An apple from the same tree

jross1943 · 05-08-2007, 09:04 AM

Hello again,

The machine this log was taken from was connected to the same network as a computer that was severely infected and which you helped me clean (see http://www.techsupportforum.com/secu...tml#post878345 for details.

I disconnected the machine before connecting the previously infected unit to ensure there would be no cross contamination. Please examine the DSS log (extra log attached) and tell me if it is safe to re-connect the network.

Thanks for all you do

John
------------
Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-08 at 10:21:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
90: 2007-05-08 14:21:44 UTC - RP1142 - Deckard's System Scanner Restore Point
89: 2007-05-06 18:19:43 UTC - RP1141 - System Checkpoint
88: 2007-05-05 17:19:59 UTC - RP1140 - System Checkpoint
87: 2007-05-04 16:19:58 UTC - RP1139 - System Checkpoint
86: 2007-05-03 15:19:58 UTC - RP1138 - System Checkpoint

-- First Restore Point --
1: 2007-02-07 14:55:14 UTC - RP1053 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:27:08 AM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
F:\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: Microsoft DirectXb - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Bdmfao32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - c:\windows\system32\drivers\sqcaptur.sys <Not Verified; Service & Quality Technology.; SQ913>
S3 PcdrNt - c:\windows\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>
R2 ScsiAccess - c:\windows\system32\scsiaccess.exe

S4 Iomega Activity Disk2 - ""

-- Scheduled Tasks -------------------------------------------------------------

2007-05-02 08:56:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2002-06-12 08:40:37 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 3.job
2002-06-12 08:40:36 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 2.job
2002-06-12 08:40:35 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job
2002-06-12 08:40:35 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job
2002-06-12 08:40:34 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job

-- Files created between 2007-04-08 and 2007-05-08 -----------------------------

Nothing created in this timespan.

-- Find3M Report ---------------------------------------------------------------

2007-05-02 09:19:37 0 d-------- C:\Program Files\DesignPro

-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} C:\Program Files\NewDotNet\newdotnet7_48.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"checktime"="c:\\program files\\HPSelect\\Frontend\\ct.exe"
"HPGamesActiveMenu"="C:\\Program Files\\WildTangent\\ActiveMenu\\HP\\Games\\ActiveMenu.exe"
@=""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"OSS"="c:\\windows\\system32\\ossproxy.exe -boot"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~1.DLL,ClientStartup -s"
"TBPS"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"WinTools"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1\\plugin\\bin\\PCHButton.exe"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Microsoft DirectXb"="{79FEACFF-FFCE-815E-A900-316290B5B738}"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

-- End of Deckard's System Scanner: finished at 2007-05-08 at 10:28:19 ---------

tetonbob · 05-08-2007, 12:36 PM

Hi John....there's some current adware, and evidence of an data stealing trojan which now appears to have been partly removed.

Let's do a full clean on this machine before letting it talk to others on the network.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

Install AVG Anti Spyware
Double-click the icon on Desktop to launch AVG
On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

We'll use this later.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6 u1.
- Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down)
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement".
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  
  J2SE Runtime Environment 5.0 Update 3
  J2SE Runtime Environment 5.0 Update 8
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u1-windowsi586-p.exe to install the newest version.
- After the install is complete, go back into the Control Panel and double-click the Java Icon.
- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache - Leave ALL 3 Checked
  - Other Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Java Control Panel.
---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

New.net Domains 7.48
RelevantKnowledge

---------------------------------------------------------------------------------------------

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O21 - SSODL: Microsoft DirectXb - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Bdmfao32.dll (file missing)

Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------

Delete the following if they exist:

C:\Program Files\NewDotNet
c:\windows\system32\ossproxy.exe
C:\Program Files\Toolbar
C:\Program Files\Common Files\WinTools
C:\WINDOWS\System32\Bdmfao32.dll<<may not exist already

---------------------------------------------------------------------------------------------

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on located at the bottom of the page.
A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

If it finds any malware, it will offer you a report.
Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

AVG Anti-Spyware
Panda
HJT

jross1943 · 05-09-2007, 08:34 AM

Hi Bob, sorry for the delay in responding but I have a problem. I realize the importance of following the instructions in sequence so the first thing I did was install AVG . . . no problem . . . but when I tried to update the definitions I was presented with; "ERROR - The server is not ready to serve. Please try again later". I have tried in both normal and safe mode with networking. After two days of attempts (including the automatic updates set to 30 minutes), I decided to ask'
; "Is there a workaround"?

Thanks,

John

tetonbob · 05-09-2007, 09:04 AM

Hi John -

That happens from time to time with the AVG servers...try again, or use this link to get the full, manual updates.

Download the file, and run it. It will want to install to the same directory as AVG AS.

http://download.ewido.net/avgas-sign...ll-current.exe

jross1943 · 05-10-2007, 10:52 AM

Here are the logs you requested.

Thanks

John
----------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:46:46 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)

-----------------------------------------------

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:47:19 AM 5/10/2007

+ Scan result:

C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\SeekmoTBInstaller.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124375.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124376.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-2495073255-3652652152-3399203189-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\hotfix.exe -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\toolbar.IToolbarScriptClass -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\toolbar.IToolbarScriptClass\Clsid -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Adware.WebSearch : Cleaned with backup (quarantined).
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\MediaGateway.exe -> Adware.WinAD : Cleaned with backup (quarantined).
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@educationsuccess.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@e-2dj6wgk4qhdpweo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@e-2dj6wgkiwhc5mho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@e-2dj6wjliapdzogq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-advanceauto.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-airtran.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-cskautocorporation.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-milesmediagroup.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-wachovia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@counter13.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.

::Report end

--------------------------------------

Panda Active Scan

Incident Status Location

Spyware:spyware/marketscore Not disinfected c:\windows\system32\osconfig.dll
Virus:trj/goldun.fz Disinfected Operating system
Adware:adware/wintools Not disinfected Windows Registry
Spyware:Cookie/adultfriendfinder Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@adultfriendfinder[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@apmebf[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@belnk[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ccbill[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@cgi-bin[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@dist.belnk[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/MarketScore Not disinfected C:\WINDOWS\SYSTEM32\osmim.dll
end of report

tetonbob · 05-10-2007, 11:07 AM

Hi John -

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026

Close HijackThis now.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

Delete the following:

C:\WINDOWS\SYSTEM32\osmim.dll
c:\windows\system32\osconfig.dll

If they resist, boot to safe mode and delete from there.

---------------------------------------------------------------------------------------------

Let's run this additional online scan, to look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------
Post a new HJT log as well.

How's the system behaving?

jross1943 · 05-11-2007, 11:46 AM

The system is running very slow. It took almost 8 hrs. to run the Kapersky online scan. It takes about 5-6 minutes to boot. Other than that, there's no extra pop-ups, etc.

Here's the logs you requested.

Thanks for all you do.

John
-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:35:39 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)

-------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 11, 2007 1:34:35 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/05/2007
Kaspersky Anti-Virus database records: 317372
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 114015
Number of viruses found: 25
Number of infected objects: 88 / 0
Number of suspicious objects: 3
Duration of the scan process: 03:52:11

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\AE7TXZHV\1[1].htm Infected: Trojan-Downloader.JS.Small.au skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\054C0001.VBN Infected: Trojan-Spy.Win32.Qukart.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09300000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09340000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09880000.VBN Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\099C0000.VBN Infected: Trojan-Spy.Win32.Qukart.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09A80000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09B00000.VBN Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09B00001.VBN Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09B40000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A740000.VBN Infected: Exploit.JS.CVE-2005-1790.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A780000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B140000.VBN Infected: Trojan-Spy.Win32.Qukart.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B140001.VBN Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D680000.VBN Infected: Trojan-Downloader.VBS.Mscount.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D780000.VBN Infected: Exploit.Win32.IMG-WMF.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D7C0000.VBN Infected: Exploit.Win32.IMG-WMF.v skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DC80000.VBN Infected: Trojan-Downloader.VBS.Mscount.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DC80001.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DC80001.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DC80001.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DC80001.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DC80001.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DC80002.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140001.VBN Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140003.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140005.VBN/Counter.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140005.VBN/VerifierBug.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140005.VBN/web.exe Infected: Trojan.Win32.Small.ev skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140005.VBN/Worker.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140005.VBN/Xeyond.class Infected: Trojan.Java.Femad skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140005.VBN ZIP: infected - 5 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\35140005.VBN CryptZ: infected - 5 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_bpwEjj51HUqnuM2 Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_mBqkUbeedtqWwEt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_P8GUEnDt0jvBk5o Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\me_sYR5YtatO6cgWWY Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0077.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0077.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0077.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0080.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0080.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0080.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0081.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0082.BIN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0082.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0082.BIN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0082.BIN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0082.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0082.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0082.BIN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0083.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.h skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe/WISE0084.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.i skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe WiseSFX: infected - 16 skipped
C:\Documents and Settings\Owner\My Documents\clipartfree.exe WiseSFX Dropper: infected - 16 skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0077.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0077.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0077.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0080.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0080.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0080.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0081.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0082.BIN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0082.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0082.BIN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0082.BIN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0082.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0082.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0082.BIN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0083.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.h skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe/WISE0084.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.i skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe WiseSFX: infected - 16 skipped
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe WiseSFX Dropper: infected - 16 skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\KODAK\Kodak EasyShare software\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\KODAK\Kodak EasyShare software\Catalog\EasyShare.mm Object is locked skipped
C:\RECYCLER\S-1-5-21-2495073255-3652652152-3399203189-1003\Dc3.dll Infected: not-a-virus:Server-Proxy.Win32.MarketScore.q skipped
C:\RECYCLER\S-1-5-21-2495073255-3652652152-3399203189-1003\Dc4.dll Infected: not-a-virus:Server-Proxy.Win32.MarketScode.c skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124388.exe Infected: not-a-virus:AdWare.Win32.WebSearch.ax skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124389.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124390.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124391.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124392.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124393.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124394.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124395.exe Infected: not-a-virus:AdTool.Win32.WinAD.bv skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1148\A0124571.dll Infected: not-a-virus:Server-Proxy.Win32.MarketScode.c skipped
C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1148\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{57895ABB-D9D9-4207-96BB-F4BBCCDE7CB0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\rk.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.i skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\UltraVNC\UltraVNC-102-Setup.exe/Stream/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
F:\UltraVNC\UltraVNC-102-Setup.exe/Stream/data0005 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
F:\UltraVNC\UltraVNC-102-Setup.exe/Stream Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c skipped
F:\UltraVNC\UltraVNC-102-Setup.exe Inno: infected - 3 skipped
F:\Virus-Malware Removers\B.S. 2.0\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\Virus-Malware Removers\B.S. 2.0\SmitfraudFix.zip ZIP: infected - 1 skipped
F:\SmitFraudFix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitFraudFix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
F:\SmitFraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped

Scan process completed.
------------------------

tetonbob · 05-11-2007, 06:51 PM

Hi John -

Kaspersky log says it took less than 4 hours,

Quote:

Duration of the scan process: 03:52:11

not sure why the difference in what it reports.

Either seems like a long time for an 80GB drive.

What's F drive? Your USB drive?

There are some stray adware items left behind, but no serious risks that I can see, and nothing obvious to explain a slow system.

You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable it's real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:

Open AVG Anti-Spyware.

On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.

Hope that helps the boot time.

---------------------------------------------------------------------------------------------

Delete these:

C:\Deckard\System Scanner\backup
C:\Documents and Settings\Owner\My Documents\clipartfree.exe
C:\Documents and Settings\Owner\My Documents\wfallsawfree.exe
C:\WINDOWS\SYSTEM32\rk.exe

Delete contents of Norton Quarantine folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine

---------------------------------------------------------------------------------------------

Next, let's use this tool as a diagnostic:

Download combofix.exe to your desktop.
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

jross1943 · 05-14-2007, 08:00 AM

Sorry for the delay. It's been an "interesting" week. Lots of opportunity for ME to excel in my chosen profession.

In response to your question about "Drive F"; Yes, that is my USB Drive.

Should I empty the recycle bin now?

Anyway, here's the logs you requested.
------------------------------------
"Owner" - 2007-05-14 9:49:39 Service Pack 2
ComboFix 07-05.14.3.V - Running from: "C:\Documents and Settings\Owner\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk
C:\install.log

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 ))))))))))))))))))))))))))))))))))

2007-05-11 09:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-05-10 09:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-05-09 09:29 3,968 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys
2007-05-08 10:21 <DIR> d-------- C:\Deckard

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-10 14:52:00 -------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-05-10 14:37:41 -------- d-----w C:\Program Files\Google
2007-05-02 13:19:37 -------- d-----w C:\Program Files\DesignPro
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-05 05:21:54 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-11-22 14:46]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2003-03-16 02:02]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"checktime"="c:\\program files\\HPSelect\\Frontend\\ct.exe"
"HPGamesActiveMenu"="C:\\Program Files\\WildTangent\\ActiveMenu\\HP\\Games\\ActiveMenu.exe"
@=""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36]
"PS2"="C:\WINDOWS\system32\ps2.exe" []
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 23:23]
"HPGamesActiveMenu"="C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe" []
"@"="" [])
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" []
"KBD"="C:\HP\KBD\KBD.EXE" []
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" []
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Acme.PCHButton"="C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe" [2001-09-05 04:46]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-25 11:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1\\plugin\\bin\\PCHButton.exe"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
HTTPFilter HTTPFilter
DcomLaunch DcomLaunch TermService
WudfServiceGroup WUDFSvc

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*
*newlycreated* -PROCEXP90

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070511-091637-704
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Registration reminder 2.job
C:\WINDOWS\tasks\Registration reminder 3.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-14 09:54:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-14 9:54:33
C:\ComboFix-quarantined-files.txt ... 2007-05-14 09:54
---------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:55:09 AM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\nircmd.cfexe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing)

-----------------

tetonbob · 05-14-2007, 08:22 AM

Hi John -

Logs look clean, though it appears AVG Anti-Spyware is still scheduled to run at startup.

Yes, empty recycle bin if it has items in it.

ComboFix didn't find anything which leads me to want to investigate malware further....so if the system is still slow, do a defrag, see if disabling some items from startup can help.

Let me know how you get along.

jross1943 · 05-14-2007, 01:28 PM

Hi Bob,

I've followed all your suggestions as well as removed some unnecessary resource hogs such as the HP suite of junk, Google and Yahoo toolbars.

The AVG Anti-Virus probably still showed as a startup item because I had not rebooted before running the last HJT scan.

Afterwards I installed Zone Alarm, Ad-Aware and Win Patrol.

When I ran Ad-Aware it found several things that are a concern. I'm posting the log as an attachment since it is so large.

I'm also including a current HJT scan.

Please advise if there are any further tests we should run.

Best regards,

John
-----------------------
Logfile of HijackThis v1.99.1
Scan saved at 3:26:42 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

tetonbob · 05-14-2007, 02:10 PM

Does Ad-Aware give you the option of fixing those finds? If so, do so.

Cookies are really no big deal, and the other finds seem to be orphaned registry entries or false positives.

tetonbob · 05-14-2007, 02:25 PM

To further my comments about false positives....this entry relates to IE7's popup blocker:

CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\new windows
Value : PopupMgr

I have the same registry entry on my machine. Turn on IE7 popup blocker, and the value data for PopupMgr is "yes", turn it off, and the value data is "no"

I have a couple of those other entries as well on my machine.

jross1943 · 05-14-2007, 02:40 PM

Bob, thanks so much for the detailed explanation. Yes, I fixed the items found in Ad-Aware. Since there seem to be no more concerns, I'll consider this thread closed.

Thanks again for all you do.

John

tetonbob · 05-14-2007, 03:01 PM

Well done, John.

Don't forget to flush old system restore points, and create a new one.

I'll give you "the clean log speech", though I think you have it saved by now...

Well done. Your logs appear clean.You should be good to go. We still have a few items to address.

AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable it's real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so:

Open AVG Anti-Spyware.

On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.

Reset hidden/system files and folders

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Clear & Reset System Restore's Cache

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already:

SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
SpywareGuard to catch and block spyware before it can execute.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- Download IE-SpyAD - Extract the contents to a new folder
  From within the folder, double-click install.bat
  Select Option #2 - Install the new IE-SPYAD list.
  Then return to the main menu.
  Select option #4 - Add the old porn sites domain
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

Here are a few very good free Antivirus products which are available:
- AOL Active Virus Shield (powered by Kaspersky Antivirus)
- Avast!
- AVG
- Avira PersonalEdition Classic
Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

See this link for a listing of some online antivirus scanners:

Anti-Spyware Tutorial
FIREWALL
If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

Do not install more than one firewall program because they will conflict with each other.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Glad to have helped.

05-08-2007, 12:36 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,239 OS: 2000 Pro; XP Pro; XP Home	Re: An apple from the same tree Hi John....there's some current adware, and evidence of an data stealing trojan which now appears to have been partly removed. Let's do a full clean on this machine before letting it talk to others on the network. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Download AVG Anti Spyware Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows" Install AVG Anti Spyware Double-click the icon on Desktop to launch AVG On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly. --------------------------------------------------------------------------------------------- Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only We'll use this later. --------------------------------------------------------------------------------------------- Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java: Download the latest version of Java Runtime Environment (JRE) 6 u1. Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications". (4th one down) Click the "Download" button to the right. Check the box that says: "*Accept* License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. J2SE Runtime Environment 5.0 Update 3 J2SE Runtime Environment 5.0 Update 8 Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u1-windowsi586-p.exe to install the newest version. After the install is complete, go back into the Control Panel and double-click the Java Icon. Under Temporary Internet Files, click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. --------------------------------------------------------------------------------------------- Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. --------------------------------------------------------------------------------------------- Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: New.net Domains 7.48 RelevantKnowledge --------------------------------------------------------------------------------------------- Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any): R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O21 - SSODL: Microsoft DirectXb - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Bdmfao32.dll (file missing) Close HijackThis now. --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. --------------------------------------------------------------------------------------------- Delete the following if they exist: C:\Program Files\NewDotNet c:\windows\system32\ossproxy.exe C:\Program Files\Toolbar C:\Program Files\Common Files\WinTools C:\WINDOWS\System32\Bdmfao32.dll<<may not exist already --------------------------------------------------------------------------------------------- Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. If you use Firefox browser Click Firefox at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser Click Opera at the top and choose: Select All Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. For Technical Support, double-click the e-mail address located at the bottom of each menu. --------------------------------------------------------------------------------------------- Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. Once the scan is complete do the following: If you have any infections you will prompted, then select "Apply all actions" Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important). Restart in normal mode. --------------------------------------------------------------------------------------------- Perform an online scan with Internet Explorer with Panda ActiveScan Click on located at the bottom of the page. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click "Free Online Scan" The download of the 8 MB Panda's ActiveX control will take place Begin the scan by selecting If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on then click * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------------------------------------------------------------------------------- Run a new HijackThis scan. Save the log file and post it here. --------------------------------------------------------------------------------------------- Please return with logs from: AVG Anti-Spyware Panda HJT __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-09-2007, 08:34 AM	#3 (permalink)
jross1943 Registered User Join Date: Jan 2007 Location: Southeast Posts: 70 OS: XP/sp2	Re: An apple from the same tree Hi Bob, sorry for the delay in responding but I have a problem. I realize the importance of following the instructions in sequence so the first thing I did was install AVG . . . no problem . . . but when I tried to update the definitions I was presented with; "ERROR - The server is not ready to serve. Please try again later". I have tried in both normal and safe mode with networking. After two days of attempts (including the automatic updates set to 30 minutes), I decided to ask' ; "Is there a workaround"? Thanks, John

05-09-2007, 09:04 AM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,239 OS: 2000 Pro; XP Pro; XP Home	Re: An apple from the same tree Hi John - That happens from time to time with the AVG servers...try again, or use this link to get the full, manual updates. Download the file, and run it. It will want to install to the same directory as AVG AS. http://download.ewido.net/avgas-sign...ll-current.exe __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-10-2007, 10:52 AM	#5 (permalink)
jross1943 Registered User Join Date: Jan 2007 Location: Southeast Posts: 70 OS: XP/sp2	Re: An apple from the same tree Here are the logs you requested. Thanks John ---------------------- Logfile of HijackThis v1.99.1 Scan saved at 12:46:46 PM, on 5/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16414) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\WINDOWS\System32\svchost.exe C:\windows\system\hpsysdrv.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing) ----------------------------------------------- --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 8:47:19 AM 5/10/2007 + Scan result: C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\SeekmoTBInstaller.exe -> Adware.Agent : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124375.dll -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP1146\A0124376.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\WINDOWS\NDNuninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined). HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined). HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined). HKU\S-1-5-21-2495073255-3652652152-3399203189-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined). C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\hotfix.exe -> Adware.WebSearch : Cleaned with backup (quarantined). HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup (quarantined). HKLM\SOFTWARE\Classes\toolbar.IToolbarScriptClass -> Adware.WebSearch : Cleaned with backup (quarantined). HKLM\SOFTWARE\Classes\toolbar.IToolbarScriptClass\Clsid -> Adware.WebSearch : Cleaned with backup (quarantined). HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Adware.WebSearch : Cleaned with backup (quarantined). HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO -> Adware.WebSearch : Cleaned with backup (quarantined). C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\MediaGateway.exe -> Adware.WinAD : Cleaned with backup (quarantined). C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@educationsuccess.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@e-2dj6wgk4qhdpweo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@e-2dj6wgkiwhc5mho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@e-2dj6wjliapdzogq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-advanceauto.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-airtran.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-cskautocorporation.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-milesmediagroup.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ehg-wachovia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@revsci[2].txt -> TrackingCookie.Revsci : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@counter13.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned. C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned. ::Report end -------------------------------------- Panda Active Scan Incident Status Location Spyware:spyware/marketscore Not disinfected c:\windows\system32\osconfig.dll Virus:trj/goldun.fz Disinfected Operating system Adware:adware/wintools Not disinfected Windows Registry Spyware:Cookie/adultfriendfinder Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@adultfriendfinder[2].txt Spyware:Cookie/Apmebf Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@apmebf[1].txt Spyware:Cookie/Atwola Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@atwola[1].txt Spyware:Cookie/Belnk Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@belnk[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@ccbill[1].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@cgi-bin[1].txt Spyware:Cookie/Belnk Not disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Owner\LOCALS~1\Temp\Cookies\owner@dist.belnk[2].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe Spyware:Spyware/MarketScore Not disinfected C:\WINDOWS\SYSTEM32\osmim.dll end of report

05-10-2007, 11:07 AM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,239 OS: 2000 Pro; XP Pro; XP Home	Re: An apple from the same tree Hi John - Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026 Close HijackThis now. --------------------------------------------------------------------------------------------- Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading, select Show hidden files and folders. * Uncheck the Hide protected operating system files (recommended) option. * Also make sure there is no checkmark beside Hide file extensions for known file types * Click Yes to confirm and then click OK. Delete the following: C:\WINDOWS\SYSTEM32\osmim.dll c:\windows\system32\osconfig.dll If they resist, boot to safe mode and delete from there. --------------------------------------------------------------------------------------------- Let's run this additional online scan, to look for remnants. Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------------------------------------------------------------------------------------- Post a new HJT log as well. How's the system behaving? __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-14-2007, 08:00 AM	#9 (permalink)
jross1943 Registered User Join Date: Jan 2007 Location: Southeast Posts: 70 OS: XP/sp2	Re: An apple from the same tree Sorry for the delay. It's been an "interesting" week. Lots of opportunity for ME to excel in my chosen profession. In response to your question about "Drive F"; Yes, that is my USB Drive. Should I empty the recycle bin now? Anyway, here's the logs you requested. ------------------------------------ "Owner" - 2007-05-14 9:49:39 Service Pack 2 ComboFix 07-05.14.3.V - Running from: "C:\Documents and Settings\Owner\Desktop\" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk C:\install.log ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 )))))))))))))))))))))))))))))))))) 2007-05-11 09:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab 2007-05-10 09:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan 2007-05-09 09:29 3,968 --a------ C:\WINDOWS\SYSTEM32\drivers\AvgAsCln.sys 2007-05-08 10:21 <DIR> d-------- C:\Deckard (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-10 14:52:00 -------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor 2007-05-10 14:37:41 -------- d-----w C:\Program Files\Google 2007-05-02 13:19:37 -------- d-----w C:\Program Files\DesignPro 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys 2007-03-05 05:21:54 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM 2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2005-11-22 14:46] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2003-03-16 02:02] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe" "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE" "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe" "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe" "PS2"="C:\\WINDOWS\\system32\\ps2.exe" "checktime"="c:\\program files\\HPSelect\\Frontend\\ct.exe" "HPGamesActiveMenu"="C:\\Program Files\\WildTangent\\ActiveMenu\\HP\\Games\\ActiveMenu.exe" @="" "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe" "RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER" "KBD"="C:\\HP\\KBD\\KBD.EXE" "MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe" "tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf" "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 12:04] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-06-15 18:34] "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2001-08-07 20:25] "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2001-08-07 19:36] "PS2"="C:\WINDOWS\system32\ps2.exe" [] "checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2001-08-13 23:23] "HPGamesActiveMenu"="C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe" [] "@"="" []) "vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 02:21] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [] "KBD"="C:\HP\KBD\KBD.EXE" [] "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [] "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 08:20] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24] "Acme.PCHButton"="C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe" [2001-09-05 04:46] "MoneyAgent"="C:\Program Files\Microsoft Money\System\Money Express.exe" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-01-25 11:05] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1\\plugin\\bin\\PCHButton.exe" "MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\"" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" "swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13] [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages msv1_0 Security Packages kerberos msv1_0 schannel wdigest Notification Packages scecli [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV NetworkService DnsCache rpcss RpcSs imgsvc StiSvc termsvcs TermService HTTPFilter HTTPFilter DcomLaunch DcomLaunch TermService WudfServiceGroup WUDFSvc HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost netsvcs newlycreated -PROCEXP90 ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ backup-20070511-091637-704 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026 Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\ISP signup reminder 1.job C:\WINDOWS\tasks\ISP signup reminder 2.job C:\WINDOWS\tasks\ISP signup reminder 3.job C:\WINDOWS\tasks\Registration reminder 2.job C:\WINDOWS\tasks\Registration reminder 3.job ****************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-14 09:54:15 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ****************************************************************** Completion time: 2007-05-14 9:54:33 C:\ComboFix-quarantined-files.txt ... 2007-05-14 09:54 --------------------------- Logfile of HijackThis v1.99.1 Scan saved at 9:55:09 AM, on 5/14/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\spoolsv.exe C:\windows\system\hpsysdrv.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\PROGRA~1\Iomega\System32\AppServices.exe C:\WINDOWS\system32\drivers\KodakCCS.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe C:\WINDOWS\System32\ScsiAccess.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\explorer.exe C:\ComboFix\nircmd.cfexe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.comp...bio5_2_3_0.cab O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE O23 - Service: WUSB54Gv42SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv42.exe (file missing) -----------------

05-14-2007, 08:22 AM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,239 OS: 2000 Pro; XP Pro; XP Home	Re: An apple from the same tree Hi John - Logs look clean, though it appears AVG Anti-Spyware is still scheduled to run at startup. Yes, empty recycle bin if it has items in it. ComboFix didn't find anything which leads me to want to investigate malware further....so if the system is still slow, do a defrag, see if disabling some items from startup can help. Let me know how you get along. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-14-2007, 02:10 PM	#12 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,239 OS: 2000 Pro; XP Pro; XP Home	Re: An apple from the same tree Does Ad-Aware give you the option of fixing those finds? If so, do so. Cookies are really no big deal, and the other finds seem to be orphaned registry entries or false positives. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009 Last edited by tetonbob; 05-14-2007 at 02:16 PM.

05-14-2007, 02:25 PM	#13 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,239 OS: 2000 Pro; XP Pro; XP Home	Re: An apple from the same tree To further my comments about false positives....this entry relates to IE7's popup blocker: CoolWebSearch Object Recognized! Type : RegValue Data : TAC Rating : 10 Category : Malware Comment : Rootkey : HKEY_CURRENT_USER Object : software\microsoft\internet explorer\new windows Value : PopupMgr I have the same registry entry on my machine. Turn on IE7 popup blocker, and the value data for PopupMgr is "yes", turn it off, and the value data is "no" I have a couple of those other entries as well on my machine. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

05-14-2007, 02:40 PM	#14 (permalink)
jross1943 Registered User Join Date: Jan 2007 Location: Southeast Posts: 70 OS: XP/sp2	Re: An apple from the same tree Bob, thanks so much for the detailed explanation. Yes, I fixed the items found in Ad-Aware. Since there seem to be no more concerns, I'll consider this thread closed. Thanks again for all you do. John

05-14-2007, 03:01 PM	#15 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,239 OS: 2000 Pro; XP Pro; XP Home	Re: An apple from the same tree Well done, John. Don't forget to flush old system restore points, and create a new one. I'll give you "the clean log speech", though I think you have it saved by now... Well done. Your logs appear clean.You should be good to go. We still have a few items to address. AVG Anti-Spyware would be a good program to keep, update and run a scan with once a week or so. It adds another layer of protection to your system's security tools. You may want to prevent AVG Anti-Spyware from running at Windows startup, and just call it into service when needed. This may help with system boot times. To do so, right click on the AVG A/S system tray icon, and uncheck Start with Windows. Also disable it's real time protection, as this will also use system resources, and will time out at the end of the trial period in 30 days. To do so: Open AVG Anti-Spyware. On the main screen under Your Computer's security. Click on Change state next to Resident shield. It should now change to inactive. Click on Change state next to Automatic updates. It should now change to inactive. Reset hidden/system files and folders Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Clear & Reset System Restore's Cache click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs if you don't have them already: SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items SpywareGuard to catch and block spyware before it can execute. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here IE-SPYAD - IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Download IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Here are a few very good free Antivirus products which are available: AOL Active Virus Shield (powered by Kaspersky Antivirus) Avast! AVG Avira PersonalEdition Classic Select one of these, or another of your choice. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial FIREWALL If you do not have a firewall, here are a couple of great free ones available for personal use. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice: Do not install more than one firewall program because they will conflict with each other. Comodo Personal Firewall ZoneAlarm In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. Glad to have helped. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009