[andro360]

I've noticed a large amount of downloading/uploading going on through my LAN (ie, 1 Mb in 5 mins) when it should be idle. I've read the stickies and followed the directions given.
Here is my HJT log. I do not use IE, by the way, unless necessary. I use Firefox. So anything I can remove pertaining to that I would like to remove.

Thanks in advance for looking at it and taking the time to evaluate it.

Logfile of HijackThis v1.99.1
Scan saved at 10:36:16 PM, on 2/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133298043958
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_2.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133851008502
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E3F2C8F-2466-4A58-983D-D943D34E80EE}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{123FFA03-2CD2-461C-A0D1-21BB6D46650F}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E3F2C8F-2466-4A58-983D-D943D34E80EE}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E3F2C8F-2466-4A58-983D-D943D34E80EE}: NameServer = 205.171.3.65,205.171.2.65
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

 

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

I don't see much showing in that log, we can try to see what may be the cause by running some diagnostic tools. First, though....

You don't seem to have a firewall program installed. Using a third-party firewall will allow you to give/deny access for applications that want to go online. Select one of these, or another of your choice:

• Comodo Personal Firewall
• ZoneAlarm

.

Then do this:

1. Download combofix.exe to your desktop.
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan using Internet Explorer at http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
      [*]Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save Report As button.
• Select txt file from the dropdown menu, to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with results from:

C:\ComboFix.txt
Kaspersky online scan

 

[andro360]

Working on it

First of all, thank you for putting in the time to help me. I know you do this in your time off and I appreciate it very much. I have been unable to successfully run the kaspersky scan. I don't know why. The separate window comes up and cannot finish do to something I'm not allowing to install I think, but I can't understand how to approve the install. I "accept" and it never finishes.

Here is the Combofix log:

"Chris Kennedy" - 07-02-06 16:42:38 Service Pack 2
ComboFix 07.02.02 - Running from: "C:\Documents and Settings\Chris Kennedy\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\autorun.inf


((((((((((((((((((((((((((((((( Files Created from 2007-01-06 to 2007-02-06 ))))))))))))))))))))))))))))))))))


2007-02-06 15:14 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-02-06 15:13 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-02-06 15:13 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-02-06 15:13 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-02-03 00:07 <DIR> d-------- C:\rename_this_folder_back_to_sUBs_
2007-02-01 22:39 <DIR> d-------- C:\HJT
2007-02-01 20:39 <DIR> d-------- C:\DOCUME~1\CHRISK~1\.housecall6.6
2007-02-01 19:34 <DIR> d-------- C:\Program Files\Hijack This
2007-01-23 14:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-09 14:57 <DIR> d-------- C:\WINDOWS\ie7updates


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-06 16:41 -------- d-------- C:\Program Files\mozilla firefox
2007-02-06 16:40 -------- d-------- C:\Program Files\diablo ii
2007-02-06 15:23 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
2007-02-06 08:31 -------- d-------- C:\Program Files\quickenw
2007-02-03 09:23 -------- d-------- C:\Program Files\antivir personaledition classic
2007-02-01 22:46 -------- d-------- C:\Program Files\spywareblaster
2007-02-01 21:21 -------- d-a------ C:\Program Files\icqtoolbar
2007-02-01 21:12 -------- d-------- C:\DOCUME~1\CHRISK~1\Application Data\yahoo!
2007-02-01 21:11 -------- d-------- C:\Program Files\stock screener pro trial
2007-01-28 12:05 -------- d-------- C:\Program Files\quicktime
2007-01-28 12:03 -------- d-------- C:\Program Files\apple software update
2007-01-11 00:43 -------- d--h----- C:\Program Files\installshield installation information
2006-12-21 04:03 -------- d-------- C:\Program Files\java
2006-12-17 19:26 -------- d-------- C:\Program Files\d2hackmap
2006-12-09 19:23 21840 --a--c-t- C:\WINDOWS\system32\sintfnt.dll
2006-12-09 19:23 17212 --a--c-t- C:\WINDOWS\system32\sintf32.dll
2006-12-09 19:23 12067 --a--c-t- C:\WINDOWS\system32\sintf16.dll
2006-12-09 18:58 94208 --a------ C:\WINDOWS\diiunin.exe
2006-12-09 18:58 2829 --a------ C:\WINDOWS\diiunin.pif
2006-12-09 14:13 -------- d-------- C:\Program Files\yahoo!
2006-12-09 12:03 -------- d-------- C:\Program Files\online services
2006-12-08 20:57 -------- d-------- C:\Program Files\itunes
2006-12-08 20:57 -------- d-------- C:\Program Files\ipod
2006-12-07 10:49 -------- d-------- C:\Program Files\stock screener lite
2006-12-07 10:22 -------- d-------- C:\Program Files\marketbrowser
2006-12-06 22:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-06 02:34 -------- d-------- C:\Program Files\mbtrading
2006-12-01 10:31 1441792 --a------ C:\WINDOWS\system32\rlvknlg.exe
2006-12-01 10:30 319488 --a------ C:\WINDOWS\system32\rlls.dll
2006-11-20 01:42 33280 --a------ C:\WINDOWS\system32\snmp.exe
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"SoundMan"="SOUNDMAN.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.51.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Wireless Configuration Utility HW.51.lnk"
"backup"="C:\\WINDOWS\\pss\\Wireless Configuration Utility HW.51.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\802~1.11W\\80211G~1.00\\WlanCU.exe "
"item"="Wireless Configuration Utility HW.51"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
p2psvc REG_MULTI_SZ p2psvc\0p2pimsvc\0p2pgasvc\0PNRPSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_SRESCAN
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_VSMON


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-06 16:45:13

 

[tetonbob]

Create an uninstall list:

• Open HiJackThis
• Click on the button " Open the Misc Tools section"
• Click on the Box that says "Open Uninstall Manager"
• Click on the button "Save list"
• Copy and past the List from the notepad file into your post

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on
   located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on
  then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Post those results along with a new HJT log, and the uninstall list.

 

[andro360]

Panda attempt failed

I was unable to run the Panda scan. Followed directions up to hitting scan for "My Computer" and nothing happened. Made sure the pop-up blocker was off.

On the Kaspersky scan. I was eventually able to run a successful scan, but couldn't find a "save report" button. It found 3 detections I believe.

Here is the uninstall list.

Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Adobe SVG Viewer 3.0
Age of Wonders
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI DVD Decoder
ATI Multimedia Center 7.8.0.0
Avance AC'97 Audio
Avira AntiVir PersonalEdition Classic
dammap
DAO
dBpowerAMP iTunes Encode
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
Diablo II
EXEtender Player
Google Earth
Google Video Player
Heat
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HydraVision
ICQ Toolbar
ICQ 5.1
IEEE 802.11g Wireless Cardbus/PCI Adapter
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Kaspersky Online Scanner
Lavasoft VX2 Cleaner
MailFrontier Desktop
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Morrowind
Motorola Handset USB Driver
Mozilla Firefox (2.0.0.1)
MSN
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML4 Parser
Nero 6 Ultra Edition
Quicken 2006
QuickTime
RealPlayer
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926247)
Security Update for Windows XP (KB926255)
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
System Requirements Lab
TES Construction Set
tunebite 2.1.1.3
ubi.com
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Support Tools
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Xfire (remove only)
Yahoo! Internet Mail
Yahoo! Messenger
ZoneAlarm

 

[tetonbob]

You didn't see the Save Report As button, like this?

Did you make note of the exact finds by Kaspersky?

 

[andro360]

Kaspersky

No

That looks similar to what I saw, but the section displaying the files found wasn't there. Also, the buttons giving the option to "save report as" or "send" was not there.

I'm going to try it one more time. I know at first there was an issue concerning my security settings where it would not let me choose to accept the ActiveX. Changed that and got further than I first reported. Thanks for staying with me on this tetonbob.

 

[andro360]

Got it!

Finally was able to scan and save report. Had to go into options and severely change default settings to have minimal security for activeX and everything else I can could change.

Here is what I got:

Friday, February 09, 2007 2:34:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/02/2007
Kaspersky Anti-Virus database records: 266226
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 44475
Number of viruses found 3
Number of infected objects 4 / 0
Number of suspicious objects 0
Duration of the scan process 00:44:48

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Chris Kennedy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chris Kennedy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Chris Kennedy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chris Kennedy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chris Kennedy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris Kennedy\Local Settings\History\History.IE5\MSHist012007020920070210\index.dat Object is locked skipped
C:\Documents and Settings\Chris Kennedy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Chris Kennedy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chris Kennedy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chris Kennedy\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DBA8493C-9775-4322-8232-CBEA837218BA}\RP274\A0057311.dll Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{DBA8493C-9775-4322-8232-CBEA837218BA}\RP274\A0057312.exe Infected: not-a-virus:AdTool.Win32.WhenU.i skipped
C:\System Volume Information\_restore{DBA8493C-9775-4322-8232-CBEA837218BA}\RP288\A0058913.exe Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{DBA8493C-9775-4322-8232-CBEA837218BA}\RP288\A0058914.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{DBA8493C-9775-4322-8232-CBEA837218BA}\RP315\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\CHRIS.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_684.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT03024.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0587c.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

 

[tetonbob]

Good job of persistence.

Unfortunately, I can't see anything which might be the cause of your main concern.

The only items found by Kaspersky are in System Restore, easily removed.

CLEAR & RESET SYSTEM RESTORE'S CACHE

Go to Start >> Run - type or copy/paste control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives
* Click Apply

Turn it back 'On' by unticking the same checkbox & click Apply, and then OK

---------------------------------------------------------------------------------------------

You should also uninstall these older versions of Java, as they present a security risk by still being installed:

J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9

You may want to post a new thread in the Security and Firewalls section. The staff and members there will be better able to respond to your concern. Let them know you've been here, and your system appears free from malware.

 

[andro360]

Thank you

Just a last note to say thank you for your time and effort. I followed your last directions and I'm moving on to the Security & Firewalls section.

 

[tetonbob]

Hi andro360 -

Apologies, but I overlooked a couple of files in your ComboFix log.

These malware files should be deleted:

C:\WINDOWS\system32\rlvknlg.exe
C:\WINDOWS\system32\rlls.dll

If they resist, boot to safe mode and delete them from there.