP - Deleted
C:\WINNT\SYSTEM32\SNQTKB.BMP - Deleted
C:\WINNT\SYSTEM32\SRAHSFQT.BMP - Deleted
C:\WINNT\SYSTEM32\SRAPCF~1.BMP - Deleted
C:\WINNT\SYSTEM32\SRATCB~1.BMP - Deleted
C:\WINNT\SYSTEM32\SRELKN~1.BMP - Deleted
C:\WINNT\SYSTEM32\SRITGFED.BMP - Deleted
C:\WINNT\SYSTEM32\TCNILG~1.BMP - Deleted
C:\WINNT\SYSTEM32\TGNQLK~1.BMP - Deleted
C:\WINNT\SYSTEM32\TKBILSB.BMP - Deleted
C:\WINNT\system32\m1ax1d12132116143v.exe - Deleted
C:\WINNT\default.htm - Deleted
C:\WINNT\system32\sbwltbxa.exe - Deleted
C:\WINNT\system32\wscmp.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 20:48:38
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"StateIndex"=dword:00000000

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\sdfix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Fri 8 Feb 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 8 Feb 2008 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Thu 2 Sep 2004 27,264 A..HR --- "C:\WINNT\system32\drivers\rndismpk.sys"
Thu 2 Sep 2004 11,136 A..HR --- "C:\WINNT\system32\drivers\usb8023k.sys"
Mon 31 Mar 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\10f9b0470cf508a7857e3724663c5cd8\BIT36.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\11f7069d345200b0242f6a9b1df0e627\BIT107.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\11f7069d345200b0242f6a9b1df0e627\BIT5.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\11f7069d345200b0242f6a9b1df0e627\BITB.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\17b4a9d810be3a94c0d5c16957fc22ca\BIT38.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\227367a1c06b0b0e3a710a19ecabf866\BIT4.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\227367a1c06b0b0e3a710a19ecabf866\BIT9.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\2318c5baf63ca5d2266c07c0a678f33b\BIT92.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4c95216461b151a800c0b0d05983e92d\BIT6.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4c95216461b151a800c0b0d05983e92d\BITA.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4fd67578ef9ff83de7b13e9005436f80\BIT105.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\4fd67578ef9ff83de7b13e9005436f80\BIT5.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\5b53a5d73a2c9002a50d3203765d2757\BIT1BB.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\6361da5124a769c641617ca08e8dfcaa\BIT4.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\6361da5124a769c641617ca08e8dfcaa\BIT8F.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\6361da5124a769c641617ca08e8dfcaa\BITA.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\6f404afeb4b5d98e32aaf1f32c8c6d3a\BIT9.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\800dd43eb595ee5ac8fe05f1ffb84652\BIT3B.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\81d14963a0a289892ba4b9aa6a0ddcbc\BIT6.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\81d14963a0a289892ba4b9aa6a0ddcbc\BIT94.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\81d14963a0a289892ba4b9aa6a0ddcbc\BITD.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\89ebc7efb639504b56fcd6bc171624d6\BIT12.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\89ebc7efb639504b56fcd6bc171624d6\BITD.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\8efdf9cca1b7ec575f97ca80b743a4a0\BIT1BA.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\8efdf9cca1b7ec575f97ca80b743a4a0\BIT3.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\a101ba62bfb9b0414be140478baf4876\BITC.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\b8a2260365ccf5aa4222c799e475f860\BIT7.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\b8a2260365ccf5aa4222c799e475f860\BITB.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\c30c4d8ceb3146f8172f1ae1253b2bd5\BIT1BF.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\c30c4d8ceb3146f8172f1ae1253b2bd5\BIT7.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\c30c4d8ceb3146f8172f1ae1253b2bd5\BITE.tmp"
Mon 31 Mar 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\c7c2169ab31fe32e0f5b769bca094c73\BIT37.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\d515bc732c0baab00795eb6c5fb89cff\BIT4.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\d515bc732c0baab00795eb6c5fb89cff\BIT93.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\e04d9f5115a7e5a37300efda5eb999fa\BIT10.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\e04d9f5115a7e5a37300efda5eb999fa\BIT1C0.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINNT\SoftwareDistribution\Download\e04d9f5115a7e5a37300efda5eb999fa\BIT8.tmp"
Fri 8 Feb 2008 4,348 ...H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1key.bak"
Thu 6 Mar 2008 401 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv1lic.bak"
Fri 8 Feb 2008 312 ...H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2key.bak"
Thu 6 Mar 2008 1,536 A..H. --- "C:\Documents and Settings\Administrator\My Documents\My Music\License Backup\drmv2lic.bak"

Finished!

myspotts
2008-04-05, 04:12
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:04 PM, on 4/4/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TIREMOTE\TIRemoteService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - ?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlttiffCtl Class) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204448245437
O16 - DPF: {6963E8DD-A2ED-4672-B950-23A571EE8684} (ClivalX.Clival) - https://www.lexis.com/ri/Clival.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Remote (TIRmtSvc) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe

--
End of file - 3827 bytes

myspotts
2008-04-05, 04:19
I am sorry, I forgot to check three of the boxes you said to and I caught it too late, so I went back and did that and here's the newest log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:17:47 PM, on 4/4/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TIREMOTE\TIRemoteService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\cidaemon.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - ?p=ZK
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlttiffCtl Class) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204448245437
O16 - DPF: {6963E8DD-A2ED-4672-B950-23A571EE8684} (ClivalX.Clival) - https://www.lexis.com/ri/Clival.CAB
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Track-It! Remote Control (TIRmtCtl) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\wuser32.exe
O23 - Service: Track-It! Remote (TIRmtSvc) - Blue Ocean Software, Inc. - C:\WINNT\TIREMOTE\TIRemoteService.exe

--
End of file - 3635 bytes

pskelley
2008-04-05, 12:31
Thanks for returning your information, while I think about it, you need to create a folder for HJT if you are going to run it from the Desktop.
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe <<< right click a blank spot on the Desktop and make a new Folder, call it HJT. Open the folder and drag and drop or copy and paste the HJT.exe, backup file and HJT log into that folder for safety. Looks like this:
C:\Documents and Settings\Administrator\Desktop\HJT\HiJackThis.exe

This HJT log looks good this morning, how is the computer running? Let's have Kaspersky look to make sure nothing bad was missed, remove Smitfraudfix and SDFix from your computer before you scan. The scan will take a while:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

myspotts
2008-04-05, 22:34
Okay, here it is. After we are done maybe you could give me some pointers on how to set my Spybot to detect this in the future? Or another protection device? And thank you for your time, it is appreciated. You asked how my comp is running and it looks a lot better without the annoying screensaver and popup boxes.

KASPERSKY ONLINE SCANNER REPORT
Saturday, April 05, 2008 3:32:19 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 3 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 615185
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 20335
Number of viruses found: 5
Number of infected objects: 5
Number of suspicious objects: 30
Duration of the scan process: 00:36:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\LimeWire\Saved\nickia.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC40.zip/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC40.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango2.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango5.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango5.zip ZIP: suspicious - 1 skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\RECYCLER\NPROTECT\00004144.ZIP/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004144.ZIP ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004228.ZIP/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004228.ZIP ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004254.ZIP/ctfmona.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004254.ZIP ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004284.ZIP/saap.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004284.ZIP ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004286.ZIP/180ax.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004286.ZIP ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004288.ZIP/sais.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004288.ZIP ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004290.ZIP/180ax.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004290.ZIP ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004306.ZIP/sais.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004306.ZIP ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004340.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004340.zip ZIP: suspicious - 1 skipped
C:\RECYCLER\NPROTECT\00004344.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004344.zip ZIP: suspicious - 1 skipped
C:\sdfix\backups\backups.zip/backups/default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\sdfix\backups\backups.zip/backups/sbwltbxa.exe Infected: not-virus:Hoax.Win32.Renos.bio skipped
C:\sdfix\backups\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010004.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\Antivirus.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\ntload.dll Infected: not-virus:Hoax.Win32.Renos.bja skipped
C:\WINNT\system32\Perflib_Perfdata_20c.dat Object is locked skipped
C:\WINNT\Temp\Buf2.tmp Object is locked skipped
C:\WINNT\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-04-05, 23:09
Thanks for returning your information; let's proceed like this.

1) C:\Documents and Settings\Administrator\My Documents\LimeWire\Saved\nickia.mp3 <<< delete that music file
Trojan-Downloader.WMA.Wimad.n <<< careful where you download from

2) C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of the folder in red
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

3) C:\RECYCLER\NPROTECT\ <<< delete the contents of the NPROTECT recycle bin
http://service1.symantec.com/support/nsw.nsf/ba62122e5d142a6588256d87006b22be/831aa5c6ef0d750685256c370048ad89?OpenDocument&src=bar_sch_nam

4) C:\sdfix\backups\ <<< delete sdfix from your computer (second request)

5) C:\WINNT\system32\ntload.dll <<< delete that file (active infection)

The next KOS should be clean; I do not need to see a clean scan. I will post this information for you now. Once you review it, if you still have questions, post them.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
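As an added example (not part of the thread, and not code from Kaspersky or Safer Networking), a small Python triage of KOS log lines in the format quoted above: it separates findings on the live system from copies that sit in the quarantine stores the reply names (Spybot's Recovery folder, NPROTECT, sdfix backups), which is the distinction the reply draws between item 5 and items 2 to 4. The sample lines and the quarantine prefix list are constructed from this thread's own entries and are assumptions, not a general rule.

```python
import re
# Constructed sample in the line format of the Kaspersky Online Scanner log quoted above.
SAMPLE_LOG = r"""
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\LimeWire\Saved\nickia.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC40.zip/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\RECYCLER\NPROTECT\00004144.ZIP/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\sdfix\backups\backups.zip/backups/sbwltbxa.exe Infected: not-virus:Hoax.Win32.Renos.bio skipped
C:\sdfix\backups\backups.zip ZIP: infected - 2 skipped
C:\WINNT\system32\ntload.dll Infected: not-virus:Hoax.Win32.Renos.bja skipped
"""

# One result line: a path (may contain spaces), a verdict, then the word "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+"
    r"|ZIP: (?:suspicious|infected) - \d+) skipped$"
)

# Assumed quarantine stores, as named in the reply: Spybot Recovery, NPROTECT bin, sdfix backups.
QUARANTINE_PREFIXES = (
    "c:\\documents and settings\\all users\\application data\\spybot - search & destroy\\recovery\\",
    "c:\\recycler\\nprotect\\",
    "c:\\sdfix\\backups\\",
)

def container_of(path):
    """KOS writes archive members as <archive>/<member>; return the on-disk file."""
    return path.split("/", 1)[0]

def is_quarantined(path):
    """True when the finding sits inside one of the known quarantine stores."""
    return container_of(path).lower().startswith(QUARANTINE_PREFIXES)

def triage(log_text):
    """Sort findings into still-active items, already-contained copies and locked files."""
    out = {"active": [], "quarantined": [], "locked": [], "unparsed": []}
    for line in filter(str.strip, log_text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            out["unparsed"].append(line)
        elif m["verdict"].startswith("ZIP:"):
            continue  # archive summary line; its members are listed on their own
        else:
            path, verdict = m["path"], m["verdict"]
            bucket = ("locked" if verdict == "Object is locked"      # in-use files, not detections
                      else "quarantined" if is_quarantined(path)     # copies already contained
                      else "active")                                  # needs action on the live system
            out[bucket].append((container_of(path), verdict))
    return out
```

Running `triage(SAMPLE_LOG)` leaves only nickia.mp3 and ntload.dll in the "active" bucket, matching the reply's items 1 and 5.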