Tech Support banner
Status
Not open for further replies.
1 - 17 of 17 Posts

·
Registered
Joined
·
43 Posts
Discussion Starter · #1 ·
Hello,
Was surfing the web with IE and had several windows open. My Norton comes up and says I got a Downloader Virus. Norton says cannot clean, qurantine, or delete. I open Norton AV, update and scan. Scan doesn't pick up the virus but virus history shows I got it at that time and no action was taken.

Did the 5 step process indicated in the sticky. Ran Spybot S/D, CW Shredder, Ad-Aware SE but could not get VX2 Add-on to work. Ran Norton AV again, didn't pick up the virus. Ran some of the online Virus scans. Picked up Ad/Spyware (EnhSrch, MBKWBar, + others) and a Trojan Virus (Trojan.Imiserv.192107.A). I can post the results of those scans if neccessary. Did Windows update. Only thing updated was a newer version of IE. No symptoms going on with my PC but if there's a virus & Ad/Spyware I'd like to get rid of it.
Appreciate your help!

Logfile of HijackThis v1.99.1
Scan saved at 4:15:55 PM, on 12/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwheelsshop.com/mb/plsql/hw1.cat?catid=54438
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotwheelsshop.com/mb/plsql/hw1.cat?catid=54438
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Reminder-hpc40415.lnk = C:\Program Files\HP PhotoSmart\C200 Camera\Registration\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hi ss95chevy,

There is nothing readily apparent in your HijackThis log. Could you please post what Norton had previously reported as the trojan? I'd also like to see the results of your online scan at Panda.
 

·
Registered
Joined
·
43 Posts
Discussion Starter · #3 ·
Hi Ried,
I forgot to mention in my first post, the only weird thing going on with my PC is when I use IE, many times pictures will not load even when I right click and select Show Picture. This has been ongoing for 5 or 6 months and don't think it's related to a virus. Searched but never found a fix for it.
Thank you!

Here is what the Norton Virus History says: Tried to clean or qurantine but says the file has been moved or deleted. (I typed it so maybe it'll be easier to read)

Date-12/25/2006 9:58:10 PM
File Name- count[1].htm
Virus Name- Downloader
Virus Type- File
Action Taken- Left Alone
Computer- Kevin
User- KevinCone
Original Location- C:\Documents and Settings\KevinCone\Local Settings\Temporary Internet Files\Content.IE5\1WV63B1F\
Satus- Infected
Current Location- C:\Documents and Settings\KevinCone\Local Settings\Temporary Internet Files\Content.IE5\1WV63B1F\
Primary Action- Clean Virus from File
Secondary Action- Quarantine Infected File
Scan Type- Realtime Scan


Here is Panda Scan rusults:

Incident Status Location
Adware:Adware/EnhSrch Not disinfected C:\Documents and Settings\KevinCone\Application Data\Ahead\Nero BackItUp\Info Files\20061911_095534_My Documents-Progran Files-IE Favorites-HJT\C\HJT\backups\backup-20050327-095202-276.dll.nco[20061911_095534_My Documents-Progran Files-IE Favorites-HJT\C\HJT\
Adware:Adware/EnhSrch Not disinfected C:\Documents and Settings\KevinCone\Application Data\Ahead\Nero BackItUp\Info Files\20061911_172027_Mydocuments-iefavs-programfiles\C\HJT\backups\BACKUP~1.DLL.nco[20061911_172027_Mydocuments-iefavs-programfiles\C\HJT\backups\BACKUP~1.DLL]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Freehqvideos Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected][2].txt
Spyware:Cookie/Freehqvideos Not disinfected C:\Documents and Settings\KevinCone\Cookies\[email protected]_mov[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\KevinCone\Local Settings\Temp\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\KevinCone\Local Settings\Temp\Cookies\[email protected][2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\KevinCone\Local Settings\Temp\Cookies\[email protected][1].txt
Adware:Adware/EnhSrch Not disinfected C:\RECYCLER\S-1-5-21-4148787569-2861402161-3125434738-1005\Dc3969\backup-20050327-095202-276.dll
Adware:Adware/EnhSrch Not disinfected C:\WINDOWS\enhuninstall.exe
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Transponder Not disinfected C:\WINDOWS\inf\dlmax.inf
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Adware:Adware/MBKWBar Not disinfected C:\WINDOWS\mbkwnst.exe[MBKWBar.exe]
Adware:Adware/MBKWBar Not disinfected C:\WINDOWS\mbkwnst.exe[MBKWBar.exe][IEToolBar.dll]
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hiya,

Ok, let's give this system a thorough cleaning. :sayyes:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

******************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

--------------------------------------------------------------------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

-------------------------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files

C:\WINDOWS\enhuninstall.exe
C:\WINDOWS\inf\conscorr.inf
C:\WINDOWS\inf\dlmax.inf
C:\WINDOWS\kwv2.dat
C:\WINDOWS\mbkwnst.exe


--------------------------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

--------------------------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Run another online scan at Panda and save the report.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

AVG Anti-Spyware results
Panda results
New HijackThis log
 

·
Registered
Joined
·
43 Posts
Discussion Starter · #5 ·
Here is the AVG Scan and the HJT Log. The Panda Scan didn't pick up anything so there was no log to save.
Thanks!

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:22:22 PM 1/1/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbarISTbar -> Adware.HotBar : Cleaned with backup (quarantined).
C:\Documents and Settings\KevinCone\Application Data\Ahead\Nero BackItUp\Info Files\20061911_095534_My Documents-Progran Files-IE Favorites-HJT\C\HJT\backups\backup-20050327-095202-276.dll.nco/20061911_095534_My Documents-Progran Files-IE Favorites-HJT\C\HJT\backups\BACKUP~1.DLL -> Adware.NoName : Cleaned with backup (quarantined).
C:\Documents and Settings\KevinCone\Application Data\Ahead\Nero BackItUp\Info Files\20061911_172027_Mydocuments-iefavs-programfiles\C\HJT\backups\BACKUP~1.DLL.nco/20061911_172027_Mydocuments-iefavs-programfiles\C\HJT\backups\BACKUP~1.DLL -> Adware.NoName : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0053676.exe -> Adware.NoName : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0053726.exe -> Adware.NoName : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0053732.dll -> Adware.NoName : Cleaned with backup (quarantined).


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 11:26:04 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotwheelsshop.com/mb/plsql/hw1.cat?catid=54438
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotwheelsshop.com/mb/plsql/hw1.cat?catid=54438
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Reminder-hpc40415.lnk = C:\Program Files\HP PhotoSmart\C200 Camera\Registration\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 

·
Registered
Joined
·
43 Posts
Discussion Starter · #6 ·
Forgot to mention, the problem with my pictures not loading in IE was fixed but while I was changing my home page, under internet options-Advanced tab I clicked reset and now the pictures are not loading again. Not sure why.
Thank you!
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
At what point did the issue with the pics begin working again? Other than the issue with pictures in IE, how is the system behaving? Are you still getting alerts from any AV's?
 

·
Registered
Joined
·
43 Posts
Discussion Starter · #8 ·
They immediately started working after I did everything you asked in your second post. (Coincidence maybe?). When I go to those same pages through AOL they load fine. This is how it's been since the begining.
Also noticed that after the pictures started working again words and text on web pages looked purplish in color. Not like a "visited " link though. After I hit the Reset button under internet options-Advanced tab the words and text went back to black color and pics didn't load.
Havn't gotten any AV alerts at all. System seems fine other than I have to wait just a couple of seconds longer for a program to open.
Thanks
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
The programs will take a little longer to open since we've cleared your Prefetch and Temp folders. The speed will improve. :wink:

I realize these online scans are time consuming, but I'd like to run another online scanner and see if it picks up anything further.

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        [*]Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
 

·
Registered
Joined
·
43 Posts
Discussion Starter · #10 ·
Hi there,
When I went to the link you gave it wouldn't download the Active X and Virus updates for some reason. Went to AOL, let it download and virus update. Closed AOL, opened it in IE and scanned but there was no way to save the log. the page didn't come up. Closed it all out and scanned again and was able to save the log. A couple of the online scans in the sticky wouldn't work either. Didn't try those in AOL. Here is the Kapersky Log. I don't mind the time consuming part. I appreciate you helping me out. Would have gotten this to you sooner but had to replace the radiator in my car.

Tuesday, January 02, 2007 7:50:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/01/2007
Kaspersky Anti-Virus database records: 255658


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 110343
Number of viruses found 2
Number of infected objects 7 / 0
Number of suspicious objects 0
Duration of the scan process 02:33:21

Infected Object Name Virus Name Last Action
C:\Documents and Settings\KevinCone\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Temp\hpodvd09.log Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Temp\~DF30FE.tmp Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Temp\~DF310B.tmp Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Temp\~DF74C.tmp Object is locked skipped

C:\Documents and Settings\KevinCone\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\KevinCone\ntuser.dat Object is locked skipped

C:\Documents and Settings\KevinCone\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0053729.exe/data0002/data0002 Infected: not-a-virus:AdWare.Win32.MBKWBar.a skipped

C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0053729.exe/data0002 Infected: not-a-virus:AdWare.Win32.MBKWBar.a skipped

C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0053729.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0054001.exe/data.rar/xpkey.exe Infected: not-a-virus:pSWTool.Win32.RAS.a skipped

C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0054001.exe/data.rar/officekey.exe Infected: not-a-virus:pSWTool.Win32.RAS.a skipped

C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0054001.exe/data.rar Infected: not-a-virus:pSWTool.Win32.RAS.a skipped

C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP650\A0054001.exe RarSFX: infected - 3 skipped

C:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP651\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\System Volume Information\_restore{C9E7AC67-19F8-468F-9C9B-80B5FCF2ABCE}\RP651\change.log Object is locked skipped

Scan process completed.
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Replacing radiators can be a pain...I hope it's warm where you are. :winkgrin:

Kaspersky is only reporting items already locked away in your System Restore. We'll clear those in a moment.

What version of IE7 do you have? Is it beta? Click the Help button in IE and select 'About'. Note the version and post that here please.
 

·
Registered
Joined
·
43 Posts
Discussion Starter · #12 ·
Was about 63 degrees here today but it's supposed to get colder later so I figured I knock out the radiator quick since I was off. It's an older car and wasn't too bad.

The version of IE I have is 7.0.5730.11 Doesn't say anything about being a beta version. I got it in the windows update before I started this thread. The pics not loading was happening while I still had IE 6.0
Thanks!
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
This may turn out to be a browser issue and not malware related, but to be certain I'd like you to run one more diagnostic tool. It will only take you a few minutes.

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**


-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Post the ComboFix.txt in your next reply.
 

·
Registered
Joined
·
43 Posts
Here's the log. After I ran it my IE homepage was reset to msn.com and put an IE icon on my desktop. Is that normal? Gotta get to bed. Will check back in the morning. Thank you!

"Kevin***" - 07-01-02 22:24:27.32 Service Pack 2
ComboFix 06-12-29W-BetaE2 - Running from: "C:\Documents and Settings\Kevin**edited surname for privacy\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-02 to 2007-01-02 ))))))))))))))))))))))))))))))))))


2007-01-02 12:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-01-01 21:30 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-01-01 13:33 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-01 13:33 <DIR> d-------- C:\Program Files\Grisoft
2006-12-29 11:43 <DIR> d-------- C:\WINDOWS\WBEM
2006-12-29 11:43 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-12-29 11:41 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-12-29 11:39 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-12-29 11:39 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-28 22:59 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2006-12-28 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2006-12-28 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2006-12-28 15:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Adobe
2006-12-27 21:57 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2006-12-27 20:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-27 18:47 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-27 18:45 <DIR> d-------- C:\DOCUME~1\KEVINC~1\.housecall6.6
2006-12-14 14:29 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2006-12-14 14:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-02 22:06 -------- d-------- C:\Program Files\america online 7.0
2007-01-02 12:13 -------- d-------- C:\Program Files\peerguardian2
2007-01-01 22:44 -------- d-------- C:\Program Files\navnt
2007-01-01 22:37 -------- d-------- C:\Program Files\google
2006-12-31 13:40 -------- d-------- C:\Program Files\bittorrent
2006-12-25 12:31 -------- d-------- C:\Program Files\kodak
2006-12-14 14:32 -------- d-------- C:\Program Files\windows media connect 2
2006-12-04 19:03 -------- d-------- C:\Program Files\winmx
2006-11-18 03:02 -------- d-------- C:\Program Files\msxml 4.0
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 08:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 21:58 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-10-18 21:47 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-10-18 21:47 991744 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 21:47 937984 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2006-10-18 21:47 8231936 --a------ C:\WINDOWS\system32\wmploc.dll
2006-10-18 21:47 767488 --------- C:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47 757248 --a------ C:\WINDOWS\system32\wmadmod.dll
2006-10-18 21:47 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-10-18 21:47 656896 --------- C:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 21:47 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 21:47 613376 --------- C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 603648 --a------ C:\WINDOWS\system32\wmspdmod.dll
2006-10-18 21:47 542720 --a------ C:\WINDOWS\system32\blackbox.dll
2006-10-18 21:47 535040 --------- C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 429056 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 21:47 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvadve.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmvadvd.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\mp4sdmod.dll
2006-10-18 21:47 4096 --a------ C:\WINDOWS\system32\mp43dmod.dll
2006-10-18 21:47 38400 --------- C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-10-18 21:47 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-10-18 21:47 356352 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-10-18 21:47 348672 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 21:47 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 21:47 321536 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-10-18 21:47 317440 --------- C:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47 314880 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 21:47 295936 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --------- C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47 276992 --a------ C:\WINDOWS\system32\audiodev.dll
2006-10-18 21:47 27136 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 21:47 2603008 --------- C:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47 259072 --------- C:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-10-18 21:47 242688 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-10-18 21:47 229376 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-10-18 21:47 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-10-18 21:47 222208 --a------ C:\WINDOWS\system32\wmasf.dll
2006-10-18 21:47 212992 --------- C:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47 211456 --a------ C:\WINDOWS\system32\qasf.dll
2006-10-18 21:47 204288 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 21:47 199168 --------- C:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-10-18 21:47 175616 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-10-18 21:47 166912 --------- C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47 1661440 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-10-18 21:47 1574912 --------- C:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-10-18 21:47 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 21:47 1543680 --------- C:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47 1382912 --------- C:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47 133632 --------- C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47 1329152 --a------ C:\WINDOWS\system32\wmspdmoe.dll
2006-10-18 21:47 132096 --------- C:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 11264 --a------ C:\WINDOWS\system32\laprxy.dll
2006-10-18 21:47 1117696 --a------ C:\WINDOWS\system32\wmadmoe.dll
2006-10-18 21:47 101888 --------- C:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:03 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-10-18 20:00 249856 --------- C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 07:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-02 15:28 312128 --------- C:\WINDOWS\system32\msdelta.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


Completion time: 07-01-02 22:31:34.87
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
Hi,

Yes, your homepage resetting to the default msn.com is normal after running this tool. You may re-set the homepage to your choice now.

I'm not seeing any malware. If you're still having difficulty with IE, I would suggest you begin a thread in the Internet Explorer Forum and let the experts there try to help you resolve this. Do let them know you've already been cleaned in the HijackThis Forum and tell them what you've told me:
When I use IE, many times pictures will not load even when I right click and select Show Picture. This has been ongoing for 5 or 6 months. When I go to those same pages through AOL they load fine. This is how it's been since the begining.

Pictures did work for a bit the other day but after the pictures started working again, words and text on web pages looked purplish in color. Not like a "visited " link though. After I hit the Reset button under internet options-Advanced tab the words and text went back to black color and pics didn't load. I also had this issue with IE6
------------------------------------------------------------

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

-----------------------------------------------------------

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

-----------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected will reduce dramatically. :smile:
 

·
Registered
Joined
·
43 Posts
Discussion Starter · #16 ·
ok. The problem with pictures loading has gotten better today for some reason. About the only picture that isn't showing up now is when I go to ebay, the ebay icon in the top left corner never loads. May have been a coincidence that they started working after I did the fixes you suggested.
Will get to the IE forum and see if anyone is familiar with the issue. It's not really a problem more than it is aggravating. Everything else works fine.
One last question earlier you had stated:

"Kaspersky is only reporting items already locked away in your System Restore. We'll clear those in a moment."

Did we fix this with combofix? Wasn't sure if we had cleared those.

Thanks so much for your help!
 

·
TSF Security Manager, Emeritus
Joined
·
42,836 Posts
You're welcome. :grin:

Once you reset your System Restore (see instructions in my last post) that will clear out the items located there and create a clean, new point for you.

I can tell you that I use IE7 and on occassion not all the pics load for me, although they do 98% of the time. If I refresh, they appear. :4-dontkno I hope the folks in IE Forum can help you out--good luck. :smile:
 
1 - 17 of 17 Posts
Status
Not open for further replies.
Top