Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: resolved spyware and popup issues.
#1 - 06-26-2005, 09:49 PM - lostxn (Registered User; Join Date: Jun 2005; Posts: 32; OS: XP)

Antivirus Gold/Yahoo.com Issue

Hello,

I managed to get into the Antivirus Gold trojan, but removed that by reading the threads. I am still having issues with search sites such as Yahoo! and Google. Both sites seem to search incorrectly and on Yahoo!, the "popular" searches show XXX information and spyware this and that. The links that used to go to "Movies" now go to a "Search" page that has nothing but ads, but in the search engine format (very strange and frustrating). Also, the links at the top of Yahoo! do not function. The Yahoo! Spyware software no longer works and crashes when I use it even after re-installing it. One more observation: the Yahoo! home page I used to get (http://www.yahoo.com) used to show the Yahoo! icon, but with a little DSL and SBC on either side. No longer. The http://my.yahoo.com page works fine and shows no ill effect. As I said before, the same type of issues are happening on Google as well. I had to use Metacrawler to find this forum and register. Please help; the log is below. Thanks.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:33:59 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Windows Media Connect\mswmcls.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\Time Sync\time.exe
C:\WINDOWS\system32\DNSLoadTester.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\WINDOWS\system32\sccsprx3.exe
C:\Documents and Settings\John Rutherford\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.78 www.google.co.uk
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.ca
O1 - Hosts: 213.219.251.78 google.ca
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.78 google.es
O1 - Hosts: 213.219.251.78 www.google.de
O1 - Hosts: 213.219.251.78 google.de
O1 - Hosts: 213.219.251.78 www.google.fr
O1 - Hosts: 213.219.251.78 google.fr
O1 - Hosts: 213.219.251.78 www.google.com.au
O1 - Hosts: 213.219.251.78 google.com.au
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 213.219.251.79 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 www.msn.com
O1 - Hosts: 213.219.251.80 msn.com
O1 - Hosts: 213.219.251.80 search.msn.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - blank (file missing)
O2 - BHO: XNetIEObj Class - {1808648B-3102-4293-8AD3-06AF71D3321B} - blank (file missing)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [hmnjdzev] C:\WINDOWS\system32\ixgqakik.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [Time Sync] C:\Program Files\Time Sync\time.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DNSLoadTester] C:\WINDOWS\system32\DNSLoadTester.exe -run http://oss-content.marketscore.com/dnstest/
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [H0oFRTjnR] sccsprx3.exe
O4 - HKCU\..\Run: [Media Server] C:\Program Files\SMC Networks, Inc\SMCWMR-AG\MediaServer.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O15 - Trusted Zone: http://acs.pandasoftware.com
O15 - Trusted Zone: http://activescan.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.es
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plug...fit3dWorld.CAB
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vto_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/game.../y/t21t0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/game...ts/y/dt0_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093973968515
O16 - DPF: {9D2EFAC0-0E07-4DA6-908D-54B6EA68D3EE} (SQuidPlayerX Element) - http://www.browserbob.com/squidplaye...erXControl.ocx
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - https://streaming.endeavors.com/micr...loads/OTAI.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoftware.com/ActiveS.../ASPROinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe


End of KRC HijackThis Analyzer Log.
====================================================================
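The log above shows the pattern behind the symptoms the poster describes: the O1 lines are hosts-file overrides that send google, yahoo and msn domains to 213.219.251.x instead of letting DNS resolve them, so both browsers and search pages land on whatever is served at those addresses. The following script is an added example (not a tool from this thread or from the HijackThis project) that triages a HijackThis log for exactly the entry types seen here: hosts overrides of public domains, O2/O3 registrations whose file is missing, O4 Run entries that name a bare executable with no path, and O15 Trusted Zone additions. The sample lines are a constructed subset of the posted log plus one benign localhost line; the category names in the result dictionary are this example's own.

```python
"""Triage a HijackThis (HJT) log for hosts-file hijacks and related entries.
Added example for this thread; not a tool from the page."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log posted above, plus a
# benign localhost line so the hosts filter has something to let through.
SAMPLE_LOG_LINES = [
    "O1 - Hosts: 127.0.0.1 localhost",
    "O1 - Hosts: 213.219.251.78 www.google.com",
    "O1 - Hosts: 213.219.251.78 google.com",
    "O1 - Hosts: 213.219.251.79 www.yahoo.com",
    "O1 - Hosts: 66.218.75.184 mail.yahoo.com",
    "O1 - Hosts: 213.219.251.80 search.msn.com",
    "O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - blank (file missing)",
    r"O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx (file missing)",
    r"O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart",
    r"O4 - HKCU\..\Run: [H0oFRTjnR] sccsprx3.exe",
    "O15 - Trusted Zone: http://www.pandasoftware.com",
]

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
FILE_MISSING_RE = re.compile(r"^O[23] - .*\(file missing\)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\]\s+(.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone:\s+(\S+)")


def is_local(ip: str) -> bool:
    """True for loopback/unspecified addresses, the only ones a stock hosts file maps."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def triage(lines):
    """Group the suspicious entries of an HJT log by category (names are this example's own)."""
    hosts = defaultdict(list)
    findings = {"file_missing": [], "pathless_run": [], "trusted_zone": []}
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if not is_local(ip):            # a public domain pinned to an IP bypasses DNS
                hosts[ip].append(host)
            continue
        if FILE_MISSING_RE.match(line):     # leftover BHO/toolbar registration
            findings["file_missing"].append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            exe = command.split()[0].strip('"')
            if "\\" not in exe and "/" not in exe:   # bare name: found via the search path
                findings["pathless_run"].append((hive, name, exe))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings["trusted_zone"].append(m.group(1))
    findings["hosts_redirects"] = dict(hosts)
    return findings


def hijacked_domains(findings):
    """Every domain that the hosts file redirects away from DNS, sorted."""
    return sorted(h for hosts in findings["hosts_redirects"].values() for h in hosts)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG_LINES)
    for ip, names in result["hosts_redirects"].items():
        print(f"hosts redirect -> {ip}: {', '.join(names)}")
    for key in ("file_missing", "pathless_run", "trusted_zone"):
        for item in result[key]:
            print(f"{key}: {item}")
```

The hosts check deliberately flags every non-loopback mapping rather than only known-bad addresses: a hosts entry for a public domain bypasses DNS whatever the IP, which is why the helper's fix below simply restores the original hosts file instead of judging each address.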
#2 - 06-27-2005, 03:26 PM - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479; OS: N/A)

Hi and Welcome to TSF!

Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the proceeding page, make sure Instant notification by email is selected, then click Add subscription.

In the meanwhile, I suggest that you stop using Internet Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me.

Enable the viewing of Hidden files

Windows XP/2000
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Select the Show hidden files and folders option.
  • Deselect the Hide file extensions for known types option.
  • Deselect the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

=============

Download CleanUp! - Install but do not run it yet.

Download Hoster - Save to desktop.

Download KillBox v2.0.0.175 - Save to desktop.

Download DelO15Domains.inf - Right click & choose "Save As...". Save it to Desktop as DelO15Domains.inf.

Download Smitfraud.reg - Right click & choose "Save As...". Save it to Desktop as Smitfraud.reg.

Disconnect from the internet & close all browsers.


=============

Some Anti-Spyware Programmes are known to interfere with HJT fixes. If you have these programmes, please disable them by doing so ...

Search & Destroy Spybot's TeaTimer
  • Go to Tools>Resident - Deselect TeaTimer.

Microsoft AntiSpyware
  • Click on Options>Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup.
  • Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection.
  • After you've done these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Webroot SpySweeper
  • Go to the Options>Program Options.
  • Deselect Load at Windows Startup.
  • Click Shields and Deselect all items there.
  • Deselect Home page shield.
  • Deselect Automatically restore default without notification.

Ad-aware's Ad-Watch
  • Right-click on the Ad-Watch icon in the system tray
    At the bottom of the screen you will see 2 options Active and Automatic.
  • Deselect Active
  • Deselect Automatic
  • Go to "Tools & Preferences">Options
  • Deselect "Load Ad-Watch at Windows startup"

=============

Uninstall the following programs using Control Panel>Add/Remove Programs :
  • Security IGuard
    Virtual Maid
    Search Maid
    AntivirusGold
    WildTangent

=============

Double click on Smitfraud.reg and answer "Yes" when prompted to merge into the registry.

Right click on your Desktop and go to Properties. Next go to Desktop tab>Customize Desktop button>Web tab. Uncheck everything listed there. Then delete all the entries listed except for "My Current Home Page".


=============

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
  • C:\Program Files\Time Sync\time.exe
    C:\WINDOWS\system32\DNSLoadTester.exe
    C:\WINDOWS\system32\sccsprx3.exe
    C:\WINDOWS\system32\azesearch4.ocx
    C:\WINDOWS\system32\ixgqakik.exe
    C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll
    C:\WINDOWS\System32\hp596C.tmp
    C:\WINDOWS\System32\hp5F27.tmp
    C:\WINDOWS\System32\hpC776.tmp
    C:\WINDOWS\System32\hookdump.exe
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\WINDOWS\sites.ini
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system32\hhk.dll
    C:\WINDOWS\System32\helper.exe
    C:\WINDOWS\System32\intmonp.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\ole32vbs.exe
    C:\WINDOWS\system32\msole32.exe
    C:\WINDOWS\System32\shnlog.exe
    C:\WINDOWS\System32\intmon.exe
    C:\WINDOWS\System32\msmsgs.exe
    C:\WINDOWS\System32\LogFiles\A5281300.so
    C:\WINDOWS\System32\winnook.exe
    C:\WINDOWS\desktop.html
    C:\WINDOWS\screen.html
    C:\WINDOWS\zloader3.exe
    C:\WINDOWS\system32\oleadm.dll
    C:\WINDOWS\system32\oleadm32.dll

Start KillBox.
  1. Go to the File menu, and choose "Paste from Clipboard".
    Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister.dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


=============

Reboot to Safe Mode
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
    Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

=============

Close all other windows.
Run a HiJackThis Scan
& Select(tick) the following, if present:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 213.219.251.78 www.google.com
O1 - Hosts: 213.219.251.78 google.com
O1 - Hosts: 213.219.251.78 www.google.co.uk
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.ca
O1 - Hosts: 213.219.251.78 google.ca
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.78 google.es
O1 - Hosts: 213.219.251.78 www.google.de
O1 - Hosts: 213.219.251.78 google.de
O1 - Hosts: 213.219.251.78 www.google.fr
O1 - Hosts: 213.219.251.78 google.fr
O1 - Hosts: 213.219.251.78 www.google.com.au
O1 - Hosts: 213.219.251.78 google.com.au
O1 - Hosts: 213.219.251.79 www.yahoo.com
O1 - Hosts: 213.219.251.79 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O1 - Hosts: 213.219.251.80 www.msn.com
O1 - Hosts: 213.219.251.80 msn.com
O1 - Hosts: 213.219.251.80 search.msn.com
O1 - Hosts: 213.219.251.80 www.search.msn.com
O1 - Hosts: 213.219.251.80 go.com
O1 - Hosts: 213.219.251.80 www.go.com
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - blank (file missing)
O2 - BHO: XNetIEObj Class - {1808648B-3102-4293-8AD3-06AF71D3321B} - blank (file missing)
O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [hmnjdzev] C:\WINDOWS\system32\ixgqakik.exe
O4 - HKLM\..\Run: [Time Sync] C:\Program Files\Time Sync\time.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DNSLoadTester] C:\WINDOWS\system32\DNSLoadTester.exe -run http://oss-content.marketscore.com/dnstest/
O4 - HKCU\..\Run: [H0oFRTjnR] sccsprx3.exe
O15 - Trusted Zone: http://acs.pandasoftware.com
O15 - Trusted Zone: http://activescan.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.pandasoftware.es


Click "Fix checked" for HJT to fix them


=============

Locate and delete the following folder(s), if present:
  • C:\Program Files\AntivirusGold\
    C:\Program Files\Search Maid\
    C:\Program Files\Virtual Maid\
    C:\Windows\System32\Log Files\
    C:\Program Files\Security iGuard\
    C:\Program Files\WildTangent\
    C:\Program Files\Time Sync\
    C:\Program Files\BazookaBar\

=============

Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen).

Run Hoster.exe. Choose the 'Restore Original Hosts' button and press OK.

Run CleanUp!...Click 'Yes' when asked to logoff.


=============

Reboot to Normal Mode.

Do an online scan at one of the following sites: Take note of the names and locations of any file it detects but fails to clean.


* Turn off the real time scanner of any existing antivirus program while performing the online scan


Reboot Again & run a new HiJackThis scan. Save the log file and run KRC HiJackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

In your next post, please include:
  • Copy of KRC HiJackThis Analyzer log
  • List of files that online scans failed to disinfect

Please provide details of any problems you encountered whilst performing the above steps.
__________________

Question - what have you done for the community today?
#3 - 06-28-2005, 09:02 AM - lostxn (Registered User; Join Date: Jun 2005; Posts: 32; OS: XP)

Thanks for the quick attention. Here is the requested information below. The only problem I ran into was pasting into Killbox. It only would paste a portion of the files you had listed. I didn't record the ones that did or didn't.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:56:05 AM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Windows Media Connect\mswmcls.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\SMC Networks, Inc\SMCWMR-AG\MediaServer.exe
C:\Documents and Settings\John Rutherford\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: FlashCooker To Go toolbar - {c03f4170-244e-464f-903e-558db9496859} - C:\Program Files\FlashCooker To Go\tbFlas.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [Media Server] C:\Program Files\SMC Networks, Inc\SMCWMR-AG\MediaServer.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - blank (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/game...s/y/blt1_x.cab
O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plug...fit3dWorld.CAB
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/game...ts/y/vto_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/game.../y/t21t0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/game...ts/y/dt0_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093973968515
O16 - DPF: {9D2EFAC0-0E07-4DA6-908D-54B6EA68D3EE} (SQuidPlayerX Element) - http://www.browserbob.com/squidplaye...erXControl.ocx
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - https://streaming.endeavors.com/micr...loads/OTAI.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/game...utLauncher.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://www.pandasoftware.com/ActiveS.../ASPROinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
O23 - Service: ASP.NET Admin Service (aspnet_admin) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe


End of KRC HijackThis Analyzer Log.
====================================================================


Bitdefender Report (taken from html - attached html as well) -

BitDefender Online Scanner - Scan Report
Scan report generated at: Mon, Jun 27, 2005 - 21:59:37

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 00:34:50
Files: 345211
Folders: 8551
Boot Sectors: 2
Archives: 2378
Packed Files: 43820

Results
Identified Viruses: 4
Infected Files: 5
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 5

Engines Info
Virus Definitions: 185777
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Documents and Settings\John Rutherford\Desktop\Applications\clipartfree.exe=>wise0051 | Detected with: Application.Adware.NewDotNet.Dropper
C:\Documents and Settings\John Rutherford\Desktop\Applications\clipartfree.exe=>wise0051 | Deleted
C:\Documents and Settings\John Rutherford\Desktop\Applications\clipartfree.exe | Update failed
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP263\A0035433.exe=>(NSIS o)=>lzma_nsis0005 | Infected with: Trojan.Clicker.Vb.EX
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP263\A0035433.exe=>(NSIS o)=>lzma_nsis0005 | Disinfection failed
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP263\A0035433.exe=>(NSIS o)=>lzma_nsis0005 | Deleted
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP263\A0035433.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP263\A0035433.exe=>(NSIS o)=>lzma_nsis0006 | Infected with: Trojan.Multidropper.NB
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP263\A0035433.exe=>(NSIS o)=>lzma_nsis0006 | Disinfection failed
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP263\A0035433.exe=>(NSIS o)=>lzma_nsis0006 | Deleted
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP263\A0035433.exe=>(NSIS o) | Update failed
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP341\A0049033.exe | Infected with: Trojan.P2e.BR
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP341\A0049033.exe | Disinfection failed
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP341\A0049033.exe | Deleted
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP341\A0049034.exe | Infected with: Trojan.P2e.BR
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP341\A0049034.exe | Disinfection failed
C:\System Volume Information\_restore{E52666EB-B6EF-42F4-A9CD-FB871736D1BA}\RP341\A0049034.exe | Deleted



Please let me know if you need anything else or more information. Thanks again!

-Lostxn
#4 - 06-28-2005, 09:51 AM - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479; OS: N/A)

Your log is clean. Well done
Do you have any more problems with your computer? If not, you should be set to go.

However, there still remains a few bits of housekeeping ...

Reset hidden/system files and folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

Enable Windows Auto Update
  • Go to Start > Settings > Control Panel > System > Automatic Updates
  • tick on the checkbox - "Keep my computer up to date"
  • Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
  • Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use: and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.


In light of your recent hiccup, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
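The verdict "Your log is clean" in the post above rests on comparing the second HijackThis log with the first: every entry ticked for "Fix checked" in post #2 must be gone, and anything that appeared in between (here the FlashCooker toolbar and the BitDefender scanner leftovers) deserves a look. The script below is an added example (not a tool from this thread or from HijackThis) that does that comparison mechanically. Its three sample logs are constructed subsets of the logs and fix list posted in this thread; entry lines are compared case-insensitively because Windows paths and registry keys are, and the result keys are this example's own.

```python
"""Verify a HijackThis fix by diffing the before and after logs against the
list of entries that were ticked for "Fix checked".
Added example for this thread; not a tool from the page."""
import re

# HJT entry lines start with a section tag such as R0, F2, O1, O4 or O23.
ENTRY_RE = re.compile(r"^(?:R\d|F\d|O\d{1,2}) - ")

# Constructed samples: small subsets of the two logs posted in this thread.
BEFORE_LOG = [
    "Running processes:",
    r"C:\WINDOWS\system32\sccsprx3.exe",
    "O1 - Hosts: 213.219.251.78 www.google.com",
    "O1 - Hosts: 213.219.251.78 google.com",
    r"O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx (file missing)",
    r"O4 - HKLM\..\Run: [hmnjdzev] C:\WINDOWS\system32\ixgqakik.exe",
    r"O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart",
    "O15 - Trusted Zone: http://www.pandasoftware.com",
]
AFTER_LOG = [
    "Running processes:",
    r"O3 - Toolbar: FlashCooker To Go toolbar - {c03f4170-244e-464f-903e-558db9496859} - C:\Program Files\FlashCooker To Go\tbFlas.dll",
    r"O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart",
    r"O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
]
# Subset of the entries the helper asked to tick in post #2.
FIX_LIST = [
    "O1 - Hosts: 213.219.251.78 www.google.com",
    "O1 - Hosts: 213.219.251.78 google.com",
    r"O3 - Toolbar: AZE Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch4.ocx (file missing)",
    r"O4 - HKLM\..\Run: [hmnjdzev] C:\WINDOWS\system32\ixgqakik.exe",
    "O15 - Trusted Zone: http://www.pandasoftware.com",
]


def entries(lines):
    """Map a comparison key to the original text of every HJT entry line.
    Whitespace is collapsed (copy/paste damage) and the key is casefolded,
    since Windows paths and registry keys are case-insensitive."""
    out = {}
    for raw in lines:
        line = " ".join(raw.split())
        if ENTRY_RE.match(line):
            out[line.casefold()] = line
    return out


def compare_logs(before, after, fixed):
    """Report which ticked entries survived, what disappeared and what is new."""
    b, a, f = entries(before), entries(after), entries(fixed)
    still_present = sorted(a[k] for k in f if k in a)
    return {
        "still_present": still_present,                    # ticked but still in the new log
        "removed": sorted(b[k] for k in b if k not in a),  # gone since the fix
        "new": sorted(a[k] for k in a if k not in b),      # appeared since the fix
        "clean": not still_present,
    }


if __name__ == "__main__":
    report = compare_logs(BEFORE_LOG, AFTER_LOG, FIX_LIST)
    print("fix complete:", report["clean"])
    for key in ("still_present", "removed", "new"):
        for line in report[key]:
            print(f"{key}: {line}")
```

"new" is the list worth reading by hand: an entry that was not in the first log is not automatically bad, but it was not covered by the fix either, which is exactly the case of the FlashCooker toolbar in the second log above.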
#5 - 06-28-2005, 11:13 AM - lostxn (Registered User; Join Date: Jun 2005; Posts: 32; OS: XP)

Hey thanks a lot. One issue though. When following your clean-up advice, the system restore part, I ran into the following error:

RUNDLL:

An exception occurred while trying to run "shell32.dll,Control_RunDLL "C:\WINDOWS\system32\SYSDM.CPL","

Everything else seems to be running like a champ. Thanks for all the continuing support.

-Lostxn
#6 - 06-28-2005, 11:31 AM - sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479; OS: N/A)

Here's an alternate method of clearing System Restore's cache.
Quote:
Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Then turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.
Copyright 2001 - 2009, Tech Support Forum