CmdService

Firemedic · Jul 19, 2006

Greetings:
I, too have been infected with CmdService. Spybot S&D doesn't detect it, but ETrust Pest Patrol finds it every time, but can't remove it. The pop-ups are driving me crazy!
Thanks in advance for your help!

Logfile of HijackThis v1.99.1
Scan saved at 10:13:20 PM, on 7/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\AOL\1143601834\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\tloi\aaoa.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\common

files\aol\1143601834\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP

Scheduler.exe
c:\program files\common files\aol\1143601834\ee\aolsoftware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D}

- (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xrser.exe
F2 - REG:system.ini:

UserInit=C:\WINDOWS\system32\userinit.exe,jmyidii.exe
O1 - Hosts: 207.68.176.250 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1448C987-4B62-473F-BFE4-AB039AF91F82} - \
O2 - BHO: (no name) - {34C975ED-C01D-489C-BD10-34A20E4D027C} - \
O2 - BHO: (no name) - {4D0CF08B-94D5-442E-A7DC-EE9FC0987089} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {66DE1212-5D63-4C4D-AF5F-317EC465094C} - \
O2 - BHO: (no name) - {73890AC0-74DF-4DED-B6D6-70C0DDCA42C6} -

C:\WINDOWS\evssl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7CFAA08A-03D0-47F7-BE3F-D715B00A238B} - \
O2 - BHO: (no name) - {84177E55-F876-4010-AC8F-BA259EE5FCE6} - \
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no

file)
O2 - BHO: (no name) - {95EC5B3C-92B0-EFA7-6AD5-E03F0DACAF9E} -

C:\WINDOWS\lvqjvigc.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class -

{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat

6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B6A56FC3-DD2D-4BD6-977B-BA1D5E3CFE43} - \
O2 - BHO: (no name) - {BA766099-E246-42F5-B808-44E2358D4614} - \
O2 - BHO: (no name) - {C48FA6F8-28C0-435F-B67E-9A9581233BDC} - \
O2 - BHO: (no name) - {CB018CBA-93EB-4691-96B9-97AD2E0F744B} - \
O2 - BHO: (no name) - {CD5AD1CB-EE38-45C0-A1DF-578C6887CAD6} - \
O2 - BHO: (no name) - {DCA45C1A-E36E-4EAC-5E24-24E1BD3DA4D9} -

C:\WINDOWS\ggrpffgcn.dll
O2 - BHO: (no name) - {EF58CC36-9D30-450B-B400-EBB80E812ED8} - \
O2 - BHO: (no name) - {F78095AA-FE9B-471F-B100-7D8E0EE323D6} - \
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common

Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD

Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program

Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

Files\AOL\1143601834\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common

Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust

PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security

Monitor\ASMonitor.exe"
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Daoo] "C:\Program Files\tloi\aaoa.exe" -vt yazb
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [ssqbn.exe] C:\WINDOWS\system32\ssqbn.exe
O4 - Global Startup: Microsoft Windows.hta
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program

Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search -

http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -

res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program

Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program

files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67}

- file://C:\Program

Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file

missing) (HKCU)
O9 - Extra button: Support - {62EF4423-BECA-48EC-8C45-E4089BE29079} -

http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26}

- file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm

(file missing) (HKCU)
O9 - Extra button: ComcastHSI - {74CAFAE0-EC4C-4CDA-87A2-03E2F152678C}

- http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {862F3131-9528-40ED-AD90-BFC4A7EFB6CC} -

http://www.comcast.net/memberservices/ (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: Battle Phlinx by pogo -

http://game1.pogo.com/applet-6.5.3.37/battlephlinx/battlephlinx-en_US.c

ab
O16 - DPF: Canasta by pogo -

http://game1.pogo.com/applet-6.5.3.37/canasta/canasta-en_US.cab
O16 - DPF: First Class Solitaire by pogo -

http://game1.pogo.com/applet-6.5.2.33/firstclass2/firstclass2-en_US.cab
O16 - DPF: Lottso by pogo -

http://game1.pogo.com/applet-6.4.4.27/lottso/lottso-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo -

http://game1.pogo.com/applet-6.6.0.27/mahjong/mahjong-en_US.cab
O16 - DPF: Penguin Blocks by pogo -

http://game1.pogo.com/applet-6.4.4.34/penguins/penguins-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo -

http://game1.pogo.com/applet-6.5.3.37/waterwheel/waterwheel-en_US.cab
O16 - DPF: Phlinx by pogo -

http://game1.pogo.com/applet-6.5.3.37/flinger/flinger-en_US.cab
O16 - DPF: Ricochet by pogo -

http://game1.pogo.com/applet-6.4.4.34/ricochet/ricochet-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo -

http://game1.pogo.com/applet-6.5.3.37/spider/spider-en_US.cab
O16 - DPF: The Sims Pinball by pogo -

http://game1.pogo.com/applet-6.4.4.34/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo -

http://game1.pogo.com/applet-6.5.1.24/peaks/peaks-en_US.cab
O16 - DPF: World Class Solitaire by pogo -

http://game1.pogo.com/applet-6.5.3.37/worldclass/worldclass-en_US.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX

Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} -

http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload

Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)

-

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/w

uweb_site.cab?1124846663881
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

-

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client

/muweb_site.cab?1125707140830
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -

http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control)

- https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX

Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE

Class) -

http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload

Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} -

http://www.pcpowerscan.com/pcpowerscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)

- http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{00B88359-B541-4DDE-AD9B-EE56367E32B8

}: NameServer = 85.255.116.134,85.255.112.210
O17 -

HKLM\System\CCS\Services\Tcpip\..\{4C858321-0B9D-493A-996C-F35748D720ED

}: NameServer = 85.255.116.134,85.255.112.210
O17 -

HKLM\System\CCS\Services\Tcpip\..\{6682E130-970D-4453-8268-39DBBE932D3B

}: NameServer = 85.255.116.134,85.255.112.210
O17 -

HKLM\System\CCS\Services\Tcpip\..\{B4DCE3FD-31D4-4D27-ACDE-ABEE084B6E37

}: NameServer = 85.255.116.134,85.255.112.210
O17 -

HKLM\System\CCS\Services\Tcpip\..\{C7A7F0C5-574F-418B-89D6-0E7DD30CB046

}: NameServer = 85.255.116.134,85.255.112.210
O17 -

HKLM\System\CCS\Services\Tcpip\..\{E4005009-5363-40C3-AA57-3F296D5262DE

}: NameServer = 85.255.116.134,85.255.112.210
O17 -

HKLM\System\CS1\Services\Tcpip\..\{00B88359-B541-4DDE-AD9B-EE56367E32B8

}: NameServer = 85.255.116.134,85.255.112.210
O20 - AppInit_DLLs: NVDESK32.DLL C:\WINDOWS\system32\winlogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online -

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America

Online, Inc - C:\Program Files\Common

Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec

Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) -

Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. -

C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: icservice - Unknown owner - C:\Program

Files\Ontrack\Internet Cleanup\Internet Cleanup\icserv.exe (file

missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc.

- C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec

AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program

Files\Symantec AntiVirus\Rtvscan.exe

And the online scan results:
eTrust Antivirus Web Scanner

07/18/06

Scan Results: 71628 files scanned. 19 viruses were detected.

File Infection Status Path
Microsoft Windows.hta VBS/Winshow.AR infected C:\Documentsand Settings\All Users\Start Menu\Programs\Startup\
ntdetect.hta VBS/Winshow.AR infected C:\
rotr.exe Win32/Clspring!generic infected C:\Program Files\unue\
A0137901.dll Win32/Clspring.EZ infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP417\
A0137983.exe Win32/Actux.A infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP417\
A0137984.exe Win32/Zquest.D infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP417\
A0138034.exe Win32/Actux.A infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP419\
A0138049.exe Win32/Zquest.D infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP419\
A0138173.exe Win32/Zquest.D infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP420\
A0140225.exe Win32/Zquest.D infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP421\
A0140322.exe Win32/Zquest.D infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP422\
A0140548.exe Win32/Actux.A infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP425\
A0140549.exe Win32/Zquest.D infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP425\
A0140605.exe Win32/Zquest.D infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP426\
A0140641.exe Win32/Actux.A infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP426\
A0140656.exe Win32/Zquest.D infected C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP426\
VSL.dl_ Win32/Zquest.D infected C:\
nfqde.dat Win32/Qoologic.AB infected C:\WINDOWS\system32\
v1201.exe Win32/Actux.A infected C:\WINDOWS\

LonnyRJones · Jul 22, 2006

Hi

Could you post a fresh log without the formating getting skatered please. might have to turn on or off wordwrap.

Firemedic · Jul 23, 2006

I turned off WordWrap in Notepad, but when I pasted it here, it took out all my formatting. So I put the numbers and dashes in to maintain the columns. Hope this helps. I don't know why Symantec doesn't detect all these. It is up to date, and I ran a scan with it after this one, and it found 0 infections.

eTrust Antivirus Web Scanner

07/18/06

Scan Results: 71628 files scanned. 19 viruses were detected.

1.File----------------------2.Infection--------------3.Status-------- 4.Path
1. Microsoft Windows.hta---2. VBS/Winshow.AR ------3. infected
4. C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

1. ntdetect.hta------------2. VBS/Winshow.AR-------3.infected------4. C:\
1. rotr.exe-----------------2. Win32/Clspring!generic--3. infected
4. C:\Program Files\unue\

1. A0137901.dll------------2. Win32/Clspring.EZ------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP417\

1. A0137983.exe-----------2. Win32/Actux.A---------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP417\

1. A0137984.exe-----------2. Win32/Zquest.D--------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP417\

1. A0138034.exe-----------2. Win32/Actux.A---------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP419\

1. A0138049.exe-----------2. Win32/Zquest.D--------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP419\

1. A0138173.exe-----------2. Win32/Zquest.D--------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP420\

1. A0140225.exe-----------2. Win32/Zquest.D--------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP421\

1. A0140322.exe-----------2. Win32/Zquest.D--------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP422\

1. A0140548.exe-----------2. Win32/Actux.A---------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP425\

1. A0140549.exe-----------2. Win32/Zquest.D--------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP425\

1. A0140605.exe-----------2. Win32/Zquest.D--------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP426\

1. A0140641.exe-----------2. Win32/Actux.A----------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP426\

1. A0140656.exe-----------2. Win32/Zquest.D---------3. infected
4. C:\System Volume Information\_restore{8E6EA6AA-2089-4566-B953-1A58A6C08637}\RP426\

1. VSL.dl_-----------------2. Win32/Zquest.D----------3. infected----4. C:\

1. nfqde.dat---------------2. Win32/Qoologic.AB--------3. infected
4. C:\WINDOWS\system32\

1. v1201.exe---------------2. Win32/Actux.A-----------3. infected
4. C:\WINDOWS\

LonnyRJones · Jul 23, 2006

Go start run and copy then paste in
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
delete this file "Microsoft Windows.hta"
I need to see a new hijackthis log posted without its formating being re-aranged

Firemedic · Jul 24, 2006

Here ya go. I didn't do anything with the formatting. I just pasted it "as is". The only thing in Start Up was "Microsoft Windows", an html file (I didn't see a .hta). I deleted it.

Logfile of HijackThis v1.99.1
Scan saved at 8:44:20 PM, on 7/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Common Files\AOL\1143601834\ee\aolsoftware.exe
C:\Program Files\Winamp\winampa.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\tloi\aaoa.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\aol\1143601834\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1143601834\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\ssmypics.scr
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\?ssembly\n?lookup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\xrser.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jmyidii.exe
O1 - Hosts: 207.68.176.250 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1448C987-4B62-473F-BFE4-AB039AF91F82} - \
O2 - BHO: (no name) - {34C975ED-C01D-489C-BD10-34A20E4D027C} - \
O2 - BHO: (no name) - {4D0CF08B-94D5-442E-A7DC-EE9FC0987089} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5DE682A2-6268-4A27-8C01-2792C0AE8849} - \
O2 - BHO: (no name) - {66DE1212-5D63-4C4D-AF5F-317EC465094C} - \
O2 - BHO: (no name) - {73890AC0-74DF-4DED-B6D6-70C0DDCA42C6} - C:\WINDOWS\evssl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7CFAA08A-03D0-47F7-BE3F-D715B00A238B} - \
O2 - BHO: (no name) - {84177E55-F876-4010-AC8F-BA259EE5FCE6} - \
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: (no name) - {95EC5B3C-92B0-EFA7-6AD5-E03F0DACAF9E} - C:\WINDOWS\lvqjvigc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B6A56FC3-DD2D-4BD6-977B-BA1D5E3CFE43} - \
O2 - BHO: (no name) - {BA766099-E246-42F5-B808-44E2358D4614} - \
O2 - BHO: (no name) - {C48FA6F8-28C0-435F-B67E-9A9581233BDC} - \
O2 - BHO: (no name) - {CB018CBA-93EB-4691-96B9-97AD2E0F744B} - \
O2 - BHO: (no name) - {CD5AD1CB-EE38-45C0-A1DF-578C6887CAD6} - \
O2 - BHO: (no name) - {DCA45C1A-E36E-4EAC-5E24-24E1BD3DA4D9} - C:\WINDOWS\ggrpffgcn.dll
O2 - BHO: (no name) - {E0FD98AF-AD1F-44B3-919D-D836D64D7C02} - \
O2 - BHO: (no name) - {E3A7D452-7B8C-4DA4-8E78-BC117E659740} - \
O2 - BHO: (no name) - {EF58CC36-9D30-450B-B400-EBB80E812ED8} - \
O2 - BHO: (no name) - {EF62299D-F071-4364-B923-6A1EC40838C7} - \
O2 - BHO: (no name) - {F78095AA-FE9B-471F-B100-7D8E0EE323D6} - \
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143601834\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Daoo] "C:\Program Files\tloi\aaoa.exe" -vt yazb
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [ssqbn.exe] C:\WINDOWS\system32\ssqbn.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Ojuhsv] C:\Program Files\?ssembly\n?lookup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O9 - Extra button: Support - {62EF4423-BECA-48EC-8C45-E4089BE29079} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {74CAFAE0-EC4C-4CDA-87A2-03E2F152678C} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {862F3131-9528-40ED-AD90-BFC4A7EFB6CC} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.5.3.37/battlephlinx/battlephlinx-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.5.3.37/canasta/canasta-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.2.33/firstclass2/firstclass2-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.4.4.27/lottso/lottso-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.6.0.27/mahjong/mahjong-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.4.34/penguins/penguins-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/waterwheel/waterwheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.5.3.37/flinger/flinger-en_US.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.com/applet-6.4.4.34/ricochet/ricochet-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/spider/spider-en_US.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.4.4.34/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.5.1.24/peaks/peaks-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/worldclass/worldclass-en_US.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124846663881
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125707140830
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00B88359-B541-4DDE-AD9B-EE56367E32B8}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C858321-0B9D-493A-996C-F35748D720ED}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{6682E130-970D-4453-8268-39DBBE932D3B}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4DCE3FD-31D4-4D27-ACDE-ABEE084B6E37}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7A7F0C5-574F-418B-89D6-0E7DD30CB046}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4005009-5363-40C3-AA57-3F296D5262DE}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CS1\Services\Tcpip\..\{00B88359-B541-4DDE-AD9B-EE56367E32B8}: NameServer = 85.255.116.134,85.255.112.210
O20 - AppInit_DLLs: NVDESK32.DLL C:\WINDOWS\system32\winlogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: icservice - Unknown owner - C:\Program Files\Ontrack\Internet Cleanup\Internet Cleanup\icserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LonnyRJones · Jul 24, 2006

Download and run this uninstaller: follow the instructions on the page.
http://www.outerinfo.com/howto.html

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/qoofix.php

Unzip all files to a convenient location such as C:\Qoofix.
Go to the folder you unzipped all files and run Qoofix.exe.
Click Begin Removal and wait for the scan to finish.
If an infection has been found, select yes to restart your computer.

Start Hijackthis and place a check next to these items If there.
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 207.68.176.250 auto.search.msn.com
O2 - BHO: (no name) - {1448C987-4B62-473F-BFE4-AB039AF91F82} - \
O2 - BHO: (no name) - {34C975ED-C01D-489C-BD10-34A20E4D027C} - \
O2 - BHO: (no name) - {4D0CF08B-94D5-442E-A7DC-EE9FC0987089} - \
O2 - BHO: (no name) - {5DE682A2-6268-4A27-8C01-2792C0AE8849} - \
O2 - BHO: (no name) - {66DE1212-5D63-4C4D-AF5F-317EC465094C} - \
O2 - BHO: (no name) - {73890AC0-74DF-4DED-B6D6-70C0DDCA42C6} - C:\WINDOWS\evssl.dll
O2 - BHO: (no name) - {7CFAA08A-03D0-47F7-BE3F-D715B00A238B} - \
O2 - BHO: (no name) - {84177E55-F876-4010-AC8F-BA259EE5FCE6} - \
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: (no name) - {95EC5B3C-92B0-EFA7-6AD5-E03F0DACAF9E} - C:\WINDOWS\lvqjvigc.dll
O2 - BHO: (no name) - {B6A56FC3-DD2D-4BD6-977B-BA1D5E3CFE43} - \
O2 - BHO: (no name) - {BA766099-E246-42F5-B808-44E2358D4614} - \
O2 - BHO: (no name) - {C48FA6F8-28C0-435F-B67E-9A9581233BDC} - \
O2 - BHO: (no name) - {CB018CBA-93EB-4691-96B9-97AD2E0F744B} - \
O2 - BHO: (no name) - {CD5AD1CB-EE38-45C0-A1DF-578C6887CAD6} - \
O2 - BHO: (no name) - {DCA45C1A-E36E-4EAC-5E24-24E1BD3DA4D9} - C:\WINDOWS\ggrpffgcn.dll
O2 - BHO: (no name) - {E0FD98AF-AD1F-44B3-919D-D836D64D7C02} - \
O2 - BHO: (no name) - {E3A7D452-7B8C-4DA4-8E78-BC117E659740} - \
O2 - BHO: (no name) - {EF58CC36-9D30-450B-B400-EBB80E812ED8} - \
O2 - BHO: (no name) - {EF62299D-F071-4364-B923-6A1EC40838C7} - \
O2 - BHO: (no name) - {F78095AA-FE9B-471F-B100-7D8E0EE323D6} - \
O4 - HKCU\..\Run: [Daoo] "C:\Program Files\tloi\aaoa.exe" -vt yazb
O4 - HKCU\..\Run: [VSL13.exe] C:\WINDOWS\system32\VSL13.exe
O4 - HKCU\..\Run: [ssqbn.exe] C:\WINDOWS\system32\ssqbn.exe
O4 - HKCU\..\Run: [Ojuhsv] C:\Program Files\?ssembly\n?lookup.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00B88359-B541-4DDE-AD9B-EE56367E32B8}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C858321-0B9D-493A-996C-F35748D720ED}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{6682E130-970D-4453-8268-39DBBE932D3B}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{B4DCE3FD-31D4-4D27-ACDE-ABEE084B6E37}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7A7F0C5-574F-418B-89D6-0E7DD30CB046}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CCS\Services\Tcpip\..\{E4005009-5363-40C3-AA57-3F296D5262DE}: NameServer = 85.255.116.134,85.255.112.210
O17 - HKLM\System\CS1\Services\Tcpip\..\{00B88359-B541-4DDE-AD9B-EE56367E32B8}: NameServer = 85.255.116.134,85.255.112.210

Optional fix's >
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Finally post a new Hijack This log and the contents of the Qoofix logfile.

Note:
If You have connection problems or those 017's ~ 85.255.116.134,85.255.112.210, return >
Before doing this write down all the settings, Note that not all system/setups even have these settings, While some connection service's will require them.
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.

Do that for every conntection listed.

Firemedic · Jul 24, 2006

So far, so good...

Logfile of HijackThis v1.99.1
Scan saved at 12:35:42 AM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\AOL\1143601834\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\common files\aol\1143601834\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\program files\common files\aol\1143601834\ee\aolsoftware.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Hijack This\HijackThis.exe
C:\Program Files\CA\eTrust PestPatrol\PPV5Updater.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2407FBBE-B66D-61C3-17DF-05EFBE0FD06A} - C:\WINDOWS\klwavf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60892B69-A608-44D2-9CC5-FD4A708F353E} - \
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7B01A093-ECBB-84A0-CEBC-95DAFEECBD01} - C:\WINDOWS\gohh.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B1B2B2A5-33EA-4124-9639-9CB148532824} - \
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143601834\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {62EF4423-BECA-48EC-8C45-E4089BE29079} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {74CAFAE0-EC4C-4CDA-87A2-03E2F152678C} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {862F3131-9528-40ED-AD90-BFC4A7EFB6CC} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.5.3.37/battlephlinx/battlephlinx-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.5.3.37/canasta/canasta-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.2.33/firstclass2/firstclass2-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.4.4.27/lottso/lottso-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.6.0.27/mahjong/mahjong-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.4.34/penguins/penguins-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/waterwheel/waterwheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.5.3.37/flinger/flinger-en_US.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.com/applet-6.4.4.34/ricochet/ricochet-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/spider/spider-en_US.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.4.4.34/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.5.1.24/peaks/peaks-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/worldclass/worldclass-en_US.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124846663881
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125707140830
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O20 - AppInit_DLLs: NVDESK32.DLL C:\WINDOWS\system32\winlogon.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: icservice - Unknown owner - C:\Program Files\Ontrack\Internet Cleanup\Internet Cleanup\icserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Qoofix v1.02 by http://www.malwarebytes.org
Scan started on [7/23/2006] at [11:44:50 PM]
-------------------------------------------------------------
Terminated module: opbajlt.dll found in Qoofix.exe (236)
Terminated module: opbajlt.dll found in iibard.exe (232)
Terminated module: opbajlt.dll found in explorer.exe (376)
Terminated module: opbajlt.dll found in xrser.exe (384)
Terminated module: opbajlt.dll found in xrser.exe (476)
Terminated module: opbajlt.dll found in xrser.exe (484)
Terminated module: opbajlt.dll found in ccApp.exe (628)
Terminated module: opbajlt.dll found in VPTray.exe (636)
Terminated module: opbajlt.dll found in AOLDial.exe (656)
Terminated module: opbajlt.dll found in Directcd.exe (664)
Terminated module: opbajlt.dll found in hpgs2wnd.exe (672)
Terminated module: opbajlt.dll found in aolsoftware.exe (712)
Terminated module: opbajlt.dll found in iTunesHelper.exe (800)
Terminated module: opbajlt.dll found in qttask.exe (932)
Terminated module: opbajlt.dll found in realsched.exe (1648)
Terminated module: opbajlt.dll found in PPActiveDetection.exe (1816)
Terminated module: opbajlt.dll found in hpgs2wnf.exe (1864)
Terminated module: opbajlt.dll found in winampa.exe (1876)
Terminated module: opbajlt.dll found in ASMonitor.exe (1900)
Terminated module: opbajlt.dll found in ctfmon.exe (1932)
Terminated module: opbajlt.dll found in waol.exe (244)
Terminated module: opbajlt.dll found in wscntfy.exe (3256)
Terminated module: opbajlt.dll found in AOLSP Scheduler.exe (3732)
Terminated module: opbajlt.dll found in aolsoftware.exe (3836)
Terminated module: opbajlt.dll found in shellmon.exe (2452)
Terminated module: opbajlt.dll found in WinRAR.exe (3808)
Terminated module: opbajlt.dll found in PPV5Updater.exe (4028)
-------------------------------------------------------------
C:\WINDOWS\system32\iibard.exe will be deleted on reboot!
C:\WINDOWS\system32\jmyidii.exe will be deleted on reboot!
C:\WINDOWS\system32\nfqde.dat will be deleted on reboot!
C:\WINDOWS\system32\opbajlt.dll will be deleted on reboot!
C:\WINDOWS\system32\xrser.exe will be deleted on reboot!
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\apnby.exe will be deleted on reboot!

User prompted YES to reboot, system now rebooting...
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [7/23/2006] at [11:48:18 PM]

Note: Some registry keys may have been removed.

LonnyRJones · Jul 24, 2006

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="NVDESK32.DLL"

Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {2407FBBE-B66D-61C3-17DF-05EFBE0FD06A} - C:\WINDOWS\klwavf.dll
O2 - BHO: (no name) - {60892B69-A608-44D2-9CC5-FD4A708F353E} - \
O2 - BHO: (no name) - {7B01A093-ECBB-84A0-CEBC-95DAFEECBD01} - C:\WINDOWS\gohh.dll
O2 - BHO: (no name) - {B1B2B2A5-33EA-4124-9639-9CB148532824} - \

====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a report from this tool if any FILES show
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them YET.....legitimate files can be listed.

Post a fresh hijackthis log please, be sure to mention any current problems.

Firemedic · Jul 25, 2006

Ok, I clicked "Run" not "save" on Blacklite. It found 0 problems. I didn't see any new txt near Blacklite that you asked for.

As for current problems, I am having FAR fewer pop-ups. I think I've had 1 in the last couple of days. In Internet Explorer, there is usually some sort of ad on the left side of the browser window. Don't know if that counts as a pop-up, but it didn't used to be there.

eTrust PestPatrol is still finding CmdService, but nothing else. It was finding things called "wallpap", "v1201", and trojans everytime I signed on. I would quarantine them everytime, but they would be back the next time I signed on. AOL's spyfinder has found CmdService before, but it found nothing when I signed on today. Spybot S&D didn't find anything, either. It gave me a green checkmark.

Logfile of HijackThis v1.99.1
Scan saved at 7:09:24 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\AOL\1143601834\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1143601834\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1143601834\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Hijack This\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143601834\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {62EF4423-BECA-48EC-8C45-E4089BE29079} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {74CAFAE0-EC4C-4CDA-87A2-03E2F152678C} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {862F3131-9528-40ED-AD90-BFC4A7EFB6CC} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.5.3.37/battlephlinx/battlephlinx-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.5.3.37/canasta/canasta-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.2.33/firstclass2/firstclass2-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.4.4.27/lottso/lottso-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.6.0.27/mahjong/mahjong-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.4.34/penguins/penguins-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/waterwheel/waterwheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.5.3.37/flinger/flinger-en_US.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.com/applet-6.4.4.34/ricochet/ricochet-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/spider/spider-en_US.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.4.4.34/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.5.1.24/peaks/peaks-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/worldclass/worldclass-en_US.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124846663881
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125707140830
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: icservice - Unknown owner - C:\Program Files\Ontrack\Internet Cleanup\Internet Cleanup\icserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LonnyRJones · Jul 25, 2006

"Ok, I clicked "Run" not "save" on Blacklite."
Unless a program (or download/instructions) say's to select run or open always download, so download then run blacklite again please.

Keep an eye out for problems over the next few days and let us know if there are any or not.

Firemedic · Jul 25, 2006

Sorry, I was trying to follow your instructions exactly. So I clicked "download", then Run on the first security box that came up. Anyway, I think I got it right. Is this what you are looking for?

07/25/06 09:34:30 [Info]: BlackLight Engine 1.0.42 initialized
07/25/06 09:34:30 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/25/06 09:34:32 [Note]: 7019 4
07/25/06 09:34:32 [Note]: 7005 0
07/25/06 09:34:38 [Note]: 7006 0
07/25/06 09:34:38 [Note]: 7011 1912
07/25/06 09:34:39 [Note]: 7026 0
07/25/06 09:34:39 [Note]: 7026 0
07/25/06 09:34:59 [Note]: FSRAW library version 1.7.1019
07/25/06 09:50:52 [Note]: 7007 0

Logfile of HijackThis v1.99.1
Scan saved at 9:57:27 AM, on 7/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\AOL\1143601834\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1143601834\ee\services\antiSpywareApp\ver2_0_27_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1143601834\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143601834\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {62EF4423-BECA-48EC-8C45-E4089BE29079} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {74CAFAE0-EC4C-4CDA-87A2-03E2F152678C} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {862F3131-9528-40ED-AD90-BFC4A7EFB6CC} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O16 - DPF: Battle Phlinx by pogo - http://game1.pogo.com/applet-6.5.3.37/battlephlinx/battlephlinx-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.5.3.37/canasta/canasta-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.2.33/firstclass2/firstclass2-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.4.4.27/lottso/lottso-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.6.0.27/mahjong/mahjong-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.4.34/penguins/penguins-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/waterwheel/waterwheel-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.5.3.37/flinger/flinger-en_US.cab
O16 - DPF: Ricochet by pogo - http://game1.pogo.com/applet-6.4.4.34/ricochet/ricochet-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/spider/spider-en_US.cab
O16 - DPF: The Sims Pinball by pogo - http://game1.pogo.com/applet-6.4.4.34/simball/simball-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.5.1.24/peaks/peaks-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-6.5.3.37/worldclass/worldclass-en_US.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124846663881
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125707140830
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: icservice - Unknown owner - C:\Program Files\Ontrack\Internet Cleanup\Internet Cleanup\icserv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

LonnyRJones · Jul 25, 2006

Those logs look fine

Post back in a few days and let us know how that PC is, in the meantime >
Think Prevention: Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Firemedic · Jul 29, 2006

Still no new problems. No pop-ups. Pest Patrol and AOL Active Spyware Protection are still saying CmdService is still there.

The only other problem with my PC is: when trying to load certain websites, I get an error message that says something like, "A runtime error has occured. Do you want to Debug? Item expected: Line __" I sometimes have to click No 5 or 6 times to get the page to load.

LonnyRJones · Jul 29, 2006

Debug errors when using the aol browser ?
You need to check AOL's website FAQ's for that, for internet explorer that setting would be in internet options > advanced > [x]check disable script debugging

Im seeing several others who reports cmdservice that use pest patrol and aol.

tashi · Aug 2, 2006

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.

CmdService

Firemedic

New member

LonnyRJones

Security Expert-Emeritus

Firemedic

New member

LonnyRJones

Security Expert-Emeritus

Firemedic

New member

LonnyRJones

Security Expert-Emeritus

Firemedic

New member

LonnyRJones

Security Expert-Emeritus

Firemedic

New member

LonnyRJones

Security Expert-Emeritus

Firemedic

New member

LonnyRJones

Security Expert-Emeritus

Firemedic

New member

LonnyRJones

Security Expert-Emeritus

tashi

Member of Team Spybot