Old 04-27-2007, 12:01 PM   #21 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan



I forgot to include the report. This Alzheimer's is great. I had to zip it to get it to upload.

ZZZZzzzzzzzzzzzzzzzzzzzz

John
Attached Files
File Type: zip DrWeb.zip (904 Bytes, 2 views)

Last edited by tetonbob; 04-27-2007 at 03:52 PM.
jross1943 is offline  

Old 04-27-2007, 03:54 PM   #22 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,158
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan

That's fine John -

Nothing we wanted to keep was removed, and as expected, DrWeb took out a lot of those .vir files.

Let's see a new HJT log from that account, please.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 04-30-2007, 07:18 AM   #23 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan

Sorry for the delay. I missed your post on the 27th and have been out all weekend. The computer is still off line and here is the current HJT log.

Thanks for all you do

John
----------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:14:43 AM, on 4/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
jross1943 is offline  
Old 04-30-2007, 09:51 AM   #24 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,158
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan

Ok, John....that's looking pretty good.

Let's use an online scan to look for any remnants.

Go here and do the BitDefender online virus scan, using Internet Explorer.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Leave the scanning options at default and press "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and post it in your next reply.

Also give me another report from Deckard's System Scanner.
tetonbob is offline  
Old 04-30-2007, 01:55 PM   #25 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan

As I'm sure you're aware, I had to get back online to run the AV scan. Here is the DSS log you requested. It was necessary to rename the BitDefender file from .html to .txt in order to upload. If you have trouble viewing it, just change the extension back to .html.

Cheers,

John
-------------------
Deckard's System Scanner v20070423.42
Run by David on 2007-04-30 at 15:46:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as David.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:47:06 PM, on 4/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\David\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\David.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwka.ops.placeware.com/etc/...uicksilver.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SP Software Installer - Unknown owner - C:\Program Files\AccessManager\PMAC\sp_SWIns.exe (file missing)
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


-- Files created between 2007-03-30 and 2007-04-30 -----------------------------

2007-04-30 1327 0 d-------- C:\quarantine
2007-04-30 12:14:17 0 d-------- C:\WINDOWS\BDOSCAN8
2007-04-27 11:56:36 0 d-------- C:\Documents and Settings\David\DoctorWeb
2007-04-27 11:51:44 0 d-------- C:\Program Files\Common Files\Java
2007-04-27 11:51:02 0 d-------- C:\Documents and Settings\David\Application Data\Sun
2007-04-27 03:00:55 0 d-------- C:\WINDOWS\System32\PreInstall
2007-04-26 15:03:43 49152 --a------ C:\WINDOWS\nircmd.exe <Not Verified; NirSoft; NirCmd; 1.85; 1.85>
2007-04-26 14:47:50 0 d-------- C:\WINDOWS\System32\SoftwareDistribution
2007-04-26 14:47:12 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-04-26 09:40:30 3968 --a------ C:\WINDOWS\System32\drivers\AvgAsCln.sys <Not Verified; GRISOFT, s.r.o.; AVG7 Clean Driver; 1.0.0.14; 1.0.0.14>
2007-04-26 09:17:58 974914 --a------ C:\WINDOWS\System32\RC48E140.DLL <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 1.00; 7.3.0>
2007-04-26 09:17:58 32768 --a------ C:\WINDOWS\System32\RC00C140.dll <Not Verified; RICOH CO., LTD.; RC00C140; 7.3.0; 7.3.0>
2007-04-26 09:17:57 61440 --a------ C:\WINDOWS\System32\TrackID.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 4, 1; 1, 0, 4, 1>
2007-04-26 09:17:57 69632 --a------ C:\WINDOWS\System32\TIFmtA.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 4, 0; 1, 0, 4, 0>
2007-04-26 09:17:57 49152 --a------ C:\WINDOWS\System32\TIBase64.dll <Not Verified; RICOH COMPANY,LTD.; Track ID; 1, 0, 1, 0; 1, 0, 1, 0>
2007-04-26 09:17:57 262364 --a------ C:\WINDOWS\System32\rpcsecl.dll <Not Verified; RICOH; RICOH RPCS Printer Driver Module rpcsecl; 3, 3, 3, 0; 3, 3, 3, 0>
2007-04-26 09:17:57 221184 --a------ C:\WINDOWS\System32\RICJC32.dll <Not Verified; RICOH CO.,Ltd.; RICJC32; 1, 3, 4, 0; 1, 3, 4, 0>
2007-04-26 09:17:57 61440 --a------ C:\WINDOWS\System32\rdrvlog.dll <Not Verified; RICOH; RICOH rdrvlog; 0, 3, 7, 0; 0, 3, 7, 0>
2007-04-26 09:17:57 57344 --a------ C:\WINDOWS\System32\rdrvinf.dll <Not Verified; RICOH Co.,Ltd.; RICOH RPDL Driver; 6, 3, 1, 0; 6, 3, 1, 0>
2007-04-26 09:17:57 77824 --a------ C:\WINDOWS\System32\RCPRINT.dll <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 1.3.1.0; 1.3.1.0>
2007-04-26 09:17:57 126976 --a------ C:\WINDOWS\System32\Rc4manNT.dll <Not Verified; RICOH CO., LTD.; RC4MAN; 4, 0, 5, 0; 4, 0, 5, 0>
2007-04-26 09:17:57 167936 --a------ C:\WINDOWS\System32\JCUI.exe <Not Verified; Ricoh Co.,Ltd.; JCUI; 1, 3, 3, 0; 1, 3, 3, 0>
2007-04-26 09:17:56 53248 --a------ C:\WINDOWS\System32\RICDB32.dll <Not Verified; RICOH CO.,Ltd.; RICDB; 1, 1, 3, 0; 1, 1, 3, 0>
2007-04-26 09:17:56 27136 --a------ C:\WINDOWS\System32\RCINST.dll <Not Verified; RICOH CO., LTD.; RICOH RPCS Printer Driver; 0, 2, 0, 2; 2.0.2>
2007-04-26 09:17:56 32768 --a------ C:\WINDOWS\System32\rc4mon.dll <Not Verified; RICOH CO.,Ltd.; RC4MON; 3, 3, 1, 0; 3, 3, 1, 0>
2007-04-26 09:17:56 1236992 --a------ C:\WINDOWS\System32\MP450dat.dll <Not Verified; RICOH CO., LTD.; MP450dat.dll; 1, 0, 0, 0; 1, 0, 0, 0>
2007-04-26 09:17:56 37376 --a------ C:\WINDOWS\System32\MFRICRES.dll <Not Verified; RICOH CO.,Ltd.; MFRICRES; 1, 0, 3, 0; 1, 0, 3, 0>
2007-04-26 09:17:56 0 d--h----- C:\_rpcs
2007-04-25 14:55:37 2552 --a------ C:\WINDOWS\System32\tmp.reg
2007-04-25 14:55:09 288417 --a------ C:\WINDOWS\System32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS; ; >
2007-04-25 14:55:09 53248 --a------ C:\WINDOWS\System32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility; 2, 0, 0, 0; 2, 0, 0, 0>
2007-04-25 14:55:09 51200 --a------ C:\WINDOWS\System32\dumphive.exe
2007-04-25 12:00:08 0 d-------- C:\Program Files\Hijack This
2007-04-08 20:58:22 0 d-------- C:\Documents and Settings\David\Application Data\MSN6


-- Find3M Report ---------------------------------------------------------------

2007-04-27 11:53:54 0 d-------- C:\Program Files\Java
2007-04-27 11:50:37 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-04-26 14:47:52 0 d--h----- C:\Program Files\WindowsUpdate
2007-04-26 11:37:58 0 d-------- C:\Program Files\Common Files\Companion Wizard
2007-04-08 20:03:07 0 d-------- C:\Documents and Settings\David\Application Data\PhotoParade


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"CPQDFWAG"="C:\\WINDOWS\\Cpqdiag\\CpqDfwAg.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link REG Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link REG Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link REG Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\D-Link\\AIRPLU~1\\Reg.exe "
"item"="D-Link REG Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChkAdmin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CHKADMIN"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Compaq\\COMPAQ~1\\CHKADMIN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpztsb07"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb07.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Dispatcher v2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fppdis2a"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe\" /source=HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ip6FwHlp"=dword:00000003
"cpqWebDmi"=dword:00000002
"CPQALERT"=dword:00000002
"awhost32"=dword:00000003
"Ati HotKey Poller"=dword:00000002
"ACS"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-30 at 15:47:30 ---------
Attached Files
File Type: txt BitDefender.txt (52.0 KB, 1 views)
jross1943 is offline  
Old 04-30-2007, 05:09 PM   #26 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,158
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan

Looks good, John! Yep, I felt we had kicked the beast, so online was fine.

Delete these:

C:\Documents and Settings\David\Desktop\otmovit moved files.zip
C:\_OTMoveIt
C:\Qoobox


Empty the recycle bin.

Well done. Your logs appear clean. You should be good to go. We still have a few items to address.

AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable its real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:

Open AVG Anti-Spyware.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.


Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Enable Windows Auto Update
  • Go to Start>Run - type wuaucpl.cpl
  • tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • SpywareGuard to catch and block spyware before it can execute.
  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

  • IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Download IE-SpyAD - Extract the contents to a new folder
      From within the folder, double-click install.bat
      Select Option #2 - Install the new IE-SPYAD list.
      Then return to the main menu.
      Select option #4 - Add the old porn sites domain


  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.


  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    Here are a few very good free Antivirus products which are available:
    Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
    See this link for a listing of some online antivirus scanners:

    Anti-Spyware Tutorial
  • FIREWALL
    If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

    Do not install more than one firewall program because they will conflict with each other.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
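
The HOSTS-file behaviour described under MVPS HOST FILE in the post above, as an added example that is not part of the original thread or of the MVPS package: a Python sketch that parses HOSTS text and separates names pointed at the local machine (127.0.0.1, 0.0.0.0, ::1) from names mapped to any other address, which a blocking list should not contain. The sample file content and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (not from the thread or the MVPS file).
SAMPLE_HOSTS = """\
# sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.com  tracker.example.net   # blocked
0.0.0.0         banner.example.org
203.0.113.7     update.example.com
not-an-ip       broken.example.com
::1             localhost
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        fields = line.split()
        if len(fields) < 2:                    # blank line or address with no name
            continue
        for name in fields[1:]:                # one address may carry several names
            yield line_no, fields[0], name.lower()

def classify(addr):
    """Return 'local' for loopback/unspecified, 'remote' otherwise, or 'invalid'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "local" if ip.is_loopback or ip.is_unspecified else "remote"

def audit_hosts(text):
    """Group every mapping by where it sends the hostname."""
    report = {"local": [], "remote": [], "invalid": []}
    for line_no, addr, name in parse_hosts(text):
        report[classify(addr)].append((line_no, addr, name))
    return report

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['local'])} names resolve to the local machine")
    for kind in ("remote", "invalid"):
        for line_no, addr, name in result[kind]:
            print(f"line {line_no}: {name} -> {addr} [{kind}] review this entry")
```

To check a real machine, pass the text of `%SystemRoot%\system32\drivers\etc\hosts` to `audit_hosts` instead of the sample.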
Old 05-01-2007, 07:16 AM   #27 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Southeast
Posts: 70
OS: XP/sp2


Re: Help - win32 Trojan



Bob, once again you have performed a miracle. You have returned this machine from the dead. I salute you and all those who give their time and talent to help others.

Best regards,

John
jross1943 is offline  
Old 05-01-2007, 08:10 AM   #28 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,158
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan



Happy Computing, and Safe Surfing, John!
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
All times are GMT -7. The time now is 03:01 AM.


