Resolved HJT Threads: Resolved spyware and popup issues.
#21

Registered User
Join Date: Apr 2005
Posts: 14
OS: WinXP
Here are the files:
File C:\WINDOWS\Bolger.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File c:\windows\system32\atdmvq.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\svcproc.exe infected by "Trojan.Win32.Stervis.b" Virus. Action Taken: No Action Taken.
File System Found infected by "Visicom Media Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "autoloader Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\flnlhkh.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wpvwdiqga.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\AfcicuO.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Ihjc.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Lun8r9.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\LwiPYK.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\Temp\all_files7.exe infected by "not-a-virus:AdWare.EZula.ar" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\Temp\LEL\aurareco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\Temp\pacificpokersetup.exe tagged as not-a-virus:RiskWare.Tool.PrcView.3725. No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\Temp\pop_eu.exe infected by "Trojan-Downloader.Win32.Apropo.h" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\Temp\SEPInst.exe infected by "Trojan.Win32.Septic.a" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\Temp\temp.fr3EA5 infected by "Trojan-Downloader.Win32.Apropo.w" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\Temp\WBCM_Installer.exe infected by "Trojan.Win32.Agent.az" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\TEMPOR~1\Content.IE5\GD6JWHMR\Nail[1].exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\LISAAN~1\LOCALS~1\TEMPOR~1\Content.IE5\R6QIEEPY\svcproc[1].exe infected by "Trojan.Win32.Stervis.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06380000.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C300000.VBN infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C300001.VBN infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C300002.VBN infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0C300003.VBN infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temp\all_files7.exe infected by "not-a-virus:AdWare.EZula.ar" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temp\LEL\aurareco.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temp\pacificpokersetup.exe tagged as not-a-virus:RiskWare.Tool.PrcView.3725. No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temp\pop_eu.exe infected by "Trojan-Downloader.Win32.Apropo.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temp\SEPInst.exe infected by "Trojan.Win32.Septic.a" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temp\temp.fr3EA5 infected by "Trojan-Downloader.Win32.Apropo.w" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temp\WBCM_Installer.exe infected by "Trojan.Win32.Agent.az" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temporary Internet Files\Content.IE5\GD6JWHMR\Nail[1].exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temporary Internet Files\Content.IE5\R6QIEEPY\svcproc[1].exe infected by "Trojan.Win32.Stervis.b" Virus. Action Taken: No Action Taken.
File C:\Downloads\PedalToTheMetalSetup-dm[1].exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No Action Taken.
File C:\iMeshInst.exe infected by "not-a-virus:AdWare.WinFetcher.g" Virus. Action Taken: No Action Taken.
File C:\MemoryWatcher_b.exe infected by "Backdoor.Win32.VB.oq" Virus. Action Taken: No Action Taken.
File C:\Program Files\AOL 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\PacificPoker\pv.exe tagged as not-a-virus:RiskWare.Tool.PrcView.3725. No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058109.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058123.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058151.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058180.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058181.dll infected by "Trojan.Win32.Septic.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058196.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058214.exe infected by "Trojan.Win32.Stervis.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058222.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058229.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058247.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058252.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058280.exe infected by "Trojan-Downloader.Win32.Apropo.aa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058281.exe infected by "not-a-virus:AdWare.Apropos.i" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058282.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058283.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058284.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058290.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058344.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058384.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058434.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058469.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP318\A0058517.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{38D6DCA9-0982-4880-B163-4A0F5FD5EC88}\RP319\A0058550.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\flnlhkh.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\AfcicuO.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Ihjc.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Lun8r9.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\LwiPYK.exe infected by "Trojan-Downloader.Win32.VB.em" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wpvwdiqga.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.

FIND IT LOG:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* Todo C:\WINDOWS\System32\VHXVFB.EXE

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
* 1 aurora C:\WINDOWS\FLNLHKH.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidence
Even then back them up first
* UPX! C:\WINDOWS\System32\VHXVFB.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\WPVWDI~1.EXE
* Sniffed C:\WINDOWS\System32\DRPMON.DLL

»»»»»»»»»»»»»»»»»»»»»»»» Possible SAHAgent Files found »»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\WPVWDI~1.EXE

 Volume in drive C has no label.
 Volume Serial Number is 841C-FF6B
 Directory of C:\WINDOWS\system32
16/08/2001 15:42 2,238 Autorun.ico
 1 File(s) 2,238 bytes
 0 Dir(s) 32,336,273,408 bytes free
svcproc.exe
DrPMon.dll
 Volume in drive C has no label.
 Volume Serial Number is 841C-FF6B
 Directory of C:\WINDOWS\SYSTEM32
 Volume in drive C has no label.
 Volume Serial Number is 841C-FF6B
 Directory of C:\WINDOWS\SYSTEM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver SZ DrPMon.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon\Driver SZ DrPMon.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon\Driver SZ DrPMon.dll
#22

Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok Lisa...here we go. Please print these instructions out so you can follow along.

Please empty any Quarantine folder in your antivirus and purge all recovery items in the Spybot program if you use it before continuing. DO NOT REBOOT once you post the new set of logs at the end of this fix. Doing so will render those logs incomplete as the filenames will change.

Download KillBox: http://www.atribune.org/downloads/KillBox.exe

Download and install CleanUp: http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.

Please make sure System Restore is enabled by right-clicking on My Computer, going to Properties->System Restore and checking the box for Turn ON System Restore. Once you're clean we will turn this off and then create a new restore point.

Download ewido security suite from here: http://www.ewido.net/en/download/
Update its database from here: http://www.ewido.net/en/download/updates/
Run a scan and let it clean the PC. Delete what it finds.

Close out all open windows and disconnect the PC from any internet access.

1. Delete this file:
C:\WINDOWS\system32\Autorun.ico

2. Go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called: System Startup Service (SvcProc). When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

3. Run the CleanUp utility and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click OK. Paste the following locations into KillBox one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

C:\Windows\System32\svcproc.exe
C:\Windows\System32\ Nail.exe
C:\WINDOWS\System32\VHXVFB.EXE
C:\WINDOWS\FLNLHKH.EXE
C:\WINDOWS\WPVWDI~1.EXE
C:\WINDOWS\System32\DRPMON.DLL
C:\WINDOWS\Bolger.dll
c:\windows\system32\atdmvq.exe
C:\WINDOWS\woinstall.exe
C:\WINDOWS\wpvwdiqga.exe
C:\WINDOWS\System32\AfcicuO.exe
C:\WINDOWS\System32\Ihjc.exe
C:\WINDOWS\System32\Lun8r9.exe
C:\WINDOWS\System32\LwiPYK.exe
c:\windows\system32\eII.exe
C:\windows\system32\QP.exe
c:\windows\system32\ogszrsd.exe
c:\windows\system32\ipcrv.exe
c:\windows\system32\extredir.exe

5. Now, click on Start, then Run... type cmd and press "OK". In the next box that opens, type cd\ and press "Enter". Now you'll see the C: prompt... it looks like this: C:\> Type cd\windows and then Enter. Next, type nail.exe /FullRemove (make sure there is a space between nail.exe and the /)... then Enter.

6. Run HijackThis and fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [eII.exe] c:\windows\system32\eII.exe
O4 - HKLM\..\Run: [QP] C:\windows\system32\QP.exe
O4 - HKLM\..\Run: [x37i3pe] extredir.exe
O4 - HKLM\..\Run: [imoxxl] c:\windows\system32\ogszrsd.exe
O4 - HKCU\..\Run: [g0osRfK5i] ipcrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

7. Reboot the PC, reconnect your internet access and post another FindIt log and HijackThis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
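The fix list above came from cross-referencing the scanner hits in post #21 with the HijackThis entries that load those files, plus two patterns the helper flagged on sight: the system.ini Shell= hook that chains Nail.exe after Explorer.exe, and a service with no vendor string. The following Python automates that triage; it is an added example, not code from the thread or from HijackThis, and the sample scanner lines and log entries are a constructed subset copied from this thread. The Shell= and "Unknown owner" rules are heuristics assumed from what the helper flagged, not rules the tool itself applies.

```python
"""Triage a HijackThis log against antivirus scan output (added example).

Maps the files a scanner flagged onto the HijackThis entries that load
them, and also flags two persistence patterns seen in this thread: a
system.ini Shell= hook that loads more than Explorer.exe (F2) and a
service with no vendor string ("Unknown owner", O23).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "entry reason line")

# Constructed samples: a subset of the scan output and HJT lines posted
# in this thread, kept as raw strings because of the backslashes.
SCAN_OUTPUT = r"""
File C:\WINDOWS\Bolger.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File c:\windows\system32\atdmvq.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\svcproc.exe infected by "Trojan.Win32.Stervis.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\PacificPoker\pv.exe tagged as not-a-virus:RiskWare.Tool.PrcView.3725. No Action Taken.
"""
HJT_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [eII.exe] c:\windows\system32\eII.exe
O4 - HKLM\..\Run: [x37i3pe] extredir.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

# 'File <path> infected by "<name>" Virus.' or 'File <path> tagged as <tag>.'
SCAN_RE = re.compile(r'^File (?P<path>.+?) (?:infected by "(?P<name>[^"]+)" Virus'
                     r'|tagged as (?P<tag>\S+)\.)')
# Absolute path of a loaded module, possibly quoted and followed by arguments.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
# Bare module name at the end of an entry (resolved through PATH/system32).
BARE_RE = re.compile(r'(\S+\.(?:exe|dll))\s*$', re.IGNORECASE)


def parse_scan(scan_output):
    """Map each path the scanner reported (lower-cased) to its detection name."""
    detections = {}
    for line in scan_output.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            detections[m.group("path").lower()] = m.group("name") or m.group("tag")
    return detections


def entry_target(line):
    """Return the file an HJT entry loads: absolute path if present, else bare name."""
    m = PATH_RE.search(line)
    if m:
        return m.group(0)
    m = BARE_RE.search(line)
    return m.group(1) if m else None


def triage(hjt_log, scan_output):
    """Return a Finding for every HJT entry that deserves a second look."""
    detections = parse_scan(scan_output)
    by_name = {p.rsplit("\\", 1)[-1]: d for p, d in detections.items()}
    findings = []
    for line in filter(None, hjt_log.splitlines()):
        entry = line.split(" - ", 1)[0]
        reasons = []
        # F2: Windows starts every program listed after Shell=, not just Explorer.
        if entry == "F2" and "Shell=" in line:
            shell = [t.lower() for t in line.split("Shell=", 1)[1].split()]
            if shell != ["explorer.exe"]:
                reasons.append("system.ini Shell= loads an extra program")
        # O23: the SvcProc loader in this thread had no vendor string.
        if entry == "O23" and " - Unknown owner - " in line:
            reasons.append("service with no vendor")
        target = entry_target(line)
        if target:
            key = target.lower()
            if key in detections:
                reasons.append("scanner: " + detections[key])
            elif "\\" not in key and key in by_name:
                reasons.append("scanner (by name): " + by_name[key])
        if reasons:
            findings.append(Finding(entry, "; ".join(reasons), line))
    return findings
```

On the sample, the F2 hook, the Bolger BHO and the SvcProc service are flagged while the Adobe BHO and DefWatch pass; the eII.exe and extredir.exe Run entries are not flagged because the scanner never named them, which is exactly where a helper's judgment still had to fill in.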
#23

Registered User
Join Date: Apr 2005
Posts: 14
OS: WinXP
Hi,
I have now completed all of the steps listed. Here are the new FindIt and HJT logs. Many thanks for your help on this.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidence
Even then back them up first

»»»»»»»»»»»»»»»»»»»»»»»» Possible SAHAgent Files found »»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 Volume in drive C has no label.
 Volume Serial Number is 841C-FF6B
 Directory of C:\WINDOWS\system32
 Volume in drive C has no label.
 Volume Serial Number is 841C-FF6B
 Directory of C:\WINDOWS\SYSTEM32
 Volume in drive C has no label.
 Volume Serial Number is 841C-FF6B
 Directory of C:\WINDOWS\SYSTEM

-----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 17:36:59, on 22/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\PayPal\Payment Wizard\Outlook Express\OEHook.exe
C:\Documents and Settings\Lisa and Jimmy\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.co.uk/ws/eBayISAPI.dll?MyeBay
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PayPal Plug-In for Outlook Express.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
#24

Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Lisa:

Click Start...Run...type in regedit. Navigate to each of the following keys and delete the folder/entry in red.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon\Driver SZ DrPMon.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon\Driver SZ DrPMon.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon\Driver SZ DrPMon.dll

Your current logs are clean. Any more issues? If not you should be set. Disable System Restore and then re-enable it and create a new restore point, as this will clean the infection out of your restore folders. It's also CRITICAL for you to visit the Windows Update page on the Microsoft site and install the service packs for both XP and IE6. Failing to do this will result in another infection. Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommended programs and methods to protect yourself!
Last edited by MicroBell; 04-22-2005 at 02:54 PM.