Nagging problem


This topic is locked. 9 replies to this topic.

#1 Guest_nyankeec_*

Posted 18 June 2006 - 05:21 AM

I am running SpyBot S&D with Teatimer active; AdAware SE, Spyware Blaster, and Windows Defender. System automatically downloads Windows Updates. AVG Free V7.1 is doing the antivirus duty; checks for updates and does a complete system scan every night whilst I sleep. System is sometimes used by one or more teenagers with the usual AIM and obsession with myspace.com :P

Every morning the scan log indicates the presence of "Trojan Horse Downloader.Generic2.ATZ" in a file C:\Program Files\?ecurity\arpa.exe, and further indicates that it has been deleted. Subsequent attempts, both immediately following the scan (well, when I get up) and later in the day, both under normal boot and in safe mode, fail to turn up the file. Yet the next night, same thing. Searches via Google and Grisoft's website as well as a few others like Symantec have not turned up anything useful. HJT Log follows; your advice please?

Logfile of HijackThis v1.99.0
Scan saved at 7:51:43 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\notes\ntmulti.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csc.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\qckb\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093688482734
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastacces...bls_speedop.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webmeeting.a...bex/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\winlogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 - Unknown - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
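The pattern in this post (the file is "deleted" every night and is back the next morning) is what an in-memory dropper looks like: the HijackThis log above carries an O20 AppInit_DLLs entry for C:\WINDOWS\system32\winlogon.dll, and a DLL listed there is mapped into every process that loads user32.dll, so it stays resident for the whole session and can recreate whatever file the scanner removed. The script below is an added example for this thread, not HijackThis code and not the forum's procedure. It reads the O4, O20 and O23 lines of a HijackThis log and attaches review prompts to the entries a responder would check first; the scoring rules, the PATH_RE pattern and the SYSTEM_EXE_STEMS list are this example's own heuristics, and a hit is a prompt to verify, not a verdict. The sample lines are copied from the log in this post.

```python
"""Triage the persistence-related lines of a HijackThis log.

Added example for this thread (not HijackThis code, not the forum's own
procedure). Reads O4 (Run keys), O20 (AppInit_DLLs) and O23 (services)
lines and attaches review prompts. Heuristics are this example's own
assumptions; a hit means "look at this", not "this is malicious".
"""
import ntpath
import re

# Constructed sample: six lines copied from the first post's HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\winlogon.dll
O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Stems of core Windows session binaries. The genuine components are .exe
# files; a DLL wearing one of these names (winlogon.dll beside winlogon.exe)
# is a name collision that deserves a look. Hand-picked list, an assumption.
SYSTEM_EXE_STEMS = {"winlogon", "lsass", "smss", "csrss", "services", "svchost", "explorer"}

LINE_RE = re.compile(r"^(O4|O20|O23) - (.*)$")
PATH_RE = re.compile(
    r'"([^"]+)"'                                        # quoted path
    r'|([A-Za-z]:\\.*?\.(?:exe|dll|com|scr))(?=\s|$)'   # drive-letter path, spaces allowed
    r'|(\S+\.(?:exe|dll|com|scr))',                     # bare file name, no directory
    re.IGNORECASE,
)


def extract_path(body):
    """First executable path in the body of an HJT line, or None."""
    m = PATH_RE.search(body)
    return next((g for g in m.groups() if g), None) if m else None


def review_reasons(kind, body):
    """Review prompts for one O4/O20/O23 line body (empty list = nothing to flag)."""
    reasons = []
    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        # AppInit_DLLs is mapped into every process that loads user32.dll, so
        # the DLL stays resident all session. Deleting a file it drops does not
        # stop it dropping the file again: the nightly pattern in this post.
        reasons.append("AppInit_DLLs injection: DLL loaded into every user32 process")
    if "(file missing)" in body:
        reasons.append("service binary missing on disk: dead entry or already-cleaned dropper")
    path = extract_path(body)
    if path:
        stem, ext = ntpath.splitext(ntpath.basename(path).lower())
        if stem in SYSTEM_EXE_STEMS and ext != ".exe":
            reasons.append(f"{stem}{ext} borrows the name of system binary {stem}.exe")
        if kind == "O4" and "\\" not in path:
            reasons.append("bare file name in Run key: resolved through the search path, verify which copy runs")
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every O4/O20/O23 line with at least one prompt."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reasons = review_reasons(kind, body)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample, the three lines that come back are the CARPService entry (bare file name), the AppInit_DLLs entry (two prompts: the injection point itself and the winlogon name collision) and the x10nets service (binary missing). The AVG and TeaTimer lines come back clean, which is the point of keying on structure rather than on vendor names.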



#2 Susan528

Posted 19 June 2006 - 05:13 AM

Hello nyankeec and Welcome to TomCoyote,

Please do the following:



STEP 1.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here
  • Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)
  • Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
  • Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
  • When the sweep has finished, click Remove. Click Select All and then Next
  • From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
  • Exit Spy Sweeper.

STEP 2.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Empty Recycle Bin
Reboot

Please post (reply) with the results from SpySweeper, ewido and a new hijackthis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#3 Guest_nyankeec_*

Posted 19 June 2006 - 07:15 PM

Hi Susan528! :wavey: I am currently out of town on a business trip, and will follow your instructions when I return home at the end of the week. Thanks for your rapid reply.

#4 Guest_nyankeec_*

Posted 24 June 2006 - 07:58 AM

Hi Susan528:

I have followed your instructions, however please note that when I did the install for ewido I was not given any options other than to select the language; so I ended up with background guard installed :scratch: . I deactivated it prior to proceeding. A reboot occurred at the conclusion of Spy Sweeper and winlogon.dll was reportedly removed during the restart process (but I still see it in the latest hijackthis log.....). Logs follow in order:

Spy Sweeper:

********
6:34 AM: | Start of Session, Saturday, June 24, 2006 |
6:34 AM: Spy Sweeper started
6:34 AM: Sweep initiated using definitions version 706
6:35 AM: Starting Memory Sweep
6:35 AM: Found Adware: purityscan
6:35 AM: Detected running threat: C:\WINDOWS\system32\winlogon.dll (ID = 305947)
6:39 AM: Memory Sweep Complete, Elapsed Time: 00:04:22
6:39 AM: Starting Registry Sweep
6:39 AM: Found System Monitor: email sentinel pro
6:39 AM: HKCR\.esp\ (1 subtraces) (ID = 1512784)
6:39 AM: HKU\WRSS_Profile_S-1-5-21-2247778763-2552189465-2221179514-1006\software\microsoft\windows\currentversion\run\ || aaou (ID = 137990)
6:39 AM: Registry Sweep Complete, Elapsed Time:00:00:25
6:39 AM: Starting Cookie Sweep
6:39 AM: Found Spy Cookie: nextag cookie
6:39 AM: mom@nextag[2].txt (ID = 5014)
6:39 AM: Found Spy Cookie: yieldmanager cookie
6:39 AM: marti@ad.yieldmanager[1].txt (ID = 3751)
6:39 AM: Found Spy Cookie: adrevolver cookie
6:39 AM: marti@adrevolver[1].txt (ID = 2088)
6:39 AM: marti@adrevolver[2].txt (ID = 2088)
6:39 AM: Found Spy Cookie: advertising cookie
6:39 AM: marti@advertising[2].txt (ID = 2175)
6:39 AM: Found Spy Cookie: casalemedia cookie
6:39 AM: marti@as.casalemedia[1].txt (ID = 2355)
6:39 AM: Found Spy Cookie: ask cookie
6:39 AM: marti@ask[1].txt (ID = 2245)
6:39 AM: Found Spy Cookie: atlas dmt cookie
6:39 AM: marti@atdmt[2].txt (ID = 2253)
6:39 AM: Found Spy Cookie: belnk cookie
6:39 AM: marti@ath.belnk[1].txt (ID = 2293)
6:39 AM: Found Spy Cookie: atwola cookie
6:39 AM: marti@atwola[1].txt (ID = 2255)
6:39 AM: Found Spy Cookie: bluestreak cookie
6:39 AM: marti@bluestreak[1].txt (ID = 2314)
6:39 AM: marti@casalemedia[1].txt (ID = 2354)
6:39 AM: Found Spy Cookie: fastclick cookie
6:39 AM: marti@fastclick[2].txt (ID = 2651)
6:39 AM: Found Spy Cookie: mediaplex cookie
6:39 AM: marti@mediaplex[1].txt (ID = 6442)
6:39 AM: Found Spy Cookie: realmedia cookie
6:39 AM: marti@network.realmedia[1].txt (ID = 3236)
6:39 AM: Found Spy Cookie: one-time-offer cookie
6:39 AM: marti@one-time-offer[2].txt (ID = 3095)
6:39 AM: Found Spy Cookie: questionmarket cookie
6:39 AM: marti@questionmarket[2].txt (ID = 3217)
6:39 AM: marti@realmedia[2].txt (ID = 3235)
6:39 AM: Found Spy Cookie: tacoda cookie
6:39 AM: marti@tacoda[1].txt (ID = 6444)
6:39 AM: Found Spy Cookie: tradedoubler cookie
6:39 AM: marti@tradedoubler[1].txt (ID = 3575)
6:39 AM: Found Spy Cookie: trafficmp cookie
6:39 AM: marti@trafficmp[1].txt (ID = 3581)
6:39 AM: Found Spy Cookie: tribalfusion cookie
6:39 AM: marti@tribalfusion[1].txt (ID = 3589)
6:39 AM: Found Spy Cookie: websponsors cookie
6:39 AM: rusty@a.websponsors[1].txt (ID = 3665)
6:39 AM: rusty@ad.yieldmanager[1].txt (ID = 3751)
6:39 AM: Found Spy Cookie: adecn cookie
6:39 AM: rusty@ad2.adecn[1].txt (ID = 2064)
6:39 AM: rusty@adecn[2].txt (ID = 2063)
6:39 AM: Found Spy Cookie: adknowledge cookie
6:39 AM: rusty@adknowledge[2].txt (ID = 2072)
6:39 AM: Found Spy Cookie: hbmediapro cookie
6:39 AM: rusty@adopt.hbmediapro[2].txt (ID = 2768)
6:39 AM: Found Spy Cookie: hotbar cookie
6:39 AM: rusty@adopt.hotbar[2].txt (ID = 4207)
6:39 AM: Found Spy Cookie: specificclick.com cookie
6:39 AM: rusty@adopt.specificclick[2].txt (ID = 3400)
6:39 AM: Found Spy Cookie: revenue.net cookie
6:39 AM: rusty@ads1.revenue[1].txt (ID = 3258)
6:39 AM: rusty@ask[2].txt (ID = 2245)
6:39 AM: rusty@atwola[1].txt (ID = 2255)
6:39 AM: rusty@belnk[1].txt (ID = 2292)
6:39 AM: Found Spy Cookie: enhance cookie
6:39 AM: rusty@c.enhance[1].txt (ID = 2614)
6:39 AM: Found Spy Cookie: goclick cookie
6:39 AM: rusty@c.goclick[2].txt (ID = 2733)
6:39 AM: rusty@dist.belnk[2].txt (ID = 2293)
6:39 AM: Found Spy Cookie: 2o7.net cookie
6:39 AM: rusty@gateway.122.2o7[1].txt (ID = 1958)
6:39 AM: Found Spy Cookie: clickandtrack cookie
6:39 AM: rusty@hits.clickandtrack[2].txt (ID = 2397)
6:39 AM: Found Spy Cookie: offeroptimizer cookie
6:39 AM: rusty@offeroptimizer[2].txt (ID = 3087)
6:39 AM: rusty@partygaming.122.2o7[1].txt (ID = 1958)
6:39 AM: Found Spy Cookie: partypoker cookie
6:39 AM: rusty@partypoker[1].txt (ID = 3111)
6:39 AM: rusty@temp2.adecn[1].txt (ID = 2064)
6:39 AM: rusty@trafficmp[1].txt (ID = 3581)
6:40 AM: Found Spy Cookie: webpower cookie
6:40 AM: owner@webpower[2].txt (ID = 3660)
6:40 AM: Cookie Sweep Complete, Elapsed Time: 00:00:09
6:40 AM: Starting File Sweep
6:52 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb821253$\faultrep.dll". Access is denied
7:13 AM: Warning: Failed to open file "c:\windows\$ntuninstallkb821253$\dwwin.exe". Access is denied
7:20 AM: winlogon.dll (ID = 305947)
7:29 AM: Warning: Invalid Stream
7:29 AM: Warning: Unhandled Archive Type
7:29 AM: Warning: Invalid Stream
7:29 AM: Warning: Unhandled Archive Type
7:29 AM: File Sweep Complete, Elapsed Time: 00:49:46
7:29 AM: Full Sweep has completed. Elapsed time 00:54:56
7:29 AM: Traces Found: 50
7:30 AM: Removal process initiated
7:30 AM: Quarantining All Traces: email sentinel pro
7:30 AM: Quarantining All Traces: purityscan
7:30 AM: purityscan is in use. It will be removed on reboot.
7:30 AM: winlogon.dll is in use. It will be removed on reboot.
7:30 AM: C:\WINDOWS\system32\winlogon.dll is in use. It will be removed on reboot.
7:30 AM: Quarantining All Traces: 2o7.net cookie
7:30 AM: Quarantining All Traces: adecn cookie
7:30 AM: Quarantining All Traces: adknowledge cookie
7:30 AM: Quarantining All Traces: adrevolver cookie
7:30 AM: Quarantining All Traces: advertising cookie
7:30 AM: Quarantining All Traces: ask cookie
7:30 AM: Quarantining All Traces: atlas dmt cookie
7:30 AM: Quarantining All Traces: atwola cookie
7:30 AM: Quarantining All Traces: belnk cookie
7:30 AM: Quarantining All Traces: bluestreak cookie
7:30 AM: Quarantining All Traces: casalemedia cookie
7:30 AM: Quarantining All Traces: clickandtrack cookie
7:30 AM: Quarantining All Traces: enhance cookie
7:30 AM: Quarantining All Traces: fastclick cookie
7:30 AM: Quarantining All Traces: goclick cookie
7:30 AM: Quarantining All Traces: hbmediapro cookie
7:30 AM: Quarantining All Traces: hotbar cookie
7:30 AM: Quarantining All Traces: mediaplex cookie
7:30 AM: Quarantining All Traces: nextag cookie
7:30 AM: Quarantining All Traces: offeroptimizer cookie
7:30 AM: Quarantining All Traces: one-time-offer cookie
7:30 AM: Quarantining All Traces: partypoker cookie
7:30 AM: Quarantining All Traces: questionmarket cookie
7:30 AM: Quarantining All Traces: realmedia cookie
7:30 AM: Quarantining All Traces: revenue.net cookie
7:30 AM: Quarantining All Traces: specificclick.com cookie
7:30 AM: Quarantining All Traces: tacoda cookie
7:30 AM: Quarantining All Traces: tradedoubler cookie
7:30 AM: Quarantining All Traces: trafficmp cookie
7:30 AM: Quarantining All Traces: tribalfusion cookie
7:30 AM: Quarantining All Traces: webpower cookie
7:30 AM: Quarantining All Traces: websponsors cookie
7:30 AM: Quarantining All Traces: yieldmanager cookie
7:30 AM: Warning: Launched explorer.exe
7:30 AM: Warning: Quarantine process could not restart Explorer.
7:31 AM: Preparing to restart your computer. Please wait...
7:31 AM: Removal process completed. Elapsed time 00:01:15
********
6:32 AM: | Start of Session, Saturday, June 24, 2006 |
6:32 AM: Spy Sweeper started
6:33 AM: Your spyware definitions have been updated.
6:34 AM: | End of Session, Saturday, June 24, 2006 |


ewido:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:26:16 AM 6/24/2006

+ Scan result:



C:\WINDOWS\Downloaded Program Files\ieatgpc.dll -> Adware.WebEx : Cleaned with backup (quarantined).
C:\Program Files\ѕecurity\arpa.exe -> Downloader.PurityScan.cl : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\YPN Consulting\70gd6qng.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\irpq5dwe.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Rusty\Application Data\Mozilla\Profiles\Rusty\l7wuzmdd.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\YPN Consulting\70gd6qng.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\irpq5dwe.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Rusty\Application Data\Mozilla\Profiles\Rusty\l7wuzmdd.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Rusty\Application Data\Mozilla\Profiles\Rusty\l7wuzmdd.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.34:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.39:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.40:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.41:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.42:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.46:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.47:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.48:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.49:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.56:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.57:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.58:C:\Documents and Settings\All Users\Documents\PhylMozBU\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.60:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.61:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.62:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.6:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.7:C:\Documents and Settings\Mom\Application Data\Mozilla\Profiles\default\kfbspo3g.slt\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Marti\Cookies\marti@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Rusty\Application Data\Mozilla\Profiles\Rusty\l7wuzmdd.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end


hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 9:43:20 AM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\notes\ntmulti.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Owner\Desktop\Spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csc.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\qckb\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093688482734
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastacces...bls_speedop.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webmeeting.a...bex/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#5 Susan528


Posted 24 June 2006 - 09:33 AM

Hello nyankeec,

You are doing fine. Don't worry about the winlogon.dll. I did a search and it did not show in your HijackThis log.

Let's run another scan please.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.

Copy and paste that information from Kaspersky in your next reply.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#6 Guest_nyankeec_*


Posted 24 June 2006 - 03:12 PM

Here ya go, Susan528:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, June 24, 2006 5:04:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 24/06/2006
Kaspersky Anti-Virus database records: 190393
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 128461
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 2
Duration of the scan process: 04:01:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\irpq5dwe.slt\Mail\mail.lig.bellsouth.net\Inbox.sbd\Ebay-PayPal/[From "eBay Member: nc_yankee" <checkout@ebay.com>][Date Sat, 16 Jul 2005 03:36:27 -0700]/UNNAMED/[From <spoof@paypal.com>][Date Thu, 25 May 2006 05:14:13 -0500]/text   Infected: Trojan-Spy.HTML.Bayfraud.dq   skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\irpq5dwe.slt\Mail\mail.lig.bellsouth.net\Inbox.sbd\Ebay-PayPal/[From "eBay Member: nc_yankee" <checkout@ebay.com>][Date Sat, 16 Jul 2005 03:36:27 -0700]/UNNAMED   Infected: Trojan-Spy.HTML.Bayfraud.dq   skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\irpq5dwe.slt\Mail\mail.lig.bellsouth.net\Inbox.sbd\Ebay-PayPal   Mail Berkeley mbox: infected - 2   skipped
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP100\A0007886.exe   Suspicious: Trojan-Downloader.Win32.Dyfuca.bj   skipped
C:\System Volume Information\_restore{77BD54D2-7CCA-4CAA-8C8E-7D47D8611E73}\RP100\A0007887.exe   Suspicious: Trojan-Downloader.Win32.Dyfuca.bj   skipped

Scan process completed.

#7 Susan528


Posted 24 June 2006 - 09:02 PM

It looks like you have some infected emails present. You need to delete them. You may have to compact the folders to permanently delete them.

C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\irpq5dwe.slt\Mail\mail.lig.bellsouth.net\Inbox.sbd\Ebay-PayPal/[From "eBay Member: nc_yankee" <checkout@ebay.com>][Date Sat, 16 Jul 2005 03:36:27 -0700]/UNNAMED/[From <spoof@paypal.com>][Date Thu, 25 May 2006 05:14:13 -0500]/text   Infected: Trojan-Spy.HTML.Bayfraud.dq   skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\irpq5dwe.slt\Mail\mail.lig.bellsouth.net\Inbox.sbd\Ebay-PayPal/[From "eBay Member: nc_yankee" <checkout@ebay.com>][Date Sat, 16 Jul 2005 03:36:27 -0700]/UNNAMED   Infected: Trojan-Spy.HTML.Bayfraud.dq   skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\irpq5dwe.slt\Mail\mail.lig.bellsouth.net\Inbox.sbd\Ebay-PayPal   Mail Berkeley mbox: infected - 2   skipped

Please run Kaspersky again and post (reply) with the results. Let's make sure the infected emails are gone.
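Why Susan528 says the folders may have to be compacted, shown as an added example that is not part of the thread: a Mozilla mail client marks a deleted message with a flag bit and leaves its bytes in the mbox file until Compact Folders rewrites the file, so a file-level scanner keeps reporting the message. The X-Mozilla-Status header and its Expunged bit are real; the sample folder, its addresses and the function names are constructed for this illustration.

```python
"""Find messages only *marked* deleted in a Mozilla/Thunderbird mbox folder (added
example, not from the thread; the sample folder and its addresses are constructed)."""
from __future__ import annotations

import email
import re
from email.message import Message

# Mozilla records per-message flags as a 16-bit hex value in X-Mozilla-Status.
# Bit 0x0008 ("Expunged") means the user deleted the message, but its bytes stay
# in the mbox file until the folder is compacted, so a file scanner still sees it.
MOZ_EXPUNGED = 0x0008

# Constructed sample folder: one deleted phishing message, one live message.
SAMPLE_MBOX = """From - Thu May 25 05:14:13 2006
X-Mozilla-Status: 0009
From: <spoof@paypal.example>
Subject: Fwd: Your account has been limited
Content-Type: text/html

<html><body><form action="http://phish.example/login">...</form></body></html>

From - Sat Jun 24 09:00:00 2006
X-Mozilla-Status: 0001
From: friend@example.net
Subject: Photos from the trip

See attached.
"""

def split_mbox(text: str) -> list[str]:
    """Per-message chunks, each beginning with its mbox 'From ' separator line."""
    return [c for c in re.split(r"^(?=From )", text, flags=re.MULTILINE) if c.strip()]

def parse_chunk(chunk: str) -> Message:
    """Drop the separator line and parse the rest as an RFC 822 message."""
    _separator, _, body = chunk.partition("\n")
    return email.message_from_string(body)

def is_marked_deleted(msg: Message) -> bool:
    try:
        return bool(int(msg.get("X-Mozilla-Status", "0000"), 16) & MOZ_EXPUNGED)
    except ValueError:  # missing or malformed flag header: treat as live
        return False

def find_zombie_messages(text: str) -> list[tuple[str, str]]:
    """(From, Subject) of messages deleted in the client but still present on disk."""
    return [(msg.get("From", ""), msg.get("Subject", ""))
            for msg in map(parse_chunk, split_mbox(text)) if is_marked_deleted(msg)]

def compact(text: str) -> str:
    """What 'Compact Folders' does: rewrite the file without the expunged messages."""
    return "".join(c for c in split_mbox(text) if not is_marked_deleted(parse_chunk(c)))

if __name__ == "__main__":
    for sender, subject in find_zombie_messages(SAMPLE_MBOX):
        print(f"still on disk: {sender} / {subject}")
    print(f"after compaction: {len(split_mbox(compact(SAMPLE_MBOX)))} message(s) remain")
```

Running find_zombie_messages over a real profile's Inbox.sbd files before and after compacting is the quick way to confirm that a scanner hit like the one above is really gone.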

#8 Guest_nyankeec_*


Posted 25 June 2006 - 09:55 AM

Hi Susan528. :wavey:

I located and deleted the questionable email -- it actually was a spoof I had received concerning ebay that I had forwarded to ebay security -- I had deleted the original message but the sent message was still hanging around. Also, I saw in this morning's AVG log that the irritating file that started this whole thread now only showed up in a System Restore Point. So, this morning I:
  • Cleaned out the suspect email message and compacted all email folders.
  • Reset my restore points by turning it off, rebooting, and turning it back on.
  • Reran Kaspersky, which found nothing and therefore did not create a log.
Here's a current HJT log for good measure:

Logfile of HijackThis v1.99.1
Scan saved at 11:44:41 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\notes\ntmulti.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\2Wire\HomePortal\2PortalMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Documents and Settings\Owner\Desktop\Spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csc.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\HomePortal\2PortalMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\qckb\bagent.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (eAssist NetAgent Customer ActiveX Control version 3) - https://quicken.ehos...s/custappx3.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093688482734
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E9522CF-6B95-46D6-8E2F-7638F507313F} (BLS_SpeedOP.systemcheck) - http://www.fastacces...bls_speedop.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://webmeeting.a...bex/ieatgpc.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15010/CTPID.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes\ntmulti.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

Thanks for your help.
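A small triage pass over the O4/O20/O23 lines of a log like the one above, as an added example (not HijackThis code and not from the thread): it parses each entry and flags what a helper checks by eye, such as the x10nets service marked (file missing) and the CARPService value that names carpserv.exe with no path. The heuristics are mine, and the two sample lines marked constructed are invented.

```python
"""Triage helper for HijackThis O4/O20/O23 lines (added example, not HijackThis code;
the checks are this reviewer's own and the lines marked 'constructed' are invented)."""
from __future__ import annotations

import re

# O23 - Service: <display name> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?)"
    r" - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
# O20 - Winlogon Notify: <name> - <dll path>
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")

STANDARD_DIRS = ("c:\\program files", "c:\\progra~1", "c:\\windows")

SAMPLE_LOG = [
    "O4 - HKLM\\..\\Run: [CARPService] carpserv.exe",
    "O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP",
    'O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide',
    "O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll",
    "O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe",
    "O23 - Service: X10 Device Network Service (x10nets) - Unknown owner"
    " - C:\\PROGRA~1\\ATIMUL~1\\RemCtrl\\x10nets.exe (file missing)",
    # constructed: unknown-owner service installed under a user profile
    "O23 - Service: Example Updater (exupd) - Unknown owner - C:\\Documents and Settings\\Owner\\exupd.exe",
    # constructed: '?' is not legal in a Windows path, so the tool could not render that character
    "O4 - HKLM\\..\\Run: [updsvc] C:\\Program Files\\?ommon\\updsvc.exe",
]

def parse_line(line: str) -> dict[str, str | None] | None:
    """Return the named fields of a recognised line, or None for other sections."""
    for kind, rx in (("O4", O4_RE), ("O20", O20_RE), ("O23", O23_RE)):
        m = rx.match(line.strip())
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def executable_of(cmd: str) -> str:
    """The program part of a Run value: the quoted path, or everything before the first switch."""
    return cmd.split('"')[1] if cmd.startswith('"') else re.split(r" (?=[/-])", cmd, maxsplit=1)[0]

def triage(lines: list[str]) -> list[tuple[str, str]]:
    """(reason, line) pairs for entries a helper would ask the poster to verify."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        path = executable_of(e["cmd"]) if e["kind"] == "O4" else e["path"]
        if any(c in "?*<>|" or ord(c) > 126 for c in path):
            findings.append(("path holds a character Windows cannot use: look-alike name?", line))
        if e["kind"] == "O23" and e["missing"]:
            findings.append(("service points at a file that no longer exists", line))
        elif e["kind"] == "O23" and e["owner"] == "Unknown owner" and not path.lower().startswith(STANDARD_DIRS):
            findings.append(("unknown-owner service outside the standard directories", line))
        elif e["kind"] == "O4" and "\\" not in path:
            findings.append(("bare file name in a Run value resolves via the search path", line))
    return findings
```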

#9 Susan528


Posted 25 June 2006 - 08:33 PM

Hello nyankeec, :)

Your logs appear to be clean.
Step 3 will eliminate the infected _restore files. Also be sure and get the latest patch for Java.

Please do the following:

STEP 1.
======
Cleanmgr
To clean temporary files:
  • Go > start > run and type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.

STEP 2. (Windows XP only)
======
Prefetch Folder
Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder


STEP 3.
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

STEP 4.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update your Java with the latest patch. Java Software Java Runtime Environment Version 5.0 Update 7
    http://www.java.com/...load/manual.jsp

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  • More info on how to prevent malware can also be found here (By Tony Klein)
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.


Susan

#10 Susan528


Posted 28 June 2006 - 06:54 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
