Infected with TROJANS

CRCHUCK1 · 08-05-2006, 10:58 AM

After having run Computer Associates (CA) Easy Trust Anti-Virus software it found Win32\SillyDl.AFU, Java/ByteVerify and Java/Sinwow.M and .N had infected my computer. I have tried to follow the 5 Step Process and have not been able to clean my computer. I have run Spybot, Ad-Aware SE, MicroTrend free scan, eTrust PestControl, CA's EZ Anti-Virus (several times), Symantec's free scan, all without successfully cleaning/deleting the virus. CA's scan provided an address of four locations. They are "Windows\TEMP\AAWTMP\C14726090\269FCF\; 1F299\; 43F2C\; 17843F\". I tried seaching with the search function and through the Local Disk C using My Computer. Both without success in finding the file/folder. I could find "TEMP" but could not find "AAWMP" within TEMP. Perhaps someone has had a similar experience and may have a solution for me. All help will be appreciated. I have not taken any action to delete or change anything the follow HJT log has displayed.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:52 PM, on 08/05/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab

Vikesrock8411 · 08-06-2006, 02:20 AM

Download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually.

At the end of the scan click on see report. Then click Save report

Please post that log in your next reply.

In your next post please include:

Panda Activescan Log
A new Hijackthis! Log

CRCHUCK1 · 08-06-2006, 10:24 AM

I have followed your instructions by using ATF=Cleaner.exe and have scanned My Computer with Panda ActiveScan. The following are the logs for each.

The following is the Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 11:07:19 PM, on 08/06/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

The following is the Panda ActiveScan Log.

Incident Status Location

Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf
Adware:adware/transponder Not disinfected c:\windows\thin-114-1-x-x.exe
Adware:adware/cws Not disinfected C:\WINDOWS\Favorites\Insurance
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\charles r[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Cookies\anyuser@webpower[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\WINDOWS\Cookies\anyuser@www.affiliatefuel[1].txt
Spyware:Cookie/Mircx Not disinfected C:\WINDOWS\Cookies\anyuser@pop.mircx[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\charles r. clark@ccbill[2].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\anyuser@www.web-stat[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[4].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[3].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\charles r. clark@atwola[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[4].txt
Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\Cookies\charles r. clark@azjmp[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[5].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[1].txt
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Cookies\anyuser@yadro[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\charles r[30].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[2].txt
Spyware:Cookie/Kount Not disinfected C:\WINDOWS\Cookies\charles r. clark@kount[1].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\charles r. clark@ct.360i[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[6].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[1].txt
Spyware:Cookie/GoClick Not disinfected C:\WINDOWS\Cookies\anyuser@c.goclick[2].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\anyuser@target[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\anyuser@searchportal.information[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\anyuser@ath.belnk[1].txt
Spyware:Cookie/64.62.232 Not disinfected C:\WINDOWS\Cookies\anyuser@64.62.232[3].txt
Spyware:Cookie/Adrevolver Not disinfected C:\WINDOWS\Cookies\charles r[41].txt
Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\Cookies\anyuser@azjmp[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\charles r. clark@searchportal.information[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\charles r. clark@ath.belnk[1].txt
Spyware:Cookie/Xmts Not disinfected C:\WINDOWS\Cookies\anyuser@xmts[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[8].txt
Spyware:Cookie/NewMedia Not disinfected C:\WINDOWS\Cookies\anyuser@anm.co[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[4].txt
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Cookies\anyuser@microsofteup.112.2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\charles r. clark@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\WINDOWS\Cookies\anyuser@banner[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\WINDOWS\Cookies\anyuser@i.screensavers[2].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[2].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[1].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[3].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\anyuser@xiti[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[3].txt
Spyware:Cookie/Paypopup Not disinfected C:\WINDOWS\Cookies\anyuser@paypopup[1].txt

Vikesrock8411 · 08-06-2006, 12:04 PM

Open Internet Explorer and click Tools->Internet Options. On the General tab click the Delete Cookies button. Click OK twice and close IE.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
c:\windows\thin-114-1-x-x.exe
C:\WINDOWS\Favorites\Insurance

Post a new Hijackthis log and let me know if you are still experiencing the original issue.

CRCHUCK1 · 08-06-2006, 02:50 PM

The following are the new scans for Hijack This and ActiveScan after having delete "Cwindows thin-114-1-x-x.exe and C\windows\Favorites\Insurance. I hope I deleted them correctly. I went to My Computer, Windows and manually deleted "thin...." and then to Favorites and manually deleted Insurance. I did that using the Delete Button (Large red X). I also ran ActiveScan again and it still found 54 Spyware items. I want to thank you very much for helping with this problem. Also, I did delete the cookies as you advised.

The following is the HijackThis Log followed by the ActiveScan Log.
Logfile of HijackThis v1.99.1
Scan saved at 3:26:05 AM, on 08/07/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Incident Status Location

Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf
Adware:adware/cws Not disinfected C:\WINDOWS\Favorites\Health
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\charles r[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[2].txt
Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Cookies\anyuser@webpower[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\WINDOWS\Cookies\anyuser@www.affiliatefuel[1].txt
Spyware:Cookie/Mircx Not disinfected C:\WINDOWS\Cookies\anyuser@pop.mircx[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\charles r. clark@ccbill[2].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\anyuser@www.web-stat[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[4].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[3].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\charles r. clark@atwola[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[4].txt
Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\Cookies\charles r. clark@azjmp[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[5].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[1].txt
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Cookies\anyuser@yadro[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\charles r[30].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[2].txt
Spyware:Cookie/Kount Not disinfected C:\WINDOWS\Cookies\charles r. clark@kount[1].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\charles r. clark@ct.360i[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[6].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[1].txt
Spyware:Cookie/GoClick Not disinfected C:\WINDOWS\Cookies\anyuser@c.goclick[2].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\anyuser@target[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\anyuser@searchportal.information[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\anyuser@ath.belnk[1].txt
Spyware:Cookie/64.62.232 Not disinfected C:\WINDOWS\Cookies\anyuser@64.62.232[3].txt
Spyware:Cookie/Adrevolver Not disinfected C:\WINDOWS\Cookies\charles r[41].txt
Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\Cookies\anyuser@azjmp[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\charles r. clark@searchportal.information[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\charles r. clark@ath.belnk[1].txt
Spyware:Cookie/Xmts Not disinfected C:\WINDOWS\Cookies\anyuser@xmts[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[8].txt
Spyware:Cookie/NewMedia Not disinfected C:\WINDOWS\Cookies\anyuser@anm.co[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[4].txt
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Cookies\anyuser@microsofteup.112.2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\charles r. clark@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\WINDOWS\Cookies\anyuser@banner[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\WINDOWS\Cookies\anyuser@i.screensavers[2].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[2].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[1].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[3].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\anyuser@xiti[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[3].txt
Spyware:Cookie/Paypopup Not disinfected C:\WINDOWS\Cookies\anyuser@paypopup[1].txt

Vikesrock8411 · 08-07-2006, 08:30 PM

Browse to this folder:
C:\WINDOWS\Cookies

Click Ctrl+A to select all the files then click Delete

Download CWShredder- Run CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here.

CRCHUCK1 · 08-08-2006, 09:09 PM

Thanks again for your help. I deleted all cookies as you instructed and ran CWShredder. It removed one item. Unfortunately I didn't get its name. I ran Hijackthis again and ActiveScan. Both logs are below. ActiveScan indicates there are still three (3) Spyware programs remaining in my computer. Hopefully you can suggest how to get rid of them. Many thanks again for you invaluable help.

Logfile of HijackThis v1.99.1
Scan saved at 9:56:38 AM, on 08/09/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Incident Status Location

Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf
Adware:adware/cws Not disinfected C:\WINDOWS\Favorites\Health
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry

Vikesrock8411 · 08-09-2006, 01:03 PM

Delete this folder:
C:\WINDOWS\Favorites\Health

Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot

In the popup box that appears, type in c:\windows\downloaded program files\cc.inf
Click the Open button.
Click YES when prompted to restart your computer.

How is the Pc running now?

CRCHUCK1 · 08-10-2006, 01:13 PM

Again Thanks for you help. I did as you instructed and deleted "Health" in Windows Favorites and did the delete on reboot of "cc.inf" in Windows downloaded program files. I ran HijackThis and ActiveScan again and instead of only three Spyware that it previously found, ActiveScan found eight Spyware and one Dialer. I then performed a delete of all cookies in Windows\Cookies using Ctrl+A and Delete button. At this point I'm not sure what else to do. "Bargainbuddy" keep coming back and the Dialer seems to be a new entry, and, there also seems to be something in the Registry. Non of these I know how to clean or fix. Especially the Registry. I don't know how they are getting into my computer.I have not visited any weird web sites. Primarily, I have only visited your web, new web sited (CNN, Fox ABC NBC, CBS etc.) and Outlook Express for EMail. I'm beginning to lose faith in Computer Associates EZ Armor software, which I"m sure you know has a Firewall and Anti-Virus software. Anyway, My Computer seems to be running OK at the moment. I have provided logs for both HijackThis and ActiveScann below.

Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:01:05 AM, on 08/10/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

ACTIVESCAN LOG AS OF 8/10/06, 12:01 PM

Incident Status Location

Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf
Dialer:dialer generic Not disinfected c:\program files\GIB
Adware:adware/exact.bargainbuddy Not disinfected Windows Registry
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Cookies\anyuser@tribalfusion[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Cookies\anyuser@apmebf[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Cookies\anyuser@qksrv[2].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Cookies\anyuser@as-us.falkag[1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Cookies\anyuser@zedo[1].txt
Spyware:Cookie/Com.com

Vikesrock8411 · 08-10-2006, 07:05 PM

Please install the following preventative programs before continuing.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set.

Delete the following files\folders:
c:\windows\downloaded program files\cc.inf
c:\program files\GIB

Post a new Hijackthis log and let me know how the PC is running

CRCHUCK1 · 08-12-2006, 08:42 AM

My computer seems to be running Ok, for now. I did download MVPS HOSTS and Spyware Blaster. But, I don't know if the download for MVPS went as it should. I read the instructions for download MVPS and did a "Save Target As" but when I clicked the saved button (to save in Desktop) I get an icon that looks like a sheet of paper with simulated writing and a capital "A" in the lower riight corner. I clicked on that and did and got a window that ask if I wanted to install the program. I clicked yes. I guess it unziped and installed it but it did not change its name to "HOST.MVP" as described in the instructions. When I click on the Icon the only thing I get is the "Do You Want to Install This Program" window.

I did find the same Icon in C:\Windows\Desktop and when I click on it, it comes up with the same "Do I want To Install" window. I only tried to download it once. I'm not sure what to do next. Do you have any suggestions or advice? Should I delete it and try again?

Vikesrock8411 · 08-12-2006, 07:09 PM

Click here and save the zip file to your desktop. Double click on MVPS.bat to run it.

Is the PC still behaving well?

CRCHUCK1 · 08-14-2006, 08:53 AM

My PC seems to be running OK. I did as you instructed and clicked on the word "here" in you previous reply to download MVPS. But again, I did not have any success when I clicked on the Desktop "hosts" icon. Again, all I got was the window asking me if I wanted to install the software. I clicked "yes" and the window disappeared and nothing else happened. The screen went back to the normal Desktop with all the other software icons. I did a search for MVSP.bat but did not find it. I also did a search for "*.zip" and "*.bat". I did find the "hosts" icon in the Desktop folder and when I clicked on it I had the same result described above. So I guess I cannot get to setup in MVSP. As you requested, I have included a HijackThis log below. Thank you for your patience with me and my problems.

Logfile of HijackThis v1.99.1
Scan saved at 9:36:13 PM, on 08/14/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Vikesrock8411 · 08-14-2006, 11:38 AM

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Disabling the Viewing of Hidden and System Files

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Setting a new Restore Point
To turn off System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows.

Reboot your system.

To turn on System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then uncheck "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows.

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

CRCHUCK1 · 08-14-2006, 03:16 PM

Yes, I agree. We can mark this thread as resolved. Many, many thanks for all your help and advice. Posting one more HijacThis log. Thank again.

Logfile of HijackThis v1.99.1
Scan saved at 4:12:21 AM, on 08/15/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab
O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

08-05-2006, 10:58 AM	#1 (permalink)
CRCHUCK1 Registered User Join Date: Dec 2005 Posts: 11 OS: Windows Me	Infected with TROJANS After having run Computer Associates (CA) Easy Trust Anti-Virus software it found Win32\SillyDl.AFU, Java/ByteVerify and Java/Sinwow.M and .N had infected my computer. I have tried to follow the 5 Step Process and have not been able to clean my computer. I have run Spybot, Ad-Aware SE, MicroTrend free scan, eTrust PestControl, CA's EZ Anti-Virus (several times), Symantec's free scan, all without successfully cleaning/deleting the virus. CA's scan provided an address of four locations. They are "Windows\TEMP\AAWTMP\C14726090\269FCF\; 1F299\; 43F2C\; 17843F\". I tried seaching with the search function and through the Local Disk C using My Computer. Both without success in finding the file/folder. I could find "TEMP" but could not find "AAWMP" within TEMP. Perhaps someone has had a similar experience and may have a solution for me. All help will be appreciated. I have not taken any action to delete or change anything the follow HJT log has displayed. Logfile of HijackThis v1.99.1 Scan saved at 11:53:52 PM, on 08/05/2006 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe" O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab

08-06-2006, 02:20 AM	#2 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually. At the end of the scan click on see report. Then click Save report Please post that log in your next reply. In your next post please include: Panda Activescan Log A new Hijackthis! Log __________________

08-06-2006, 10:24 AM	#3 (permalink)
CRCHUCK1 Registered User Join Date: Dec 2005 Posts: 11 OS: Windows Me	Infected with TROJANS I have followed your instructions by using ATF=Cleaner.exe and have scanned My Computer with Panda ActiveScan. The following are the logs for each. The following is the Hijackthis log. Logfile of HijackThis v1.99.1 Scan saved at 11:07:19 PM, on 08/06/2006 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe" O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab The following is the Panda ActiveScan Log.* Incident Status Location Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf Adware:adware/transponder Not disinfected c:\windows\thin-114-1-x-x.exe Adware:adware/cws Not disinfected C:\WINDOWS\Favorites\Insurance Adware:adware/exact.bargainbuddy Not disinfected Windows Registry Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[1].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[3].txt Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\charles r[1].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[2].txt Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Cookies\anyuser@webpower[1].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[1].txt Spyware:Cookie/Affiliate fuel Not disinfected C:\WINDOWS\Cookies\anyuser@www.affiliatefuel[1].txt Spyware:Cookie/Mircx Not disinfected C:\WINDOWS\Cookies\anyuser@pop.mircx[2].txt Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\charles r. clark@ccbill[2].txt Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\anyuser@www.web-stat[1].txt Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[4].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[3].txt Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\charles r. clark@atwola[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[4].txt Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\Cookies\charles r. clark@azjmp[1].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[5].txt Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[1].txt Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Cookies\anyuser@yadro[2].txt Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\charles r[30].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[2].txt Spyware:Cookie/Kount Not disinfected C:\WINDOWS\Cookies\charles r. clark@kount[1].txt Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\charles r. clark@ct.360i[1].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[6].txt Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[1].txt Spyware:Cookie/GoClick Not disinfected C:\WINDOWS\Cookies\anyuser@c.goclick[2].txt Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\anyuser@target[1].txt Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\anyuser@searchportal.information[1].txt Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\anyuser@ath.belnk[1].txt Spyware:Cookie/64.62.232 Not disinfected C:\WINDOWS\Cookies\anyuser@64.62.232[3].txt Spyware:Cookie/Adrevolver Not disinfected C:\WINDOWS\Cookies\charles r[41].txt Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\Cookies\anyuser@azjmp[2].txt Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\charles r. clark@searchportal.information[1].txt Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\charles r. clark@ath.belnk[1].txt Spyware:Cookie/Xmts Not disinfected C:\WINDOWS\Cookies\anyuser@xmts[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[8].txt Spyware:Cookie/NewMedia Not disinfected C:\WINDOWS\Cookies\anyuser@anm.co[2].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[4].txt Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Cookies\anyuser@microsofteup.112.2o7[1].txt Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\charles r. clark@atwola[1].txt Spyware:Cookie/Banner Not disinfected C:\WINDOWS\Cookies\anyuser@banner[1].txt Spyware:Cookie/Screensavers Not disinfected C:\WINDOWS\Cookies\anyuser@i.screensavers[2].txt Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[2].txt Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[1].txt Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[3].txt Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\anyuser@xiti[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[3].txt Spyware:Cookie/Paypopup Not disinfected C:\WINDOWS\Cookies\anyuser@paypopup[1].txt

08-06-2006, 12:04 PM	#4 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Open Internet Explorer and click Tools->Internet Options. On the General tab click the Delete Cookies button. Click OK twice and close IE. File and Folder Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. c:\windows\thin-114-1-x-x.exe C:\WINDOWS\Favorites\Insurance Post a new Hijackthis log and let me know if you are still experiencing the original issue. __________________

08-06-2006, 02:50 PM	#5 (permalink)
CRCHUCK1 Registered User Join Date: Dec 2005 Posts: 11 OS: Windows Me	Infected with TROJANS The following are the new scans for Hijack This and ActiveScan after having delete "Cwindows thin-114-1-x-x.exe and C\windows\Favorites\Insurance. I hope I deleted them correctly. I went to My Computer, Windows and manually deleted "thin...." and then to Favorites and manually deleted Insurance. I did that using the Delete Button (Large red X). I also ran ActiveScan again and it still found 54 Spyware items. I want to thank you very much for helping with this problem. Also, I did delete the cookies as you advised. The following is the HijackThis Log followed by the ActiveScan Log. Logfile of HijackThis v1.99.1 Scan saved at 3:26:05 AM, on 08/07/2006 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe" O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab Incident Status Location Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf Adware:adware/cws Not disinfected C:\WINDOWS\Favorites\Health Adware:adware/exact.bargainbuddy Not disinfected Windows Registry Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[1].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[3].txt Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\charles r[1].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[2].txt Spyware:Cookie/WebPower Not disinfected C:\WINDOWS\Cookies\anyuser@webpower[1].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[1].txt Spyware:Cookie/Affiliate fuel Not disinfected C:\WINDOWS\Cookies\anyuser@www.affiliatefuel[1].txt Spyware:Cookie/Mircx Not disinfected C:\WINDOWS\Cookies\anyuser@pop.mircx[2].txt Spyware:Cookie/Ccbill Not disinfected C:\WINDOWS\Cookies\charles r. clark@ccbill[2].txt Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\anyuser@www.web-stat[1].txt Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[4].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[3].txt Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\charles r. clark@atwola[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[4].txt Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\Cookies\charles r. clark@azjmp[1].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[5].txt Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[1].txt Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Cookies\anyuser@yadro[2].txt Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\charles r[30].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\charles r. clark@go[2].txt Spyware:Cookie/Kount Not disinfected C:\WINDOWS\Cookies\charles r. clark@kount[1].txt Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\charles r. clark@ct.360i[1].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[6].txt Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[1].txt Spyware:Cookie/GoClick Not disinfected C:\WINDOWS\Cookies\anyuser@c.goclick[2].txt Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\anyuser@target[1].txt Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\anyuser@searchportal.information[1].txt Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\anyuser@ath.belnk[1].txt Spyware:Cookie/64.62.232 Not disinfected C:\WINDOWS\Cookies\anyuser@64.62.232[3].txt Spyware:Cookie/Adrevolver Not disinfected C:\WINDOWS\Cookies\charles r[41].txt Spyware:Cookie/Azjmp Not disinfected C:\WINDOWS\Cookies\anyuser@azjmp[2].txt Spyware:Cookie/Searchportal Not disinfected C:\WINDOWS\Cookies\charles r. clark@searchportal.information[1].txt Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\charles r. clark@ath.belnk[1].txt Spyware:Cookie/Xmts Not disinfected C:\WINDOWS\Cookies\anyuser@xmts[2].txt Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\anyuser@go[8].txt Spyware:Cookie/NewMedia Not disinfected C:\WINDOWS\Cookies\anyuser@anm.co[2].txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[4].txt Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Cookies\anyuser@microsofteup.112.2o7[1].txt Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\charles r. clark@atwola[1].txt Spyware:Cookie/Banner Not disinfected C:\WINDOWS\Cookies\anyuser@banner[1].txt Spyware:Cookie/Screensavers Not disinfected C:\WINDOWS\Cookies\anyuser@i.screensavers[2].txt Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\anyuser@did-it[2].txt Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[1].txt Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\anyuser@ct.360i[3].txt Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\anyuser@xiti[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\anyuser@www.burstbeacon[3].txt Spyware:Cookie/Paypopup Not disinfected C:\WINDOWS\Cookies\anyuser@paypopup[1].txt Last edited by CRCHUCK1; 08-06-2006 at 02:55 PM.*

08-07-2006, 08:30 PM	#6 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Browse to this folder: C:\WINDOWS\Cookies Click Ctrl+A to select all the files then click Delete Download CWShredder- Run CWShredder and click on Fix (it will automatically fix anything it finds for you). If it asks if you want to delete a certain random file, choose No and post that filename here. __________________

08-08-2006, 09:09 PM	#7 (permalink)
CRCHUCK1 Registered User Join Date: Dec 2005 Posts: 11 OS: Windows Me	Thanks again for your help. I deleted all cookies as you instructed and ran CWShredder. It removed one item. Unfortunately I didn't get its name. I ran Hijackthis again and ActiveScan. Both logs are below. ActiveScan indicates there are still three (3) Spyware programs remaining in my computer. Hopefully you can suggest how to get rid of them. Many thanks again for you invaluable help. Logfile of HijackThis v1.99.1 Scan saved at 9:56:38 AM, on 08/09/2006 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe" O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab Incident Status Location Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf Adware:adware/cws Not disinfected C:\WINDOWS\Favorites\Health Adware:adware/exact.bargainbuddy Not disinfected Windows Registry

08-09-2006, 01:03 PM	#8 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Delete this folder: C:\WINDOWS\Favorites\Health Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot In the popup box that appears, type in c:\windows\downloaded program files\cc.inf Click the Open button. Click YES when prompted to restart your computer. How is the Pc running now? __________________

08-10-2006, 01:13 PM	#9 (permalink)
CRCHUCK1 Registered User Join Date: Dec 2005 Posts: 11 OS: Windows Me	Infected with TROJANS (Spyware & Dialer) Again Thanks for you help. I did as you instructed and deleted "Health" in Windows Favorites and did the delete on reboot of "cc.inf" in Windows downloaded program files. I ran HijackThis and ActiveScan again and instead of only three Spyware that it previously found, ActiveScan found eight Spyware and one Dialer. I then performed a delete of all cookies in Windows\Cookies using Ctrl+A and Delete button. At this point I'm not sure what else to do. "Bargainbuddy" keep coming back and the Dialer seems to be a new entry, and, there also seems to be something in the Registry. Non of these I know how to clean or fix. Especially the Registry. I don't know how they are getting into my computer.I have not visited any weird web sites. Primarily, I have only visited your web, new web sited (CNN, Fox ABC NBC, CBS etc.) and Outlook Express for EMail. I'm beginning to lose faith in Computer Associates EZ Armor software, which I"m sure you know has a Firewall and Anti-Virus software. Anyway, My Computer seems to be running OK at the moment. I have provided logs for both HijackThis and ActiveScann below. Hijack This Log: Logfile of HijackThis v1.99.1 Scan saved at 12:01:05 AM, on 08/10/2006 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe" O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab ACTIVESCAN LOG AS OF 8/10/06, 12:01 PM* Incident Status Location Adware:adware/comet Not disinfected c:\windows\downloaded program files\cc.inf Dialer:dialer generic Not disinfected c:\program files\GIB Adware:adware/exact.bargainbuddy Not disinfected Windows Registry Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Cookies\anyuser@tribalfusion[1].txt Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Cookies\anyuser@apmebf[2].txt Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Cookies\anyuser@qksrv[2].txt Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Cookies\anyuser@as-us.falkag[1].txt Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Cookies\anyuser@zedo[1].txt Spyware:Cookie/Com.com Last edited by CRCHUCK1; 08-10-2006 at 01:15 PM.

08-10-2006, 07:05 PM	#10 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Please install the following preventative programs before continuing. The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Delete the following files\folders: c:\windows\downloaded program files\cc.inf c:\program files\GIB Post a new Hijackthis log and let me know how the PC is running __________________

08-12-2006, 08:42 AM	#11 (permalink)
CRCHUCK1 Registered User Join Date: Dec 2005 Posts: 11 OS: Windows Me	My computer seems to be running Ok, for now. I did download MVPS HOSTS and Spyware Blaster. But, I don't know if the download for MVPS went as it should. I read the instructions for download MVPS and did a "Save Target As" but when I clicked the saved button (to save in Desktop) I get an icon that looks like a sheet of paper with simulated writing and a capital "A" in the lower riight corner. I clicked on that and did and got a window that ask if I wanted to install the program. I clicked yes. I guess it unziped and installed it but it did not change its name to "HOST.MVP" as described in the instructions. When I click on the Icon the only thing I get is the "Do You Want to Install This Program" window. I did find the same Icon in C:\Windows\Desktop and when I click on it, it comes up with the same "Do I want To Install" window. I only tried to download it once. I'm not sure what to do next. Do you have any suggestions or advice? Should I delete it and try again?

08-12-2006, 07:09 PM	#12 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Click here and save the zip file to your desktop. Double click on MVPS.bat to run it. Is the PC still behaving well? __________________

08-14-2006, 08:53 AM	#13 (permalink)
CRCHUCK1 Registered User Join Date: Dec 2005 Posts: 11 OS: Windows Me	My PC seems to be running OK. I did as you instructed and clicked on the word "here" in you previous reply to download MVPS. But again, I did not have any success when I clicked on the Desktop "hosts" icon. Again, all I got was the window asking me if I wanted to install the software. I clicked "yes" and the window disappeared and nothing else happened. The screen went back to the normal Desktop with all the other software icons. I did a search for MVSP.bat but did not find it. I also did a search for ".zip" and ".bat". I did find the "hosts" icon in the Desktop folder and when I clicked on it I had the same result described above. So I guess I cannot get to setup in MVSP. As you requested, I have included a HijackThis log below. Thank you for your patience with me and my problems. Logfile of HijackThis v1.99.1 Scan saved at 9:36:13 PM, on 08/14/2006 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe" O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab Last edited by CRCHUCK1; 08-14-2006 at 08:57 AM.*

08-14-2006, 11:38 AM	#14 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved. Disabling the Viewing of Hidden and System Files Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Setting a new Restore Point To turn off System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows. Reboot your system. To turn on System Restore go to Start > Settings > Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then uncheck "Disable System Restore". Click OK. Click Yes when you are prompted to restart Windows. Windows Update Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site. Prevention A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include: AVG Free Avast! Home Edition (Antivirus & Firewall) AntiVir A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are: Zone Alarm Outpost Tiny Personal Firewall Sunbelt Kerio Personal Firewall Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses. IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC. The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed. Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all. Alternative Programs Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Desktop Weather - Free taskbar weather program that is free, malware free, and resource light. Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. __________________

08-14-2006, 03:16 PM	#15 (permalink)
CRCHUCK1 Registered User Join Date: Dec 2005 Posts: 11 OS: Windows Me	Yes, I agree. We can mark this thread as resolved. Many, many thanks for all your help and advice. Posting one more HijacThis log. Thank again. Logfile of HijackThis v1.99.1 Scan saved at 4:12:21 AM, on 08/15/2006 Platform: Windows ME (Win9x 4.90.3000) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\DEVLDR16.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELOADER.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVTRAY.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\CAVRID.EXE C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=69 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST ANTI-SPAM\QSP-2.1.215.5\QOELoader.exe" O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\PROGRAM FILES\MARKETBROWSER\LMT\MarketBrowser_Launch.xpy O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?322 O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...9x/AvSniff.cab O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://prod1.centra.com/SiteRoots/ma...Downloader.cab O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://ww2.lifescan.com/otdms/isetup.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.schaeffersresearch.com/download/CfxIEAx.cab O16 - DPF: {24BACF02-5676-11D3-B8DE-00105A17A9E6} (ChartFX Internet Financial Client 4.0) - http://www.schaeffersresearch.com/Do...4Financial.cab O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebca...ebMonProj1.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...20/mcfscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab