
Need help, way beyond my skills



kelset
2006-11-10, 18:21
I had a friend bring me his computer that had non-stop popups.
I ran Spybot and it removed everything but 2 command service items, which continued to come back after multiple reboots and cleanings.

Any help would be appreciated.

Here are the requested logs from HijackThis and pandasoft.

Logfile of HijackThis v1.99.1
Scan saved at 7:25:41 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\?racle\d?xplore.exe
C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe
C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
C:\PROGRA~1\BOOK4G~1\_tomsagn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijakThs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {D1BD559E-BF5B-ED81-2D70-BE89195563C0} - C:\WINDOWS\system32\jnouvhr.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D1BD559E-BF5B-ED81-2D70-BE89195563C0} - C:\WINDOWS\system32\jnouvhr.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [StartAgent] C:\Program Files\Book4golf\StartHost.exe
O4 - HKLM\..\Run: [{96-6E-E3-3B-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinnpex.exe GEN001
O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cfrhhhvt] C:\WINDOWS\?racle\d?xplore.exe
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [Cshb] "C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe" -vt ndrv
O4 - Startup: Shortcut to Listener.exe.lnk = C:\Program Files\Book4golf\Listener.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\nalanui.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

kelset
2006-11-10, 18:24
Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\progra~1\common~1\fnts~1\alg.exe
Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Adware:adware/mirar Not disinfected c:\windows\system32\WinNB58.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/look2me Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@2o7[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@adtech[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@as-eu.falkag[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@atwola[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@bravenet[2].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@casinotropez[2].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@citi.bridgetrack[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@drivecleaner[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@go[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@overture[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@perf.overture[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@serving-sys[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@stats1.reliablestats[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@tribalfusion[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@www.advnt01[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Elmhurst\Cookies\elmhurst@www.burstbeacon[1].txt
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\!update.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@atdmt[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@banners.searchingbooth[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@com[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@errorsafe[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@kmpads[1].txt
Spyware:Cookie/Diglnk Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@mbop[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@mediaplex[1].txt

kelset
2006-11-10, 18:25
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@microsofteup.112.2o7[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@searchportal.information[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@stats1.reliablestats[2].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@targetnet[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@targetsaver[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@winantivirus[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.advnt01[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.errorsafe[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.systemdoctor[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Cookies\elmhurst@www.winantivirus[2].txt
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\da827.tmp
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\mit7F7.tmp[NNBar_VCSetup_876075.exe]
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\mit7F7.tmp.cab[NNBar_VCSetup_876075.exe]
Spyware:Spyware/Media-motor Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\mmxsnet.exe
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\NNBar_VCSetup_876075.exe
Potentially unwanted tool:Application/SystemDoctor2006 Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\SystemDoctor2006FreeInstall.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\temp.frD9B1
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[10].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[11].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[12].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[13].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[3].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\8LAB0PQ3\popup[5].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1ANKX2F\popup[12].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1ANKX2F\popup[3].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\C1ANKX2F\popup[6].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[10].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[11].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[5].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[6].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\CPERGH67\popup[7].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\G163WTAV\popup[1].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\G163WTAV\popup[2].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\G163WTAV\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\G163WTAV\popup[5].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[13].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[1].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[2].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT2FS5ER\popup[5].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[10].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[11].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[17].htm

kelset
2006-11-10, 18:26
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[19].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[20].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[21].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\GT67KLAN\popup[7].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[19].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[1].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[2].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[3].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\KF7FQC23\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[19].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[4].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[6].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[7].htm
Adware:Adware/Gmter Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temp\Temporary Internet Files\Content.IE5\O52VWD2R\popup[9].htm
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temporary Internet Files\Content.IE5\79EXBXTO\!update-4295[1].0000
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\F?nts\alg.exe
Virus:Trj/PayClicker.EC Not disinfected C:\WINDOWS\Eim03.exe[²νΗ]
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\mtuninst.exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\lvp0097me.dll
Virus:Trj/PayClicker.EC Disinfected C:\WINDOWS\system32\nsw7F5.dll
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@888[1].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@888[2].txt
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@c.enhance[1].txt
Spyware:Cookie/Cassava Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@cassava[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@drivecleaner[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@errorsafe[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@kmpads[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@mediaplex[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@stats1.reliablestats[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@winantivirus[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@www.errorsafe[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\WINDOWS\Temp\Cookies\elmhurst@www.winantivirus[1].txt
Adware:Adware/Gmter Not disinfected C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\T4O4GVRY\popup[1].htm
Possible Virus. Renamed C:\WINDOWS\?racle\d?xplore.exe

tashi
2006-11-14, 18:09
Hello and sorry for the wait.

If you have not resolved the problem, we do have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

pskelley
2006-11-14, 20:24
Welcome to the forum, your friend has a pretty good mess here. It is not a good idea to do third party fixes like this, we find many of them get archived for lack of response.
Advise your friend to keep the computer offline as much as possible until it is clean. Make sure you tell them about cleaning out temp Internet files and cookies. Let's use a couple of tools to help us.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


(save those logs until the instructions are finished)

3) Thanks to sUBs and anyone who helped with this fix.

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

If the log is large you might need to post half in one reply and half in another.

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the Report.txt from SDFix, the log from combofix and a new Panda scan log.

Thanks

kelset
2006-11-14, 23:16
I will do all this on Friday for them, since that is when I will be able to get to his place again. I have told him to avoid using the internet till then.

I should have the info posted Friday evening for review.

pskelley
2006-11-14, 23:21
No problem, thanks for letting us know.

Phil

kelset
2006-11-14, 23:22
When extracting SDFix I receive this error from WinRAR:

! C:\Documents and Settings\Kelset\Desktop\Files for Fix\SDFix.exe: CRC failed in SDFix\apps\unzip.exe. The file is corrupt
! C:\Documents and Settings\Kelset\Desktop\Files for Fix\SDFix.exe: Unexpected end of archive

any suggestions welcome.

kelset
2006-11-14, 23:25
And when running the program, it starts to extract files, then I receive this error:

CRC failed in SDFix\apps\unzip.exe
Unexpected end of archive

pskelley
2006-11-14, 23:27
There is nothing wrong with that file, I use it all of the time. You need to wait until you can download it to the Desktop of the computer you are going to run it on. I have no idea what will happen if you try to copy to a CD or other media.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:

Thanks

pskelley
2006-11-14, 23:43
The most important part of this fix if we are to be successful, and a remote repair is hard to do, will be your ability to follow exactly the instructions I post for you. If you are not going to take the time to read and follow the directions, perhaps we should not continue with this repair. Thanks

kelset
2006-11-14, 23:47
Just figured I would download and put the files onto a USB stick and take it to the infected computer instead of going on the internet on it again.

I'll post the info on Friday and do nothing till I'm at the computer.

kelset
2006-11-18, 02:22
Report.txt 1/1

SDFix: Version 1.40
-------------------

Scan run on:
Fri 11/17/2006

Time:
05:36 PM

Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Elmhurst\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----

Path:
----


Repairing Registry...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------


Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Files:
------


Any files removed are saved to the SDFix\backups Folder

FINISHED

kelset
2006-11-18, 02:23
HijackThis log 1/1

Logfile of HijackThis v1.99.1
Scan saved at 5:47:02 PM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
C:\PROGRA~1\BOOK4G~1\_tomsagn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\hijack\HijakThs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [StartAgent] C:\Program Files\Book4golf\StartHost.exe
O4 - HKLM\..\Run: [{96-6E-E3-3B-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cfrhhhvt] C:\WINDOWS\?racle\d?xplore.exe
O4 - HKCU\..\Run: [Cshb] "C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe" -vt ndrv
O4 - Startup: Shortcut to Listener.exe.lnk = C:\Program Files\Book4golf\Listener.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

kelset
2006-11-18, 02:24
Combofix.txt 1/1

Elmhurst - 06-11-17 17:41:39.76 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Elmhurst\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{C287DDFB-005E-496F-A405-AD642E779B03}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C287DDFB-005E-496F-A405-AD642E779B03}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{C287DDFB-005E-496F-A405-AD642E779B03}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{C287DDFB-005E-496F-A405-AD642E779B03}\InprocServer32]
@="C:\\WINDOWS\\system32\\MEIMUSIC.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{BDE68454-4D8D-4239-A0DC-D81AE8C553AC}]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDE68454-4D8D-4239-A0DC-D81AE8C553AC}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDE68454-4D8D-4239-A0DC-D81AE8C553AC}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{BDE68454-4D8D-4239-A0DC-D81AE8C553AC}\InprocServer32]
@="C:\\WINDOWS\\system32\\nalanui.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\lvp0097me.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Elmhurst\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Eim03.exe
C:\WINDOWS\system32\WinNB58.dll

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Elmhurst\Application Data\STEM~1
C:\QooBox\Purity\Documents and Settings\Elmhurst\My Documents\DOBE~1
C:\QooBox\Purity\Program Files\ICROSO~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\alg.exe
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\FNTS~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\RACLE~1\37F.tmp
C:\QooBox\Purity\WINDOWS\RACLE~1\d?xplore.exe
C:\QooBox\Purity\WINDOWS\RACLE~1\d?xplore_exe.vir


((((((((((((((((((((((((((((((( Files Created from 2006-10-17 to 2006-11-17 ))))))))))))))))))))))))))))))))))


2006-11-09 18:43 131,072 --a------ C:\WINDOWS\system32\oimz.dll
2006-10-24 12:23 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-10-24 12:23 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-10-24 12:23 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-10-24 12:23 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-10-24 12:23 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-10-24 12:23 5,632 --a------ C:\WINDOWS\system32\kbd103.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-17 17:41 -------- d-------- C:\Program Files\Common Files
2006-11-17 17:40 -------- d-------- C:\Program Files\Book4golf
2006-11-17 12:41 -------- d-------- C:\Program Files\Fore! Reservations
2006-11-15 03:00 -------- d-------- C:\Program Files\Internet Explorer
2006-11-09 18:43 2 --a------ C:\WINDOWS\system32\wtstr.exe
2006-11-08 19:45 -------- d-------- C:\Program Files\QuickTime
2006-11-08 19:43 -------- d-------- C:\Program Files\Dell Support
2006-11-08 18:23 -------- d-------- C:\Documents and Settings\Elmhurst\Application Data\Lavasoft
2006-11-08 18:22 -------- d-------- C:\Program Files\MSN
2006-10-30 19:05 -------- d-------- C:\Program Files\Google
2006-10-30 18:56 -------- d-------- C:\Program Files\Common Files\Real
2006-10-30 18:55 -------- d-------- C:\Program Files\Yahoo!
2006-10-30 18:55 -------- d-------- C:\Documents and Settings\Elmhurst\Application Data\Real
2006-10-30 18:54 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-13 14:42 -------- d-------- C:\Documents and Settings\Elmhurst\Application Data\Google
2006-10-13 06:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 06:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 04:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-05 15:19 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-12 23:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 09:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 13:39 39424 --a------ C:\WINDOWS\mtuninst.exe
2006-08-24 13:39 155136 --a------ C:\WINDOWS\system32\oins.exe
2006-08-24 13:33 838 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-08-24 13:33 1233 --a------ C:\WINDOWS\system32\vrq7eb3a.sys
2006-08-24 13:32 507904 --a------ C:\814.exe
2006-08-24 13:32 214749 --a------ C:\WINDOWS\srvpbjwbvv.exe
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-17 06:28 721920 --a------ C:\WINDOWS\system32\lsasrv.dll
2006-08-17 06:28 132096 --a------ C:\WINDOWS\system32\wkssvc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Cfrhhhvt"="C:\\WINDOWS\\?racle\\d?xplore.exe"
"Cshb"="\"C:\\PROGRA~1\\COMMON~1\\FNTS~1\\alg.exe\" -vt ndrv"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"StartAgent"="C:\\Program Files\\Book4golf\\StartHost.exe"
"{96-6E-E3-3B-ZN}"="C:\\windows\\system32\\omdsregl.exe GEN001"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\NetMeeting\\pononuca.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Internet Explorer\\mele.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-17 17:43:43.68
C:\ComboFix.txt ... 06-11-17 17:43

kelset
2006-11-18, 02:25
Panda log 1/1

Incident Status Location

Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\oimz.dll
Adware:adware/mediatickets Not disinfected C:\WINDOWS\system32\oins.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Elmhurst\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/commad Not disinfected Windows Registry
Dialer:dialer.asl Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/searchexe Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Elmhurst\Desktop\SDFix\apps\Process.exe
Possible Virus. Not disinfected C:\Documents and Settings\Elmhurst\Desktop\SDFix\apps\swsc.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Elmhurst\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Possible Virus. Not disinfected C:\Documents and Settings\Elmhurst\Desktop\SDFix.exe[SDFix\apps\swsc.exe]
Adware:Adware/PurityScan Not disinfected C:\QooBox\Purity\Program Files\Common Files\FNTS~1\alg.exe
Possible Virus. Not disinfected C:\QooBox\Purity\WINDOWS\RACLE~1\37F.tmp
Possible Virus. Renamed C:\QooBox\Purity\WINDOWS\RACLE~1\d?xplore.exe
Possible Virus. Renamed C:\QooBox\Purity\WINDOWS\RACLE~1\d?xplore_exe.vir
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\mtuninst.exe

kelset
2006-11-18, 02:29
4 Logs posted above from ATF-cleaner, SDFix, Combofix and Panda Online Scan.

No other scans have been done.

pskelley
2006-11-18, 03:41
Thanks for returning the information; the tools did a good job and removed a lot of junk. Let's do this now.

Please scan these files with one or more of these free online scans and delete the ones that scan bad. Please leave them in the recycle bin for a few days to be safe. This means if you use ATF-Cleaner, remove the check from in front of Recycle Bin.

C:\WINDOWS\system32\oimz.dll
C:\WINDOWS\system32\wtstr.exe
C:\WINDOWS\mtuninst.exe
C:\WINDOWS\system32\oins.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\vrq7eb3a.sys
C:\814.exe
C:\WINDOWS\srvpbjwbvv.exe

scanners
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
_______________________________________________________

The Java program is badly out of date and a security risk, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< out of date, please uninstall all old versions and update the program.
_________________________________________________________

Start > Control Panel > Add Remove programs and uninstall PuritySCAN By OIN, OIN or OuterInfo or any variation of that. Have your friend look and also uninstall any program they know does not belong there.

After that is done, then do this:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

________________________________________________________


How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5F9B76CE-9F02-C58E-7D25-CBCE6DB2BAC2} - C:\WINDOWS\system32\oimz.dll
O4 - HKLM\..\Run: [{96-6E-E3-3B-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKCU\..\Run: [Cfrhhhvt] C:\WINDOWS\?racle\d?xplore.exe
O4 - HKCU\..\Run: [Cshb] "C:\PROGRA~1\COMMON~1\FNTS~1\alg.exe" -vt ndrv
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://207.234.185.217/aboxinst_int21.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

(these may be gone, just do not miss them)

C:\windows\system32\omdsregl.exe <<< delete that file

C:\WINDOWS\?racle\ <<< delete that folder

C:\PROGRA~1\COMMON~1\FNTS~1\ delete that folder

Run ATF-Cleaner but do not check the Recycle Bin or Prefetch.
Restart the computer and post the uninstall list from earlier and a new HJT log.

As soon as those logs are posted, follow the instructions in this link:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
Thanks to John McKenna for the tutorial
Please make sure you follow the directions carefully, delete or at least quarantine anything located and make sure to save the Report-Scan.txt. Post that scan as soon as you have it. Let me know how the computer is running.

Thanks
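
The fix list above is pskelley's; as an added example that is not part of this thread, here is a small Python triage script that applies the same kinds of checks to HijackThis 1.99 log lines: orphaned entries, search settings reset to about:blank, a '?' inside a path (HijackThis prints '?' for characters it cannot render, which is how the ?racle folder above shows up), an autorun value named like a GUID that is not one, and O16 ActiveX downloads with no friendly name or from a bare IP. The sample lines are constructed (modelled on this thread's logs, with the 192.0.2.10 documentation address in place of any real host), and the heuristics are assumptions that point at entries worth checking, not verdicts.

```python
"""Heuristic triage of HijackThis 1.99-style log lines.

Added example for this thread; not a tool from the thread or from the
HijackThis project. Every rule below is an assumption: a hit means
"look at this entry", not "this entry is malicious".
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample input modelled on the logs in this thread.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [{96-6E-E3-3B-ZN}] C:\windows\system32\omdsregl.exe GEN001
O4 - HKCU\..\Run: [Cfrhhhvt] C:\WINDOWS\?racle\d?xplore.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00000000-0709-0000-0000-000330050660} - http://192.0.2.10/sample_inst.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# A Windows path up to a file extension HijackThis commonly reports.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|ocx|cab|html?)\b", re.IGNORECASE)
GUID_RE = re.compile(
    r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$", re.IGNORECASE)
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\]")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?P<friendly> \([^)]*\))? - (?P<url>\S+)")
SEARCH_KEYS = ("Default_Search_URL", "Search Page", "SearchAssistant", "CustomizeSearch")


@dataclass
class Finding:
    kind: str
    line: str
    reasons: List[str] = field(default_factory=list)


def _is_raw_ip(url: str) -> bool:
    """True when the URL host is a literal IP address rather than a name."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with the reasons an entry deserves a look, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reasons = []

    # Registry still points at a file that no longer exists.
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry (target file missing)")

    # Search settings wiped to about:blank are a typical hijack leftover.
    if kind in ("R0", "R1") and body.endswith("= about:blank") \
            and any(k in body for k in SEARCH_KEYS):
        reasons.append("search setting reset to about:blank")

    # '?' inside a path means a character HJT could not print: a look-alike
    # folder name such as the ?racle folder in this thread.
    path = PATH_RE.search(body)
    if path and "?" in path.group(0):
        reasons.append("unprintable character in path (look-alike folder name)")

    # Autorun value names dressed up as GUIDs that do not parse as GUIDs.
    run = RUN_RE.match(body)
    if run and run.group("name").startswith("{") and not GUID_RE.match(run.group("name")):
        reasons.append("autorun value named like a GUID but is not one")

    # ActiveX downloads: legitimate ones carry a friendly name and a hostname.
    dpf = DPF_RE.match(body)
    if dpf:
        if not dpf.group("friendly"):
            reasons.append("ActiveX download with no friendly name")
        if _is_raw_ip(dpf.group("url")):
            reasons.append("ActiveX download from a bare IP address")

    return Finding(kind, line.strip(), reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """Triage every line of a log; unflagged lines are dropped."""
    return [f for f in map(triage_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print(f"{f.kind}: {'; '.join(f.reasons)}\n    {f.line}")
```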

kelset
2006-11-19, 19:28
Uninstall list 1/1

Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9
Adobe Reader 7.0.7
APC PowerChute Personal Edition
Book4golf.com
Cherry OPOS Support (local edition) V3.0 Build 8
Cherry Tools V4.1 Rev.6 Build 2
Dell Driver Reset Tool
Dell Support 3.1
Fore! Reservations 2006
Fore! Reservations 2006
Fore! Reservations 2006
HijackThis 1.99.1
IIS UrlScan Tool 2.0 (Uninstall)
im3510 PCL6
Imagistics PC-FAX driver
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 9
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office 2000 Professional
Panda ActiveScan
Printer Administration Utility3.2
Printer Status Monitor Version 3.2
PS-Utility
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Spybot - Search & Destroy 1.4
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781

kelset
2006-11-19, 19:29
Hijackthis 1/1

Logfile of HijackThis v1.99.1
Scan saved at 11:15:21 AM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
C:\PROGRA~1\BOOK4G~1\_tomsagn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\hijack\HijakThs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StartAgent] C:\Program Files\Book4golf\StartHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Shortcut to Listener.exe.lnk = C:\Program Files\Book4golf\Listener.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

kelset
2006-11-19, 19:32
Info from instructions

bad C:\WINDOWS\system32\oimz.dll
bad C:\WINDOWS\system32\wtstr.exe
bad C:\WINDOWS\mtuninst.exe
bad C:\WINDOWS\system32\oins.exe
good C:\WINDOWS\system32\winpfg32.sys
good C:\WINDOWS\system32\vrq7eb3a.sys
bad C:\814.exe
bad C:\WINDOWS\srvpbjwbvv.exe

was unable to find 'PuritySCAN By OIN, OIN or OuterInfo or any variation of that'

couldn't find these, so must assume they were removed
C:\windows\system32\omdsregl.exe <<< delete that file
C:\WINDOWS\?racle\ <<< delete that folder
C:\PROGRA~1\COMMON~1\FNTS~1\ delete that folder

kelset
2006-11-19, 20:34
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:31:25 PM 11/19/2006

+ Scan result:



C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0006332.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0009835.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006109.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006115.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006135.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006139.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0009997.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005822.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005823.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005832.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005840.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0006484.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3831158022-483468862-693128569-1006\Dc4.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0009975.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3831158022-483468862-693128569-1006\Dc1.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0006331.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0009820.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0009821.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0009849.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0006481.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005962.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0006005.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006027.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006045.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006060.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006090.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006104.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006129.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006195.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006230.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0006476.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006052.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006077.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006080.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006081.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005831.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005941.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005943.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005950.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005953.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005976.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006172.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006199.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006202.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3831158022-483468862-693128569-1006\Dc6.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3831158022-483468862-693128569-1006\Dc3.exe -> Downloader.PurityScan.bl : Cleaned with backup (quarantined).
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\alg.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\Program Files\Common Files\wiik\wiikd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).


::Report end

pskelley
2006-11-19, 21:05
The HJT log looks good; let's clean the System Restore files.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Can you look at these again with the scanners?
C:\WINDOWS\system32\winpfg32.sys
Everything I see says it should be bad:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Zenotecnico&threatid=41139
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=winpfg32%2esys

C:\WINDOWS\system32\vrq7eb3a.sys
This one appears only once on Google, in this log.
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=vrq7eb3a%2esys

Please use all three scans, if they are not bad we don't want to remove them, but they sure appear to be.

How is the computer running now?

Thanks

kelset
2006-11-22, 02:51
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: vrq7eb3a.sys
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a7db777915905f724274963d691e37ca
Packers detected: -


Kaspersky File Scanner

You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.


Scanned file: vrq7eb3a.sys


STATUS: FINISHED
Complete scanning result of "vrq7eb3a.sys", received in VirusTotal at 11.22.2006, 00:31:55 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.44 11.21.2006 no virus found
Authentium 4.93.8 11.20.2006 no virus found
Avast 4.7.892.0 11.20.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.22.2006 no virus found
CAT-QuickHeal 8.00 11.21.2006 no virus found
ClamAV devel-20060426 11.21.2006 no virus found
DrWeb 4.33 11.21.2006 no virus found
eSafe 7.0.14.0 11.20.2006 no virus found
eTrust-InoculateIT 23.73.62 11.21.2006 no virus found
eTrust-Vet 30.3.3205 11.21.2006 no virus found
Ewido 4.0 11.21.2006 no virus found
Fortinet 2.82.0.0 11.21.2006 no virus found
F-Prot 3.16f 11.22.2006 no virus found
F-Prot4 4.2.1.29 11.20.2006 no virus found
Ikarus 0.2.65.0 11.21.2006 no virus found
Kaspersky 4.0.2.24 11.21.2006 no virus found
McAfee 4901 11.21.2006 no virus found
Microsoft 1.1804 11.21.2006 no virus found
NOD32v2 1876 11.21.2006 no virus found
Norman 5.80.02 11.21.2006 no virus found
Panda 9.0.0.4 11.21.2006 no virus found
Prevx1 V2 11.22.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.21.2006 no virus found
UNA 1.83 11.21.2006 no virus found
VBA32 3.11.1 11.21.2006 no virus found
VirusBuster 4.3.15:9 11.21.2006 no virus found

kelset
2006-11-22, 02:51
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: winpfg32.sys
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f75d1ecf194dae46a1e3142ed26c4037
Packers detected: -


Kaspersky File Scanner

You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.


Scanned file: winpfg32.sys


STATUS: FINISHED
Complete scanning result of "winpfg32.sys", received in VirusTotal at 11.22.2006, 00:28:03 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.44 11.21.2006 no virus found
Authentium 4.93.8 11.20.2006 no virus found
Avast 4.7.892.0 11.20.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.22.2006 no virus found
CAT-QuickHeal 8.00 11.21.2006 no virus found
ClamAV devel-20060426 11.21.2006 no virus found
DrWeb 4.33 11.21.2006 no virus found
eSafe 7.0.14.0 11.20.2006 no virus found
eTrust-InoculateIT 23.73.62 11.21.2006 no virus found
eTrust-Vet 30.3.3205 11.21.2006 no virus found
Ewido 4.0 11.21.2006 no virus found
Fortinet 2.82.0.0 11.21.2006 no virus found
F-Prot 3.16f 11.22.2006 no virus found
F-Prot4 4.2.1.29 11.20.2006 no virus found
Ikarus 0.2.65.0 11.21.2006 no virus found
Kaspersky 4.0.2.24 11.21.2006 no virus found
McAfee 4901 11.21.2006 no virus found
Microsoft 1.1804 11.21.2006 no virus found
NOD32v2 1876 11.21.2006 no virus found
Norman 5.80.02 11.21.2006 no virus found
Panda 9.0.0.4 11.21.2006 no virus found
Prevx1 V2 11.22.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.21.2006 no virus found
UNA 1.83 11.21.2006 no virus found
VBA32 3.11.1 11.21.2006 no virus found
VirusBuster 4.3.15:9 11.21.2006 no virus found

kelset
2006-11-22, 02:53
Spybot Log

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-08 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-17 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-17 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-17 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-17 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-17 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-17 Includes\PUPSC.sbi (*)
2006-11-17 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-17 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-17 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-17 Includes\Trojans.sbi (*)
2006-11-17 Includes\TrojansC.sbi (*)

kelset
2006-11-22, 02:53
Logfile of HijackThis v1.99.1
Scan saved at 6:53:22 PM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
C:\PROGRA~1\BOOK4G~1\_tomsagn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack\HijakThs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StartAgent] C:\Program Files\Book4golf\StartHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Shortcut to Listener.exe.lnk = C:\Program Files\Book4golf\Listener.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

kelset
2006-11-22, 02:57
System seems to be running better. Posted scan logs from the 3 sites you gave me for the 2 files; according to them the files are clean.

Did a scan with Spybot and there was 13 items found, and all but the command ones were removed, posted the report.

Scan from AVG showed nothing left.

And the system restore was turned off then back on as requested.

This system is hooked to a Dlink router. Should I install some firewall software on this system, or should the Dlink handle that and just run an antivirus on the computer?

Thanks for all the help so far.

pskelley
2006-11-22, 03:58
Did a scan with Spybot and there was 13 items found, and all but the command ones were removed, posted the report.

If we covered this before, I apologize. These command.exe items are leftovers as a result of a poor removal by another program (possibly Ad-aware). If this is the case, then update Ad-aware (it seems it is supposed to remove the leftovers now) and run it to see. If this does not work, let me know and I will post a solution for you. I am interested in the other items; were they cookies? If you need information to help you stop getting unwanted cookies, let me know.

Thanks for the feedback about those files, I appreciate you re-checking them, and suggest you leave them alone.

Dlink router: I would ask that question to support: http://support.dlink.com/chooseCountry.asp I have no experience with that router. I can tell you I run a Linksys with a firewall and still run Zone Alarm free because I do not feel the SP2 gives me the protection I want. I understand you can run a hardware firewall and a software firewall at the same time, but I would still prefer you get that information from the manufacturer.

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Safe surfing...tashi:) will close your topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
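A read-only way to see for yourself what Spybot is flagging, added here as an example; it is not the ren-cmdservice tool and not Spybot's own check. It walks every ControlSet under HKLM\SYSTEM, reports whether a cmdService key is present in each, and shows whether the key's ImagePath still points at a file on disk, which is what separates a harmless leftover from a service that is still live. The service name is the one in the Spybot log above; the function names are my own.

```powershell
# Added example (not the ren-cmdservice tool from the post): read-only survey of a
# service key across every control set, so the reader can see what Spybot is flagging.
# Service name 'cmdService' is taken from the Spybot log above; function names are my own.

function Resolve-ImageBinary {
    # Turn a service ImagePath value into the path of the binary it launches.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }                        # "C:\x\y.exe" -args
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }   # C:\x\y.exe -args
    $p = $p -replace '^\\\?\?\\', ''                                         # strip the \??\ prefix
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

function Get-LeftoverServiceKey {
    param([string]$ServiceName = 'cmdService')
    # HKLM\SYSTEM carries ControlSet001, ControlSet002, ... plus the CurrentControlSet link,
    # which is why the Spybot log shows the same key three times.
    $sets = @(Get-ChildItem -Path 'HKLM:\SYSTEM' |
              Where-Object { $_.PSChildName -like 'ControlSet*' } |
              ForEach-Object { $_.PSChildName }) + 'CurrentControlSet'
    # Is the Service Control Manager still aware of a service by that name?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    foreach ($cs in $sets) {
        $keyPath = "HKLM:\SYSTEM\$cs\Services\$ServiceName"
        $present = Test-Path -Path $keyPath
        $imagePath = $null; $binary = $null; $binaryExists = $false
        if ($present) {
            $imagePath = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).ImagePath
            $binary = Resolve-ImageBinary $imagePath
            $binaryExists = [bool]($binary -and (Test-Path -LiteralPath $binary))
        }
        $verdict = if (-not $present) { 'absent' }
                   elseif ($binaryExists -or $svc) { 'binary or service still live: investigate before touching' }
                   else { 'orphaned key, binary gone: typical leftover of a partial removal' }
        New-Object PSObject -Property @{
            ControlSet   = $cs
            KeyPresent   = $present
            ImagePath    = $imagePath
            BinaryExists = $binaryExists
            SCMRunning   = [bool]($svc -and $svc.Status -eq 'Running')
            Verdict      = $verdict
        }
    }
}

Get-LeftoverServiceKey | Format-Table ControlSet, KeyPresent, BinaryExists, SCMRunning, Verdict -AutoSize
```

The script only reads the registry and the file system; if every row says the binary is gone and nothing is running, the keys are the kind of leftover the post describes, and the removal tool in the thread (or the cleanup the helper posts) is the right next step.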

kelset
2006-11-22, 07:11
I'll post more info in the next 2 or 3 days on the command issue as well as the items that were removed by Spybot; I think they were registry entries, but I'm not positive.

kelset
2006-11-23, 02:26
Installed Ad-aware, did updates and 1 scan, then removed it via Add/Remove Programs, and Spybot still finds the 3 command items. Thought I had a log with the other issues Spybot found, but I can't seem to find it now.

So any info on how to remove the command items so Spybot won't keep detecting them on future scans would be welcome.

Thanks

pskelley
2006-11-23, 02:31
Please download and unzip Ren-cmdservice to your Desktop.
It will only work correctly if the folder is placed on your Desktop and extracted!

http://www.bleepingcomputer.com/files/lonny/ren-cmdservice.zip
http://downloads.subratam.org/Lon/ren-cmdservice.zip

Open the ren-cmdservice folder by double-clicking it and then double-click the
ren-cmdservice.bat file to run the program.
A text file will open when it is finished; please post it.
Then restart the PC, run Spybot, and check for and fix any problems found.

Thanks

tashi
2006-11-27, 21:54
kelset, still with us?

tashi
2006-12-04, 10:20
This topic is closed due to lack of a response. :spider:

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.