Old 11-29-2005, 04:02 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


Where do I go to fix problems before my computer is dead.

After doing the steps to my PC that I was told to do to my mother-in-law's, I have found that I have some problems.

My 2000 Pro system is still working but I didn’t like what I saw after I used Trend Micro and Kaspersky.
buddycraigg is offline  

Old 11-29-2005, 08:01 AM   #2 (permalink)
1337 C0D3R
 
skate_punk_21's Avatar
 
Join Date: Mar 2005
Location: Canada
Posts: 1,457
OS: Server 2K3/XP Pro/XP MCE/Win 98/Ubuntu Linux/BackTrack 2

Hi and welcome to TSF!

HijackThis logs are the weapon we use to detect malware around here, so post a log please (instructions are at bottom). Before we can help you, please attempt the following; these will help us eliminate the easy spyware problems first, making the serious fix as short as possible...

1: Please download Ad-aware and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go Here to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.


Now the good stuff...
Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post that log here!
skate_punk_21 is offline
Old 11-29-2005, 08:26 AM   #3 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,549
OS: WinXP and Vista


Hello buddycraig,

In addition to skate_punk_21's instructions regarding providing a HijackThis log, you said you've done everything on this pc as you did on your mother-in-law's--have you run an online Panda scan with this one? If so, post those results along with the HijackThis log.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-30-2005, 01:53 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


Thank you both skate_punk_21 and Ried for your response and your assistance.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The machine.

It’s a pretty old home built PC but it works for my needs.
Windows 2000 pro SP4
All updates are current.

I have this software for free from my ISP
Made by this company http://www.ca.com/
eTrust PestPatrol
eTrust EZ Antivirus
eTrust Personal Firewall

I have installed and run the latest versions of
Spybot S&D
Ad Aware SE

I have run the online virus scanner from
http://www.kaspersky.com/virusscanner
and
http://www.pandasoftware.com/products/activescan.htm

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
The problem.

My PC is running as it always has, but I discovered that I had some viruses thanks to the suggestions I found on this forum.
I use this PC for my banking, bill paying, and various other personal needs and want it to be safe.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
My logs. Hijackthis, panda, and kaspersky in that order.

Hijackthis.
Logfile of HijackThis v1.99.1
Scan saved at 2:39:36 AM, on 11/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/p...n/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1124416697379
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124411355883
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/Insta...ve/TP_live.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93D6A0F2-013D-4F6F-A325-6D09DCB5F196}: NameServer = 24.94.163.114,24.94.163.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E3492F-1A47-4D6B-9143-C8F500EAB08B}: NameServer = 24.94.163.114,24.94.163.113
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Panda

Incident Status Location

Adware:adware/keenvalue Not disinfected C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/statblaster Not disinfected Windows Registry
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-68665048.zip[InstallerApplet.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-31f05170-79eaa883.zip[InstallerApplet.class]

Kaspersky
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 30, 2005 02:31:56
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/11/2005
Kaspersky Anti-Virus database records: 152455
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 58570
Number of viruses found: 9
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 5954 sec

Infected Object Name - Virus Name
C:\WINNT\system32\TMLib.dll Infected: Trojan-Spy.Win32.AdvancedKeyLogger.17
C:\Documents and Settings\Administrator\Local Settings\Temp\all_files7.exe/data0006 Infected: Trojan-Downloader.Win32.QDown.b
C:\Documents and Settings\Administrator\Local Settings\Temp\all_files7.exe Infected: Trojan-Downloader.Win32.QDown.b
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Sat, 09 Apr 2005 19:03:06 -0700]/UNNAMED/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Sat, 09 Apr 2005 19:03:06 -0700]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Sat, 09 Apr 2005 19:03:06 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Sat, 15 Oct 2005 08:52:02 -0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Sat, 15 Oct 2005 08:52:02 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Sat, 22 Oct 2005 10:31:28 +0500]/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Sat, 05 Nov 2005 09:49:49 -0700]/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 18 Nov 2005 16:34:27 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 18 Nov 2005 16:34:27 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 18 Nov 2005 23:13:33 +0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx/[From PayPal <service@paypal.com>][Date Fri, 18 Nov 2005 23:13:33 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Paylap.ev
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Deleted Items.dbx/[From "update@paypal.com" <update@paypal.com>][Date Thu, 15 Sep 2005 22:18:29 +0000]/html Infected: Trojan-Spy.HTML.Paylap.by
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Paylap.by
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CitiBank <supprefnum13@citibank.com>][Date Sat, 02 Oct 2004 18:14:18 +0100]/html Infected: Trojan-Spy.HTML.Citifraud.ai
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CITIBANK <antifraud_dep.id.num384730950992@citibank.com>][Date Tue, 19 Oct 2004 13:58:35 +0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CITIBANK <antifraud_dep.id.num384730950992@citibank.com>][Date Tue, 19 Oct 2004 13:58:35 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx/[From MAILER-DAEMON <MAILER-DAEMON@kc.rr.com>][Date Mon, 26 Jul 2004 11:50:37 -0500]/UNNAMED/kcfog@kc.rr.com Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx/[From MAILER-DAEMON <MAILER-DAEMON@kc.rr.com>][Date Mon, 26 Jul 2004 11:50:37 -0500]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-68665048.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-68665048.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-31f05170-79eaa883.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-31f05170-79eaa883.zip Infected: Trojan-Downloader.Java.OpenStream.w

Scan process completed.
buddycraigg is offline  
Old 11-30-2005, 06:43 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,549
OS: WinXP and Vista


Hello,

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Reboot into Safe Mode.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Delete this file:

C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts.bho

Follow these entire paths and empty the Inbox and Deleted Items:

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx <--Empty this folder

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Deleted Items.dbx <--Empty this folder

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64-bit Operating System, do NOT run CleanUp! and let me know, as we will use another utility.

Reboot into Normal Mode.

Run another scan with Kaspersky and post the results here along with a new HijackThis log.
Ried is offline
Old 11-30-2005, 07:54 AM   #6 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


Thank you for your help Ried.

I can see I’m going to have to do this like I am a 4 year old.
++++++++++++++++++++++++++++

Quote:
Originally Posted by Ried
Hello,
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Cleanup has been downloaded but not run.

Quote:
Originally Posted by Ried
Hello,
Reboot into Safe Mode.
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Done.

Quote:
Originally Posted by Ried
Hello,
Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Unable to complete this step.
When I would open “Java Plug-in”, a box would flash for a second on the screen and disappear.
I was able to grab the screen as it happened.
You can see the white box here.
http://www.fiero.nl/forum/Forum6/HTML/033462.html

Quote:
Originally Posted by Ried
Hello,
Delete this file:
C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts.bho

Done.

Quote:
Originally Posted by Ried
Hello,
Follow these entire paths and empty the Inbox and Deleted Items:

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx <--Empty this folder

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Deleted Items.dbx <--Empty this folder

I’m afraid I don’t understand.
I found these files in Windows Explorer, but I only saw the option of deleting the file.
How do I empty them?

Quote:
Originally Posted by Ried
Hello,
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

Reboot into Normal Mode.

Run another scan with Kaspersky and post the results here along with a new HijackThis log.

I have not done these steps since I could not get past the few previous steps.

Last edited by buddycraigg; 11-30-2005 at 08:08 AM.
buddycraigg is offline  
Old 11-30-2005, 07:57 AM   #7 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


just found the edit button

Last edited by buddycraigg; 11-30-2005 at 08:07 AM.
buddycraigg is offline  
Old 11-30-2005, 09:52 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,549
OS: WinXP and Vista


Those should be folders, are they already empty? You can go ahead and continue with the rest of the steps.
Ried is offline
Old 11-30-2005, 11:11 PM   #9 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


I took a chance and just deleted these files in Windows Explorer from Safe Mode.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Inbox.dbx <--Empty this folder

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{FCA073A6-0508-482E-A374-FCD3D7E88BB5}\Microsoft\Outlook Express\Deleted Items.dbx <--Empty this folder

When I opened Outlook again I still had an inbox and deleted folder but they were empty.

And I hate to say it, but CleanUp! removed over 5000 files and freed up 2.5 gigs of hard drive space.

Here are my new logs.
Kaspersky shows that I still have some problems.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 01, 2005 00:00:34
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/12/2005
Kaspersky Anti-Virus database records: 152737
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 54106
Number of viruses found: 5
Number of infected objects: 12
Number of suspicious objects: 0
Duration of the scan process: 5986 sec

Infected Object Name - Virus Name
C:\WINNT\system32\TMLib.dll Infected: Trojan-Spy.Win32.AdvancedKeyLogger.17
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CitiBank <supprefnum13@citibank.com>][Date Sat, 02 Oct 2004 18:14:18 +0100]/html Infected: Trojan-Spy.HTML.Citifraud.ai
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CITIBANK <antifraud_dep.id.num384730950992@citibank.com>][Date Tue, 19 Oct 2004 13:58:35 +0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx/[From CITIBANK <antifraud_dep.id.num384730950992@citibank.com>][Date Tue, 19 Oct 2004 13:58:35 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Citifraud.bc
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx/[From MAILER-DAEMON <MAILER-DAEMON@kc.rr.com>][Date Mon, 26 Jul 2004 11:50:37 -0500]/UNNAMED/kcfog@kc.rr.com Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx/[From MAILER-DAEMON <MAILER-DAEMON@kc.rr.com>][Date Mon, 26 Jul 2004 11:50:37 -0500]/UNNAMED Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C3A059F6-D716-4ECB-A58F-9B08407ED9C1}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Email-Worm.Win32.Mydoom.m
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-68665048.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-68665048.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-31f05170-79eaa883.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Administrator\.jpi_cache\jar\1.0\javainstaller.jar-31f05170-79eaa883.zip Infected: Trojan-Downloader.Java.OpenStream.w

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 10:07:44 PM, on 11/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/p...n/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1124416697379
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124411355883
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/Insta...ve/TP_live.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93D6A0F2-013D-4F6F-A325-6D09DCB5F196}: NameServer = 24.94.163.114,24.94.163.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E3492F-1A47-4D6B-9143-C8F500EAB08B}: NameServer = 24.94.163.114,24.94.163.113
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Old 12-01-2005, 02:01 AM   #10 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


now the edit key is gone???

thanks for the note Ried.

i've done a few more things and am about to run kaspersky again.

i just thought about this.
although i haven't used it for a long time. this is a dual boot system and i still have win98 installed.

should i start up 98 and do everything there also?
Old 12-01-2005, 06:18 AM   #11 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


almost clean

these are my logs as of 7:16 am
just one more little nastie to get rid of...

Logfile of HijackThis v1.99.1
Scan saved at 7:15:01 AM, on 12/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/p...n/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1124416697379
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124411355883
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/Insta...ve/TP_live.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93D6A0F2-013D-4F6F-A325-6D09DCB5F196}: NameServer = 24.94.163.114,24.94.163.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E3492F-1A47-4D6B-9143-C8F500EAB08B}: NameServer = 24.94.163.114,24.94.163.113
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 01, 2005 07:10:20
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/12/2005
Kaspersky Anti-Virus database records: 152768
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 52991
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 5268 sec

Infected Object Name - Virus Name
C:\WINNT\system32\TMLib.dll Infected: Trojan-Spy.Win32.AdvancedKeyLogger.17

Scan process completed.
Old 12-01-2005, 06:35 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,549
OS: WinXP and Vista


Nice job Buddy

Let's get rid of that Keylogger:

Download KillBox from http://www.greyknight17.com/spy/KillBox.exe (it's important that you get version v2.0.0.175).

Reboot into Safe Mode (tapping F8 or F5).

Start KillBox and copy/paste the following entry into the box:

C:\WINNT\system32\TMLib.dll

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [YES] at the Pending Operations prompt.

Allow the reboot into Normal Mode.

This system should be clean now. Please continue with these important final instructions:

Reset hidden/system files and folders
Windows 2000

Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Select the Advanced settings box option.
* Select the Hidden files Folders.
* Deselect the Show all files option.
Click Yes to confirm.
Click OK.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Microsoft Windows Update
Visit windowsupdate.com (http://www.windowsupdate.com/) regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Update all these programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Firefox www.mozilla.org/products/firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Sun's Java http://java.com/en/index.jsp - It's much more secure than Microsoft's Java Virtual Machine.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 12-03-2005, 06:49 AM   #13 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


none of the scanners seem to find everything.
kaspersky said that i was clean.

so i ran http://housecall.trendmicro.com/
which showed i had some tracking cookies.
i cleared out my cookies and i'm running it again
and this popped up again.

COOKIE_2842

This cookie is installed when you visit the following URL: "tribalfusion.com"

Last edited by buddycraigg; 12-03-2005 at 06:55 AM.
Old 12-03-2005, 10:32 AM   #14 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


yeppie
bitdefender said that i'm good.
http://www.bitdefender.com/scan/license.php

BitDefender Online Scanner - Real Time Virus Report
Generated at: Sat, Dec 03, 2005 - 11:30:26
Scan Info
Scanned Files
289460
Infected Files
0
Virus Detected
No virus found.

Last edited by buddycraigg; 12-03-2005 at 10:42 AM.
Old 12-03-2005, 12:20 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


well i was able to get through 3 different on line scanners without any problems.
please take one final look at my hjt log.
and if everything looks ok, then this thread can be filed in the
Resolved HJT Threads section

then it's back to working on grandma's computer.
Old 12-03-2005, 12:20 PM   #16 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 82
OS: 2000 98


Logfile of HijackThis v1.99.1
Scan saved at 1:16:52 PM, on 12/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust EZ Armor\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/I...ve/HS_live.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex...edia/Swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/p...n/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1124416697379
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124411355883
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {DA04CC86-07A5-11D5-A700-0001031AD955} (TP_live Control) - http://www.homestead.com/~site/Insta...ve/TP_live.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...42/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93D6A0F2-013D-4F6F-A325-6D09DCB5F196}: NameServer = 24.94.163.114,24.94.163.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4E3492F-1A47-4D6B-9143-C8F500EAB08B}: NameServer = 24.94.163.114,24.94.163.113
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
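A defender-side sketch of the log comparison this thread keeps doing by eye, added here as an example and not part of any post or of HijackThis itself: it parses two HijackThis logs, reports entries removed, added or re-pointed between scans, and lists entries flagged "(no file)" / "(file missing)", marking those whose executable still appears under "Running processes". The function names and the entry-matching rule (CLSID, or the Run value name for O4 lines) are assumptions of this example; the sample lines are shortened from the 11/30/2005 and 12/3/2005 logs above.

```python
import re

# Shortened excerpts of the 11/30/2005 and 12/3/2005 HijackThis logs in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:07:44 PM, on 11/30/2005

Running processes:
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:16:52 PM, on 12/3/2005

Running processes:
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [POINTER] point32.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # e.g. "O4 - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_RE = re.compile(r"\((no file|file missing)\)\s*$")  # trailing marker only


def parse_log(text):
    """Split a log into its running-process paths and its (code, body) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
            in_processes = False
        elif line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # blank line ends the process list
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def entry_key(code, body):
    """Identity of an entry, so a changed target is not reported as remove + add."""
    m = CLSID_RE.search(body)
    if m:                                 # text up to and including the CLSID
        return (code, body[:m.end()])
    if code == "O4" and "]" in body:      # Run key path plus [value name]
        return (code, body[:body.index("]") + 1])
    return (code, body)


def compare(before, after):
    """Entries removed, added, or re-pointed between two parsed logs."""
    old = {entry_key(c, b): f"{c} - {b}" for c, b in before["entries"]}
    new = {entry_key(c, b): f"{c} - {b}" for c, b in after["entries"]}
    return {
        "removed": sorted(old[k] for k in old.keys() - new.keys()),
        "added": sorted(new[k] for k in new.keys() - old.keys()),
        "changed": sorted((old[k], new[k])
                          for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def orphans(parsed):
    """Entries marked missing; third field is True when a running-process path
    appears in the entry, i.e. the log contradicts its own 'missing' flag."""
    running = [p.lower() for p in parsed["processes"]]
    return [(code, body, any(p in body.lower() for p in running))
            for code, body in parsed["entries"] if ORPHAN_RE.search(body)]


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for kind, items in compare(before, after).items():
        print(kind, items)
    for code, body, contradicted in orphans(after):
        print("orphan", code, body, "-> listed as running, check by hand" if contradicted else "")
```

On these excerpts the WinVNC4 service is the only flagged entry whose path is also listed as running, so it calls for a manual check rather than a blind fix.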
Old 12-03-2005, 03:59 PM   #17 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
 
MicroBell's Avatar
 
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,962
OS: Windows XP-Pro SP2


Clean it be...go make Grandma happy!
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!





Spyware/Adware Removal Tools
Hijackthis
Ad-aware SE
Spybot Search&Destroy
SpywareBlaster
CWShredder

All times are GMT -7. The time now is 06:51 PM.



Copyright 2001 - 2009, Tech Support Forum