Need help, way beyond my skills

Hijackthis 1/1

Logfile of HijackThis v1.99.1
Scan saved at 11:15:21 AM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
C:\PROGRA~1\BOOK4G~1\_tomsagn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\hijack\HijakThs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StartAgent] C:\Program Files\Book4golf\StartHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Shortcut to Listener.exe.lnk = C:\Program Files\Book4golf\Listener.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
 
Info from instructions

bad C:\WINDOWS\system32\oimz.dll
bad C:\WINDOWS\system32\wtstr.exe
bad C:\WINDOWS\mtuninst.exe
bad C:\WINDOWS\system32\oins.exe
good C:\WINDOWS\system32\winpfg32.sys
good C:\WINDOWS\system32\vrq7eb3a.sys
bad C:\814.exe
bad C:\WINDOWS\srvpbjwbvv.exe

was unable to find 'PuritySCAN By OIN, OIN or OuterInfo or any variation of that'

couldnt find these, so must assume they were removed
C:\windows\system32\omdsregl.exe <<< delete that file
C:\WINDOWS\?racle\ <<< delete that folder
C:\PROGRA~1\COMMON~1\FNTS~1\ delete that folder
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:31:25 PM 11/19/2006

+ Scan result:



C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0006332.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0009835.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006109.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006115.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006135.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006139.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0009997.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005822.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005823.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005832.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005840.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0006484.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3831158022-483468862-693128569-1006\Dc4.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP214\A0009975.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3831158022-483468862-693128569-1006\Dc1.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP132\A0006331.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0009820.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0009821.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0009849.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0006481.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005962.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP127\A0006005.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006027.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006045.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006060.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006090.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006104.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006129.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006195.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006230.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP135\A0006476.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006052.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006077.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006080.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006081.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005831.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005941.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005943.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005950.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005953.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP126\A0005976.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006172.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006199.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP129\A0006202.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3831158022-483468862-693128569-1006\Dc6.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-3831158022-483468862-693128569-1006\Dc3.exe -> Downloader.PurityScan.bl : Cleaned with backup (quarantined).
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\alg.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\Program Files\Common Files\wiik\wiikd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).


::Report end
 
The HJT log looks good, let's clean the System Restore files.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


Can you look at these again with the scanners
C:\WINDOWS\system32\winpfg32.sys
Everything I see says it should be bad:
http://research.sunbelt-software.com/threatdisplay.aspx?name=Zenotecnico&threatid=41139
http://www.google.com/search?source...&rls=GGLG,GGLG:2006-16,GGLG:en&q=winpfg32.sys

C:\WINDOWS\system32\vrq7eb3a.sys
This one appears only once on Google, in this log.
http://www.google.com/search?source...&rls=GGLG,GGLG:2006-16,GGLG:en&q=vrq7eb3a.sys

Please use all three scans, if they are not bad we don't want to remove them, but they sure appear to be.

How is the computer running now?

Thanks
 
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: vrq7eb3a.sys
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 a7db777915905f724274963d691e37ca
Packers detected: -


Kaspersky File Scanner

You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.

Download a trial version of Kaspersky Anti-Virus
Purchase Kaspersky Anti-Virus in our E-Store
Purchase Kaspersky Anti-Virus from a certified partner

Scanned file: vrq7eb3a.sys


STATUS: FINISHEDComplete scanning result of "vrq7eb3a.sys", received in VirusTotal at 11.22.2006, 00:31:55 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.44 11.21.2006 no virus found
Authentium 4.93.8 11.20.2006 no virus found
Avast 4.7.892.0 11.20.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.22.2006 no virus found
CAT-QuickHeal 8.00 11.21.2006 no virus found
ClamAV devel-20060426 11.21.2006 no virus found
DrWeb 4.33 11.21.2006 no virus found
eSafe 7.0.14.0 11.20.2006 no virus found
eTrust-InoculateIT 23.73.62 11.21.2006 no virus found
eTrust-Vet 30.3.3205 11.21.2006 no virus found
Ewido 4.0 11.21.2006 no virus found
Fortinet 2.82.0.0 11.21.2006 no virus found
F-Prot 3.16f 11.22.2006 no virus found
F-Prot4 4.2.1.29 11.20.2006 no virus found
Ikarus 0.2.65.0 11.21.2006 no virus found
Kaspersky 4.0.2.24 11.21.2006 no virus found
McAfee 4901 11.21.2006 no virus found
Microsoft 1.1804 11.21.2006 no virus found
NOD32v2 1876 11.21.2006 no virus found
Norman 5.80.02 11.21.2006 no virus found
Panda 9.0.0.4 11.21.2006 no virus found
Prevx1 V2 11.22.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.21.2006 no virus found
UNA 1.83 11.21.2006 no virus found
VBA32 3.11.1 11.21.2006 no virus found
VirusBuster 4.3.15:9 11.21.2006 no virus found
 
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: winpfg32.sys
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f75d1ecf194dae46a1e3142ed26c4037
Packers detected: -


Kaspersky File Scanner

You're clean!
Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.

Download a trial version of Kaspersky Anti-Virus
Purchase Kaspersky Anti-Virus in our E-Store
Purchase Kaspersky Anti-Virus from a certified partner

Scanned file: winpfg32.sys


STATUS: FINISHEDComplete scanning result of "winpfg32.sys", received in VirusTotal at 11.22.2006, 00:28:03 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.44 11.21.2006 no virus found
Authentium 4.93.8 11.20.2006 no virus found
Avast 4.7.892.0 11.20.2006 no virus found
AVG 386 11.20.2006 no virus found
BitDefender 7.2 11.22.2006 no virus found
CAT-QuickHeal 8.00 11.21.2006 no virus found
ClamAV devel-20060426 11.21.2006 no virus found
DrWeb 4.33 11.21.2006 no virus found
eSafe 7.0.14.0 11.20.2006 no virus found
eTrust-InoculateIT 23.73.62 11.21.2006 no virus found
eTrust-Vet 30.3.3205 11.21.2006 no virus found
Ewido 4.0 11.21.2006 no virus found
Fortinet 2.82.0.0 11.21.2006 no virus found
F-Prot 3.16f 11.22.2006 no virus found
F-Prot4 4.2.1.29 11.20.2006 no virus found
Ikarus 0.2.65.0 11.21.2006 no virus found
Kaspersky 4.0.2.24 11.21.2006 no virus found
McAfee 4901 11.21.2006 no virus found
Microsoft 1.1804 11.21.2006 no virus found
NOD32v2 1876 11.21.2006 no virus found
Norman 5.80.02 11.21.2006 no virus found
Panda 9.0.0.4 11.21.2006 no virus found
Prevx1 V2 11.22.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.122 11.21.2006 no virus found
UNA 1.83 11.21.2006 no virus found
VBA32 3.11.1 11.21.2006 no virus found
VirusBuster 4.3.15:9 11.21.2006 no virus found
 
Spybot Log

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-08 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-17 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-17 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-17 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-17 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-17 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-17 Includes\PUPSC.sbi (*)
2006-11-17 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-17 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-17 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-17 Includes\Trojans.sbi (*)
2006-11-17 Includes\TrojansC.sbi (*)
 
Logfile of HijackThis v1.99.1
Scan saved at 6:53:22 PM, on 11/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cherry\CDI\CDI.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
C:\PROGRA~1\BOOK4G~1\_tomsagn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijack\HijakThs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winnipegweather.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [StartAgent] C:\Program Files\Book4golf\StartHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Shortcut to Listener.exe.lnk = C:\Program Files\Book4golf\Listener.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printer Status Monitor.lnk = C:\Program Files\Imagistics\Printer Status Monitor\Smon.exe
O8 - Extra context menu item: Send to Keyman - C:\Program Files\Cherry\KeyMan\IEMenuExtKeyman.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A89551E8-992E-48D0-A90C-3E78CF66B217} - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DAD7A6E-6207-4E54-BF11-646707A692A0}: NameServer = 192.168.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cherry Device Interface - Cherry Gmbh, Auerbach Germany, www.cherry.de - C:\Program Files\Cherry\CDI\CDI.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
 
system seems to be running better. posted scan logs from the 3 sites you gave me for the 2 files, according to them the files are clean.

Did a scan with Spybot and there was 13 items found, and all but the command ones were removed, posted the report.

Scan from AVG showed nothing left.

And the system restore was turned off then back on as requested.

This sytem is hooked to a Dlink router. should I install some firewall software on this system or should the Dlink handle that and just run an antivirus on the computer ?

Thanks for all the help so far.
 
Did a scan with Spybot and there was 13 items found, and all but the command ones were removed, posted the report.
Click to expand...
If we covered this before, I apologize. These command.exe items are leftovers as a results of a poor removal by another program (possible Ad-aware). If this is the case then update Ad-aware (seems it is supposed to remove the leftovers now) and run it to see. If this does not work, let me know and I will post a solution for you. I am interested in the other items, were they cookies? If you need information to help you stop getting unwanted cookies, let me know.

Thanks for the feedback about those files, I appreciate you re-checking them, and suggest you leave them alone.

Dlink router: I would ask that question to support: http://support.dlink.com/chooseCountry.asp I have no experience with that router. I can tell you I run a Linksys with a firewall and still run Zone Alarm free because I do not feel the SP2 gives me the protection I want. I understand you can run a hardware firewall and a software firewall at the same time, but I would still prefer you get that information from the manufacturer.

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Safe surfing...tashi:) will close your topic in a few days.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
I'll post more info in next 2 or 3 days on the command issue as well as the items that were removed by spybot, think they were registry enterys, but not positive.
 
Installed Ad-aware, did updates and 1 scan then removed it via Add Remove programs, and spybot still finds the 3 command items. Thought I had a log with the other issues spybot found but I cant seem to find it now.

So any info on how to remove the command items so spybot wont keep detecting them on future scans would be welcome.

Thanks
 
Please download and unzip Ren-cmdservice to your Desktop.
It will only work correctly if the folder is placed on your Desktop and extracted !!.

http://www.bleepingcomputer.com/files/lonny/ren-cmdservice.zip
http://downloads.subratam.org/Lon/ren-cmdservice.zip

Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished, Post it please.
Then restart the PC run spybot check for and fix any problems found.

Thanks
 
This topic is closed due to lack of a response. :spider:

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.
 
You must log in or register to reply here.
Back
Top