12-05-2006, 07:08 PM   #1
Registered User
 
Join Date: Dec 2006
Location: Oregon
Posts: 13
OS: Windows XP


VirusBursters infection

I've been infected on a Thinkpad T42, Windows XP Service Pack 2 machine with VirusBursters. I've tried the various cleanup tools such as Symantec Client Security, Ad-Aware SE Personal, CW Shredder and Spyware Doctor. All to no avail. I'm a newbie to the Forum but figured this was the best place to get some real world help.

I would greatly appreciate any assistance that can be provided in ridding my system of this. Thanks very much in advance.
antone1
12-05-2006, 07:57 PM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home


Please download HijackThis to your desktop - this program will help us determine if there is any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob
12-05-2006, 08:08 PM   #3
Registered User
 
Join Date: Dec 2006
Location: Oregon
Posts: 13
OS: Windows XP


HijackThis logfile

Logfile of HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 8:03:38 PM, on 12/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Drivers\trcboot.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\progra~1\c4ebreg\c4ebreg.exe
C:\notes\ntmulti.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\progra~1\c4ebreg\isamtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\IBM\My Help\jre\bin\javaw.exe
C:\Program Files\CheckPoint\Integrity Client\iclient.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\FSScrCtl.exe
C:\Documents and Settings\Administrator\Application Data\Map Maker\MMManager.exe
C:\WINDOWS\System32\lxcjcoms.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Windows Defender\MsMpEng.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w3.ibm.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w3.ibm.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ISAMTray] "C:\progra~1\c4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [MyHelpService] "C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpStart.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CheckPoint\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [defergui] c:\sdwork\defergui.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network client\NetSP.exe" -show
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: SunClock5.lnk = C:\Documents and Settings\Administrator\Application Data\Map Maker\MMManager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Lotus QuickStart.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmee...RoomClient.cab
O16 - DPF: {5F30F398-64B6-4D5B-AF59-164FB61F56A6} (One Force Compplanner) - https://comp.amer.workscape.com/onef...ner/master.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O21 - SSODL: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - C:\WINDOWS\system32\xqpauzx.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\System32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM Content Delivery Service (CDSClient) - Unknown owner - C:\Program Files\IBM\tivoli\CDSClient\cds\CDSWinSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Global Services - C:\progra~1\c4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\System32\Drivers\ldlcserv.exe
O23 - Service: lxcj_device - - C:\WINDOWS\System32\lxcjcoms.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: My Help (MyHelp) - Unknown owner - C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\System32\Drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
antone1
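Reading a log like the one above by hand is what the helpers here do; as an added example (not code from this thread, from HijackThis or from SmitfraudFix), the Python below applies a few of the same checks to lines taken from that log. The stock-XP SSODL name list and the generated-name heuristic are my own assumptions, and everything it reports is an item to review by hand, not something to delete automatically.

```python
"""Triage of HijackThis-format log lines (added example; not code from the thread,
HijackThis or SmitfraudFix)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted above, so
# the one genuinely bad entry (the O21 SSODL line) sits among normal ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: SunClock5.lnk = C:\Documents and Settings\Administrator\Application Data\Map Maker\MMManager.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: blippers - {f2efa195-4785-4db1-9316-b48c64bb71da} - C:\WINDOWS\system32\xqpauzx.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# ShellServiceObjectDelayLoad names on a stock Windows XP install (assumption); any other
# SSODL entry is a DLL Explorer loads at every logon and deserves a look.
STOCK_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray"}

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str    # HijackThis section, e.g. "O21"
    severity: str   # "high" = treat as malware, "review" = confirm by hand
    reason: str
    line: str


def basename(path: str) -> str:
    """Last component of a Windows path; also strips HijackThis's '(file missing)' tag."""
    return path.replace(" (file missing)", "").strip().rsplit("\\", 1)[-1]


def looks_random(filename: str) -> bool:
    """Crude test for generated names such as xqpauzx.dll: no vowels at all, or a run of
    three or more consonants in the stem. Applied only to DLLs loaded by Explorer or
    Winlogon (O20/O21), because vendor names such as Rtvscan.exe would trip it too."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not re.search(r"[aeiouy]", stem):
        return True
    return re.search(r"[bcdfghjklmnpqrstvwxz]{3,}", stem) is not None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # R0/R1 and blank lines are not handled here
        section, body = m.groups()
        if section == "O21":
            # "SSODL: <name> - {CLSID} - <dll>"; the CLSID's InProcServer32 names the DLL,
            # the same key pair SmitfraudFix lists under SharedTaskScheduler.
            head, _clsid, path = (p.strip() for p in body.split(" - ", 2))
            name = head.split(":", 1)[1].strip()
            dll = basename(path)
            if name.lower() not in STOCK_SSODL:
                sev = "high" if looks_random(dll) else "review"
                findings.append(Finding(section, sev, f"non-stock SSODL entry '{name}' loads {dll}", line))
        elif section == "O20":
            # "Winlogon Notify: <name> - <dll>[ (file missing)]"
            dll = basename(body.split(" - ", 1)[-1])
            if "(file missing)" in body:
                findings.append(Finding(section, "review", f"orphaned Winlogon Notify entry for {dll}", line))
            elif looks_random(dll):
                findings.append(Finding(section, "high", f"Winlogon Notify DLL {dll} has a generated-looking name", line))
        elif section == "O10":
            # HijackThis did not recognise this LSP; removing a live LSP breaks Winsock,
            # so identify the vendor (here Apple Bonjour) before touching it.
            findings.append(Finding(section, "review", f"unrecognised Winsock LSP {basename(body)}; identify vendor first", line))
        elif section == "O4":
            low = body.lower()
            if any(tag in low for tag in ("\\application data\\", "\\local settings\\", "\\temp\\")):
                findings.append(Finding(section, "review", "autorun launched from a user-profile or temp path", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```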
12-05-2006, 09:03 PM   #4
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please print out or copy these instructions/tutorial to Notepad as the internet will not (while in Safe Mode) be available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

We'll use this later.

---------------------------------------------------------------------------------------------

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

---------------------------------------------------------------------------------------------

Clean out your Temporary Internet files.

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall" or something similar
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Double-click smitfraudfix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan



---------------------------------------------------------------------------------------------


Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\rapport.txt (log from the tool)
AVG Anti-Spyware log
Panda log
Hijackthis log
tetonbob
12-06-2006, 02:45 PM   #5
Registered User
 
Join Date: Dec 2006
Location: Oregon
Posts: 13
OS: Windows XP


Results of procedure seem GOOD !! Logs attached

Delighted to say, it seems gone. This process works well. It does take some time, though, but the penalty of some time versus the trojan (or whatever it is) is WELL worth it.

Thanks a bunch!

SmitFraudFix v2.128

Scan done at 10:34:39.02, Wed 12/06/2006
Run from C:\Documents and Settings\Administrator\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{f2efa195-4785-4db1-9316-b48c64bb71da}"="blippers"

[HKEY_CLASSES_ROOT\CLSID\{f2efa195-4785-4db1-9316-b48c64bb71da}\InProcServer32]
@="C:\WINDOWS\system32\xqpauzx.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{f2efa195-4785-4db1-9316-b48c64bb71da}\InProcServer32]
@="C:\WINDOWS\system32\xqpauzx.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\xqpauzx.dll -> Hoax.Win32.Renos.gen.i
C:\WINDOWS\system32\xqpauzx.dll -> Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Program Files\Video ActiveX Object\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:28:46 PM 12/6/2006

+ Scan result:



Nothing found.



::Report end


Incident Status Location

Potentially unwanted tool:Application/Service9x Not disinfected C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\antone1@ads.pointroll[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Cookies\antone1@go[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Service9x Not disinfected C:\Program Files\Lexmark 8300 Series\Drivers\I386\lxcjtime.dll[C:\Program Files\Lexmark 8300 Series\Drivers\I386\lxcjtime.dll]
Possible Virus. Not disinfected C:\Program Files\mediacodec-v4.588.exe[ecodec.exe]
Potentially unwanted tool:Application/Service9x Not disinfected C:\WINDOWS\system32\spool\drivers\w32x86\lexmark_8300_seriesda3d\lxcjtime.dll
Possible Virus. Not disinfected C:\wxpdrive\repos\HOTKEY09\TPISETUP.DLL
Attached files: rapport.txt, Report-Scan-20061206-122846.txt, Activescan.txt

Last edited by tetonbob; 12-06-2006 at 07:32 PM.
antone1
12-06-2006, 02:49 PM   #6
Registered User
 
Join Date: Dec 2006
Location: Oregon
Posts: 13
OS: Windows XP


Here's the final hijack log as well

Logfile of HijackThis v1.99.1
Scan saved at 2:37:12 PM, on 12/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\progra~1\c4ebreg\c4ebreg.exe
c:\sdwork\issimsvc.exe
C:\notes\ntmulti.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IBM\Personal Communications\tpam.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\progra~1\c4ebreg\isamtray.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\CheckPoint\Integrity Client\iclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IBM\My Help\MyHelp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\IBM\My Help\jre\bin\javaw.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\FSScrCtl.exe
C:\Documents and Settings\Administrator\Application Data\Map Maker\MMManager.exe
C:\WINDOWS\System32\lxcjcoms.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\AT&T Network client\netclient.exe
C:\notes\NLNOTES.EXE
C:\notes\ntaskldr.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://w3.ibm.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Tpam.exe] "C:\Program Files\IBM\Personal Communications\tpam.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [ISAMTray] "C:\progra~1\c4ebreg\isamtray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [MyHelpService] "C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpStart.exe"
O4 - HKLM\..\Run: [LXCJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CheckPoint\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [defergui] c:\sdwork\defergui.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Network client\NetSP.exe" -show
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: SunClock5.lnk = C:\Documents and Settings\Administrator\Application Data\Map Maker\MMManager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Lotus QuickStart.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://w3.ibm.com
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com/tools/us/expenses/EA2000.cab
O16 - DPF: ST MRC ST31IF1 PMR-90722999000 - https://www-1.ibm.com/sametime/stmee...RoomClient.cab
O16 - DPF: {5F30F398-64B6-4D5B-AF59-164FB61F56A6} (One Force Compplanner) - https://comp.amer.workscape.com/onef...ner/master.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/a...tent/AcpIR.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bluepages/scripts/lnwebassist.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E17D9736-81D5-45D7-9EF9-B015189B5AC8}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E17D9736-81D5-45D7-9EF9-B015189B5AC8}: NameServer = 9.0.4.1,9.0.5.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{E17D9736-81D5-45D7-9EF9-B015189B5AC8}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{E17D9736-81D5-45D7-9EF9-B015189B5AC8}: NameServer = 9.0.4.1,9.0.5.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: atmgrtok - atmgrtok.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pcsinst - C:\WINDOWS\SYSTEM32\pcsinst.dll
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AppnNode - IBM Corporation - C:\WINDOWS\System32\Drivers\appnnode.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM Content Delivery Service (CDSClient) - Unknown owner - C:\Program Files\IBM\tivoli\CDSClient\cds\CDSWinSrv.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IBM Standard Asset Manager Service (ISAMSvc) - IBM Global Services - C:\progra~1\c4ebreg\c4ebreg.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: IBM Enterprise Extender (ldlcserv) - IBM Corporation - C:\WINDOWS\System32\Drivers\ldlcserv.exe
O23 - Service: lxcj_device - - C:\WINDOWS\System32\lxcjcoms.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: My Help (MyHelp) - Unknown owner - C:\Program Files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\MyHelpService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: IBM Trace Facility (TrcBoot) - IBM Corporation - C:\WINDOWS\System32\Drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
antone1 is offline  
Old 12-06-2006, 07:34 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home


Looking much better. I need a bit more information, please.

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD:

    C:\Program Files\mediacodec-v4.588.exe

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 12-07-2006, 06:40 AM   #8 (permalink)
Registered User
 
Join Date: Dec 2006
Location: Oregon
Posts: 13
OS: Windows XP


Result of scan - mediacodec-v4.588.exe from VirusTotal

Here's the result from

Antivirus Version Update Result
AntiVir 7.2.0.49 12.07.2006 TR/Zlob.65536.3
Authentium 4.93.8 12.07.2006 no virus found
Avast 4.7.892.0 12.07.2006 no virus found
AVG 386 12.07.2006 Downloader.Zlob.AFD
BitDefender 7.2 12.07.2006 Trojan.Zlob.Gen
CAT-QuickHeal 8.00 12.06.2006 TrojanDownloader.Zlob.fe
ClamAV devel-20060426 12.07.2006 Trojan.Downloader.Zlob-545
DrWeb 4.33 12.07.2006 T Trojan.Popuper
eSafe 7.0.14.0 12.07.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.79 12.07.2006 no virus found
eTrust-Vet 30.3.3236 12.07.2006 no virus found
Ewido 4.0 12.07.2006 no virus found
Fortinet 2.82.0.0 12.07.2006 W32/Zlob.MF!tr.dldr
F-Prot 3.16f 12.05.2006 no virus found
F-Prot4 4.2.1.29 12.05.2006 no virus found
Ikarus T3.1.0.26 12.07.2006 Trojan-Downloader.Win32.Zlob.ni
Kaspersky 4.0.2.24 12.07.2006 Trojan-Downloader.Win32.Zlob.mf
McAfee 4912 12.07.2006 no virus found
Microsoft 1.1804 12.07.2006 Zlob
NOD32v2 1908 12.07.2006 a variant of Win32/TrojanDownloader.Zlob.OU
Norman 5.80.02 12.07.2006 no virus found
Panda 9.0.0.4 12.07.2006 Suspicious file
Prevx1 V2 12.07.2006 Trojan.MediaCodec
Sophos 4.12.0 12.06.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 KAS NET (v)
TheHacker 6.0.3.130 12.06.2006 no virus found
UNA 1.83 12.06.2006 TrojanDownloader.Win32.Zlob.02C3
VBA32 3.11.1 12.06.2006 no virus found
VirusBuster 4.3.15:9 12.07.2006 no virus found
antone1 is offline  
Old 12-07-2006, 07:09 AM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,625
OS: 2000 Pro; XP Pro; XP Home


I'd like to collect a sample of this file, please.

Please download the Suspicious File Packer http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of bad files into the Suspicious File Packer window:
C:\Program Files\mediacodec-v4.588.exe
Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

Once you've done this, delete that file

C:\Program Files\mediacodec-v4.588.exe

with prejudice!

If you encounter any troubles following those instructions, don't worry about it, and just delete the file.

---------------------------------------------------------------------------------------------

We'd better have you run one more online scan to look for remnants:

Establish an internet connection & perform an online scan using Internet Explorer at http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real-time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 12-07-2006, 11:53 AM   #10 (permalink)
Registered User
 
Join Date: Dec 2006
Location: Oregon
Posts: 13
OS: Windows XP


Kaspersky antivirus scan results

C:\Program Files\mediacodec-v4.588.exe has been deleted and the Kaspersky scan run with results attached.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 07, 2006 11:48:11 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/12/2006
Kaspersky Anti-Virus database records: 248857
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 85719
Number of viruses found: 7
Number of infected objects: 24 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:26:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab/C:/Program Files/mediacodec-v4.588.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.mf skipped
C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab/C:/Program Files/mediacodec-v4.588.exe/stream/data0007 Infected: Trojan-Downloader.Win32.Zlob.ph skipped
C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab/C:/Program Files/mediacodec-v4.588.exe/stream Infected: Trojan-Downloader.Win32.Zlob.ph skipped
C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab/C:/Program Files/mediacodec-v4.588.exe Infected: Trojan-Downloader.Win32.Zlob.ph skipped
C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab CAB: infected - 4 skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\A052300A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\A082946A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\A302921A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\A334133A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\A318094A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\A318094A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\A367925A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\A367925A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\A367925A.fpt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\C361300A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\C361300A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\C398560A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\C398560A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\C407276A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\C407276A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\C485630A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\C485630A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\E448385A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\E448385A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\E622494A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\E622494A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\E634158A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\E634158A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\G428112A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\G428112A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\L363476A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\L363476A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\P207690A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\P207690A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\R076229A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\R076229A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\R394904A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\R394904A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\R687954A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\R687954A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\S154151A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\S154151A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\T730359A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\T730359A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\T734652A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\T734652A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\Z138761A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\Z138761A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\Z855462A.cdx Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\APList1\Z855462A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\B532953A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\B845958A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\B845958A.fpt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\C087000A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\C723765A.CDX Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\C723765A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\C728711A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\C757756A.CDX Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\C757756A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\C860768A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\D519098A.CDX Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\D519098A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\D519098A.FPT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\E068777A.CDX Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\E068777A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\E280024A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\E280024A.FPT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\F461816A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\G492336A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\G492336A.FPT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\L095660A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\L610047A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\M592309A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\M994998A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P060203A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P122122A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P237055A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P307370A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P307370A.fpt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P544827A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P570782A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P755618A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\P755618A.fpt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S179759A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S203548A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S320860A.CDX Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S320860A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S320860A.FPT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S714639A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S864024A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S915957A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S931901A.CDX Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S931901A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\S931901A.FPT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\U759733A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\V364466A.dbf Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\V364466A.fpt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\Data\W399395A.DBF Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\NetMon.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\NetPacket.TXT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\NetSSL.txt Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TNE~1,\NetVPN.TXT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\GoogleEarth\dbCache.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\GoogleEarth\dbCache.dat.index Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\NLPaaa.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\NLPbaa.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\NLPcaa.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\notes\data\bookmark.nsf Object is locked skipped
C:\notes\data\Cache.NDK Object is locked skipped
C:\notes\data\desktop6.ndk Object is locked skipped
C:\notes\data\headline.nsf Object is locked skipped
C:\notes\data\IBM_TECHNICAL_SUPPORT\console.log Object is locked skipped
C:\notes\data\log.nsf Object is locked skipped
C:\notes\data\mail.box Object is locked skipped
C:\notes\data\NAMES.NSF Object is locked skipped
C:\notes\data\~notes.lck Object is locked skipped
C:\Program Files\CheckPoint\Integrity Client\zlxeap.log Object is locked skipped
C:\Program Files\IBM\My Help\configuration\org.eclipse.core.runtime\.manager\.tmp34115.instance Object is locked skipped
C:\Program Files\IBM\My Help\configuration\org.eclipse.osgi\.manager\.tmp34114.instance Object is locked skipped
C:\Program Files\IBM\My Help\configuration\org.eclipse.update\.lock Object is locked skipped
C:\Program Files\IBM\My Help\derby.log Object is locked skipped
C:\Program Files\IBM\My Help\workspace\.metadata\.lock Object is locked skipped
C:\Program Files\IBM\My Help\workspace\log\MyHelp.log Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\db.lck Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\log\log10.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c10.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c121.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c130.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c141.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c20.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c200.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c211.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c290.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c2c1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c2d0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c2e1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c430.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c441.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c450.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c4a0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c4b0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c4c1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c51.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c540.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c551.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c560.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c570.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c581.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c590.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c5a0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c5b0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c5c1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c5e0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c5f1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c60.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c670.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c681.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c690.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c6a1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c6b0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c6c1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c6d0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c6e1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c71.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c770.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c780.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c791.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c7a1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c7b0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c7c1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c7e0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\c90.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\ca1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\cc0.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\cd1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\ce1.dat Object is locked skipped
C:\Program Files\IBM\My Help\workspace\MyHelpDatabase\seg0\cf0.dat Object is locked skipped
C:\Program Files\RRUInst\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/HOTVIEW.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Program Files\RRUInst\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/OMNITHREAD_RT.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.g skipped
C:\Program Files\RRUInst\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Program Files\RRUInst\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Program Files\RRUInst\rrpc\superinstall.EXE ZIP: infected - 4 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP596\A0105342.exe Infected: Trojan-Downloader.Win32.Zlob.bag skipped
C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP601\A0108018.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.mf skipped
C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP601\A0108018.exe/stream/data0007 Infected: Trojan-Downloader.Win32.Zlob.ph skipped
C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP601\A0108018.exe/stream Infected: Trojan-Downloader.Win32.Zlob.ph skipped
C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP601\A0108018.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP601\A0108018.exe UPX: infected - 3 skipped
C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP601\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL Infected: Trojan.Win32.Agent.acj skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\I400489S.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ASHeuristic\ecodec_exe.vir Infected: Trojan-Downloader.Win32.Zlob.ph skipped
C:\WINDOWS\Temp\ZLT06235.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Attached Files
File Type: txt Kaspersky.txt (58.0 KB, 1 views)

Last edited by tetonbob; 12-07-2006 at 07:20 PM.
antone1 is offline  
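The report above is long, and most of it is noise: hundreds of "Object is locked skipped" lines are files the on-line scanner could not open, not findings. What a helper actually has to decide is which "Infected:" lines are live files on disk, which are members of an archive (Kaspersky separates those with "/"), which are copies inside System Restore points, and which are "not-a-virus" riskware such as VNC or a reboot tool. The script below, an added example and not something from the original post, does that split. It assumes the report's line format (path followed by one of the three verdicts seen above) and uses a constructed eight-line sample modelled on the report rather than the full log; the triage labels are this example's own convention.

```python
"""Triage helper for a Kaspersky on-line scanner report like the one above.

Added example, not part of the original post. It assumes the report's line
format (path, then one of 'Object is locked skipped',
'Infected: <detection> skipped', or '<ARCHIVE>: infected - <n> skipped') and
classifies findings by where they sit, so items that need a decision can be
separated from riskware, archive members and System Restore copies.
"""
import re
from collections import Counter

# Constructed sample, modelled on the report lines above; not the full log.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\RRUInst\rrpc\superinstall.EXE/IGWSE2SAS2.1WM2.1.EXE/VNCHOOKS.DLL Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Program Files\RRUInst\rrpc\superinstall.EXE ZIP: infected - 4 skipped
C:\System Volume Information\_restore{025383FA-625F-412F-B757-56B6C9BB8E21}\RP596\A0105342.exe Infected: Trojan-Downloader.Win32.Zlob.bag skipped
C:\WINDOWS\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL Infected: Trojan.Win32.Agent.acj skipped
C:\WINDOWS\Temp\ASHeuristic\ecodec_exe.vir Infected: Trojan-Downloader.Win32.Zlob.ph skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[A-Z0-9]+): infected - (?P<count>\d+) skipped$")
LOCKED_SUFFIX = " Object is locked skipped"


def parse_report(text):
    """Split report lines into locked paths, detections and archive summaries."""
    report = {"locked": [], "infected": [], "archives": [], "other": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            report["locked"].append(line[: -len(LOCKED_SUFFIX)])
            continue
        m = INFECTED_RE.match(line)
        if m:
            report["infected"].append((m["path"], m["name"]))
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            report["archives"].append((m["path"], m["kind"], int(m["count"])))
            continue
        report["other"].append(line)
    return report


def triage(path, name):
    """Classify one detection; the labels are this example's own convention."""
    if name.startswith("not-a-virus:"):
        return "riskware"          # legitimate tool; confirm it was installed on purpose
    if "\\System Volume Information\\_restore" in path:
        return "restore-point"     # cleared by purging System Restore, not by deleting files
    if "/" in path:
        return "archive-member"    # the outer container (before '/') is the file on disk
    return "live"                  # a real file on disk that needs a decision


def on_disk_path(path):
    """Kaspersky separates archive members with '/', so the file on disk is the prefix."""
    return path.split("/", 1)[0]


def live_findings(report):
    """Detections that are neither riskware, archive members nor restore-point copies."""
    return [(p, n) for p, n in report["infected"] if triage(p, n) == "live"]


def family_counts(report):
    """Count detections per family, dropping the variant suffix (e.g. '.bag')."""
    return Counter(n.rsplit(".", 1)[0] for _, n in report["infected"])


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{len(rep['locked'])} locked (not scanned), {len(rep['infected'])} detections")
    for path, name in rep["infected"]:
        print(f"{triage(path, name):14} {name:45} {on_disk_path(path)}")
    print(family_counts(rep))
```

Run against the sample, the two "live" findings are exactly the two files the next reply deals with: the ecodec_exe.vir copy to delete, and MIGRATE.DLL to send to VirusTotal. The locked system hives (SAM, NTUSER.DAT) are not findings at all; they are simply files Windows keeps open.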
Old 12-07-2006, 07:30 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 


Thanks for the sample, it was received. We're all but done... one file found by Kaspersky has me curious.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab
C:\WINDOWS\Temp\ASHeuristic\ecodec_exe.vir


---------------------------------------------------------------------------------------------

This next file seems like it should be a false positive, but I'd like you to scan it at VirusTotal to see what other vendors' engines think about it.

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to this file in BOLD:

    C:\WINDOWS\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 12-08-2006, 09:20 AM   #12 (permalink)
Registered User
 


The first file of the two you referenced was present and deleted. The file name was:

C:\WINDOWS\Temp\ASHeuristic\ecodec_exe.vir

The closest I could find to the second file you mentioned, C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab, is this one below in the same location:

request-readme[2006-12-07_10_01].txt

The VirusTotal scan results on C:\WINDOWS\I386\WIN9XMIG\EASTMAN\MIGRATE.DLL are as follows:

Antivirus           Version         Update       Result
AntiVir             7.2.0.49        12.08.2006   no virus found
Authentium          4.93.8          12.07.2006   no virus found
Avast               4.7.892.0       12.08.2006   no virus found
AVG                 386             12.08.2006   Generic2.LNI
BitDefender         7.2             12.08.2006   no virus found
CAT-QuickHeal       8.00            12.08.2006   no virus found
ClamAV              devel-20060426  12.08.2006   no virus found
DrWeb               4.33            12.08.2006   no virus found
eSafe               7.0.14.0        12.07.2006   no virus found
eTrust-InoculateIT  23.73.80        12.08.2006   no virus found
eTrust-Vet          30.3.3238       12.08.2006   no virus found
Ewido               4.0             12.08.2006   no virus found
Fortinet            2.82.0.0        12.08.2006   no virus found
F-Prot              3.16f           12.07.2006   no virus found
F-Prot4             4.2.1.29        12.07.2006   no virus found
Ikarus              T3.1.0.26       12.07.2006   no virus found
Kaspersky           4.0.2.24        12.08.2006   no virus found
McAfee              4914            12.08.2006   no virus found
Microsoft           1.1804          12.08.2006   no virus found
NOD32v2             1911            12.08.2006   no virus found
Norman              5.80.02         12.08.2006   no virus found
Panda               9.0.0.4         12.08.2006   no virus found
Prevx1              V2              12.08.2006   no virus found
Sophos              4.12.0          12.08.2006   no virus found
Sunbelt             2.2.907.0       11.30.2006   no virus found
TheHacker           6.0.3.130       12.06.2006   no virus found
UNA                 1.83            12.07.2006   no virus found
VBA32               3.11.1          12.08.2006   no virus found
VirusBuster         4.3.15:9        12.08.2006   no virus found
antone1 is offline  
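Reading a VirusTotal table by eye works for one file; the point worth making explicit is how to turn it into a decision. One hit out of 29 engines, carrying a generic name ("Generic2.LNI"), is the classic shape of a false positive, while a dozen engines agreeing on a named family is not. The script below is an added example, not part of the original post: it parses the table exactly as the poster pasted it and applies a simple rule. The rule (a quarter of engines for "malicious", only generic or heuristic names for "likely false positive", anything else "inconclusive") is this example's assumption, not anything VirusTotal itself defines.

```python
"""Score the VirusTotal table in the post above.

Added example, not part of the original post. The table is the one the poster
pasted (29 engines). The decision rule is this example's assumption, not
VirusTotal's: a file is 'malicious' when a quarter or more of the engines
flag it, 'likely false positive' when the only hits carry generic or heuristic
names, and 'inconclusive' otherwise.
"""

SAMPLE_RESULTS = """\
Antivirus Version Update Result
AntiVir 7.2.0.49 12.08.2006 no virus found
Authentium 4.93.8 12.07.2006 no virus found
Avast 4.7.892.0 12.08.2006 no virus found
AVG 386 12.08.2006 Generic2.LNI
BitDefender 7.2 12.08.2006 no virus found
CAT-QuickHeal 8.00 12.08.2006 no virus found
ClamAV devel-20060426 12.08.2006 no virus found
DrWeb 4.33 12.08.2006 no virus found
eSafe 7.0.14.0 12.07.2006 no virus found
eTrust-InoculateIT 23.73.80 12.08.2006 no virus found
eTrust-Vet 30.3.3238 12.08.2006 no virus found
Ewido 4.0 12.08.2006 no virus found
Fortinet 2.82.0.0 12.08.2006 no virus found
F-Prot 3.16f 12.07.2006 no virus found
F-Prot4 4.2.1.29 12.07.2006 no virus found
Ikarus T3.1.0.26 12.07.2006 no virus found
Kaspersky 4.0.2.24 12.08.2006 no virus found
McAfee 4914 12.08.2006 no virus found
Microsoft 1.1804 12.08.2006 no virus found
NOD32v2 1911 12.08.2006 no virus found
Norman 5.80.02 12.08.2006 no virus found
Panda 9.0.0.4 12.08.2006 no virus found
Prevx1 V2 12.08.2006 no virus found
Sophos 4.12.0 12.08.2006 no virus found
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.130 12.06.2006 no virus found
UNA 1.83 12.07.2006 no virus found
VBA32 3.11.1 12.08.2006 no virus found
VirusBuster 4.3.15:9 12.08.2006 no virus found
"""

CLEAN = "no virus found"
GENERIC_MARKERS = ("generic", "heur", "suspic", "packed")   # assumption


def parse_results(text):
    """One dict per engine row; the result column may itself contain spaces."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        if not line.strip():
            continue
        engine, version, updated, result = line.split(None, 3)
        rows.append({"engine": engine, "version": version,
                     "updated": updated, "result": result.strip()})
    return rows


def detections(rows):
    """(engine, name) for every engine that did not report the file clean."""
    return [(r["engine"], r["result"]) for r in rows if r["result"] != CLEAN]


def engine_result(rows, engine):
    """Result reported by one engine, or None if it is not in the table."""
    for r in rows:
        if r["engine"].lower() == engine.lower():
            return r["result"]
    return None


def is_generic(name):
    """True for generic/heuristic-style names (example's own marker list)."""
    n = name.lower()
    return any(marker in n for marker in GENERIC_MARKERS)


def assess(rows, malicious_threshold=0.25):
    """Apply the decision rule described in the module docstring."""
    hits = detections(rows)
    if not hits:
        verdict = "clean"
    elif len(hits) / len(rows) >= malicious_threshold:
        verdict = "malicious"
    elif all(is_generic(name) for _, name in hits):
        verdict = "likely false positive"
    else:
        verdict = "inconclusive"
    return {"ratio": (len(hits), len(rows)), "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    a = assess(rows)
    print(f"{a['ratio'][0]}/{a['ratio'][1]} engines flagged the file: {a['verdict']}")
    for engine, name in a["hits"]:
        print(f"  {engine}: {name}")
    print("Kaspersky engine at VirusTotal:", engine_result(rows, "Kaspersky"))
```

One detail the table makes visible: the Kaspersky on-line scanner in the earlier post flagged MIGRATE.DLL as Trojan.Win32.Agent.acj, yet the Kaspersky engine at VirusTotal reports it clean the next day. Engine versions and signature dates differ between the two services, which is exactly why a second opinion from many engines, rather than a single scanner's verdict, is the right check before deleting a file under C:\WINDOWS\I386.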
Old 12-08-2006, 07:51 PM   #13 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 


Interesting...this file:

C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab

Is the one created by Suspicious File Packer. If you didn't delete it after uploading it, it should still be there, and it does contain the Zlob downloader. Kaspersky showed it to be present.

Let's be sure, and do this:
  • Double click on HijackThis.exe to run it.
  • Click on Open the Misc Tools section
  • click the button labelled "Delete A File on Reboot..."
  • In the dialogue that shows up, enter the path (type, or copy and paste) of the file in "file name:" field C:\Documents and Settings\Administrator\Desktop\requested-files[2006-12-07_10_01].cab
  • When you have selected the file, Click the "Open" Button
  • Click yes at the next prompt and your system will reboot.

Other than that.....

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    Here are a few very good free Antivirus products which are available: Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
See this link for a listing of some online antivirus scanners:

Anti-Spyware Tutorial

If you do not have a firewall, here are a couple of free ones available for personal use:


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
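The HOSTS file step above works because Windows consults that file before DNS, so pointing a name at 127.0.0.1 (or 0.0.0.0, which newer blocklists use) makes the connection fail locally. The same mechanism is what malware abuses in the other direction: an entry that points an update or vendor site at a real address quietly redirects it. Since mvps.bat replaces the file wholesale, it is worth being able to audit the result. The script below is an added example, not part of the original post or of the MVPS package; its sample file is constructed (example.* names and a documentation address), and the rules it applies (loopback or unspecified address means sinkholed, anything else is a redirect to review, the localhost line must survive) are this example's own.

```python
"""Audit a Windows HOSTS file of the kind the MVPS list installs.

Added example, not part of the original post. The sample file below is
constructed (documentation addresses and example.* names). The rules are this
example's own: a name pointed at 127.0.0.1, 0.0.0.0 or ::1 counts as sinkholed,
anything else counts as a redirect to review, and the localhost line must
survive, since the file replaces the system's copy wholesale.
"""
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS list
127.0.0.1 localhost
127.0.0.1 ads.example.net            # blocked ad server
0.0.0.0   tracker.example.org        # blocked with the unspecified address
198.51.100.23 update.example-av.com  # NOT a sinkhole: a real address
127.0.0.1 ads.example.net            # duplicate entry
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line_no, ip, name) for every mapping; a line may list several names."""
    entries, malformed = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not body:
            continue
        fields = body.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append((line_no, raw.strip()))
            continue
        for name in fields[1:]:
            entries.append((line_no, ip, name.lower()))
    return entries, malformed


def audit_hosts(text):
    """Summarise what the file blocks and flag entries that deserve a look."""
    entries, malformed = parse_hosts(text)
    seen, duplicates = set(), []
    sinkholed, redirected = set(), []
    localhost_ok = False
    for line_no, ip, name in entries:
        if name == "localhost":
            localhost_ok = localhost_ok or ip in ("127.0.0.1", "::1")
            continue
        if name in seen:
            duplicates.append(name)
        seen.add(name)
        if ip in SINKHOLES:
            sinkholed.add(name)
        else:
            redirected.append((name, ip, line_no))   # a real address: review it
    return {
        "sinkholed": sorted(sinkholed),
        "redirected": redirected,
        "duplicates": duplicates,
        "malformed": malformed,
        "localhost_ok": localhost_ok,
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(report['sinkholed'])} names sinkholed; localhost ok: {report['localhost_ok']}")
    for name, ip, line_no in report["redirected"]:
        print(f"line {line_no}: {name} -> {ip} is a redirect, not a block; verify it")
```

On the machine in this thread the file lives at C:\WINDOWS\system32\drivers\etc\hosts; reading that path into audit_hosts after running mvps.bat shows at a glance whether every entry is a block and whether anything points elsewhere.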
Old 12-11-2006, 09:50 AM   #14 (permalink)
Registered User
 


OK, done. Can I uninstall SmitfraudFix or just keep it on the system?

Should I delete various logs (Kaspersky etc.) or save?

I am running Symantec Client Security 9.0.3, Checkpoint Integrity 6.0.182 and AVG 7.5 and Spyware Doctor 4.0.0 at the moment. I have Ad-Aware SE on my system with the latest definition file but not running actively, but I am familiar with this program. Also have SpyBot Search and Destroy on system but not running actively all the time. Last one is CW Shredder, which I have installed and run occasionally.
antone1 is offline  
Old 12-11-2006, 01:51 PM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 


Quote:
Originally Posted by antone1
OK, done. Can I uninstall SmitfraudFix or just keep it on the system?

No need to keep it... hopefully you'll not require it ever again.

Should I delete various logs (Kaspersky etc.) or save?

You can delete them. If you need to reference them, this thread will be archived.

I am running Symantec Client Security 9.0.3, Checkpoint Integrity 6.0.182 and AVG 7.5 and Spyware Doctor 4.0.0 at the moment. I have Ad-Aware SE on my system with the latest definition file but not running actively, but I am familiar with this program. Also have SpyBot Search and Destroy on system but not running actively all the time. Last one is CW Shredder, which I have installed and run occasionally.
Seems like fine protection.

SpywareGuard and SpywareBlaster add additional layers of protection without using much in the way of system resources. Same too with IESpyad and a hosts file.
tetonbob is offline  
 





Copyright 2001 - 2009, Tech Support Forum