Fighting Spy Strike and spyware popup

[ccpc]

will do - THANK YOU!! and get some sleep....

[ccpc]

Good morning (afternoon?), sUBs, hope you got some sleep!

Restarted (just because I hadn't for a while) before running regdel.reg -> shortcut to http://securitylist.net/ back on desktop (sigh) but at least no pop-ups!

-ran regdel.reg

-online Kaspersky scan with your settings -> 19 viruses, 81 infected objects (another sigh)


ÿþ- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

K A S P E R S K Y O N - L I N E S C A N N E R R E P O R T

S a t u r d a y , J a n u a r y 0 7 , 2 0 0 6 1 6 : 5 3 : 2 4

O p e r a t i n g S y s t e m : M i c r o s o f t W i n d o w s X P H o m e E d i t i o n , S e r v i c e P a c k 2 ( B u i l d 2 6 0 0 )

K a s p e r s k y O n - l i n e S c a n n e r v e r s i o n : 5 . 0 . 6 7 . 0

K a s p e r s k y A n t i - V i r u s d a t a b a s e l a s t u p d a t e : 8 / 0 1 / 2 0 0 6

K a s p e r s k y A n t i - V i r u s d a t a b a s e r e c o r d s : 1 6 9 7 7 5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



S c a n S e t t i n g s :

S c a n u s i n g t h e f o l l o w i n g a n t i v i r u s d a t a b a s e : e x t e n d e d

S c a n A r c h i v e s : t r u e

S c a n M a i l B a s e s : t r u e



S c a n T a r g e t - M y C o m p u t e r :

A : \

C : \

D : \



S c a n S t a t i s t i c s :

T o t a l n u m b e r o f s c a n n e d o b j e c t s : 3 9 0 9 7

N u m b e r o f v i r u s e s f o u n d : 1 9

N u m b e r o f i n f e c t e d o b j e c t s : 8 1

N u m b e r o f s u s p i c i o u s o b j e c t s : 0

D u r a t i o n o f t h e s c a n p r o c e s s : 2 3 5 0 s e c



I n f e c t e d O b j e c t N a m e - V i r u s N a m e

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . 1 8 0 S o l u t i o n s

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . b

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 5 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 6 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . 1 8 0 S o l u t i o n s

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . b

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 5 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 6 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ D a t a \ p o p i n s t l i t e . e x e I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . P o p l i t e . a

C : \ D o c u m e n t s a n d S e t t i n g s \ A d m i n i s t r a t o r \ M y D o c u m e n t s \ D a t a \ p o p i n s t l i t e . e x e I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . P o p l i t e . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . 1 8 0 S o l u t i o n s

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . b

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 5 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 6 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ a l l _ f i l e s 3 b . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . 1 8 0 S o l u t i o n s

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . b

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 5 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 / d a t a 0 0 0 6 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . P e r f n a v . d

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e / d a t a 0 0 1 4 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ a l l _ f i l e s 3 b . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B a r g a i n B u d d y . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ D a t a \ p o p i n s t l i t e . e x e I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . P o p l i t e . a

C : \ D o c u m e n t s a n d S e t t i n g s \ D e f a u l t U s e r \ M y D o c u m e n t s \ D a t a \ p o p i n s t l i t e . e x e I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . P o p l i t e . a

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ E l i t e B a r v e r s i o n 4 9 . d l l . b a c _ a 0 1 9 1 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . E l i t e B a r . k

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ n e t s p r y . e x e . b a c _ a 0 1 9 1 2 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n . S t a r t P a g e . a a q

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ n e t s p r y . e x e . b a c _ a 0 1 9 1 2 I n f e c t e d : T r o j a n . S t a r t P a g e . a a q

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ s e t u p _ i n c r e d _ 7 . e x e . b a c _ a 0 1 9 1 2 / d a t a 0 0 0 2 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ s e t u p _ i n c r e d _ 7 . e x e . b a c _ a 0 1 9 1 2 / d a t a 0 0 0 2 / d a t a 0 0 0 4 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ s e t u p _ i n c r e d _ 7 . e x e . b a c _ a 0 1 9 1 2 / d a t a 0 0 0 2 / d a t a 0 0 0 5 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ s e t u p _ i n c r e d _ 7 . e x e . b a c _ a 0 1 9 1 2 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ s e t u p _ i n c r e d _ 7 . e x e . b a c _ a 0 1 9 1 2 / d a t a 0 0 0 8 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ s e t u p _ i n c r e d _ 7 . e x e . b a c _ a 0 1 9 1 2 / d a t a 0 0 0 9 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ s e t u p _ i n c r e d _ 7 . e x e . b a c _ a 0 1 9 1 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ . h o u s e c a l l \ Q u a r a n t i n e \ W i n S c h e d . e x e . b a c _ a 0 1 9 1 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . W i n A D

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ I d e n t i t i e s \ { B 8 1 8 4 0 D 4 - 1 8 4 4 - 4 D 8 9 - A 3 0 7 - 5 4 0 2 B F C 1 B 3 2 7 } \ M i c r o s o f t \ O u t l o o k E x p r e s s \ D e l e t e d I t e m s . d b x / [ F r o m s e r v i c e @ p a y p a l . c o m ] [ D a t e S u n , 1 0 J u l 2 0 0 5 0 7 : 2 4 : 4 3 - 0 5 0 0 ] / h t m l I n f e c t e d : T r o j a n - S p y . H T M L . P a y l a p . o

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ I d e n t i t i e s \ { B 8 1 8 4 0 D 4 - 1 8 4 4 - 4 D 8 9 - A 3 0 7 - 5 4 0 2 B F C 1 B 3 2 7 } \ M i c r o s o f t \ O u t l o o k E x p r e s s \ D e l e t e d I t e m s . d b x I n f e c t e d : T r o j a n - S p y . H T M L . P a y l a p . o

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ I d e n t i t i e s \ { B 8 1 8 4 0 D 4 - 1 8 4 4 - 4 D 8 9 - A 3 0 7 - 5 4 0 2 B F C 1 B 3 2 7 } \ M i c r o s o f t \ O u t l o o k E x p r e s s \ I n b o x . d b x / [ F r o m s e r v i c e @ p a y p a l . c o m ] [ D a t e T h u , 0 9 J u n 2 0 0 5 2 1 : 4 4 : 1 8 + 0 1 0 0 ] / h t m l I n f e c t e d : T r o j a n - S p y . H T M L . P a y l a p . o

C : \ D o c u m e n t s a n d S e t t i n g s \ W i l l \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ I d e n t i t i e s \ { B 8 1 8 4 0 D 4 - 1 8 4 4 - 4 D 8 9 - A 3 0 7 - 5 4 0 2 B F C 1 B 3 2 7 } \ M i c r o s o f t \ O u t l o o k E x p r e s s \ I n b o x . d b x I n f e c t e d : T r o j a n - S p y . H T M L . P a y l a p . o

C : \ E l i t e B a r v e r s i o n 5 1 . d l l I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . E l i t e B a r . m

C : \ H X D L A Z W M . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . H e l p E x p r e s s

C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 2 6 9 5 0 7 2 6 4 2 - 2 5 0 1 9 5 4 5 3 5 - 3 6 4 6 1 8 1 6 5 6 - 5 0 0 \ D c 1 . d l l I n f e c t e d : n o t - v i r u s : H o a x . W i n 3 2 . R e n o s . a m

C : \ W I N D O W S \ D o w n l o a d e d P r o g r a m F i l e s \ a s h t o n . i n f I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B e t t e r I n t e r n e t . a s

C : \ W I N D O W S \ D o w n l o a d e d P r o g r a m F i l e s \ t u r b o . i n f I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . B e t t e r I n t e r n e t . a s

C : \ W I N D O W S \ i L y c o s \ s s _ w e b d e v a z _ s e t u p . e x e / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . S i d e s e a r c h . e

C : \ W I N D O W S \ i L y c o s \ s s _ w e b d e v a z _ s e t u p . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . S i d e s e a r c h . e

C : \ W I N D O W S \ s i l e n t 4 8 . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . E l i t e B a r . j

C : \ W I N D O W S \ S Y S T E M 3 2 \ e z S t u b 3 . d l l I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . E Z u l a . a

C : \ W I N D O W S \ S Y S T E M 3 2 \ I n s t a F i n d e r _ i n s t 2 4 5 . e x e / s t r e a m I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . I n s t a F i n d e r . a

C : \ W I N D O W S \ S Y S T E M 3 2 \ I n s t a F i n d e r _ i n s t 2 4 5 . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . I n s t a F i n d e r . a

C : \ W I N D O W S \ S Y S T E M 3 2 \ K V I F _ 7 . d l l / d a t a 0 0 0 2 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ W I N D O W S \ S Y S T E M 3 2 \ K V I F _ 7 . d l l / d a t a 0 0 0 2 / d a t a 0 0 0 4 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ W I N D O W S \ S Y S T E M 3 2 \ K V I F _ 7 . d l l / d a t a 0 0 0 2 / d a t a 0 0 0 5 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ W I N D O W S \ S Y S T E M 3 2 \ K V I F _ 7 . d l l / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ W I N D O W S \ S Y S T E M 3 2 \ K V I F _ 7 . d l l / d a t a 0 0 0 8 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e

C : \ W I N D O W S \ S Y S T E M 3 2 \ K V I F _ 7 . d l l / d a t a 0 0 0 9 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e

C : \ W I N D O W S \ S Y S T E M 3 2 \ K V I F _ 7 . d l l I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e



S c a n p r o c e s s c o m p l e t e d .

[sUBs]

Since the Desktop shortcut came back, it's fair to assume that the infection still remains. Please post a fresh HJT log.

Before we do anything else, please ensure that you have already patch your system against the recent WMF exploit. Please refer to my sig. No point we fix anything only for it to return tomorrow.

[ccpc]

Quote:

Originally Posted by sUBs

Please post a fresh HJT log.
please ensure that you have already patch your system against the recent WMF exploit.

Good morning (for me - 8:12am here), and thank you for following up on this!!
System is patched (I have him set up on automatic updates, and I just checked to be sure it was done).

I deleted the shortcut on the Desktop and (once again) Deleted "Windows Active Desktop" from Display|Desktop|Customize|Web

Logfile of HijackThis v1.99.1
Scan saved at 8:11:10 AM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\SS Tools\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redsox.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\SS Tools\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe

[sUBs]

Let's do a complete fix for it since the desktop shortcut made a re-apperance.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


The author of smitRem.exe updated the tool late yesterday. Please delete your existing copy & download the updated version from here > http://www.downloads.subratam.org/smitRem.exe

Download & install - CleanUp.exe (not recommended for WinXP64)

If you have not already installed Ad-Aware SE 1.06, download and update aawsepersonal.exe


'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding.
It is IMPORTANT that you don't miss a step & perform everything in the correct order.


* * * * * *


Launch Outlook Express & delete this email from the inbox

From - service@paypal.com 09 Jun 2005 21:44

Delete the contents of the deleted items folder before you exit the program


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


Go to Start->Run and type in regsvr32 /u occache.dll and hit OK.


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

• Tick - 'Show hidden files and folder'
• Untick - 'Hide file extensions for known types'
• Untick - 'Hide protected operating system files'
• Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

• C:\DocumentsandSettings\Administrator\MyDocuments\Data\
  C:\DocumentsandSettings\DefaultUser\MyDocuments\Data\
  C:\DocumentsandSettings\Will\.housecall\Quarantine\
  C:\WINDOWS\Downloaded Program Files\ashton.inf
  C:\WINDOWS\Downloaded Program Files\turbo.inf
  C:\WINDOWS\iLycos\
  C:\WINDOWS\silent48.exe
  C:\WINDOWS\SYSTEM32\ezStub3.dll
  C:\WINDOWS\SYSTEM32\InstaFinder_inst245.exe
  C:\WINDOWS\SYSTEM32\KVIF_7.dll
  C:\EliteBarversion51.dll
  C:\HXDLAZWM.exe
  C:\RECYCLER\S-1-5-21-2695072642-2501954535-3646181656-500\Dc1.dll

Go to Start->Run and type in regsvr32 occache.dll and hit OK.


* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


* * * *


Next go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Uncheck everything present.


* * * *

Open Ad-aware and close ALL other windows.

1. Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:

1. In the General window make sure the following are selected in green:
   • Automatically save log-file
   • Automatically quarantine objects prior to removal
   • Safe Mode (always request confirmation)
   • Prompt to update outdated definitions - set the number of days = 7
   
   
2. Click on the Scanning button on the left and select in green:
   • Scan Within Archives
   • Under Select drives & folders to scan:
     • choose all hard drives
   • Scan Active Processes
   • Scan Registry
   • Deep Scan Registry
   • Scan my IE favorites for banned URL’s
   • Scan my Hosts file
   
   
3. Click on the Advanced button on the left and select in green:
   • Move deleted files to recycle bin
   • include addtional object information
   • DeSelect - include negligible objects information
   • Don't log streams smaller than 0 bytes
   • Don't log ADS with the following names: CA_INOCULATEIT
   
   
4. Click the Tweak button:
   1. Under Scanning Engine:
      • Unload recognized processes during scanning
      • Ignore spanned files when scanning cab archives
      • Scan registry for all users instead of current user only
   2. Under Cleaning Engine:
      • Let Windows remove files in use at next reboot
   3. Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Include computer & username in logfile
      • Please DeSelect: Include Module list in logfile

2. Click on Proceed to save the settings.
3. Click Start
4. Choose - Perform Full System Scan
5. DeSelect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
6. Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
7. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
8. Right-click on the list and choose Select All
9. Click Next to finish removing the items that were found

* * * * *

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• .Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh copies of:

• HiJackThis log
• Online scan
• Smitfiles.txt
• Ewido's log

Let us know if any problems persist.

[ccpc]

will do - and thank you again -

While awaiting your reply I did these:

-SpyBot S&D -> Windows.Active.Desktop found (again) and fixed (we hope)

-Ad-Aware (I use Greyknight17 settings) -> clean

-AVG -> clean

-Ewido ->
ÿþ- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

e w i d o a n t i - m a l w a r e - S c a n r e p o r t

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



+ C r e a t e d o n : 1 0 : 0 8 : 0 3 A M , 1 / 8 / 2 0 0 6

+ R e p o r t - C h e c k s u m : 5 2 8 3 6 3 9 C



+ S c a n r e s u l t :



C : \ R E C Y C L E R \ S - 1 - 5 - 2 1 - 2 6 9 5 0 7 2 6 4 2 - 2 5 0 1 9 5 4 5 3 5 - 3 6 4 6 1 8 1 6 5 6 - 5 0 0 \ D c 1 . d l l - > N o t - A - V i r u s . H o a x . W i n 3 2 . R e n o s . a m : C l e a n e d w i t h b a c k u p





: : R e p o r t E n d

*************
I'll follow your suggestions and get back to you.... many thanks again (and again...

[sUBs]

Please do me a favor. Try using Notepad when you're saving the logs.

Whatever text editor you're using, distorts the logs with added spaces.

[ccpc]

sorry, but it's Notepad I'm using...???

working away on your suggestions...

[ccpc]

Quote:

Originally Posted by sUBs

* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *

C:\RECYCLER\S-1-5-21-2695072642-2501954535-3646181656-500\Dc1.dll [/b][/list]
Go to Start->Run and type in regsvr32 occache.dll and hit OK.

working on this... could not delete file above - "cannot delete...being used by another person or program...) tried reboot (safe mode) but same message.
Waiting to continue with
Go to Start->Run and type in regsvr32 occache.dll and hit OK.
until I hear from you.
Thanks!

(and any suggestions on your having problems with my Notepad use, let me know!)

[ccpc]

also, I now have icon on Desktop "desktop.ini" - is this ok?
thanks

[sUBs]

Desktop.ini is okay. You're able to view it because you have unhidden system files.

If you're haviing difficulties deleting Dc1.dll, skip it & proceed with the rest of the fix.

[ccpc]

Quote:

Originally Posted by sUBs

Desktop.ini is okay. You're able to view it because you have unhidden system files.

If you're haviing difficulties deleting Dc1.dll, skip it & proceed with the rest of the fix.

oh duh on me on the desktop.ini thing ... I've been working on this machine waaaay too long... but then so have you!!

thanks very much for the quick reply... I'll skip the Dc1.dll and move on......
(and I'll try to delete some of those blanks in the Ewido results before I post one again)

[ccpc]

All steps completed, logs below.
I was an idiot and forgot to turn off system restore again this morning, so the listings on the Kaspersky and Ewido reports should be taken care of now.
Duh.

Logfile of HijackThis v1.99.1
Scan saved at 3:05:58 PM, on 1/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\SS Tools\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redsox.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\SS Tools\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe


********************

ÿþ- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

K A S P E R S K Y O N - L I N E S C A N N E R R E P O R T

S u n d a y , J a n u a r y 0 8 , 2 0 0 6 1 5 : 0 2 : 2 5

O p e r a t i n g S y s t e m : M i c r o s o f t W i n d o w s X P H o m e E d i t i o n , S e r v i c e P a c k 2 ( B u i l d 2 6 0 0 )

K a s p e r s k y O n - l i n e S c a n n e r v e r s i o n : 5 . 0 . 6 7 . 0

K a s p e r s k y A n t i - V i r u s d a t a b a s e l a s t u p d a t e : 8 / 0 1 / 2 0 0 6

K a s p e r s k y A n t i - V i r u s d a t a b a s e r e c o r d s : 1 6 9 9 9 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



S c a n S e t t i n g s :

S c a n u s i n g t h e f o l l o w i n g a n t i v i r u s d a t a b a s e : e x t e n d e d

S c a n A r c h i v e s : t r u e

S c a n M a i l B a s e s : t r u e

S c a n T a r g e t - M y C o m p u t e r :

A : \

C : \

D : \

S c a n S t a t i s t i c s :

T o t a l n u m b e r o f s c a n n e d o b j e c t s : 4 0 5 1 7

N u m b e r o f v i r u s e s f o u n d : 8

N u m b e r o f i n f e c t e d o b j e c t s : 1 5

N u m b e r o f s u s p i c i o u s o b j e c t s : 0

D u r a t i o n o f t h e s c a n p r o c e s s : 2 3 5 4 s e c

I n f e c t e d O b j e c t N a m e - V i r u s N a m e

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 7 . d l l / d a t a 0 0 0 2 / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 7 . d l l / d a t a 0 0 0 2 / d a t a 0 0 0 4 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 7 . d l l / d a t a 0 0 0 2 / d a t a 0 0 0 5 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 7 . d l l / d a t a 0 0 0 2 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 7 . d l l / d a t a 0 0 0 8 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 7 . d l l / d a t a 0 0 0 9 I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 7 . d l l I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . K e e n v a l . e

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 8 . d l l I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . E l i t e B a r . m

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 6 9 . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . H e l p E x p r e s s

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 7 0 . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . E l i t e B a r . j

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 7 1 . d l l I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . E Z u l a . a

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 7 2 . e x e / s t r e a m I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . I n s t a F i n d e r . a

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 7 2 . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . I n s t a F i n d e r . a

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 7 4 . e x e / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . S i d e s e a r c h . e

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 7 4 . e x e I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . S i d e s e a r c h . e

S c a n p r o c e s s c o m p l e t e d .

*************************


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 01/08/2006
The current time is: 12:52:56.40

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Online Security Guide.url

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 776 'explorer.exe'
Killing PID 776 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

*******************

ÿþ- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

e w i d o a n t i - m a l w a r e - S c a n r e p o r t

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

+ C r e a t e d o n : 2 : 0 8 : 0 5 P M , 1 / 8 / 2 0 0 6

+ R e p o r t - C h e c k s u m : F B C D 6 0 7 C

+ S c a n r e s u l t :

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 1 D 7 D 6 9 2 - 4 6 6 2 - 4 2 1 F - 9 3 B 0 - 8 7 7 B C 3 8 2 0 7 1 1 } \ R P 3 \ A 0 0 0 0 0 5 4 . d l l - > N o t - A - V i r u s . H o a x . W i n 3 2 . R e n o s . a m : C l e a n e d w i t h o u t b a c k u p


: : R e p o r t E n d

*************

[ccpc]

Too embarrassing to leave it with those last scans with the system restore still on.
Kaspersky and Ewido now clean.

[ccpc]

Panda Scan found, and I deleted (doing this with Notepad as I did the others, hope you can read it ok):

Spyware:spyware/whazit C:\WINDOWS\SYSTEM32\fiz1

Adware:adware/ncase C:\PROGRAM FILES\nCase

Adware:adware/keenvalue C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho

Adware:adware/wupd C:\PROGRAM FILES\Windows TaskAd

Adware:adware/sidesearch C:\Documents and Settings\Will\Application Data\Lycos

Spyware:spyware/apropos C:\Documents and Settings\Will\Application Data\POP!

Spyware:Cookie/PointRoll C:\Documents and Settings\Will\Cookies\will@ads.pointroll[2].txt

Spyware:Cookie/Ask C:\Documents and Settings\Will\Cookies\will@ask[1].txt

Spyware:Cookie/Tribalfusion
C:\Documents and Settings\Will\Cookies\will@tribalfusion[2].txt

Adware:Adware/TopRebates
C:\WINDOWS\iNetPal\ezTSetup.exe

Adware:Adware/SAHAgent C:\WINDOWS\INF\biF.inf

Spyware:Spyware/BetterInet C:\WINDOWS\INF\biO.inf

*************************
Also found:

Dialer:dialer.b C:\WINDOWS\DOWNLOADED PROGRAM FILES\EGAUTH.inf
(I couldn't find this one)

Adware:Adware/IST.ISTBar C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
(couldn't find it)

Adware:adware/memorywatcher Windows Registry
OK to delete?

Adware:Adware/EliteBar C:\WINDOWS\blocklist.reg
(ok to delete?)

Spyware:spyware/commonname C:\WINDOWS\SYSTEM32\winnet.ini
(ok to delete?)

Potentially unwanted tool:Application/Processor C:\SS Tools\smitrem\Process.exe
(left it)

Potentially unwanted tool:Application/Processor C:\SS Tools\Will 1-6-06\smitRem.exe[Process.exe]
(left it)

[sUBs]

These files should be deleted.

C:\WINDOWS\DOWNLOADED PROGRAM FILES\EGAUTH.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
C:\WINDOWS\blocklist.reg
C:\WINDOWS\SYSTEM32\winnet.ini

You may have difficulties locating those files from the DOWNLOADED PROGRAM FILES firectory. That's because Windows displays them differently. To find them, you'll need to do this..

Go to Start > Run >> copy/paste into the box - regsvr32 /u occache & hit OK

Then navigate to the DOWNLOADED PROGRAM FILES directory to locate/delete those files. After that's done, you'll need to unhide the directory by doing this..

Start > Run >> copy/paste into the box - regsvr32 occache & hit OK

Let me know how that went

[ccpc]

Quote:

Originally Posted by sUBs

Let me know how that went

Good morning/afternoon!
Got them.

[sUBs]

Let's see one last HJT log before we close the case.

[ccpc]

Logfile of HijackThis v1.99.1
Scan saved at 9:18:51 AM, on 1/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\SS Tools\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.redsox.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\SS Tools\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe

[sUBs]

Well...it's been fun but all good things come to an end.

The system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
6. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
    
    
    
11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.