Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads


Resolved HJT Threads Resolved spyware and popup issues.

 
 
07-15-2005, 01:21 PM, post #1 by Thepunkinator (Join Date: May 2005; Posts: 18; OS: XP)

Here we go again!

Well guys, it's been a while since I've been here, but it seems I've gotten one of those nasty hijackers back! Here's my log. Any help is greatly appreciated!

------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:16:52 PM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\javamn.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\apiys.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darrell Miley\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {08BE22CD-C122-B80D-DF7B-507913C3706E} - C:\WINDOWS\ietr.dll
O2 - BHO: Class - {D6EF05C6-13C4-35B7-58BF-46C5B6FB102B} - C:\WINDOWS\netgg.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [javamn.exe] C:\WINDOWS\system32\javamn.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\RunOnce: [javasy32.exe] C:\WINDOWS\javasy32.exe
O4 - HKLM\..\RunOnce: [apiys.exe] C:\WINDOWS\apiys.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
07-15-2005, 06:41 PM, post #2 by Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team (Join Date: Jan 2005; Location: Ohio; Posts: 24,048; OS: WinXP and Vista)

Hello Thepunkinator,

Please print out or copy this page to Notepad, since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are listed below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

Download AboutBuster 5 www.malwarebytes.biz/AboutBuster5.zip and uncompress the files to a folder on your Desktop. Run AboutBuster and click OK. Click the Update button to see if there are any updates. Close the program now.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one if they are still listed (they shouldn't be - but double check it):(You must kill them one at a time).

C:\WINDOWS\system32\javamn.exe
C:\WINDOWS\apiys.exe


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {08BE22CD-C122-B80D-DF7B-507913C3706E} - C:\WINDOWS\ietr.dll
O2 - BHO: Class - {D6EF05C6-13C4-35B7-58BF-46C5B6FB102B} - C:\WINDOWS\netgg.dll
O4 - HKLM\..\Run: [javamn.exe] C:\WINDOWS\system32\javamn.exe
O4 - HKLM\..\RunOnce: [javasy32.exe] C:\WINDOWS\javasy32.exe
O4 - HKLM\..\RunOnce: [apiys.exe] C:\WINDOWS\apiys.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


Using Windows Explorer, delete the following Files indicated in RED if they still exist:

C:\WINDOWS\iswiw.dll
C:\WINDOWS\ietr.dll
C:\WINDOWS\netgg.dll
C:\WINDOWS\system32\javamn.exe
C:\WINDOWS\javasy32.exe
C:\WINDOWS\apiys.exe

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Reboot into Normal Mode. Run a scan with HijackThis and post the log here as well.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
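As an added example (my code, not code from the forum, from HijackThis or from the helper above), here is a small Python triage script that applies the kind of rules the fix list above relies on to HijackThis log lines: R0/R1 entries redirected to a res:// resource inside a local DLL, an about:blank start page seen alongside such redirects, a missing URLSearchHook, O2 BHOs with no proper name or living directly in C:\WINDOWS, O4 autoruns launching executables from C:\WINDOWS or from System32 outside an assumed allowlist, and O16 download objects pointing at file:// paths. The sample lines are constructed from the first log above plus a few benign entries; the directory rules, the allowlist and the wording of the reasons are my assumptions, not HijackThis behaviour.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed locations and allowlist (not part of HijackThis): autoruns launched from
# these directories get extra scrutiny because the hijacker's components in the
# log above all lived there under random names (javamn.exe, apiys.exe, iswiw.dll).
WINDOWS_ROOT = "c:\\windows"
SYSTEM32 = "c:\\windows\\system32"
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}  # assumption: known-good System32 autorun names

# Constructed sample: entries taken from the first log posted above plus benign ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iswiw.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {08BE22CD-C122-B80D-DF7B-507913C3706E} - C:\WINDOWS\ietr.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [javamn.exe] C:\WINDOWS\system32\javamn.exe
O4 - HKLM\..\RunOnce: [apiys.exe] C:\WINDOWS\apiys.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
"""

R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (?P<url>\S+)$")
# First drive-letter path ending in .exe/.dll inside an autorun command line.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll))', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def _in_dir(path, directory):
    return ntpath.dirname(path).lower() == directory


def triage(log_text):
    """Return the log lines a reviewer should look at first, each with a reason."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # about:blank is normal on its own; only treat it as a symptom when the same
    # log also shows res:// redirects, as in the log above.
    res_seen = any(ln.startswith("R") and "= res://" in ln for ln in lines)
    findings = []
    for ln in lines:
        m = R_RE.match(ln)
        if m:
            value = m.group("value")
            if value.lower().startswith("res://"):
                findings.append(Finding(ln, "IE search/start page redirected into a local DLL resource"))
            elif value == "about:blank" and res_seen and "Default_Page_URL" in m.group("key"):
                findings.append(Finding(ln, "about:blank start page alongside res:// redirects"))
            continue
        if ln.startswith("R3 - Default URLSearchHook is missing"):
            findings.append(Finding(ln, "default URLSearchHook removed"))
            continue
        m = O2_RE.match(ln)
        if m:
            if m.group("name") == "Class" or _in_dir(m.group("path"), WINDOWS_ROOT):
                findings.append(Finding(ln, "BHO with generic name or DLL directly in the Windows folder"))
            continue
        m = O4_RE.match(ln)
        if m:
            p = PATH_RE.search(m.group("cmd"))
            if p and p.group("path").lower().endswith(".exe"):
                exe = p.group("path")
                if _in_dir(exe, WINDOWS_ROOT):
                    findings.append(Finding(ln, "autorun executable directly in the Windows folder"))
                elif _in_dir(exe, SYSTEM32) and ntpath.basename(exe).lower() not in KNOWN_SYSTEM32_AUTORUNS:
                    findings.append(Finding(ln, "autorun executable in System32 not on the allowlist"))
            continue
        m = O16_RE.match(ln)
        if m and m.group("url").lower().startswith("file://"):
            findings.append(Finding(ln, "ActiveX download object pointing at a local file:// path"))
    return findings


def flagged_lines(log_text):
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the entries the helper put on the fix list (the res:// redirects, the about:blank page, the missing hook, the nameless BHO, javamn.exe, apiys.exe and the file:// DPF) and leaves ctfmon.exe, the ZoneAlarm and NVIDIA autoruns and the PCTools BHO alone. The allowlist is the weak spot of any such rule set: a real triage keeps it short and treats "not on the list" as "look closer", not as "delete".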
07-16-2005, 06:57 AM, post #3 by Thepunkinator (Join Date: May 2005; Posts: 18; OS: XP)

Here ya go.

----------
Logfile of HijackThis v1.99.1
Scan saved at 9:55:39 AM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Darrell Miley\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
07-16-2005, 07:05 PM, post #4 by Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team (Join Date: Jan 2005; Location: Ohio; Posts: 24,048; OS: WinXP and Vista)

Nice job! Although your HijackThis log is clean, I'm still concerned there may be files hiding.

Run an online scan at http://www.pandasoftware.com/activescan/

Save the results from the scan and post them here.
07-17-2005, 05:04 AM, post #5 by Thepunkinator (Join Date: May 2005; Posts: 18; OS: XP)

Here's the log from Panda.
-----------------------


Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Darrell Miley\Application Data\onar.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Darrell Miley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-15e7fb5b.zip[Dummy.class]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Trash[~000060.@x@]
Virus:Trj/Downloader.AEE Disinfected C:\Documents and Settings\Darrell Miley\Desktop\backups\backup-20050716-094932-122.inf
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\ainlnhh9\ainlnhh9.exe
Possible Virus. No disinfected C:\Program Files\ainlnhh9\uhc1ap0d.DLL
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\2.bin\NPMYSRCH.DLL
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\2.bin\S42NS.EXE
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevant\SearchRelevant.dll
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevant\uninstall.exe
Adware:Adware/WebSpecials No disinfected C:\Program Files\WebSpecials\uninst.exe
Adware:Adware/WebSpecials No disinfected C:\Program Files\WebSpecials\webspec.dll
Adware:Adware/Startpage.VQ No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc11.dll
Adware:Adware/Startpage.VQ No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc18.dll
Virus:Trj/Agent.ACM Disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc19.exe
Virus:Trj/Agent.ACM Disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc21.exe
Virus:Trj/Agent.ACM Disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc22.exe
Virus:Trj/Agent.ACM Disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc24.exe
Adware:Adware/Startpage.VQ No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc30.dll
Virus:Trj/Agent.ACM Disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc34.exe
Virus:Trj/Agent.ACM Disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc35.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\addix32.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\apixj.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\d3mw.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\javaou.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\msaq32.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\ntis.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\sysdd32.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\system32\14yf08fg.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\system32\addmh32.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\system32\applm32.exe
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\system32\appyv32.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\Cache\InstallAPS.exe
Virus:Trj/CPR.A Disinfected C:\WINDOWS\system32\Cache\setup.exe
Virus:Trj/Downloader.AZI Disinfected C:\WINDOWS\system32\Cache\SSK_B5 MVSSK 3.EXE
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\Cache\thin-8-3-x-x.exe
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\system32\hookdump.exe
Possible Virus. No disinfected C:\WINDOWS\system32\jlra.dll
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\system32\sysbz32.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\??plorer.exe
07-17-2005, 09:35 AM, post #6 by Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team (Join Date: Jan 2005; Location: Ohio; Posts: 24,048; OS: WinXP and Vista)

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

AntiVirus Gold
MySearch
SearchRelevant
WebSpecials
ainlnhh9


Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\Documents and Settings\Darrell Miley\Application Data\onar.exe
C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Trash[~000060.@x@]
C:\Program Files\ainlnhh9\ainlnhh9.exe
C:\Program Files\MySearch\bar\2.bin\NPMYSRCH.DLL
C:\Program Files\MySearch\bar\2.bin\S42NS.EXE
C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
C:\Program Files\SearchRelevant\SearchRelevant.dll
C:\Program Files\SearchRelevant\uninstall.exe
C:\Program Files\WebSpecials\uninst.exe
C:\Program Files\WebSpecials\webspec.dll
C:\WINDOWS\system32\14yf08fg.exe
C:\WINDOWS\system32\Cache\InstallAPS.exe
C:\WINDOWS\system32\Cache\thin-8-3-x-x.exe
C:\WINDOWS\system32\hookdump.exe
C:\WINDOWS\system32\jlra.dll
C:\WINDOWS\system32\sysbz32.exe
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\system32\??plorer.exe


Using Windows Explorer, delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Documents and Settings\Darrell Miley\Application Data\onar.exe
C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Trash[~000060.@x@]
C:\WINDOWS\system32\14yf08fg.exe
C:\WINDOWS\system32\Cache\InstallAPS.exe
C:\WINDOWS\system32\Cache\thin-8-3-x-x.exe
C:\WINDOWS\system32\hookdump.exe
C:\WINDOWS\system32\jlra.dll
C:\WINDOWS\system32\sysbz32.exe
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\system32\??plorer.exe --Careful here--those ?? could be any character.
C:\Program Files\AntiVirus Gold
C:\Program Files\ainlnhh9
C:\Program Files\MySearch\bar\2.bin\NPMYSRCH.DLL
C:\Program Files\SearchRelevant
C:\Program Files\WebSpecials

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Reboot into Normal Mode.

Run another scan with Panda ActiveScan and save the log.
Restart and post a new HijackThis log along with the results from ActiveScan.
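As an added example (my code, not the forum's and not Panda's), here is a Python script that turns an ActiveScan report in the "Incident Status Location" format posted above into the kind of worklist the helper builds by hand: items already marked Disinfected need no manual action, and the rest are sorted into plain files, items inside the Recycle Bin under C:\RECYCLER (emptying the bin takes care of those), members of container files such as the Inbox[...] mail-store entries and archives, names containing ? or * that cannot be typed literally, and files under C:\Program Files whose top-level folder is a candidate for Add/Remove Programs or folder deletion. The category names and classification rules are my assumptions; the sample report lines are constructed from the scan above.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the ActiveScan report format posted above (a subset of the entries).
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Darrell Miley\Application Data\onar.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Darrell Miley\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-15e7fb5b.zip[Dummy.class]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\ainlnhh9\ainlnhh9.exe
Possible Virus. No disinfected C:\Program Files\ainlnhh9\uhc1ap0d.DLL
Adware:Adware/MyWay No disinfected C:\Program Files\MySearch\bar\2.bin\S4BAR.DLL
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevant\SearchRelevant.dll
Adware:Adware/WebSpecials No disinfected C:\Program Files\WebSpecials\webspec.dll
Adware:Adware/Startpage.VQ No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc11.dll
Virus:Trj/Agent.ACM Disinfected C:\WINDOWS\apixj.exe
Adware:Adware/Antivirus-gold No disinfected C:\WINDOWS\system32\hookdump.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\??plorer.exe
"""

# One report line: <detection> <status> <location>. The status is a fixed phrase, so
# the detection name (which may contain spaces, e.g. "Possible Virus.") is matched lazily.
LINE_RE = re.compile(
    r"^(?P<kind>\S.*?) (?P<status>No disinfected|Disinfected) (?P<path>[A-Za-z]:\\.*)$"
)
PROGRAM_FILES = "c:\\program files\\"


def parse_report(text):
    """Return one dict (kind, status, path) per incident line; header/blank lines are skipped."""
    incidents = []
    for ln in text.splitlines():
        m = LINE_RE.match(ln.strip())
        if m:
            incidents.append(m.groupdict())
    return incidents


def classify(path):
    """Assumed handling categories for an item the scanner could not clean."""
    low = path.lower()
    if low.startswith("c:\\recycler\\"):
        return "recycle_bin"        # already deleted by the user; emptying the bin removes it
    if path.endswith("]") and "[" in path:
        return "container_member"   # bracketed part is an item inside a mailbox/archive file
    if any(c in ntpath.basename(path) for c in "?*"):
        return "wildcard_name"      # the reported name is not literal; locate it manually
    if low.startswith(PROGRAM_FILES):
        return "program_folder"     # belongs to an installed product; uninstall or delete the folder
    return "file"


def program_folder(path):
    """Top-level folder under Program Files, the unit to uninstall or delete."""
    return path[len(PROGRAM_FILES):].split("\\", 1)[0]


def build_worklist(text):
    """Group incidents by what the person cleaning the machine has to do about them."""
    work = defaultdict(list)
    folders = set()
    for inc in parse_report(text):
        if inc["status"] == "Disinfected":
            work["already_disinfected"].append(inc["path"])
            continue
        category = classify(inc["path"])
        work[category].append(inc["path"])
        if category == "program_folder":
            folders.add(program_folder(inc["path"]))
    work["uninstall_candidates"] = sorted(folders, key=str.lower)
    return dict(work)


if __name__ == "__main__":
    for category, items in build_worklist(SAMPLE_REPORT).items():
        print(category)
        for item in items:
            print("   ", item)
```

The container_member category deserves a second look before anything is deleted: the part in brackets names an item inside the file, so the path in front of the bracket is the whole mailbox or archive, not just the flagged message. The uninstall_candidates list reproduces the helper's Add/Remove step from the report alone (ainlnhh9, MySearch, SearchRelevant, WebSpecials).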
07-17-2005, 02:36 PM, post #7 by Thepunkinator (Join Date: May 2005; Posts: 18; OS: XP)

Ok here we go. I forgot to empty the recycle bin before I ran the Panda scan so some of those files showed up in the scan.

Panda Scan
----------------------------------------

Incident Status Location

Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Trash[~000060.@x@]
Adware:Adware/Startpage.VQ No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc11.dll
Adware:Adware/Startpage.VQ No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc18.dll
Adware:Adware/Startpage.VQ No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc30.dll
Adware:Adware/PurityScan No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc34.exe
Adware:Adware/NetPals No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc35.exe
Adware:Adware/PortalScan No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc36.exe
Spyware:Spyware/BetterInet No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc37.exe
Adware:Adware/Antivirus-gold No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc38.exe
Possible Virus. No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc39.dll
Adware:Adware/SAHAgent No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc40.dll
Adware:Adware/SAHAgent No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc41.dll
Spyware:Spyware/ClearSearch No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc42\ainlnhh9.exe
Possible Virus. No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc42\uhc1ap0d.DLL
Adware:Adware/MyWay No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc43\bar\2.bin\S4BAR.DLL
Adware:Adware/WebSpecials No disinfected C:\RECYCLER\S-1-5-21-1390067357-1450960922-682003330-1004\Dc44\uninst.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\??plorer.exe

HJT Log
---------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:33:11 PM, on 7/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Documents and Settings\Darrell Miley\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks!!
Thepunkinator is offline  
Old 07-17-2005, 02:40 PM   #8 (permalink)
I helped the forums.
 
Join Date: May 2005
Posts: 18
OS: XP


Also the two files in the Firebird directory and the ??plorer.exe I was unable to find to delete. Thanks again!!
Thepunkinator is offline  
Old 07-18-2005, 01:28 AM   #9 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,965
OS: Windows XP-Pro SP2


Please visit this website - virusscan.jotti.org
Submit these file(s) for a comprehensive scan & then post the results back here.

C:\WINDOWS\SYSTEM32\Winlognotif.dll

Since you had the AntiVirus Gold infection please run the following fix.


Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder
MicroBell is offline  
Old 07-18-2005, 11:14 AM   #10 (permalink)
I helped the forums.
 
Join Date: May 2005
Posts: 18
OS: XP


Ok, all done with the latest sweep. Here are the logs!

Jotti:
---------------
jotti.org scan result:
----------------------------------
File: Winlognotif.dll
Status:
OK
MD5 4572fd08f8d0e338ada4d81cf4d94289
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

--------------
ewido log
--------------
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:00:40 PM, 7/18/2005
+ Report-Checksum: 2E838479

+ Scan result:

C:\Program Files\AC Tool\ACTool.exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned without backup
C:\Program Files\AT&T Network Client\NetClient.dll -> Heuristic.Win32.Dialer : Cleaned without backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned without backup
C:\WINDOWS\doom3.ini:pruscj -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\wininit.ini:xkwawt -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_default.pif:deeiip -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_default.pif:yehxji -> Trojan.Agent.bi : Cleaned without backup
C:\WINDOWS\_default.pif:yklbag -> Trojan.Agent.bi : Cleaned without backup


::Report End

------------------------
Panda
------------------------

Incident Status Location

Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Trash[~000060.@x@]
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\??plorer.exe

-------------------------
HJT
-------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:10:13 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\sdwork\issimsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darrell Miley\Desktop\Security and Spyware Programs\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TNE~1\NetCfgSv.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks guys!!!
Thepunkinator is offline  
Old 07-18-2005, 12:10 PM   #11 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,422
OS: XP SP2


Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose YES when it informs you the file will be deleted on reboot. Choose NO when it asks if you want to reboot):

C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Trash[~000060.@x@]
C:\WINDOWS\system32\??plorer.exe


Reboot now.

Make sure those files no longer exist on your system. Run a new Panda Scan when complete.

I'd like to discuss Download Accelerator Plus (DAP) with you. I have quoted part of the product's Privacy Statement and would like you to review it, and perhaps consider removing the program. I'll leave the decision to you.

Quote:
Advertisements

During the use of the Product, Services and/or Add-Ons, you may be shown advertising, marketing offers, and other promotional information, made available by SpeedBit or by third parties.

This Agreement does not cover the information practices exercised by other providers of products or services, advertisers, or other websites. SpeedBit is not responsible for the privacy practices exercised by any such providers. Please consult the privacy statement of these providers to learn more about their privacy practices.

Unless otherwise stated, SpeedBit has no ownership or interest in any products, services, or other advertised items and does not check, verify or moderate the content or the nature of the advertisements or the products and services advertised on the Product or through the Services. SpeedBit makes no warranty, either express or implied, as to these other products, services, or other advertised items and the use thereof. Advertisements are shown by using your Internet connection. SpeedBit may use an embedded Internet Explorer web browser control, email or any other methods to show advertisements. You hereby acknowledge and agree to SpeedBit's advertising practices as described hereunder.
__________________


POADB is offline  
Old 07-18-2005, 12:25 PM   #12 (permalink)
I helped the forums.
 
Join Date: May 2005
Posts: 18
OS: XP


I'm running the Panda scan now and will post the results. As for the DAP issue, I thought I had uninstalled that long ago. I looked in the add/remove programs control panel and did not see it listed. I also looked for the directory and/or files in the c:\program files directory but did not see it there either. Is this something I can just remove with HJT since I have uninstalled it (or thought I did) a while ago? Thanks for the advice!
Thepunkinator is offline  
Old 07-18-2005, 12:38 PM   #13 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,422
OS: XP SP2


In which case you may fix these in HJT:

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm


Delete the following folder:

C:\PROGRA~1\DAP\
__________________


POADB is offline  
Old 07-18-2005, 02:12 PM   #14 (permalink)
I helped the forums.
 
Join Date: May 2005
Posts: 18
OS: XP


Here's the latest Panda scan. I have no idea where these files are that it's finding. I have triple checked and can't find them anywhere.

-----------------------------

Incident Status Location

Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Trash[~000060.@x@]
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\??plorer.exe
Thepunkinator is offline  
Old 07-18-2005, 02:53 PM   #15 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,422
OS: XP SP2


Copy and paste the following into kill box. Use the options as we have before:

C:\WINDOWS\system32\??plorer.exe


Reboot when prompted.

Now return to Windows. I need to know how far you can navigate through this directory path: C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]

Perhaps there is an option within ThunderBird. Perhaps emptying the trash or what not. Have a snoop around, as the above path belongs to ThunderBird, and this seems to have backed up the adware of Media Tickets.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next post.
__________________


POADB is offline  
Old 07-18-2005, 05:43 PM   #16 (permalink)
I helped the forums.
 
Join Date: May 2005
Posts: 18
OS: XP


Thanks! I ran killbox.exe again with the file information. As for the path for thunderbird I can navigate to: C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net. There is a file called inbox (my mail inbox) in this directory. I went into thunderbird and emptied my inbox and my trash. Hopefully this will do it. Running the scan now and will post the log as soon as it is done.
Thepunkinator is offline  
Old 07-18-2005, 06:03 PM   #17 (permalink)
I helped the forums.
 
Join Date: May 2005
Posts: 18
OS: XP


Ok here's the log from the Trend Micro scan:

-------------------------------------
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'Software\SpeedBit\Download Accelerator\IEBar'
Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE.1'
Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE.1\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE\CLSID'
Found '' in 'SOFTWARE\Classes\DAPIE.DownloadAcceleratorIE\CurVer'
Found '' in 'SOFTWARE\Classes\DAPNS.Protocol.1'
Found '' in 'SOFTWARE\Classes\DAPNS.Protocol.1\CLSID'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\Catalyst.HttpClientCtrl.1'
Found '' in 'SOFTWARE\Classes\Catalyst.HttpClientCtrl.1\CLSID'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\Control'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\InprocServer32'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\MiscStatus'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\MiscStatus\1'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\ProgID'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\ToolboxBitmap32'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\TypeLib'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA26-9EBB-11D2-B89C-00104B30757B}\Version'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA27-9EBB-11D2-B89C-00104B30757B}'
Found '' in 'SOFTWARE\Classes\CLSID\{EDD6BA27-9EBB-11D2-B89C-00104B30757B}\InprocServer32'
Found '' in 'SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}'
Found '' in 'SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{EDD6BA24-9EBB-11D2-B89C-00104B30757B}\TypeLib'
Found '' in 'SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B}'
Found '' in 'SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B}\ProxyStubClsid'
Found '' in 'SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B}\ProxyStubClsid32'
Found '' in 'SOFTWARE\Classes\Interface\{EDD6BA25-9EBB-11D2-B89C-00104B30757B}\TypeLib'
Found '' in 'SOFTWARE\Classes\TypeLib\{EDD6BA23-9EBB-11D2-B89C-00104B30757B}\1.0'
Found '' in 'SOFTWARE\Classes\TypeLib\{EDD6BA23-9EBB-11D2-B89C-00104B30757B}\1.0\0\win32'
Found '' in 'SOFTWARE\Classes\TypeLib\{EDD6BA23-9EBB-11D2-B89C-00104B30757B}\1.0\FLAGS'
Found '' in 'SOFTWARE\Classes\TypeLib\{EDD6BA23-9EBB-11D2-B89C-00104B30757B}\1.0\HELPDIR'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\Classes\Remove'
Found '' in 'SOFTWARE\MySearch\bar'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Files and Directories
Found 'kwv2.dat' in 'C:\WINDOWS'
Found 'chat.dat' in 'C:\WINDOWS\system32'
Found 'CSHTP32.OCX' in 'C:\WINDOWS\system32'
Found 'home.dat' in 'C:\WINDOWS\system32'
Found 'VIC32.DLL' in 'C:\WINDOWS\system32'
Found 'ydn5055.dat' in 'C:\WINDOWS\winskw'
Found 'DAP.exe' in 'D:\Download Accelerator'
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\WINDOWS\kwv2.dat' in shortcut areas.
Checking for 'C:\WINDOWS\kwv2.dat' in startup areas.
Cleaning 'C:\WINDOWS\kwv2.dat'
Checking for 'C:\WINDOWS\system32\chat.dat' in shortcut areas.
Checking for 'C:\WINDOWS\system32\chat.dat' in startup areas.
Cleaning 'C:\WINDOWS\system32\chat.dat'
Checking for 'C:\WINDOWS\system32\CSHTP32.OCX' in shortcut areas.
Checking for 'C:\WINDOWS\system32\CSHTP32.OCX' in startup areas.
Cleaning 'C:\WINDOWS\system32\CSHTP32.OCX'
Checking for 'C:\WINDOWS\system32\home.dat' in shortcut areas.
Checking for 'C:\WINDOWS\system32\home.dat' in startup areas.
Cleaning 'C:\WINDOWS\system32\home.dat'
Checking for 'C:\WINDOWS\system32\VIC32.DLL' in shortcut areas.
Checking for 'C:\WINDOWS\system32\VIC32.DLL' in startup areas.
Cleaning 'C:\WINDOWS\system32\VIC32.DLL'
Checking for 'C:\WINDOWS\winskw\ydn5055.dat' in shortcut areas.
Checking for 'C:\WINDOWS\winskw\ydn5055.dat' in startup areas.
Cleaning 'C:\WINDOWS\winskw\ydn5055.dat'
Checking for 'D:\Download Accelerator\DAP.exe' in shortcut areas.
Checking for 'D:\Download Accelerator\DAP.exe' in startup areas.
Cleaning 'D:\Download Accelerator\DAP.exe'
Finished Cleaning
Thepunkinator is offline  
Old 07-19-2005, 01:17 AM   #18 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,422
OS: XP SP2


That's great.

Is Panda coming back clean now also??
__________________


POADB is offline  
Old 07-19-2005, 03:58 AM   #19 (permalink)
I helped the forums.
 
Join Date: May 2005
Posts: 18
OS: XP


Unfortunately it isn't. I'm stumped on this. Here's the log.

-----------------------------

Incident Status Location

Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\Darrell Miley\Application Data\Thunderbird\Profiles\default.hbf\Mail\pop.east.cox.net\Inbox[~000192.@x@]
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\??plorer.exe
Thepunkinator is offline  
Old 07-19-2005, 09:06 AM   #20 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,422
OS: XP SP2


Clearing your Trash folder seemed to have done the trick. But the inbox still seems infected with something. It could be a false positive, and I'm not convinced this is causing your system any harm. Keep looking around ThunderBird.

C:\WINDOWS\system32\??plorer.exe: this file is becoming a pain, as you have probably realised.

Launch Notepad, and copy/paste the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.

Code:
rem List every file matching the mask, including hidden and system ones, and open the listing in Notepad
dir <insert mask> /a > files.txt
notepad files.txt
Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
__________________


POADB is offline  
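The FindFile.bat above relies on a plain directory listing to locate a file whose name the console can only show as ??plorer.exe. As an added example, not part of the thread or of any tool it mentions, the following Python script (file and function names are my own) walks a directory, reports names containing characters outside the console code page, non-printable characters, or Cyrillic look-alikes of well-known system binary names, and notes whether each hit carries the hidden or system attribute; run without arguments it builds a constructed sample directory that mimics the thread's case.

```python
"""Locate files whose names the console cannot display properly.

Constructed example, not part of the forum thread. cmd.exe prints any
character outside its OEM code page as '?', which is why a scanner can
report a name such as '??plorer.exe' that Explorer's search never finds.
"""
import os
import stat
import sys
import tempfile
import unicodedata

# Names worth protecting against look-alike spoofing (constructed shortlist).
KNOWN_SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}

# Small confusable table: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def render_as_console(name, encoding="cp437"):
    """Show how cmd.exe on the given OEM code page would print the name.
    Characters the code page cannot encode come out as '?'."""
    return name.encode(encoding, errors="replace").decode(encoding)


def fold_confusables(name):
    """Map look-alike letters to ASCII so a spoofed name compares equal to the real one."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def is_hidden(path):
    """Hidden/system attribute on Windows; dot-prefix convention elsewhere."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM))
    return os.path.basename(path).startswith(".")


def classify_name(name, encoding="cp437"):
    """Return the reasons a file name deserves a second look (empty list if none)."""
    reasons = []
    if render_as_console(name, encoding) != name:
        reasons.append("contains characters outside %s (shown as '?')" % encoding)
    if any(unicodedata.category(ch).startswith("C") for ch in name):
        reasons.append("contains non-printable control/format characters")
    folded = fold_confusables(name)
    if folded in KNOWN_SYSTEM_BINARIES and folded != name.lower():
        reasons.append("look-alike of system binary %s" % folded)
    return reasons


def find_suspicious_names(root, encoding="cp437"):
    """Walk root and collect every file whose name trips a check."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            reasons = classify_name(name, encoding)
            if not reasons:
                continue
            full = os.path.join(dirpath, name)
            hits.append({
                "path": full,
                "name": name,
                "renders_as": render_as_console(name, encoding),
                "escaped": name.encode("unicode_escape").decode("ascii"),
                "hidden": is_hidden(full),
                "reasons": reasons,
            })
    return hits


def build_sample_dir():
    """Create a constructed directory that mimics the thread's case."""
    root = tempfile.mkdtemp(prefix="findfile_")
    # Legitimate name: no finding expected.
    open(os.path.join(root, "explorer.exe"), "w").close()
    # Cyrillic 'е' and 'х' in place of Latin 'e' and 'x': cmd prints ??plorer.exe.
    open(os.path.join(root, "\u0435\u0445plorer.exe"), "w").close()
    # Zero-width space inside the name: invisible in Explorer, '?' in cmd.
    open(os.path.join(root, "svc\u200bhost.exe"), "w").close()
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for hit in find_suspicious_names(target):
        print("%s  (console shows: %s, hidden: %s)"
              % (hit["escaped"], hit["renders_as"], hit["hidden"]))
        for reason in hit["reasons"]:
            print("    - " + reason)
```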
Copyright 2001 - 2009, Tech Support Forum