trojan removal



lilrascal
2006-08-22, 08:51
I downloaded a trojan (?), as far as I can tell. I had not installed a virus scan program on the new laptop and was being careless and downloaded what I thought was a ringtone generating program. I had Windows Firewall running but that was all.

I immediately did an online PC scan at Trend Micro and Panda. Both found files. I then downloaded Trend Micro PC-cillin. It found and "healed" many files. I then downloaded Prevx1 (malware removal/protection). It found even more files. All programs said they removed or healed the infected files.

After I thought I was all cleaned up, a day later I opened MSN Messenger, and my "sharing folder" that is shared with one contact began to fill up immediately with over 1000 files. I shut down my internet connection (wireless network) and deleted the sharing folders, ran all the above programs again and they all found more files.

Then I found this forum.

After reading your "first step" message, I downloaded spybot and ran it. I followed all of the steps in that post. It found a lot of problems, but two findings could not be removed.

My HJT log is below. Please let me know if I can provide any further information. I saved some logs of during the process with the other programs, so I can find specific files that have already been "healed".

Thank you for your time and help.

Logfile of HijackThis v1.99.1
Scan saved at 10:25:04 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\o2flash.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.18.218.13:80
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F6B41D58-2CDE-4968-8F48-84D4D7A5A27F} - C:\Program Files\Messenger\quzo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [lgf34444] RUNDLL32.EXE w0409dcf.dll,n 00334441000000030409dcf
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1150798476425
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\srrmfilt.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\vyxml.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

spybot report:

Command Service: System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

CoolWWWSearch: IE Search page (Registry change, nothing done)

HKEY_USERS\S-1-5-21-3574495015-3637309456-1543869909-1004\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL=about:blank

CAS-Client: Data (File, nothing done)
C:\WINDOWS\jptc.dat

CAS-Client: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\OvMon

CAS-Client: Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon

Command Service: Data (File, nothing done)
C:\windows\newname.dat

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Smitfraud-C.: Program directory (Directory, nothing done)
C:\Program Files\InetGet2\

Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{645FF040-5081-101B-9F08-00AA002F954E}

Smitfraud-C.Toolbar888: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}

Smitfraud-C.Toolbar888: IE toolbar (Registry value, nothing done)

HKEY_USERS\S-1-5-21-3574495015-3637309456-1543869909-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}

SurfSideKick: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}

SurfSideKick: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3574495015-3637309456-1543869909-1004\Software\SurfSideKick3

SurfSideKick: User settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\SurfSideKick3

SurfSideKick: User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-3574495015-3637309456-1543869909-1004\Software\Microsoft\Internet Explorer\URLSearchHooks\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}

Web-Nexus: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\qstat

Network Monitor: Data (File, nothing done)
C:\WINDOWS\uninstall_nmon.vbs

Network Monitor: Program directory (Directory, nothing done)
C:\Documents and Settings\LocalService\Application Data\NetMon\

Network Monitor: Program directory (Directory, nothing done)
C:\Program Files\Network Monitor\

Windows.Security.InternetExplorer: Settings (Registry change, nothing done)

HKEY_USERS\S-1-5-21-3574495015-3637309456-1543869909-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1

Downloader.Tsupdate.L: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-3574495015-3637309456-1543869909-1004\Software\Microsoft\Internet Explorer\New Windows\Allow\www.adnet-plus.com

Downloader.Tsupdate.L: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-3574495015-3637309456-1543869909-1004\Software\Microsoft\Internet Explorer\New Windows\Allow\www.firstgoodsearch.com

DoubleClick: Tracking cookie (Internet Explorer: Jennifer) (Cookie, nothing done)

Advertising.com: Tracking cookie (Internet Explorer: Jennifer) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Internet Explorer: Jennifer) (Cookie, nothing done)

--- Spybot - Search & Destroy version: 1.4

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-08-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-08-18 Includes\Cookies.sbi (*)
2006-08-18 Includes\Dialer.sbi (*)
2006-08-18 Includes\Hijackers.sbi (*)
2006-08-18 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-08-18 Includes\Malware.sbi (*)
2006-08-18 Includes\PUPS.sbi (*)
2006-08-18 Includes\Revision.sbi (*)
2006-08-18 Includes\Security.sbi (*)
2006-08-18 Includes\Spybots.sbi (*)
2005-02-16 Includes\Tracks.uti
2006-08-18 Includes\Trojans.sbi (*)

(build: 20050523) ---

lilrascal
2006-08-23, 17:45
I read through more posts and found that I had neglected to do a few things in my original post. I've rerun my scans and am including new logs. I changed my startup to normal rather than selective. I've also included the online scan report. I used Panda. I've tried Housecall several times; I can see that it is finding a lot of things that Panda isn't, but before it finishes the scan it closes the browser and disappears. I've tried over and over but get the same results.

Panda Scan

Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Jennifer\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/look2me Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/ucmore Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@2o7[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@ads.pointroll[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@atwola[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@burstnet[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@questionmarket[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@zedo[2].txt

Logfile of HijackThis v1.99.1
Scan saved at 7:19:45 AM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\o2flash.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\SkyTel.EXE
C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
C:\Program Files\ePad995\ePad995.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\hijack this\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F6B41D58-2CDE-4968-8F48-84D4D7A5A27F} - C:\Program Files\Messenger\quzo.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [lgf34444] RUNDLL32.EXE w0409dcf.dll,n 00334441000000030409dcf
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ePad995.lnk = C:\Program Files\ePad995\ePad995.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\srrmfilt.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\vyxml.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

LonnyRJones
2006-08-24, 15:09
Welcome lilrascal

First things first: I see you have both AVG and Trend antivirus; uninstall one.
Having more than one antivirus running, or even installed, can cause both to be ineffective.


Start HijackThis and place a check next to these items, if there.
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {F6B41D58-2CDE-4968-8F48-84D4D7A5A27F} - C:\Program Files\Messenger\quzo.dll (file missing)
O4 - HKLM\..\Run: [lgf34444] RUNDLL32.EXE w0409dcf.dll,n 00334441000000030409dcf
O4 - HKCU\..\Run: [PSLister] "C:\Program Files\PSLister\PSLister.exe"
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\srrmfilt.dll (file missing)
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\vyxml.dll (file missing)

====================================
Hit Fix checked and close HijackThis.

Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Although the Look2Me infection looks inactive,
download and run Look2Me-Destroyer.exe;
place it in root (c:\Look2Me-Destroyer.exe)
http://www.atribune.org/content/view/28/

Check for problems with Spybot and fix this time, then do so again when it's finished; right-click and choose copy results (not full report) to clipboard and paste that back here please.
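A defender's way to make the selection above repeatable, as an added example that is not part of the original thread and not HijackThis code: a small Python triage script that parses HijackThis 1.99.1 entries and sorts them into "fix" (orphaned references and defaults that HJT can restore) and "review" (persistence points that need a human decision before anything is ticked). The sample lines are copied from the log posted above; the rules, the `Finding` class and the function names are my own and encode the signals the helper acted on: a `(file missing)` reference, a missing URLSearchHook, a UserInit value that differs from the expected default, an O4 entry where rundll32 loads a DLL by bare name, an IE ProxyServer setting, and Winlogon Notify packages.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: nine entries copied from the HijackThis 1.99.1 log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69.18.218.13:80
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {F6B41D58-2CDE-4968-8F48-84D4D7A5A27F} - C:\Program Files\Messenger\quzo.dll (file missing)
O4 - HKLM\..\Run: [lgf34444] RUNDLL32.EXE w0409dcf.dll,n 00334441000000030409dcf
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\vyxml.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


@dataclass
class Finding:
    section: str   # HJT section code: R1, F2, O2, O4, O20, ...
    verdict: str   # "fix": safe to tick in HJT; "review": needs a human decision first
    reason: str
    line: str


# "O20 - Winlogon Notify: ..." -> section "O20", body "Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# rundll32 handed a DLL by bare file name (no directory), so it is resolved via the search path
RUNDLL_BARE_DLL = re.compile(r"RUNDLL32\.EXE\s+([^\\\s]+\.dll)\b", re.IGNORECASE)


def classify(line: str) -> Optional[Finding]:
    """Apply the triage rules to one HJT entry; None means 'nothing of note'."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if "(file missing)" in body:
        return Finding(section, "fix", "registry entry points at a file that no longer exists "
                       "(orphan left behind by an earlier cleanup)", line)
    if section == "R3" and "is missing" in body:
        return Finding(section, "fix", "default URLSearchHook has been removed; fixing restores the default", line)
    if section == "F2" and "UserInit=" in body:
        return Finding(section, "fix", "UserInit value differs from the default HJT expects", line)
    if section == "O4":
        hit = RUNDLL_BARE_DLL.search(body)
        if hit:
            return Finding(section, "review", f"rundll32 loads {hit.group(1)} by bare name from the "
                           "search path; identify the DLL before fixing", line)
    if section == "R1" and "ProxyServer" in body:
        return Finding(section, "review", "IE proxy is set; confirm the user configured it", line)
    if section == "O20":
        return Finding(section, "review", "Winlogon Notify package loads into winlogon.exe; verify the vendor", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of a log, keeping only entries with a verdict."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def lines_to_fix(log_text: str) -> List[str]:
    """The entries a helper would tell the user to tick before 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict:6}] {f.section:<3} {f.reason}\n          {f.line}")
```

The script is deliberately more conservative than the helper on the `lgf34444` entry: a bare DLL name passed to rundll32 is a strong signal, but the verdict is "review" rather than "fix" until someone has looked at what `w0409dcf.dll` is, whereas the `(file missing)` entries and the missing URLSearchHook are safe to fix regardless.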

lilrascal
2006-08-24, 18:37
Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-08-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-08-18 Includes\Cookies.sbi (*)
2006-08-18 Includes\Dialer.sbi (*)
2006-08-18 Includes\Hijackers.sbi (*)
2006-08-18 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-08-18 Includes\Malware.sbi (*)
2006-08-18 Includes\PUPS.sbi (*)
2006-08-18 Includes\Revision.sbi (*)
2006-08-18 Includes\Security.sbi (*)
2006-08-18 Includes\Spybots.sbi (*)
2005-02-16 Includes\Tracks.uti
2006-08-18 Includes\Trojans.sbi (*)





I had run Windows Live OneCare early this morning. Prior to that, I was getting the CmdService findings on the Spybot scan, but Windows Live OneCare fixed them. I ran the Look2Me-Destroyer as you stated, and it found nothing. THANK YOU so much! I hope I am clean; I get a clean Spybot, clean Panda scan, clean PC-cillin and clean Windows Live OneCare.

LonnyRJones
2006-08-25, 05:57
Great
I would like to see a log from this tool
Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If the log is large you might need to post half in one reply and half in another.

lilrascal
2006-08-25, 06:58
Jennifer - 06-08-24 20:42:36.60
ComboFix 06.08.24 - Running from: C:\Documents and Settings\Jennifer\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\ghynf.exe
C:\Program Files\Deskbar
C:\Program Files\outlook
C:\Program Files\Common Files\{18086FA3-0647-1033-0621-060530060001}


((((((((((((((((((((((((((((((( Files Created from 2006-07-24 to 2006-08-24 ))))))))))))))))))))))))))))))))))


2006-08-19 20:57 34,816 -ra------ C:\WINDOWS\EYEQsetup.exe
2006-08-19 20:57 3,584 -ra------ C:\WINDOWS\eprm16.exe
2006-08-19 20:32 59,904 -ra------ C:\WINDOWS\system32\AoxSTIAp.exe
2006-08-19 20:32 59,904 -ra------ C:\WINDOWS\system32\AoxAMCap.exe
2006-08-19 20:32 21,124 -ra------ C:\WINDOWS\system32\aoxusd.dll
2006-08-18 19:39 1,167 --a------ C:\WINDOWS\system32\lgf34444.sys
2006-08-18 19:37 0 ---hs---- C:\WINDOWS\system32\tasklist.com
2006-08-16 23:38 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2006-08-16 23:38 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2006-08-16 23:38 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2006-08-16 23:38 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2006-08-16 23:38 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2006-08-16 23:38 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2006-08-16 23:38 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2006-08-16 23:38 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2006-08-16 21:14 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-08-16 21:14 249,856 --------- C:\WINDOWS\Setup1.exe
2006-08-10 21:32 6,144 --a------ C:\WINDOWS\system32\W95FIBER.DLL
2006-08-10 21:32 53,760 --a------ C:\WINDOWS\PTPICK32.DLL
2006-08-10 21:32 33,424 --a------ C:\WINDOWS\system32\URLCACHE.DLL
2006-08-10 21:32 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2006-08-10 21:32 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLL
2006-08-10 21:32 164,352 --a------ C:\WINDOWS\SPROF32.DLL
2006-08-10 21:27 298,496 --a------ C:\WINDOWS\uninst.exe
2006-08-07 13:09 278,528 C:\WINDOWS\Comcast PhotoShow.scr
2006-07-31 10:09 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-07-26 18:59 51,716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2006-07-26 18:59 118,784 --a------ C:\WINDOWS\system32\pdfmona.dll
2006-07-26 18:55 176,235 --a------ C:\WINDOWS\system32\Primomonnt.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-24 20:48 -------- d-------- C:\Program Files\Prevx1
2006-08-24 20:44 -------- d-------- C:\Program Files\Common Files
2006-08-24 09:27 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\AVG7
2006-08-24 08:02 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-23 22:39 -------- d---s---- C:\Documents and Settings\Jennifer\Application Data\Microsoft
2006-08-23 22:39 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Windows Live Safety Center
2006-08-23 22:02 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-08-23 21:46 -------- d-------- C:\Program Files\QuickTime
2006-08-23 21:46 -------- d-------- C:\Program Files\palmOne
2006-08-23 21:46 -------- d-------- C:\Program Files\MSN Messenger
2006-08-23 21:46 -------- d-------- C:\Program Files\JetAudio
2006-08-23 21:46 -------- d-------- C:\Program Files\iTunes
2006-08-23 21:46 -------- d-------- C:\Program Files\Internet Explorer
2006-08-23 21:46 -------- d-------- C:\Program Files\Google
2006-08-23 21:46 -------- d-------- C:\Program Files\ePad995
2006-08-23 21:09 -------- d-------- C:\Program Files\CleanUp!
2006-08-23 18:30 -------- d-------- C:\Program Files\Messenger
2006-08-22 15:24 -------- d-------- C:\Program Files\Java
2006-08-22 14:48 -------- d-------- C:\Program Files\Messenger Plus! Live
2006-08-22 14:48 -------- d-------- C:\Program Files\DjToneXpress
2006-08-21 20:57 -------- d-------- C:\Program Files\Common Files\Services
2006-08-19 16:50 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Prevx
2006-08-18 23:41 -------- d-------- C:\Program Files\Windows Plus
2006-08-18 23:41 -------- d-------- C:\Program Files\Online Services
2006-08-18 23:28 -------- d-------- C:\Program Files\Trend Micro
2006-08-18 21:59 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-18 21:59 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-08-18 21:59 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-08-18 21:59 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-18 21:59 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-08-18 21:59 -------- d-------- C:\Program Files\Grisoft
2006-08-18 21:58 -------- d-------- C:\Program Files\Lavasoft
2006-08-18 21:58 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Lavasoft
2006-08-18 21:21 108032 --a------ C:\WINDOWS\system32\services.exe
2006-08-16 21:29 -------- d-------- C:\Program Files\GCDCreator
2006-08-16 21:23 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-16 21:23 -------- d-------- C:\Program Files\Common Files\COWON
2006-08-16 21:23 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\COWON
2006-08-12 03:06 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Hamachi
2006-08-10 21:59 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-10 21:47 -------- d-------- C:\Program Files\Adobe
2006-08-10 18:47 7552 --a------ C:\WINDOWS\system32\drivers\pxcom.sys
2006-08-10 18:47 265472 --a------ C:\WINDOWS\system32\drivers\pxfsf.sys
2006-08-10 18:47 18432 --a------ C:\WINDOWS\system32\drivers\pxtdi.sys
2006-08-10 18:47 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-08-10 18:47 100864 --a------ C:\WINDOWS\system32\drivers\PxEmu.sys
2006-08-08 11:10 10578 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-08-08 11:10 -------- d-------- C:\Program Files\Hamachi
2006-08-07 17:03 -------- d-------- C:\Program Files\PokerStars
2006-08-07 13:10 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Comcast
2006-08-07 13:08 -------- d-------- C:\Program Files\Common Files\Simple Star Shared
2006-08-07 13:08 -------- d-------- C:\Program Files\Comcast
2006-08-03 08:02 -------- d-------- C:\Program Files\Hand-Crafted Software
2006-08-02 22:00 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\CyberLink
2006-08-01 11:00 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-31 10:18 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Adobe
2006-07-27 15:48 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Sun
2006-07-27 15:46 -------- d-------- C:\Program Files\Common Files\Java
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 21:34 -------- d-------- C:\Program Files\Backup995
2006-07-26 20:57 -------- d-------- C:\Program Files\pdf995
2006-07-26 20:54 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\pdf995
2006-07-26 18:55 -------- d-------- C:\Program Files\activePDF
2006-07-26 18:53 1063 --a------ C:\Documents and Settings\Jennifer\Application Data\AdobeDLM.log
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-20 22:58 -------- d-------- C:\Program Files\Yahoo!
2006-07-20 22:58 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Yahoo!
2006-07-20 20:11 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Snapfish
2006-07-20 19:52 -------- d-------- C:\Program Files\Costco
2006-07-20 19:52 -------- d-------- C:\Program Files\Common Files\HP
2006-07-20 19:52 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Costco Photo Organizer
2006-07-20 19:13 -------- d-------- C:\Program Files\Picasa2
2006-07-20 14:49 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Apple Computer
2006-07-20 14:47 -------- d-------- C:\Program Files\iPod
2006-07-19 00:06 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Arcsoft
2006-07-17 22:52 -------- d-------- C:\Program Files\InterActual
2006-07-10 20:32 -------- d-------- C:\Program Files\Setup NetZero
2006-07-10 20:32 -------- d-------- C:\Program Files\MSN
2006-07-07 17:38 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\AdobeUM
2006-07-07 16:34 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Macromedia
2006-07-07 01:01 -------- d-------- C:\Documents and Settings\Jennifer\Application Data\Help
2006-06-20 03:17 0 --a------ C:\Documents and Settings\Jennifer\Application Data\dm.ini
2006-06-20 02:20 0 -rahs---- C:\MSDOS.SYS
2006-06-20 02:20 0 -rahs---- C:\IO.SYS
2006-06-20 02:20 0 --a------ C:\CONFIG.SYS
2006-06-20 02:20 0 --a------ C:\AUTOEXEC.BAT
2006-06-19 19:10 62 --a------ C:\Documents and Settings\Jennifer\Application Data\desktop.ini
2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-05-25 01:22 53248 --a------ C:\WINDOWS\bdoscandel.exe

lilrascal
2006-08-25, 06:59
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"PrevxOne"="C:\\Program Files\\Prevx1\\PXConsole.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SkyTel"="SkyTel.EXE"
"RestoreIT!"="\"C:\\Program Files\\Phoenix Technologies\\cME\\RPro\\ XP\\VBPTASK.EXE\" VBStart"
"nwiz"="nwiz.exe /install"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Guard"="\"C:\\Program Files\\Phoenix Technologies\\cME\\Guard\\Guard.exe\" /background"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"Power2GoExpress"="\"C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\" /Startup"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Comcast\\COMCAS~1\\data\\Xtras\\mssysmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,62,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
Completion time: Thu 08/24/2006 20:54:28.93
ComboFix.txt

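The "Reg Loading Points" section above is the part of a ComboFix-style report a helper reads first: every value under a Run key is something that starts with Windows or with the user's logon. The script below is an added example, not ComboFix's code and not something posted in this thread; it parses the dump format shown above (.reg escaping, `\\` for a backslash and `\"` for a quote), splits each value into executable and arguments, and annotates the entries a reviewer would want to look at more closely: bare file names with no path (the dump does not tell you where they live, because Windows finds them by search order), rundll32 stubs (the code that actually runs is the DLL named in the arguments), and anything starting from a user-writable directory. The embedded report is a constructed excerpt built from the thread's own lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed excerpt of the "Reg Loading Points" section of the report posted in this thread.
# The dump uses .reg-file escaping: \\ stands for \ and \" for a literal double quote.
SAMPLE_REPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"RTHDCPL"="RTHDCPL.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Shortest prefix ending in an executable extension, then optional whitespace-separated arguments.
COMMAND_RE = re.compile(r'^(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(.*))?$', re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str                 # registry key the value was found under
    name: str                # value name, e.g. "ehTray"
    exe: str                 # executable as written in the command line
    args: str                # remaining arguments
    notes: List[str] = field(default_factory=list)   # review hints, empty when nothing stands out


def unescape_reg_string(raw: str) -> str:
    """Undo .reg escaping: a backslash followed by any character yields that character."""
    return re.sub(r'\\(.)', r'\1', raw)


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (executable, arguments), honouring a quoted executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ''
        return cmd[1:end], cmd[end + 1:].strip()
    m = COMMAND_RE.match(cmd)
    if m:
        return m.group(1), (m.group(2) or '').strip()
    parts = cmd.split(None, 1)          # fallback: first token is the program
    return parts[0], (parts[1] if len(parts) > 1 else '')


def annotate(entry: AutorunEntry) -> None:
    """Attach the hints a reviewer uses to decide which entries need a closer look."""
    exe_lower = entry.exe.lower()
    base = exe_lower.rsplit('\\', 1)[-1]
    if '\\' not in entry.exe:
        entry.notes.append('no full path: located by search order, so the dump does not say where it lives')
    if base == 'rundll32.exe':
        module = entry.args.split(',', 1)[0].strip().strip('"')
        entry.notes.append(f'rundll32 stub: the code that actually runs is {module}')
    if '\\documents and settings\\' in exe_lower or '\\temp\\' in exe_lower:
        entry.notes.append('starts from a user-writable location (profile or temp directory)')


def parse_loading_points(text: str) -> List[AutorunEntry]:
    """Collect every string value under a key whose last component is 'Run'."""
    entries: List[AutorunEntry] = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        if current_key is None or current_key.rsplit('\\', 1)[-1].lower() != 'run':
            continue
        vm = STRING_VALUE_RE.match(line)
        if not vm:
            continue                      # dword/hex values and hex continuation lines are not commands
        name, raw = vm.groups()
        exe, args = split_command(unescape_reg_string(raw))
        entry = AutorunEntry(current_key, name, exe, args)
        annotate(entry)
        entries.append(entry)
    return entries


def flagged(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Entries that carry at least one review note."""
    return [e for e in entries if e.notes]


if __name__ == '__main__':
    for e in parse_loading_points(SAMPLE_REPORT):
        hive = e.key.split('\\', 1)[0]
        print(f'{hive:<20} {e.name:<22} {e.exe}  {e.args}')
        for note in e.notes:
            print(f'{"":<43} -> {note}')
```

On the excerpt this flags RTHDCPL (a bare file name) and NvCplDaemon (a rundll32 stub loading NvCpl.dll); both happen to be legitimate vendor components here, which is the point: the hints tell you where to look, and the file's location, size and signer decide whether an entry is benign.
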
LonnyRJones
2006-08-25, 07:52
Set Windows to show hidden extensions, files and folders.
Click for > instructions (http://www.xtra.co.nz/help/0,,4155-1916458,00.html).

C:\WINDOWS\system32\tasklist.com < delete that file

Are there any current problems ?

lilrascal
2006-08-25, 08:27
I changed the file view, but I cannot open the windows/system32 folder....it just lags and eventually says "not responding" in the upper title bar.

I did a search for the file, but it doesn't find it.

No problems I can specify....other than not being able to open the windows folder....but I am not doing much at all on the computer. I've shut down email and have basically only been reading posts and running scans etc.

I'll continue to try to get this folder to open. Anything else I should try?

LonnyRJones
2006-08-25, 12:38
Run HijackThis, click > "config" then "misc tools" > "delete file on reboot"
(exact spelling counts!!! so don't browse)
Copy/Paste the bolded line below into the File name box then click Open,
C:\WINDOWS\system32\tasklist.com
Answer yes to the prompt to reboot the PC

Check if you can open the windows and windows\system32 folders now?

lilrascal
2006-08-25, 16:57
Ok, file deleted. And I can open the folder, but it takes a very long time.

Should I run anything else?

LonnyRJones
2006-08-25, 17:15
Another opinion would be good too.
Computer Associates eTrust AV Web Scanner: http://www3.ca.com/virusinfo/virusscan.aspx
Select all drives, scan, try to cure/repair; if it cannot, choose delete! If it cannot delete, tell us the file names and locations.

Have you run SpyBot, Prevx and your antivirus program while the PC is in safe mode yet?

lilrascal
2006-08-25, 17:59
I've run Spybot in safe mode. Everything else has been in regular mode. I'm going to run the link you gave me, then I'll run those programs in safe mode. If everything comes out clean, am I good to go? Or should I post logs here?

lilrascal
2006-08-25, 20:45
I did scans in this order:

1) safe mode- AVG---clean report

2) safe mode- Spybot---clean report

3) couldn't run Prevx in safe mode

4) safe mode- hijack this--saved report

5) regular mode--prevx--clean report

6) regular mode--Panda online scan----18 spyware files report below
Incident Status Location

Adware:adware/ucmore Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@2o7[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@adrevolver[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@ads.addynamix[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@ads.pointroll[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@belnk[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@burstnet[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@burstnet[3].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@dist.belnk[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@questionmarket[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@www.burstbeacon[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Jennifer\Cookies\jennifer@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected

LonnyRJones
2006-08-26, 05:01
Hopefully that symptom will go away after the PC has been restarted a few times.

Post back in a few days, in the meantime >
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

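A hosts file in the MVPS layout works by mapping known ad and tracking hostnames to a sink address (0.0.0.0 or 127.0.0.1), so the browser never reaches them; the same file is also a classic hijack target, because a line that sends a real site to a foreign address silently redirects the user. The audit below is an added example, not the MVPS project's code and not part of this thread; it parses a hosts file, counts the blocking entries, and reports three things worth checking after installing or updating the file: entries that point anywhere other than a sink address, hostnames mapped to more than one address (Windows uses the first match, so a conflict hides a line), and malformed lines. The embedded file is constructed, with example.* names and a TEST-NET address standing in for a hijack.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the MVPS layout; the 203.0.113.5 line (a TEST-NET address) stands in
# for a hijacked entry that sends a real site to a host the user never chose.
SAMPLE_HOSTS = """\
# blocking entries point at 0.0.0.0 (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org # trailing comment
0.0.0.0   banner.example.com   www.banner.example.com
# the next line is the constructed hijack: a real site sent elsewhere
203.0.113.5 www.example.com
0.0.0.0 www.example.com
this is not a valid line
"""

# Addresses that make a hostname unreachable rather than redirecting it.
SINK_ADDRESSES = {
    ipaddress.ip_address('0.0.0.0'),
    ipaddress.ip_address('127.0.0.1'),
    ipaddress.ip_address('::1'),
}

Entry = Tuple[int, ipaddress._BaseAddress, str]   # (line number, address, hostname)


def parse_hosts(text: str) -> Tuple[List[Entry], List[Tuple[int, str]]]:
    """Return (entries, malformed). Comments are stripped; one line may name several hosts."""
    entries: List[Entry] = []
    malformed: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        if len(parts) < 2:                      # address with no hostname
            malformed.append((lineno, raw))
            continue
        for host in parts[1:]:
            entries.append((lineno, ip, host.lower()))
    return entries, malformed


def audit_hosts(text: str) -> Dict[str, object]:
    """Summarise a hosts file: blocking count, redirects, conflicting mappings, malformed lines."""
    entries, malformed = parse_hosts(text)
    # Any mapping to a non-sink address changes where traffic goes and deserves a look.
    redirects = [(n, str(ip), host) for n, ip, host in entries if ip not in SINK_ADDRESSES]
    by_host: Dict[str, set] = defaultdict(set)
    for _, ip, host in entries:
        by_host[host].add(str(ip))
    conflicts = {h: sorted(ips) for h, ips in by_host.items() if len(ips) > 1}
    blocked = sum(1 for _, ip, host in entries if ip in SINK_ADDRESSES and host != 'localhost')
    return {
        'blocked': blocked,
        'redirects': redirects,
        'conflicts': conflicts,
        'malformed': malformed,
    }


if __name__ == '__main__':
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"blocking entries: {report['blocked']}")
    for lineno, ip, host in report['redirects']:
        print(f"line {lineno}: {host} -> {ip} (not a sink address, check this)")
    for host, ips in report['conflicts'].items():
        print(f"conflict: {host} mapped to {', '.join(ips)}")
    for lineno, raw in report['malformed']:
        print(f"line {lineno}: cannot parse: {raw!r}")
```

To run it against the real file, read C:\WINDOWS\system32\drivers\etc\hosts into `audit_hosts`; a freshly installed MVPS file should report no redirects and no conflicts, and the blocking count gives a quick way to confirm the monthly update actually replaced the file.
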
tashi
2006-08-31, 07:01
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help, thank you Lonny.