HJT Log, Trojan found, web pages not connecting or slow and computer freezing!

disco20 · 04-11-2006, 06:40 PM

First off, whomever you are thank you for the help. My computer is running badly. I have AVAST Anti-virus installed and I ran an AdAware and Spybot scan. My computer will not always allow page to be connected to thi internet via Firefox or IE, not allow saves, or completely freeze up, I am waaayyy behind on Microsoft update (I only just installed SP1 yesterday) and I will fully update once this is fixed as well as install a proper firewall. I am on a dial-up modem, so I could not run an internet scan. Several days ago my Word and JPG files disappeared. I knew something was up so I began to search for processes in Windows Task Manager and using google.com I found several virus's, found that the Internet was slow and other virus's were being installed. When I ran CWShredder one CWS was removed. I am currently running McAffee Stinger (it did find a Trojan Virus and ignorantly I closed it in joy without noting the exact virus, sorry), and I'm going to try a program called PREVX1 to solve more problems. In using the Windows Task Mangaer I stop a program called netbtd.exe and I cannot stop Msnweb.exe and it will temporarily allow the Internet to be accessed. Any and all help is greatly appreciated.

Thank You,

Scott Strickler

Logfile of HijackThis v1.99.1
Scan saved at 8:34:50 PM, on 4/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

Ried · 04-12-2006, 07:43 AM

Hello Scott and welcome,

I see that you have msconfig enabled. This may prevent us from seeing everything on your system. Please go to Start>Run type msconfig press Enter and enable all startups by selecting Normal Startup - Load all Device Drivers and Services, reboot and post a new log. We can't remove what we can't see.

If you're going to run PREVX1, wait until you complete that, then run a new scan with HijackThis and post the log here. If you can, save the log from PREVX and post that here as well.

-------------------------------------

You should be able to download the following program as the link should pop up a File Download Dialog Box for you. If you are having trouble downloading , use another PC to download the program to a CD and bring to this PC.

Download Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

------------------------------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

------------------------------------------------

Reboot into Safe Mode.

------------------------------------------------

Please post the results of the Ewido scan along with a new HijackThis log and the log from PREVX1.

disco20 · 04-12-2006, 10:44 PM

Reid, thanks for helping! I've taking your advice and done the following:

Ran a normal startup with msconfig, then I installed Ewido. Here is the log right after I did that:

Logfile of HijackThis v1.99.1
Scan saved at 5:55:12 PM, on 4/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\WINDOWS\system32\netbtd.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Msnweb.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\fm.exe
C:\WINDOWS\System32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC1A313-FDED-4C18-8214-67618808CFA9}: NameServer = 204.116.57.2 206.74.254.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe

Then I ran the CleanUp utility. I restarted and ran Prevx1 (it would not install before this). It did not prduce a log, but several virus's were deleted when it was ran. The names of what was removed is below:

cnkdsk.exe
fm.exe
kl1.exe
MSNGRS.EXE
MSNWEB.EXE
NETBTD.EXE
SETUP_24684.EXE
tool32.exe
TOOL4.EXE
WINSYSTEMS.EXE

Then I ran the CleanUp! Utility again. Once again I restarted this time (for the first time) in safe mode. After restarting I ran Ewido. Here is that log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:00:27 AM, 4/13/2006
+ Report-Checksum: AF26403D

+ Scan result:

C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@specificpop[1].txt -> TrackingCookie.Specificpop : Cleaned with backup
C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\scott strickler@com[2].txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Coremetrics : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Adorigin : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Adorigin : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Adorigin : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.245:C:\Documents and Settings\Heather Strickler\Application Data\Mozilla\Firefox\Profiles\default.511\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Scott Strickler\Application Data\Thunderbird\Profiles\default.xub\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Scott Strickler\Application Data\Thunderbird\Profiles\default.xub\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Scott Strickler\Application Data\Thunderbird\Profiles\default.xub\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll -> Trojan.Sinowal.d : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe -> Trojan.Sinowal.d : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0022812.exe -> Backdoor.Rbot.avc : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0022813.exe -> Backdoor.SdBot.apx : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0023796.exe -> Trojan.Sinowal.d : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0023813.exe -> Backdoor.Rbot.arw : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0023814.exe -> Backdoor.Rbot.avc : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0023816.exe -> Backdoor.Agobot.agw : Cleaned with backup
C:\tool5.exe -> Hijacker.Small.kr : Cleaned with backup
C:\WINDOWS\SYSTEM32\setup_20648.exe -> Backdoor.Rbot.avc : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup

::Report End

Then I rebooted (I did forget to reboot in Safe Mode, sorry I hope this does not hinder this process) and once again rain HiJack This. Here is the final log.

Logfile of HijackThis v1.99.1
Scan saved at 12:14:59 AM, on 4/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe
C:\WINDOWS\SYSTEM32\SOL.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe
O4 - HKLM\..\RunServices: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing)

Once Again thanks for the incredible amount of help for solving my virus problems and allowing my system to run better! If in any way you see programs that I need to remove with HiJackThis that you feel will help my sytem run smotther I am all ears (or eyes),

Scott

Ried · 04-13-2006, 07:40 AM

Hi Scott,

If you no longer use Symantec, you can fix these entries in HijackThis. Please close any open browsers and other programs you may have open.

Run a scan in HijackThis. 'Check' each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab

Click 'Fix Checked' and close HijackThis.

-----------------------------------

I'd like to do one more check to make sure nothing is lurking:

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
Click on see report. Then click Save report

Please post that log in your next reply along with a new HijackThis log.

disco20 · 04-13-2006, 10:52 AM

Ried, I will be going out of town this evening, so I will not be able to run that scan until Sunday evening or Monday morning. Would you like me to just post here or PM you when I have posted. Once again thank you for your time and help.

Ried · 04-13-2006, 10:58 AM

Just post the results here when you get that scan done. I am subscribed to this thread so I receive notification when you reply. Enjoy your weekend.

disco20 · 04-16-2006, 09:08 PM

I have been tryin to run the Panda Scan, but I keep getting this message:

Error on downloading ActiveScanAn error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,...

I am allowing ActiveX Controls, My D/L meter is informing me that the connection is on and staying on, and I have enough harddrive space and adminstrator privledges. Do you have any advice? Thanks.

Ried · 04-17-2006, 07:06 AM

Hi disco20,

Let's make sure the IE's ActiveX settings will allow you to access the page properly:

Tools>Internet Options>Security tab

Ensure that default level of medium is in effect.

Also, on the Advanced tab, ensure that "Reuse windows for launching shortcuts" is checked.

If you're still having problems, try this online scanner:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

disco20 · 04-19-2006, 10:27 AM

Ried,
I've completed the Kapersky scan and it found 8 virus's and 10 infected files. I will include that log below as well as a rebooted (in normal mode) Hijack This log. Thanks Again! During the Kapersky scan I also encountered this problem (it came up in a new pop-up window):

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

These were the documents that were affected in that problem:

C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\WER25A5.tmp.dir00\svchost.exe.mdmp
C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\WER25A5.tmp.dir00\appcompat.txt

Also the toolbar periodically changed from XP format to the Classic format without prompting and the Internet would disconnect itself, but when I went to reconnect (I'm still on dial-up) the prompt said it was still connected and refused to disconnect.

Below are the Kapersky results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, April 19, 2006 11:57:40
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/04/2006
Kaspersky Anti-Virus database records: 188906
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 73258
Number of viruses found: 8
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 3756 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0022804.exe Infected: Trojan-Downloader.Win32.Harnig.bg
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0022814.exe Infected: Trojan-Proxy.Win32.Small.bo
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0023797.exe Infected: Trojan-Downloader.Win32.Harnig.bh
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0023815.exe Infected: Trojan-Proxy.Win32.Small.bo
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0024797.dll Infected: Trojan-PSW.Win32.Sinowal.d
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0024798.exe Infected: Trojan-PSW.Win32.Sinowal.d
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0024799.exe Infected: Trojan-Clicker.Win32.Small.kr
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0024801.exe Infected: not-virus:Hoax.Win32.Renos.cn
C:\WINDOWS\SYSTEM32\eraseme_63476.exe Infected: Backdoor.Win32.SdBot.xd
C:\WINDOWS\SYSTEM32\i Infected: Trojan-Downloader.BAT.Ftp.ab

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 12:16:26 PM, on 4/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe
O4 - HKLM\..\RunServices: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing)

I know I've said it many times, but you are really helping me out and I greatly appreciate it.

Ried · 04-19-2006, 06:29 PM

Hi disco,

Ok, let's go after all of it now.

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please disable the following program as it may hinder our fixes below:

Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
Click on "Security Agents Status".
Click on "Disable real-time protection".
Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.
Click on the Options menu and choose Settings. In the left pane column click on "Real Time Protection".
Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
Under Real-time spyware threat protection, uncheck and "Enable real-time spyware threat protection" (recommended).
Click the Save button and close Microsoft AntiSpyware.
Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".

Click Start->Run - type SERVICES.MSC & then click on the OK button
*Locate the service - NetBTD(ntbtd)
*Double-click on it to open the Properties dialog.
*Under the General tab: : <--Take note and write down the *Service name given --It is case sensitive, note which one it is using, either ntbtd or NetBTD as we will need it shortly.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Still within services.msc:
*Locate the service - Windows web messenger
*Double-click on it to open the Properties dialog.
*Under the General tab: <--Take note and write down the *Service name given as we will need it shortly.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the *Service Name you found in the General Tab for Windows web messenger . Do NOT allow a reboot yet.

Still within Delete an NT service, type in the exact *service name as it appeared under the General tab for NetBTD. Click OK and allow the reboot.

---------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe
O4 - HKLM\..\RunServices: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe
O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing)
O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing)

Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Files and Folders if they still exist.

C:\WINDOWS\System32\ cnkdsk.exe
C:\WINDOWS\system32\ netbtd.exe
C:\WINDOWS\ Msnweb.exe
C:\WINDOWS\SYSTEM32\ eraseme_63476.exe
C:\WINDOWS\SYSTEM32\ i
msngrs.exe <--Do a search via Start>Search>All files and folders and delete if found.

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

---------------------------

Run Ewido again with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

---------------------------

Reboot into Normal Mode.

---------------------------

Run another scan at Kaspersky and post the results here along with the Ewido results and a new HijackThis log.

disco20 · 04-22-2006, 11:35 AM

Reid,
I've done the following processes:

1.) Everything with the MSAS (do you recommend I do not use this service
from now on?)

2.) Went to NETBTD via SERVICES.MSC, it was already stopped, but I followed through with your directions.

3.) Went to Windows web messenger via SERVICES.MSC, it was already
stopped, but I followed through with your directions.

4.) I went to Hijack This and when deleting both services the end of the
line said the (file missing).

5.) I rebooted in Safe Mode and ran Hijack This. I deleted the following
files:

O4 - HKLM\..\Run: [cnkdsk]
C:\WINDOWS\System32\cnkdsk.exe

O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe

O4 - HKLM\..\RunServices: [cnkdsk]
C:\WINDOWS\System32\cnkdsk.exe

These files were not present (I triple checked):

O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner -
C:\WINDOWS\system32\netbtd.exe (file missing)

O23 - Service: Windows web messenger - Unknown owner -
C:\WINDOWS\Msnweb.exe (file missing)

6.) I searched for all the files and deleted this:

C:\WINDOWS\SYSTEM32\eraseme_63476.exe

I had a question about one of the files you asked me to search for. When I
copied to Notepad the file looked like this:

C:\WINDOWS\SYSTEM32\i
msngrs.exe

I thought that was not what I was supposed to search for so I searched
for this:

C:\WINDOWS\SYSTEM32\imsngrs.exe

I hope that was correct. (PS on this area - At the end of this procedure I realized what you were asking and deleted C:\WINDOWS\SYSTEM32\i, but when I searched for msngrs.exe it did not exist)

7.) I ran Cleanup.

8.) I then ran Ewido. Below are the scan results

---------------------------------

------------------------
ewido anti-malware - Scan report
---------------------------------

------------------------

+ Created on:

12:28:28 PM, 4/20/2006
+ Report-Checksum:

778A0EEC

+ Scan result:

C:\System Volume
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A
0024797.dll -> Trojan.Sinowal.d :

Cleaned with backup

C:\System Volume
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A
0024798.exe -> Trojan.Sinowal.d :

Cleaned with backup

C:\System Volume
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A
0024799.exe -> Hijacker.Small.kr :

Cleaned with backup

C:\System Volume
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A
0024800.exe -> Backdoor.Rbot.avc :

Cleaned with backup

C:\System Volume Information\_restore{21D7D692-4662
-421F-93B0-877BC3820711}\RP30\A0024801.exe ->
Not-A-Virus.Hoax.Win32.Renos.bw :

Cleaned with backup

C:\System Volume
Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP32\A
0031981.exe -> Backdoor.SdBot.xd :

Cleaned with backup

::Report End

9.) When I rebooted in normal mode I was unsure that I gotten the updates
for Ewido, so I updated and ran again. Below are the results for that scan.

---------------------------------

------------------------
ewido anti-malware - Scan report
---------------------------------

------------------------

+ Created on:

5:49:15 PM, 4/20/2006
+ Report-Checksum:

81112F9C

+ Scan result:

C:\System Volume

Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A
0022814.exe -> Proxy.Small.bo :

Cleaned with backup

C:\System Volume Information\_restore{21D7D692-4662
-421F-93B0-877BC3820711}\RP30\A0023815.exe -> Proxy.Small.bo :

Cleaned with backup

::Report End

10.) When Ewido was running Avast popped up with a virus alert, I told it
to ignore the threat as not to interupt Ewido, so I then ran an Avast scan of
my system. Below are the results of that scan.

(PS on this area - I had originally placed the Ewido scan
results here, but they disappeared, along with the scan file saved on my
harddrive, and after several restarts, I once again scanned and place them in
this message in the correct chronolgocial order of this message.

11.) I then ran an Avast scan. After the scan was complete two Trojans
were found:

A.) country.exe
B.) c:\System Volume Information\_restore
{21D7D692-4662-421F-93B0-877BC3820711}\RP33\A0032005.exe

12.) Then I was forced to restart as the computer froze. Upon restart
Prevx1 found Msnweb.exe and I told the program to send it to jail, once
again the machine froze and I restarted. Upon this restart I pulled
up Windows Task Manager to look for Msnweb.exe, but it was not there. I
then pulled up Avast to check the files I had "Sent to the Chest" two start's
ago were still in the chest, they were not. This file had also been changed
(even though I had previously saved it) as the last Ewido scan was not
included in this text file.

13.) After the last Ewido scan msyteriously disappeared I thought I
would run another one. Those results are below.

---------------------------------

------------------------
ewido anti-malware - Scan report
---------------------------------

------------------------

+ Created on:

3:29:28 PM, 4/21/2006
+ Report-Checksum:

B3CB6891

+ Scan result:

:mozilla.16:C:\Documents and Settings\Scott
Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt ->
TrackingCookie.Tacoda : Cleaned with backup

:mozilla.17:C:\Documents and Settings\Scott Strickler\Application
Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt ->
TrackingCookie.Tacoda : Cleaned with backup

:mozilla.18:C:\Documents and Settings\Scott Strickler\Application
Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup

:mozilla.19:C:\Documents and Settings\Scott Strickler\Application
Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt ->
TrackingCookie.Tacoda : Cleaned with backup

:mozilla.20:C:\Documents and Settings\Scott Strickler\Application
Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt ->
TrackingCookie.Tacoda : Cleaned with backup

C:\System Volume Information\_restore{21D7D692-4662
-421F-93B0-877BC3820711}\RP33\A0032995.exe -> Backdoor.Rbot.avc :
Cleaned with backup

C:\WINDOWS\SYSTEM32\eraseme_61568.exe -> Backdoor.SdBot.aoy :
Cleaned with backup

::Report End

14.) I ran Kapersky and it found three virus'. Below is the report (I actually
had to run this scan three times as each time when the scan was
complete and I hit the 'Save As Text' Button the Window froze). So the
information below is all I could get. Sorry I could not complete the
instructions exactly as you had asked.

File Name Virus Name Send

C:\System Volum...}\RP30\A0022804.exe
Trojan-Down...in32.Harnig.bg send
(went to this file and deleted it)

C:\System Volum...}\RP30\A0023797.exe
Trojan-Down...in32.Harnig.bh send
(went to this file and deleted it)

C:\WINDOWS\SYSTEM32\i Trojan-Down...der.BAT.Ftp.ab
(went to this file and deleted it)

15.) Next I ran the Hijack this log and it is below:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:24 PM, on 4/22/2006
Platform: Windows XP SP1 (WinNT
5.01.2600)
MSIE: Internet Explorer v6.00 SP1
(6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\BroadJump\ClientFoundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\Notepad.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D
6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309
A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32]
"C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft
IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter]
C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent]
C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne]
C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg]
C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav]
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client
Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit]
C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C
608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C57
1A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0
318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046D
EA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F7
95683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/download
s/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF:
{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner)
-http://security.symantec.com/sscv6/S
haredContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF3
3E833C} (WUWebControl Class) -
http://update.microsoft.com/windows
update/v6/V5Controls/en/x86/client/wuweb_site.cab?1144592695466
O16 - DPF:
{644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
- http://security.symantec.com/sscv6/S
haredContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof
tupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) -
http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives
can/as5free/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha
redContent/common/bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) -
http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner
- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus -
Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program
Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology
Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks -
C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes -
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation -
C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP
- C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner -
C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service
(SandraDataSrv) - SiSoftware - C:\Program
Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc)
- TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Windows web messenger - Unknown owner -
C:\WINDOWS\Msnweb.exe (file missing)

16.) Just to let you know I am still having several problems with my
computer:

A.) It freezes a LOT
B.) It either refuses to save things (I hit the save button, but it is
unresponsive) or when I save something the machine freezes.
C.) Items pull up in the System Tray (that's what I call the area beside the
clock, I'm unsure if that is what it's univserally called) freeze and I cannot double click and pull them up - this happens most often with Windows
Task Manager
D.) The taskbar freezes and I cannot open programs from their.
I have begin to download all of the Mocrosoft Updates up to Service Pack
2 so my machine will be safer.

Thanks Again,

Scott

PS - When I copied this file from Notepad it was full of crazy spaces between the lines, if you have any question because I have incorerectly "corrected" a line please let me know.

Ried · 04-22-2006, 12:38 PM

You did great, Scott.

Please do not attempt to download SP2 until your system is more stable and all infections are cleaned.

To correct the spacing in Notepad, with Notepad open click on View and turn Word Wrap off.

Please copy these instructions to Notepad and save to your desktop for easy reference.

****************************************

Regarding your question about Microsoft Anti-Spyware, there are quite a few anti malware programs that we need to disable before performing fixes. They're just doing their job and not allowing changes to your system. I do recommend uninstalling MSAS, but for the following reason:

Special Note:
MicroSoft AntiSpyware Program:
Because of recent changes in the way this program now defines and detects spyware/adware, it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore”

These are some of the adware/spyware programs that this program will NOT prompt you to remove. Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula,TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted. We recommend you uninstall it.

Here are some other tools which will do the job quite well:

AdawareSE (free)
Spybot Search and Destroy (Teatimer Enabled) (free)
IESpy-Ad (free)
SpywareBlaster (free)
WinPatrol (free)
CounterSpy (free trial).

If you choose to keep it, please disable it as it may hinder our fixes below:

Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye].
Click on "Security Agents Status".
Click on "Disable real-time protection".
Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware.
Click on the Options menu and choose Settings. In the left pane column click on "Real Time Protection".
Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)"
Under Real-time spyware threat protection, uncheck and "Enable real-time spyware threat protection" (recommended).
Click the Save button and close Microsoft AntiSpyware.
Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware".

----------------------------------------

Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
(Remain connected to the internet) Run the program and click the Web button as shown here:

Use this URL to copy into the address bar of the Download script window:

http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

When it finishes running, click the Save button for a copy of the log.
Post the log created by the script when you have completed the fix.

-------------------------------

We need to repeat this procedure:

Click Start->Run - type SERVICES.MSC & then click on the OK button
*Locate the service - Windows web messenger
*Double-click on it to open the Properties dialog.
*Under the General tab: : <--Take note and write down the *Service name given as we will need it shortly.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the *Service Name you found in the General Tab for Windows web messenger . [b][color="Red"] click OK and allwo the reboot.

-------------------------------

Reboot into Safe Mode. (tapping F8 or F5)

Make sure the following is still in effect:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-------------------------------

Disable Microsoft Anti Spyware again if it's running as it will interfere.

-------------------------------

Run a scan in HijackThis. 'Check' the following if it still exists:

O23 - Service: Windows web messenger - Unknown owner -
C:\WINDOWS\Msnweb.exe (file missing)

Click 'Fix Checked' and close HijackThis.

---------------------------

Let's check again for the file and delete it if found:

C:\WINDOWS\ Msnweb.exe

---------------------------

Run Open Cleanup again. Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

---------------------------

Run Ewido again with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

---------------------------

Reboot into Normal Mode.

---------------------------

Run another online scan at Kaspersky and save the report.

In your next reply, I'll need the following:

BFU log
Ewido results
Kaspersky results
New HijackThis log

disco20 · 04-24-2006, 04:23 AM

Reid,
Thanks for the great help! I'm currently running:

AdawareSE
Spybot Search and Destroy (Teatimer Enabled)
IESpy-Ad
SpywareBlaster

I've also uninstalled the Microsoft Spyware Program.

1.) I ran BFU with the script you provided, but the first time I ran it the "Show log after script ends" box was not checked and the version I was using did not have a save button, I did run it again with that button pushed and the log is below. (I do hae a file called alcanshorty.bfu that was produced with the first scan, but I am unsure of how to open it if I need to post that, let me know and I will try to open and post that file.

BFU v1.00.9
Windows XP SP1 (WinNT 5.01.2600 SP1)
Script started at 4:21:52 PM, on 4/23/2006

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FolderDelete C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\hsperfdata_Scott Strickler (operation failed)
Failed: FolderDelete C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\Temporary Internet Files (operation failed)
Failed: FileDelete C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\~DF4693.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\~DF6321.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\~DF74C4.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\~WRF0000.tmp (operation failed)
Failed: FileDelete C:\WINDOWS\Temp\JETBE9C.tmp (operation failed)
Failed: FileDelete C:\WINDOWS\Temp\Perflib_Perfdata_480.dat (operation failed)
Failed: FileDelete C:\WINDOWS\Temp\Perflib_Perfdata_4e0.dat (operation failed)
Failed: FileDelete C:\WINDOWS\Temp\Perflib_Perfdata_67c.dat (operation failed)
Failed: FolderDelete C:\WINDOWS\Temp\_avast4_ (operation failed)
Failed: FileDelete C:\WINDOWS\Temp\{CE3E6AA4-16A5-44e2-863D-32BA5178BC62}3 (operation failed)
Failed: FileDelete C:\WINDOWS\Temp\{CE3E6AA4-16A5-44e2-863D-32BA5178BC62}4 (operation failed)
Failed: FolderDelete C:\Documents and Settings\Scott Strickler\Local Settings\Temporary Internet Files\Content.IE5\0GNOAN31 (operation failed)
Failed: FolderDelete C:\Documents and Settings\Scott Strickler\Local Settings\Temporary Internet Files\Content.IE5\4H6VKLMN (operation failed)
Failed: FolderDelete C:\Documents and Settings\Scott Strickler\Local Settings\Temporary Internet Files\Content.IE5\8S30VWMO (operation failed)
Failed: FolderDelete C:\Documents and Settings\Scott Strickler\Local Settings\Temporary Internet Files\Content.IE5\8UQM1J6R (operation failed)
Failed: FolderDelete C:\Documents and Settings\Scott Strickler\Local Settings\Temporary Internet Files\Content.IE5\C3K7VMY9 (operation failed)
Failed: FolderDelete C:\Documents and Settings\Scott Strickler\Local Settings\Temporary Internet Files\Content.IE5\MNEVSNE9 (operation failed)
Failed: FolderDelete C:\Documents and Settings\Scott Strickler\Local Settings\Temporary Internet Files\Content.IE5\OFKXKTY3 (operation failed)
Failed: FolderDelete C:\Documents and Settings\Scott Strickler\Local Settings\Temporary Internet Files\Content.IE5\RV7PCM41 (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderCreate C:\bintheredunthat (folder already exists)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

2.) I did the SERVICES.MSC part, the service was already stopped, but I changed the startup type from automatic to disabled. Then I completed the HiJack This procedure which said it removed the file.

3.) Went through the My Computer steps and they were all already correctly done!

4.) When I ran HiJack This and looked for
O23 - Service: Windows web messenger - Unknown owner -
C:\WINDOWS\Msnweb.exe (file missing)
it was not there. I did include the Hijack Log from this scan in case I missed anything.

Logfile of HijackThis v1.99.1
Scan saved at 4:48:42 PM, on 4/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Notepad.exe
C:\WINDOWS\Notepad.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Microsoft schedule] msngrs.exe
O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

5.) I then searched for C:\WINDOWS\Msnweb.exe
Fortunately nothing came up.

6.) I then ran CleanUp!

7.) Once again when I restarted in Safe mode I had forgotten to update Ewido with the Internet so I ran a scan in Safe Mode and then rebooted into normal mode and then checked for Updates and ran Ewido again.

This is the Safe Mode/Unupdated since I last scanned log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:17:57 PM, 4/23/2006
+ Report-Checksum: 754A95B4

+ Scan result:

:mozilla.26:C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\SYSTEM32\msngrs.exe -> Backdoor.Rbot.arw : Cleaned with backup
C:\WINDOWS\SYSTEM32\setup_30403.exe -> Backdoor.Rbot.avc : Cleaned with backup

::Report End

This is the updated Scan:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:17:59 AM, 4/24/2006
+ Report-Checksum: 77905A2B

+ Scan result:

C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP46\A0036065.exe -> Backdoor.Rbot.arw : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP46\A0036066.exe -> Backdoor.Rbot.avc : Cleaned with backup

::Report End

8.) Then came the Kapersky Report posted below. I did forget to turn off the Avast Antiviral Program and an eraseme_6358 (Not sure on the exact name as it showed up at 1:02 AM Monday morning) and I deleted it. Sorry I missed the exact name. I then stopped the scan, restarted it and went to bed hoping it all went well!

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, April 24, 2006 06:13:38
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/04/2006
Kaspersky Anti-Virus database records: 189747
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 76999
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 3881 sec

Infected Object Name - Virus Name
C:\WINDOWS\SYSTEM32\i Infected: Trojan-Downloader.BAT.Ftp.ab (I went and deleted this files, AGAIN! I knew that I deleted it before on your instruction.)

Scan process completed.

And this may be a dumb question, but does it interfere with Kapersky if I am running other programs while it runs, today is the first time I have done that and I was just downlaoding a Window Security update. Let me know if other process interfer with how it runs, I've noticed you always mention not to run anything else while using Ewido, so I make sure not to when I am using that program.

9.) Finally I ran another HiJack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:19:06 AM, on 4/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\Dit.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Notepad.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

10.) Most system problems are disappearing, but it is still near impossible to save anything. If I go to a pull down menu to change locations from where the computer wants me to save it is going to crash the program.

Ried · 04-24-2006, 07:10 AM

Hi Scott,

We need to create a new System Restore point:

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK

----------------------------------

I'd like you to try again to get an online scan at Panda, it may reveal files that Kaspersky is not. Check your Firewall settings, and make sure your Firewall is not blocking the download of the Active X.

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
Click on see report. Then click Save report

Please post that log in your next reply along with a new HijackThis log.

----------------------------------

Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here.

Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here.

disco20 · 04-24-2006, 03:09 PM

Hello Ried,
Hope you are doing well. I am posting while Panda Activescan 5.53.00 is downloading the files it needs, hopefully it will work this time. But anyway I wanted to post before I forgot that I accidentally forgot to turn off Avast while the download was starting and a virus alert popped up for:

Win32.CTX

I found this info from Kapersky:

http://www.avp.ch/avpve/newexe/win32/ctx.stm

And I was wandering if I should worry about this because I did turn off Avast and restarted the downlaod process, hopefully this won't cause furthur problems since I assuming that it will find its way onto my computer. Oh, and I do not have a firewall yet, but I will be downloading ZoneAlarm as soon as all this mess is cleaned up. or should I go ahead and downlaod it now?

Thanks Again!

Scott

Ried · 04-24-2006, 03:34 PM

Hi Scott,

I need to know where Avast found that infection. If it produces a log for you, post the location of the infection here along with the Panda results.

After the Panda scan has completed, go ahead and download and install ZoneAlarm.

After you download the ActiveX for Panda, you do not need to remain online, it will continue to scan your computer. You do need to reconnect to Panda to view and Save the report.

disco20 · 04-24-2006, 04:00 PM

Ried,
Here are excerpt from the log (I tried to save it, but the program froze

)

Application Description

System 1160 Sign of "Win32:Sdbot-3015 [Trj]" has been found in
"C:\Windows\System32\eraseme_62078.exe" file

System 1156 Sign of "Win32:CTX has been found in
"http://acs.pandasoftware.com/activescan/ac5free/motor.cab/pskavs.DLL" file

Another virus I have been wondering about is C:\Windows\country.exe that avast stopped a while ago.

Ried · 04-24-2006, 04:15 PM

Hi Scott,

Quote:

Another virus I have been wondering about is C:\Windows\country.exe that avast stopped a while ago.

That entry is why I had you download and run the BFU script. That script took care of that entry as well as many others associated with that infection that may not have been visible to us at that point.

This entry keeps turning up in these online scans:C:\Windows\System32\eraseme_62078.exe We need to find what's holding it in place. Follow my instructions in Post #14 for WinPFind and post that log here along with a new HijackThis log.

disco20 · 04-25-2006, 05:35 PM

Ried,

1.) I created a restore point (while I was downloading the Panda Scan files).

2.) Several weird things happened while I was downlaoding the files, the first is from the post above, the second was when my connection failed and a box came up saying "winscntrl has encountered a problem and needs to close. We are sorry for the inconvenience." I looked up some material on this and it seems like ANOTHER virus!

http://fileinfo.prevx.com/QQfaf01768...CNTRL.EXE.html

http://www.bleepingcomputer.com/star...exe-14688.html

I let the scan finish (I scanned My Computer) and here are the results:

Incident Status Location

Adware:adware/24-7-search Not disinfected c:\windows\system32\unPPC.exe
Adware:adware/secure32 Not disinfected c:\program files\secure32.html
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@banner[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\heatherstrickler@earthlink.net\Cookies\heather strickler@ct.360i[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\heather strickler@www.affiliatefuel[1].txt
Spyware:Cookie/Pollstar Not disinfected C:\Documents and Settings\Heather Strickler\Application Data\Earthlink\6.0\scottstrickler@earthlink.net\Cookies\scott strickler@pollstar[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies-1.txt[.apmebf.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt[.com.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt[.atwola.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt[.toplist.cz/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt[.gostats.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt[.apmebf.com/]
Virus:W32/Sdbot.FOJ.worm (Located at C:\WINDOWS\eraseme_30426) Disinfected C:\WINDOWS\SYSTEM32\eraseme_30426.exe
Virus:W32/Sdbot.ftp (Located at C:\WINDOWS\i) Disinfected C:\WINDOWS\SYSTEM32\i

3.) Next I ran a Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 9:12:25 PM, on 4/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\Dit.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC1A313-FDED-4C18-8214-67618808CFA9}: NameServer = 204.116.57.2 206.74.254.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

4.) I installed ZoneAlarm (I had to do a little Registry Editing, but I finally got it to work. One of the first things that pooped up was:

ZoneAlarm blocked traffic to port 0 on your machine from port 0 on a remote computer whose IP address is 207.144.84.193. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.

Hope that was something that needed to be stopped.

5.) I resterted in Safe Mode and ran WinPFind.exe below is the log.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
PEC2 8/21/2005 12:52:26 PM 746600 C:\Program Files\GoogleDesktopSearchSetup.exe
PECompact2 8/21/2005 12:52:26 PM 746600 C:\Program Files\GoogleDesktopSearchSetup.exe
PEC2 8/24/2005 10:55:28 PM 1384536 C:\Program Files\GoogleDesktopSetup.exe
PECompact2 8/24/2005 10:55:28 PM 1384536 C:\Program Files\GoogleDesktopSetup.exe
UPX! 8/24/2005 10:53:46 PM 921280 C:\Program Files\googletalk-setup.exe
UPX! 4/23/2003 9:39:08 PM 49152 C:\Program Files\Install EclipseCrossword.exe
UPX! 9/6/2004 7:30:40 PM 6192499 C:\Program Files\ThunderbirdSetup-0.7.3.exe

Checking %WinDir% folder...
UPX! 12/21/1999 7:58:02 AM 21312 C:\WINDOWS\choice.exe

Items found in C:\WINDOWS\hosts

Checking %System% folder...
UPX! 1/27/2006 6:38:10 PM 503296 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/18/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
Umonitor 5/15/2002 6:09:14 PM 324096 C:\WINDOWS\SYSTEM32\ipebase11.dll
PTech 2/14/2006 9:20:14 AM 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 3/9/2006 4:21:10 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2006 4:21:10 PM 4799320 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/29/2002 6:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/18/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
PTech 1/30/2003 12:12:26 PM 239623 C:\WINDOWS\SYSTEM32\~

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/24/2006 11:58:38 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
4/9/2006 9:55:18 AM H 0 C:\WINDOWS\INF\oem14.inf
4/9/2006 10:30:18 AM H 0 C:\WINDOWS\INF\oem15.inf
4/10/2006 6:10:20 PM H 0 C:\WINDOWS\INF\oem38.inf
4/23/2006 6:37:28 PM H 0 C:\WINDOWS\LastGood\INF\Iesetup.inf
4/23/2006 6:37:28 PM H 0 C:\WINDOWS\LastGood\INF\Iesetup.PNF
4/12/2006 7:22:14 PM H 0 C:\WINDOWS\LastGood\INF\oem35.inf
4/12/2006 7:22:14 PM H 0 C:\WINDOWS\LastGood\INF\oem35.PNF
4/11/2006 8:46:26 AM H 0 C:\WINDOWS\LastGood.Tmp\INF\oem29.inf
4/11/2006 8:46:26 AM H 0 C:\WINDOWS\LastGood.Tmp\INF\oem29.PNF
4/11/2006 8:32:10 AM H 0 C:\WINDOWS\LastGood.Tmp\INF\oem40.inf
4/11/2006 8:32:10 AM H 0 C:\WINDOWS\LastGood.Tmp\INF\oem40.PNF
4/11/2006 8:38:30 AM H 10703680 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0b6d86f526d6a471e29c08891cfb70fb\BIT3.tmp
4/9/2006 9:01:58 PM H 5319000 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\483b14dfd4304c14bae99ca9db08dab8\BITB.tmp
4/11/2006 8:38:30 AM H 10111792 C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\76cb1410d4a5bc8898a76fb79f48d383\BIT1.tmp
4/24/2006 11:26:12 PM H 35876 C:\WINDOWS\SYSTEM32\vsconfig.xml
4/24/2006 11:19:20 PM H 4212 C:\WINDOWS\SYSTEM32\zllictbl.dat
3/13/2006 4:45:34 PM S 7898 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911565.cat
3/8/2006 3:59:38 AM S 9341 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914798.cat
4/24/2006 11:55:50 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
4/24/2006 11:59:10 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
4/24/2006 11:58:42 PM H 20480 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
4/25/2006 12:00:56 AM H 90112 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
4/24/2006 11:54:40 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
4/9/2006 11:11:04 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
4/11/2006 4:14:32 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\5c5fa4e7-e5e1-4a36-8dae-1dea57ec69e8
4/11/2006 4:14:32 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
4/10/2006 6:10:40 PM RHS 13698 C:\WINDOWS\SYSTEM32\Restore\filelist.xml
4/24/2006 11:54:28 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 6:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 3/19/1998 2:00:00 AM 18432 C:\WINDOWS\SYSTEM32\Audiohq.cpl
5/24/2002 12:45:48 PM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Creative Technology Ltd. 8/24/2000 2:56:00 AM 228352 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
12/17/2002 1:00:50 PM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 10:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/18/2001 7:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/18/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/18/2001 7:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 8/18/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Oracle 5/8/2003 3:35:36 PM 45153 C:\WINDOWS\SYSTEM32\plugincpl13113.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 11/6/2002 8:21:06 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Intel Corporation 8/16/2002 4:52:12 PM 774144 C:\WINDOWS\SYSTEM32\PROSetp.cpl
SiSoftware 6/29/2005 6:00:10 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
Microsoft Corporation 8/29/2002 6:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/18/2001 7:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
WIBU-SYSTEMS AG 12/27/2001 10:59:22 AM 716800 C:\WINDOWS\SYSTEM32\Wibuke32.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 7:00:00 AM 66048 C:\WINDOWS\SYSTEM32\DLLCACHE\access.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
3/15/2006 1:35:28 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
11/15/2001 8:31:16 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
12/16/2002 6:44:06 PM 1323 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/15/2001 8:23:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
9/15/2003 8:59:30 PM 15 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt
5/1/2005 7:19:52 PM 15 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
1/23/2006 5:32:26 PM 1047 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
11/15/2001 8:31:16 AM HS 84 C:\Documents and Settings\Scott Strickler\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
3/29/2005 9:59:32 PM 1256 C:\Documents and Settings\Scott Strickler\Application Data\AdobeDLM.log
11/15/2001 8:23:32 AM HS 62 C:\Documents and Settings\Scott Strickler\Application Data\DESKTOP.INI
3/29/2005 9:59:32 PM 0 C:\Documents and Settings\Scott Strickler\Application Data\dm.ini
4/4/2006 10:39:22 PM 2112 C:\Documents and Settings\Scott Strickler\Application Data\evpro32.prf
9/6/2004 9:31:14 PM 64208 C:\Documents and Settings\Scott Strickler\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
INFOAVE5 = IEAKInfo Avenue Internet Servic

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Program Files\TuneUp Utilities 2006\sdshelex.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{00020000-0000-1011-8004-0000C06B5161}
= C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{FED7043D-346A-414D-ACD7-550D052499A7}
= C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class =
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
= C:\Program Files\Microsoft Money\System\mnyside.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{4D5C8C2A-D075-11D0-B416-00C04FB90376} = Microsoft CommBand : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
type32 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
IntelliPoint "C:\Program Files\Microsoft IntelliPoint\point32.exe"
DU Meter C:\Program Files\DU Meter\DUMeter.exe
WinampAgent C:\Program Files\Winamp\winampa.exe
Google Desktop Search "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
PrevxOne C:\Program Files\Prevx1\PXConsole.exe
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
UpdReg C:\WINDOWS\Updreg.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
RoxioDragToDisc "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
hppwrsav C:\SCANJET\PrecisionScanLT\hppwrsav.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
Dit Dit.exe
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
BCMSMMSG BCMSMMSG.exe
AHQInit C:\Program Files\Creative\SBLive\Program\AHQInit.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect
backup C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\DIGITA~1\DLG.exe
item Digital Line Detect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
location Common Startup
item Microsoft Office
location Common Startup
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk
backup C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
item Microsoft Works Calendar Reminders
backup C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
item Microsoft Works Calendar Reminders

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AutoUpdater
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aupdate
hkey HKCU
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aupdate
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Bart Station
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item station
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item station
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ConMgr.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ConMgr
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ConMgr
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\E6TaskPanel
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TaskPanl
hkey HKCU
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item TaskPanl
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Works Update Detection
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WkDetect
hkey HKCU
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WkDetect
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NAV Agent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item navapw32
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item navapw32
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rb32 lptt01
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rb32
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rb32
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun _

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/25/2006 12:11:15 AM

6.) Last, but not least I restarted in Normal mode and ran a Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:24 PM, on 4/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) -
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

If you see any programs that could be removed to make startup quicker I am all about that!

Thanks Again!

PS - I will once again be out of town Tommorrow morning til Friday evening, I will try to complete whatever helpful instructions you have for this round, but I may be able to post them tonight or it may have to wait until the end of week.

Ried · 04-25-2006, 08:43 PM

Hi Scott,

Once again, nice work.

Download these 3 programs first, then disconnect from the internet and run them in the same sequence as listed for download:

Download RapidBlaster Killer. Save it to your desktop but do not run it yet.

Download McAfee AVERT Stinger. Save it to your desktop but do not run it yet.

Download KillBox. (it's important that you get version v2.0.0.175)

----------------------------------------

Disconnect from the internet.

----------------------------------------

Disable the following anti-malware programs as they may interfere with the following fixes:

Open ewido by double-clicking the yellow 'e' icon in the system tray.
In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup.

Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose "Show Management Console".
On the Management Console click the Protection Level drop-down menu. You will see three levels:
Maximum

Off

User Defined
To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
Click the X on the upper right hand corner to exit the Management console.

----------------------------------------

Run RapidBlaster Killer

Run Stinger

----------------------------------------

Reboot into Safe Mode.

----------------------------------------

Launch KillBox.exe & select the following options:

delete on Reboot
All files (if available)

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

c:\windows\system32\unPPC.exe
c:\program files\secure32.html
C:\Windows\System32\winscntrl.exe

Go to the File menu, and choose Paste from Clipboard
*Click on the dropdown menu next to Full Path of File to Delete field.
*Verify that the filenames you pasted are found there

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click NO at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

--------------------------------

Clear Mozilla Firefox cookies:
Open the Mozilla Browser, (you do not need to be online to do this) Click Tools>Options>Privacy>Cookies>Clear

Clear Internet Explorer Cookies:
Launch Internet Explorer>Tools>Internet Options>Delete Cookies

--------------------------------

Run Ewido again allowing it to clean/remove anything it finds.

--------------------------------

Reboot into Normal Mode.

--------------------------------

Run another online scan at Panda and post the results here along with the Ewido results and a new HijackThis log.

04-11-2006, 06:40 PM	#1 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	HJT Log, Trojan found, web pages not connecting or slow and computer freezing! First off, whomever you are thank you for the help. My computer is running badly. I have AVAST Anti-virus installed and I ran an AdAware and Spybot scan. My computer will not always allow page to be connected to thi internet via Firefox or IE, not allow saves, or completely freeze up, I am waaayyy behind on Microsoft update (I only just installed SP1 yesterday) and I will fully update once this is fixed as well as install a proper firewall. I am on a dial-up modem, so I could not run an internet scan. Several days ago my Word and JPG files disappeared. I knew something was up so I began to search for processes in Windows Task Manager and using google.com I found several virus's, found that the Internet was slow and other virus's were being installed. When I ran CWShredder one CWS was removed. I am currently running McAffee Stinger (it did find a Trojan Virus and ignorantly I closed it in joy without noting the exact virus, sorry), and I'm going to try a program called PREVX1 to solve more problems. In using the Windows Task Mangaer I stop a program called netbtd.exe and I cannot stop Msnweb.exe and it will temporarily allow the Internet to be accessed. Any and all help is greatly appreciated. Thank You, Scott Strickler Logfile of HijackThis v1.99.1 Scan saved at 8:34:50 PM, on 4/11/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\WINDOWS\System32\devldr32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\DU Meter\DUMeter.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\SCANJET\PrecisionScanLT\hppwrsav.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\WINDOWS\Dit.exe C:\WINDOWS\DitExp.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\BCMSMMSG.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [Dit] Dit.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966 O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

04-12-2006, 07:43 AM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	Hello Scott and welcome, I see that you have msconfig enabled. This may prevent us from seeing everything on your system. Please go to Start>Run type msconfig press Enter and enable all startups by selecting Normal Startup - Load all Device Drivers and Services, reboot and post a new log. We can't remove what we can't see. If you're going to run PREVX1, wait until you complete that, then run a new scan with HijackThis and post the log here. If you can, save the log from PREVX and post that here as well. ------------------------------------- You should be able to download the following program as the link should pop up a File Download Dialog Box for you. If you are having trouble downloading , use another PC to download the program to a CD and bring to this PC. Download Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. NOTE Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility. Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. Reboot/logoff when prompted. * CleanUp! will not create any backups!! ------------------------------------------------ Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. ------------------------------------------------ Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop ** Ewido scan would require at least an hour. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner. ------------------------------------------------ Reboot into Safe Mode. ------------------------------------------------ Please post the results of the Ewido scan along with a new HijackThis log and the log from PREVX1. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-13-2006, 07:40 AM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	Hi Scott, If you no longer use Symantec, you can fix these entries in HijackThis. Please close any open browsers and other programs you may have open. Run a scan in HijackThis. 'Check' each of the following: R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab Click 'Fix Checked' and close HijackThis. ----------------------------------- I'd like to do one more check to make sure nothing is lurking: Perform an online scan using Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report Please post that log in your next reply along with a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-13-2006, 10:58 AM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	Just post the results here when you get that scan done. I am subscribed to this thread so I receive notification when you reply. Enjoy your weekend. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-17-2006, 07:06 AM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	Hi disco20, Let's make sure the IE's ActiveX settings will allow you to access the page properly: Tools>Internet Options>Security tab Ensure that default level of medium is in effect. Also, on the Advanced tab, ensure that "Reuse windows for launching shortcuts" is checked. If you're still having problems, try this online scanner: Please perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply along with a new HijackThis log. * Turn off the real time scanner of any existing antivirus program while performing the online scan __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-13-2006, 10:52 AM	#5 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, I will be going out of town this evening, so I will not be able to run that scan until Sunday evening or Monday morning. Would you like me to just post here or PM you when I have posted. Once again thank you for your time and help.

04-16-2006, 09:08 PM	#7 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	I have been tryin to run the Panda Scan, but I keep getting this message: Error on downloading ActiveScanAn error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are: Not allowing the application's ActiveX control to be downloaded. Problems with the Internet connection. The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... I am allowing ActiveX Controls, My D/L meter is informing me that the connection is on and staying on, and I have enough harddrive space and adminstrator privledges. Do you have any advice? Thanks.

04-19-2006, 10:27 AM	#9 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, I've completed the Kapersky scan and it found 8 virus's and 10 infected files. I will include that log below as well as a rebooted (in normal mode) Hijack This log. Thanks Again! During the Kapersky scan I also encountered this problem (it came up in a new pop-up window): Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience. These were the documents that were affected in that problem: C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\WER25A5.tmp.dir00\svchost.exe.mdmp C:\DOCUME~1\SCOTTS~1\LOCALS~1\Temp\WER25A5.tmp.dir00\appcompat.txt Also the toolbar periodically changed from XP format to the Classic format without prompting and the Internet would disconnect itself, but when I went to reconnect (I'm still on dial-up) the prompt said it was still connected and refused to disconnect. Below are the Kapersky results: ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Wednesday, April 19, 2006 11:57:40 Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 19/04/2006 Kaspersky Anti-Virus database records: 188906 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 73258 Number of viruses found: 8 Number of infected objects: 10 Number of suspicious objects: 0 Duration of the scan process: 3756 sec Infected Object Name - Virus Name C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0022804.exe Infected: Trojan-Downloader.Win32.Harnig.bg C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0022814.exe Infected: Trojan-Proxy.Win32.Small.bo C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0023797.exe Infected: Trojan-Downloader.Win32.Harnig.bh C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0023815.exe Infected: Trojan-Proxy.Win32.Small.bo C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0024797.dll Infected: Trojan-PSW.Win32.Sinowal.d C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0024798.exe Infected: Trojan-PSW.Win32.Sinowal.d C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0024799.exe Infected: Trojan-Clicker.Win32.Small.kr C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A0024801.exe Infected: not-virus:Hoax.Win32.Renos.cn C:\WINDOWS\SYSTEM32\eraseme_63476.exe Infected: Backdoor.Win32.SdBot.xd C:\WINDOWS\SYSTEM32\i Infected: Trojan-Downloader.BAT.Ftp.ab Scan process completed. Logfile of HijackThis v1.99.1 Scan saved at 12:16:26 PM, on 4/19/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe C:\Program Files\Prevx1\PXAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\devldr32.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\DU Meter\DUMeter.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Prevx1\PXConsole.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\WINDOWS\System32\cidaemon.exe C:\SCANJET\PrecisionScanLT\hppwrsav.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\WINDOWS\Dit.exe C:\WINDOWS\DitExp.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Palm\HOTSYNC.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Dit] Dit.exe O4 - HKLM\..\Run: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe O4 - HKLM\..\RunServices: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1144592695466 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144593165966 O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha.../bin/cabsa.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing) O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing) I know I've said it many times, but you are really helping me out and I greatly appreciate it.

04-19-2006, 06:29 PM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	Hi disco, Ok, let's go after all of it now. Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Please disable the following program as it may hinder our fixes below: Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye]. Click on "Security Agents Status". Click on "Disable real-time protection". Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware. Click on the Options menu and choose Settings. In the left pane column click on "Real Time Protection". Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)" Under Real-time spyware threat protection, uncheck and "Enable real-time spyware threat protection" (recommended). Click the Save button and close Microsoft AntiSpyware. Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware". Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - NetBTD(ntbtd)* Double-click on it to open the Properties dialog. Under the General tab: : *<--Take note and write down the Service name given --It is case sensitive, note which one it is using, either ntbtd or NetBTD as we will need it shortly.** Stop the service by using the Stop* button. Change the Startup type to Disabled* & then click on the OK button Still within services.msc: Locate the service - Windows web messenger* Double-click on it to open the Properties dialog. Under the General tab: *<--Take note and write down the Service name given as we will need it shortly.** Stop the service by using the Stop* button. Change the Startup type to Disabled* & then click on the OK button Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in the Service Name you found in the General Tab for Windows web messenger . Do NOT allow a reboot yet. Still within Delete an NT service, type in the exact service name as it appeared under the General tab for NetBTD. Click OK and allow the reboot. --------------------------- Next, please reboot your computer in Safe Mode* by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. --------------------------- Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe O4 - HKLM\..\RunServices: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing) O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing) Click 'Fix Checked' and close HijackThis. --------------------------- Delete the following Files and Folders if they still exist. C:\WINDOWS\System32\ cnkdsk.exe C:\WINDOWS\system32\ netbtd.exe C:\WINDOWS\ Msnweb.exe C:\WINDOWS\SYSTEM32\ eraseme_63476.exe C:\WINDOWS\SYSTEM32\ i msngrs.exe <--Do a search via Start>Search>All files and folders and delete if found. --------------------------- Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" *Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. --------------------------- Run Ewido again with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop --------------------------- Reboot into Normal Mode. --------------------------- Run another scan at Kaspersky and post the results here along with the Ewido results and a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-22-2006, 11:35 AM	#11 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Reid, I've done the following processes: 1.) Everything with the MSAS (do you recommend I do not use this service from now on?) 2.) Went to NETBTD via SERVICES.MSC, it was already stopped, but I followed through with your directions. 3.) Went to Windows web messenger via SERVICES.MSC, it was already stopped, but I followed through with your directions. 4.) I went to Hijack This and when deleting both services the end of the line said the (file missing). 5.) I rebooted in Safe Mode and ran Hijack This. I deleted the following files: O4 - HKLM\..\Run: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe O4 - HKLM\..\RunServices: [Microsoft schedule] msngrs.exe O4 - HKLM\..\RunServices: [cnkdsk] C:\WINDOWS\System32\cnkdsk.exe These files were not present (I triple checked): O23 - Service: NetBTD(ntbtd) (NetBTD) - Unknown owner - C:\WINDOWS\system32\netbtd.exe (file missing) O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing) 6.) I searched for all the files and deleted this: C:\WINDOWS\SYSTEM32\eraseme_63476.exe I had a question about one of the files you asked me to search for. When I copied to Notepad the file looked like this: C:\WINDOWS\SYSTEM32\i msngrs.exe I thought that was not what I was supposed to search for so I searched for this: C:\WINDOWS\SYSTEM32\imsngrs.exe I hope that was correct. (PS on this area - At the end of this procedure I realized what you were asking and deleted C:\WINDOWS\SYSTEM32\i, but when I searched for msngrs.exe it did not exist) 7.) I ran Cleanup. 8.) I then ran Ewido. Below are the scan results --------------------------------- ------------------------ ewido anti-malware - Scan report --------------------------------- ------------------------ + Created on: 12:28:28 PM, 4/20/2006 + Report-Checksum: 778A0EEC + Scan result: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A 0024797.dll -> Trojan.Sinowal.d : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A 0024798.exe -> Trojan.Sinowal.d : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A 0024799.exe -> Hijacker.Small.kr : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A 0024800.exe -> Backdoor.Rbot.avc : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662 -421F-93B0-877BC3820711}\RP30\A0024801.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP32\A 0031981.exe -> Backdoor.SdBot.xd : Cleaned with backup ::Report End 9.) When I rebooted in normal mode I was unsure that I gotten the updates for Ewido, so I updated and ran again. Below are the results for that scan. --------------------------------- ------------------------ ewido anti-malware - Scan report --------------------------------- ------------------------ + Created on: 5:49:15 PM, 4/20/2006 + Report-Checksum: 81112F9C + Scan result: C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP30\A 0022814.exe -> Proxy.Small.bo : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662 -421F-93B0-877BC3820711}\RP30\A0023815.exe -> Proxy.Small.bo : Cleaned with backup ::Report End 10.) When Ewido was running Avast popped up with a virus alert, I told it to ignore the threat as not to interupt Ewido, so I then ran an Avast scan of my system. Below are the results of that scan. (PS on this area - I had originally placed the Ewido scan results here, but they disappeared, along with the scan file saved on my harddrive, and after several restarts, I once again scanned and place them in this message in the correct chronolgocial order of this message. 11.) I then ran an Avast scan. After the scan was complete two Trojans were found: A.) country.exe B.) c:\System Volume Information\_restore {21D7D692-4662-421F-93B0-877BC3820711}\RP33\A0032005.exe 12.) Then I was forced to restart as the computer froze. Upon restart Prevx1 found Msnweb.exe and I told the program to send it to jail, once again the machine froze and I restarted. Upon this restart I pulled up Windows Task Manager to look for Msnweb.exe, but it was not there. I then pulled up Avast to check the files I had "Sent to the Chest" two start's ago were still in the chest, they were not. This file had also been changed (even though I had previously saved it) as the last Ewido scan was not included in this text file. 13.) After the last Ewido scan msyteriously disappeared I thought I would run another one. Those results are below. --------------------------------- ------------------------ ewido anti-malware - Scan report --------------------------------- ------------------------ + Created on: 3:29:28 PM, 4/21/2006 + Report-Checksum: B3CB6891 + Scan result: :mozilla.16:C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.17:C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.18:C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.19:C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup :mozilla.20:C:\Documents and Settings\Scott Strickler\Application Data\Mozilla\Firefox\Profiles\default.axe\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup C:\System Volume Information\_restore{21D7D692-4662 -421F-93B0-877BC3820711}\RP33\A0032995.exe -> Backdoor.Rbot.avc : Cleaned with backup C:\WINDOWS\SYSTEM32\eraseme_61568.exe -> Backdoor.SdBot.aoy : Cleaned with backup ::Report End 14.) I ran Kapersky and it found three virus'. Below is the report (I actually had to run this scan three times as each time when the scan was complete and I hit the 'Save As Text' Button the Window froze). So the information below is all I could get. Sorry I could not complete the instructions exactly as you had asked. File Name Virus Name Send C:\System Volum...}\RP30\A0022804.exe Trojan-Down...in32.Harnig.bg send (went to this file and deleted it) C:\System Volum...}\RP30\A0023797.exe Trojan-Down...in32.Harnig.bh send (went to this file and deleted it) C:\WINDOWS\SYSTEM32\i Trojan-Down...der.BAT.Ftp.ab (went to this file and deleted it) 15.) Next I ran the Hijack this log and it is below: Logfile of HijackThis v1.99.1 Scan saved at 12:48:24 PM, on 4/22/2006 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\Microsoft SQL Server\MSSQL$NR2005\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe C:\WINDOWS\System32\cidaemon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\devldr32.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\DU Meter\DUMeter.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\SCANJET\PrecisionScanLT\hppwrsav.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe C:\WINDOWS\Dit.exe C:\WINDOWS\DitExp.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\BroadJump\ClientFoundation\CFD.exe C:\WINDOWS\BCMSMMSG.exe C:\Palm\HOTSYNC.EXE C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe C:\WINDOWS\System32\cmd.exe C:\WINDOWS\System32\taskmgr.exe C:\WINDOWS\Notepad.exe C:\Documents and Settings\Scott Strickler\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phishhook.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citcom.net R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D 6BE0B3} - (no file) O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309 A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [Dit] Dit.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C 608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C57 1A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0 318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046D EA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F7 95683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O14 - IERESET.INF: START_PAGE_URL=http://www.citcom.net O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/download s/kws/kavwebscan_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -http://security.symantec.com/sscv6/S haredContent/vc/bin/AvSniff.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF3 3E833C} (WUWebControl Class) - http://update.microsoft.com/windows update/v6/V5Controls/en/x86/client/wuweb_site.cab?1144592695466 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S haredContent/common/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof tupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144593165966 O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives can/as5free/asinst.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sha redContent/common/bin/cabsa.cab O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: NeatReceipts Auto Backup - Digital Business Processes - C:\Program Files\NeatReceipts Professional\exec\NeatReceiptsAutoBackup.exe O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing) O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing) 16.) Just to let you know I am still having several problems with my computer: A.) It freezes a LOT B.) It either refuses to save things (I hit the save button, but it is unresponsive) or when I save something the machine freezes. C.) Items pull up in the System Tray (that's what I call the area beside the clock, I'm unsure if that is what it's univserally called) freeze and I cannot double click and pull them up - this happens most often with Windows Task Manager D.) The taskbar freezes and I cannot open programs from their. I have begin to download all of the Mocrosoft Updates up to Service Pack 2 so my machine will be safer. Thanks Again, Scott PS - When I copied this file from Notepad it was full of crazy spaces between the lines, if you have any question because I have incorerectly "corrected" a line please let me know.

04-22-2006, 12:38 PM	#12 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	You did great, Scott. Please do not attempt to download SP2 until your system is more stable and all infections are cleaned. To correct the spacing in Notepad, with Notepad open click on View and turn Word Wrap off. Please copy these instructions to Notepad and save to your desktop for easy reference. ************************************** Regarding your question about Microsoft Anti-Spyware, there are quite a few anti malware programs that we need to disable before performing fixes. They're just doing their job and not allowing changes to your system. I do recommend uninstalling MSAS, but for the following reason: Special Note: MicroSoft AntiSpyware Program: Because of recent changes in the way this program now defines and detects spyware/adware, it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore” These are some of the adware/spyware programs that this program will NOT prompt you to remove. Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula,TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted. We recommend you uninstall it. Here are some other tools which will do the job quite well: AdawareSE (free) Spybot Search and Destroy (Teatimer Enabled) (free) IESpy-Ad (free) SpywareBlaster (free) WinPatrol (free) CounterSpy (free trial). If you choose to keep it, please disable it as it may hinder our fixes below: Right-click on the Microsoft Anti-Spyware icon in the system tray [it's the one with the red and yellow bulls-eye]. Click on "Security Agents Status". Click on "Disable real-time protection". Next right-click on the Microsoft Anti-Spyware icon in the system tray again to open Microsoft Anti-Spyware. Click on the Options menu and choose Settings. In the left pane column click on "Real Time Protection". Under Startup Options, uncheck "Enable (MSAS) Security Agents on startup (recommended)" Under Real-time spyware threat protection, uncheck and "Enable real-time spyware threat protection" (recommended). Click the Save button and close Microsoft AntiSpyware. Finally, right-click on the MSAS icon in the system tray and select "Shutdown Microsoft Antispyware". ---------------------------------------- Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip (Remain connected to the internet) Run the program and click the Web button as shown here: Use this URL to copy into the address bar of the Download script window: http://metallica.geekstogo.com/alcanshorty.bfu Execute the script by clicking the Execute button. If you have any questions about the use of BFU please read here: http://metallica.geekstogo.com/BFUinstructions.html When it finishes running, click the Save button for a copy of the log. Post the log created by the script when you have completed the fix. ------------------------------- We need to repeat this procedure: Click Start->Run - type SERVICES.MSC** & then click on the OK button Locate the service - Windows web messenger* Double-click on it to open the Properties dialog. Under the General tab: : *<--Take note and write down the Service name given as we will need it shortly.** Stop the service by using the Stop* button. Change the Startup type to Disabled* & then click on the OK button Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in the Service Name you found in the General Tab for Windows web messenger . [b][color="Red"] click OK and allwo the reboot. ------------------------------- Reboot into Safe Mode. (tapping F8 or F5) Make sure the following is still in effect: Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. ------------------------------- Disable Microsoft Anti Spyware again if it's running as it will interfere. ------------------------------- Run a scan in HijackThis. 'Check' the following if it still exists: O23 - Service: Windows web messenger - Unknown owner - C:\WINDOWS\Msnweb.exe (file missing) Click 'Fix Checked' and close HijackThis. --------------------------- Let's check again for the file and delete it if found: C:\WINDOWS\ Msnweb.exe --------------------------- Run Open Cleanup again. Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" *Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. --------------------------- Run Ewido again with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop --------------------------- Reboot into Normal Mode. --------------------------- Run another online scan at Kaspersky and save the report. In your next reply, I'll need the following: BFU log Ewido results Kaspersky results New HijackThis log __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-24-2006, 07:10 AM	#14 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	Hi Scott, We need to create a new System Restore point: Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK ---------------------------------- I'd like you to try again to get an online scan at Panda, it may reveal files that Kaspersky is not. Check your Firewall settings, and make sure your Firewall is not blocking the download of the Active X. Perform an online scan using Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report Please post that log in your next reply along with a new HijackThis log. ---------------------------------- Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet. Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found. Save that log and post it here. Restart one more time back into Normal Mode, run a scan with HijackThis and save the log to post here. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-24-2006, 03:09 PM	#15 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Hello Ried, Hope you are doing well. I am posting while Panda Activescan 5.53.00 is downloading the files it needs, hopefully it will work this time. But anyway I wanted to post before I forgot that I accidentally forgot to turn off Avast while the download was starting and a virus alert popped up for: Win32.CTX I found this info from Kapersky: http://www.avp.ch/avpve/newexe/win32/ctx.stm And I was wandering if I should worry about this because I did turn off Avast and restarted the downlaod process, hopefully this won't cause furthur problems since I assuming that it will find its way onto my computer. Oh, and I do not have a firewall yet, but I will be downloading ZoneAlarm as soon as all this mess is cleaned up. or should I go ahead and downlaod it now? Thanks Again! Scott

04-24-2006, 03:34 PM	#16 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	Hi Scott, I need to know where Avast found that infection. If it produces a log for you, post the location of the infection here along with the Panda results. After the Panda scan has completed, go ahead and download and install ZoneAlarm. After you download the ActiveX for Panda, you do not need to remain online, it will continue to scan your computer. You do need to reconnect to Panda to view and Save the report. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-24-2006, 04:00 PM	#17 (permalink)
disco20 Registered User Join Date: Apr 2006 Posts: 35 OS: XP	Ried, Here are excerpt from the log (I tried to save it, but the program froze ) Application Description System 1160 Sign of "Win32:Sdbot-3015 [Trj]" has been found in "C:\Windows\System32\eraseme_62078.exe" file System 1156 Sign of "Win32:CTX has been found in "http://acs.pandasoftware.com/activescan/ac5free/motor.cab/pskavs.DLL" file Another virus I have been wondering about is C:\Windows\country.exe that avast stopped a while ago.

04-25-2006, 08:43 PM	#20 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,794 OS: WinXP and Vista	Hi Scott, Once again, nice work. Download these 3 programs first, then disconnect from the internet and run them in the same sequence as listed for download: Download RapidBlaster Killer. Save it to your desktop but do not run it yet. Download McAfee AVERT Stinger. Save it to your desktop but do not run it yet. Download KillBox. (it's important that you get version v2.0.0.175) ---------------------------------------- Disconnect from the internet. ---------------------------------------- Disable the following anti-malware programs as they may interfere with the following fixes: Open ewido by double-clicking the yellow 'e' icon in the system tray. In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'. When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup. Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose "Show Management Console". On the Management Console click the Protection Level drop-down menu. You will see three levels: Maximum Off User Defined To disable all protection set the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes. Click the X on the upper right hand corner to exit the Management console. ---------------------------------------- Run RapidBlaster Killer Run Stinger ---------------------------------------- Reboot into Safe Mode. ---------------------------------------- Launch KillBox.exe & select the following options: delete on Reboot All files (if available) Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C: c:\windows\system32\unPPC.exe c:\program files\secure32.html C:\Windows\System32\winscntrl.exe Go to the File menu, and choose Paste from Clipboard Click on the dropdown menu next to Full Path of File to Delete field. Verify that the filenames you pasted are found there Select/tick the following: * Delete on Reboot * End Explorer Shell While Killing File * Unregister.dll Before Deleting" if it's not grayed out. Click the RED X button. Click Yes at the 'Delete on Reboot' prompt. Click NO at the Pending Operations prompt. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again. -------------------------------- Clear Mozilla Firefox cookies: Open the Mozilla Browser, (you do not need to be online to do this) Click Tools>Options>Privacy>Cookies>Clear Clear Internet Explorer Cookies: Launch Internet Explorer>Tools>Internet Options>Delete Cookies -------------------------------- Run Ewido again allowing it to clean/remove anything it finds. -------------------------------- Reboot into Normal Mode. -------------------------------- Run another online scan at Panda and post the results here along with the Ewido results and a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."