[Resolved] ImSorryInternet Speed Monitor QDRModule11.exe QDRModul


This topic is locked
11 replies to this topic

#1 ike001 (Authentic Member, 36 posts)

Posted 14 January 2008 - 03:15 AM

Hi,

When doing a search on Google, I get a "ImSorryInternet Speed Monitor" window pane that pops up on the left side
of my browser (it shows ads related to what I search for).

This virus started showing up yesterday.

Two programs also start up when my computer boots; they are QDRModule11.exe and QDRModule11 .exe.
Even though my firewall is set to stop these files from starting, they start anyway.

My avast antivirus program detected 12 trojans on my computer, and I move them to chest, but two trojans
keep coming back. Sometimes I cannot move these 2 trojans to chest and I'm forced to delete them, but it
doesn't matter as they keep coming back. The trojan filenames are "jkhhf.dll" and "awvtq.dll"

I just noticed also that in my Windows Start Menu/Programs, there is a Menu Folder called "Internet Speed
Monitor." That folder has two menu items which are "Check Now" and "Uninstall." I don't dare touch them.

Below is my HiJackThis Logfile.

Any help will be much appreciated.

Thanks,

Ike



Logfile of HijackThis v1.99.1
Scan saved at 10:59:55 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Application Files\Utilities\AntiVirus\Avast4\aswUpdSv.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06 .exe
C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe
C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Data%20Files/Work%20Files/WebsiteFiles/HomePage/Home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhf.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApplication%20Files%5CInternet%5CNewsReaders%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\efcyyvs.dll
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\application files\multimedia\video\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Application Files\Multimedia\Games\PartyPoker\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Application Files\Multimedia\Games\PartyPoker\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135806761620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135807830562
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O20 - Winlogon Notify: efcyyvs - C:\WINDOWS\SYSTEM32\efcyyvs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Application Files\Utilities\AntiVirus\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Application Files\Utilities\AntiVirus\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by ike001, 16 January 2008 - 02:42 AM.



#2 IndiGenus (Teacher Emeritus, 5,251 posts; Interests: Computer Security, Music, Sports)

Posted 15 January 2008 - 04:49 PM

Hi ike001 and welcome to the forums.

My name is Dave. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can sometimes take a while to research so please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then [image]

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana." Suzuki Roshi


#3 ike001 (Authentic Member, 36 posts)

Posted 16 January 2008 - 02:53 AM

Hello Dave,

Thank you so much for helping me with my computer! I appreciate it!

I ran ComboFix and turned off my AntiVirus and Firewall, but need to note that when ComboFix
rebooted Windows, my AntiVirus and Firewall booted up as well, then ComboFix finished. I
just thought I should mention that.

Everything seems fine now, but I'm noting your warning that everything may not be.

Ike

Here is my ComboFix log:

ComboFix 08-01-16.4 - Ike 2008-01-15 21:52:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.465 [GMT -10:00]
Running from: C:\Documents and Settings\Ike\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\application files\multimedia\video\quicktime\qttask.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashDisp .exe
C:\Documents and Settings\Ike\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Ike\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Ike\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
C:\Program Files\ISM
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrModule
C:\Program Files\QdrModule\QdrModule11 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\000080.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\efcyyvs.dll
C:\WINDOWS\system32\fhhkj.ini
C:\WINDOWS\system32\fhhkj.ini2
C:\WINDOWS\system32\jkhhf.exe
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
E:\Autorun.inf

C:\Application Files\Multimedia\Video\QuickTime\qttask .exe ---> qttask.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashDisp .exe ---> QooBox
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate .exe ---> SSBkgdupdate.exe
C:\Program Files\QdrModule\QdrModule11 .exe ---> QooBox
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4 .exe ---> OpwareSE4.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg .exe ---> Ereg.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06 .exe ---> hpztsb06.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon .exe ---> WrtMon.exe
.
.
((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 21:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 22:10 . 2008-01-12 22:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 22:10 . 2008-01-12 22:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-08 08:56 . 2008-01-08 08:56 0 --a------ C:\tqk.1
2008-01-08 08:56 . 2008-01-08 08:56 0 --a------ C:\tqk
2008-01-04 19:56 . 2008-01-05 04:36 <DIR> d-------- C:\Documents and Settings\Ike\Application Data\FrostWire
2007-12-28 06:13 . 2007-12-28 06:13 0 --a------ C:\tf8.5
2007-12-28 06:13 . 2007-12-28 06:13 0 --a------ C:\tf8.4
2007-12-25 09:30 . 2007-12-25 09:30 0 --a------ C:\tnc.1
2007-12-25 09:30 . 2007-12-25 09:30 0 --a------ C:\tnc
2007-12-25 09:16 . 2007-12-25 09:16 0 --a------ C:\teg.1
2007-12-25 09:16 . 2007-12-25 09:16 0 --a------ C:\teg
2007-12-24 05:00 . 2007-12-24 05:00 0 --a------ C:\t12k.1
2007-12-24 05:00 . 2007-12-24 05:00 0 --a------ C:\t12k
2007-12-23 01:24 . 2007-12-23 01:24 0 --a------ C:\te4.1
2007-12-23 01:24 . 2007-12-23 01:24 0 --a------ C:\te4
2007-12-20 21:44 . 2007-12-20 21:44 0 --a------ C:\tms.1
2007-12-20 21:43 . 2007-12-20 21:43 0 --a------ C:\tms
2007-12-20 11:12 . 2007-12-20 11:12 0 --a------ C:\t120.1
2007-12-20 11:12 . 2007-12-20 11:12 0 --a------ C:\t120
2007-12-19 14:43 . 2007-12-19 14:43 0 --a------ C:\t10g.1
2007-12-19 14:43 . 2007-12-19 14:43 0 --a------ C:\t10g
2007-12-16 23:24 . 2007-12-16 23:28 <DIR> d-------- C:\Program Files\PartyGaming

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 05:30 --------- d-----w C:\Documents and Settings\Ike\Application Data\MailWasher
2008-01-15 23:37 --------- d-----w C:\Documents and Settings\Ike\Application Data\Newsbin
2008-01-10 21:13 21 ---ha-w C:\qpmd8378.bin
2007-12-18 12:42 --------- d--h--w C:\Documents and Settings\Ike\Application Data\Move Networks
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-05-13 15:20 67584 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-08-03 15:32 163840 C:\WINDOWS\system32\VTTrayp.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2008-01-15 21:47 188416]
"QuickTime Task"="C:\application files\multimedia\video\quicktime\qttask .exe" [ ]
"avast!"="C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe" [2007-12-04 03:00 79224]
"Zone Labs Client"="C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe" [2006-07-09 13:42 968696]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 21:56 158208]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-01-15 21:47 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2008-01-15 21:47 75304]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-01-15 21:47 20480]
"ScanSoft OmniPage SE 4.0-reminder"="C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2008-01-15 21:47 1410600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ike^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Ike\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 06:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 06:24 1694208 C:\Program Files\Messenger\MSMSGS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-13 22:18 98304 C:\application files\multimedia\video\quicktime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
c:\documents and settings\Ike\local settings\temp\gain_trickler_3202.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ColdFusion Management Service"=2 (0x2)
"ColdFusion Management Repository"=2 (0x2)
"ColdFusion Graphing Server"=2 (0x2)
"Cold Fusion RDS"=2 (0x2)
"Cold Fusion Executive"=2 (0x2)
"Cold Fusion Application Server"=2 (0x2)
"ClusterCATS Service"=2 (0x2)
"SQLServerAgent"=3 (0x3)
"MySql"=2 (0x2)
"MSSQLServer"=3 (0x3)
"IISADMIN"=2 (0x2)
"ColdFusion MX 7 Search Server"=2 (0x2)
"ColdFusion MX 7 ODBC Server"=2 (0x2)
"ColdFusion MX 7 ODBC Agent"=2 (0x2)
"ColdFusion MX 7 Application Server"=2 (0x2)

R1 crlscsi;crlscsi;C:\WINDOWS\system32\drivers\crlscsi.sys [1995-11-06 22:57]
S4 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;"C:\CFusionMX7\runtime\bin\jrunsvc.exe" [2006-06-13 05:30]
S4 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;C:\CFusionMX7\db\slserver54\bin\swagent.exe "ColdFusion MX 7 ODBC Agent" []
S4 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;C:\CFusionMX7\db\slserver54\bin\swstrtr.exe "ColdFusion MX 7 ODBC Server" []
S4 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 22:02:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-01-15 22:09:18 - machine was rebooted [Ike]
ComboFix-quarantined-files.txt 2008-01-16 08:09:14
.
2008-01-09 12:16:57 --- E O F ---

Here is my fresh HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:13:36 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Application Files\Utilities\AntiVirus\Avast4\aswUpdSv.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe
C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Data%20Files/Work%20Files/WebsiteFiles/HomePage/Home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApplication%20Files%5CInternet%5CNewsReaders%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\application files\multimedia\video\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Application Files\Multimedia\Games\PartyPoker\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Application Files\Multimedia\Games\PartyPoker\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135806761620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135807830562
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Application Files\Utilities\AntiVirus\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Application Files\Utilities\AntiVirus\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
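
Added example, not part of the thread and not code from the HijackThis or ComboFix authors: a small Python triage script that applies, to the two logs above, the checks a log reader makes by eye. It parses HijackThis 1.99.1 output, flags the entry types that mark this infection (a filename with a space before .exe, present in both the process list and an O4 Run value beside its normally named twin; a non-empty win.ini load= line; a BHO with no name; an O20 Winlogon Notify DLL outside a short allowlist), and diffs the first log against the fresh one to list what the ComboFix run removed. The sample logs are constructed from a handful of lines copied from this thread, the Winlogon Notify allowlist and the rule names are assumptions, and the findings are pointers for a human reviewer, not verdicts.

```python
"""Triage for HijackThis 1.99.1 logs: flag the entry types seen in this
thread and diff a before/after pair. Added example; heuristics only."""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# "name .exe": whitespace immediately before the extension.
SPACE_EXT_RE = re.compile(r"\S\s+\.(exe|dll|scr|com)\b", re.IGNORECASE)
# Winlogon Notify DLLs that ship with Windows XP. Assumption: an illustrative
# allowlist; build the real one from a known-clean machine of the same build.
KNOWN_NOTIFY = {"wgalogon.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                "scecli.dll", "sclgntfy.dll", "senslogn.dll", "termsrv.dll",
                "wlballoon.dll"}

# Constructed samples: a few lines copied from the two logs in this thread.
HJT_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06 .exe
C:\Program Files\QdrModule\QdrModule11.exe
C:\Program Files\QdrModule\QdrModule11 .exe
C:\WINDOWS\system32\ctfmon.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhf.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BndBlock4 BHO Class - {8F9E2BE3-766D-4831-BB0E-766D5B819995} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\efcyyvs.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\application files\multimedia\video\quicktime\qttask .exe" -atboottime
O4 - HKCU\..\Run: [QdrModule11] "C:\Program Files\QdrModule\QdrModule11.exe"
O20 - Winlogon Notify: efcyyvs - C:\WINDOWS\SYSTEM32\efcyyvs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

HJT_AFTER = r"""
Running processes:
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINDOWS\system32\ctfmon.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\application files\multimedia\video\quicktime\qttask .exe" -atboottime
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def parse_hjt(text):
    """Return (processes, entries): process paths and (kind, line) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:                     # process list ends at the blank line
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), line))
    return processes, entries


def triage(text):
    """Return a list of (rule, line) findings, in log order."""
    procs, entries = parse_hjt(text)
    findings = []
    seen = {p.lower() for p in procs}
    for p in procs:
        if SPACE_EXT_RE.search(p):
            findings.append(("space_before_ext", p))
            twin = re.sub(r"\s+\.exe$", ".exe", p, flags=re.IGNORECASE)
            if twin.lower() in seen:     # both "x.exe" and "x .exe" running
                findings.append(("twin_pair", f"{twin} <-> {p}"))
    for kind, line in entries:
        body = line.split(" - ", 1)[1]
        if kind == "F3" and re.search(r"load=\S", body, re.IGNORECASE):
            findings.append(("win_ini_load", line))
        elif kind == "O2" and "(no name)" in body:
            findings.append(("bho_no_name", line))
        elif kind == "O20" and "winlogon notify" in body.lower():
            dll = body.rsplit("\\", 1)[-1].lower()
            if dll not in KNOWN_NOTIFY:
                findings.append(("winlogon_notify_unknown", line))
        elif kind == "O4" and SPACE_EXT_RE.search(body):
            findings.append(("space_before_ext", line))
    return findings


def diff_entries(before, after):
    """Entries present in 'before' but gone in 'after', and vice versa."""
    b = {line for _, line in parse_hjt(before)[1]}
    a = {line for _, line in parse_hjt(after)[1]}
    return sorted(b - a), sorted(a - b)


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, line in triage(HJT_BEFORE):
        print(f"{rule:24} {line}")
    removed, added = diff_entries(HJT_BEFORE, HJT_AFTER)
    print(f"removed by the fix: {len(removed)}, new entries: {len(added)}")
    print("still flagged after:", summarize(triage(HJT_AFTER)))
```

On the two abbreviated samples the diff reports five entries removed and none added, and the fresh log still trips one rule: the QuickTime O4 value that points at `qttask .exe`. The ComboFix log above renamed that file back to `qttask.exe` and lists the Run value with an empty `[ ]`, so the value now points at a file that no longer exists. That is the kind of leftover a before/after diff catches when "everything seems fine" does not.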

#4 IndiGenus (Teacher Emeritus, 5,251 posts; Interests: Computer Security, Music, Sports)

Posted 16 January 2008 - 05:38 AM

Looks like we got most of it. Just one item that is disabled in msconfig we need to kill, and one item with HJT.

Run HijackThis. Hit None of the above, click Do a System Scan Only. Put a check in the box on the left side of this:

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab

Then close all windows except this one and press Fix checked.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\documents and settings\Ike\local settings\temp\gain_trickler_3202.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

NOTE: Before posting your logs back you need to update Java.

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 3.
  • Go to http://java.sun.com/...loads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 3
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#5 ike001

Posted 16 January 2008 - 10:51 AM

Hello Dave,

I appreciate the effort you put into your step-by-step instructions.

Below are my new log files.

I think you wanted me to remove-the-old/install-the-new JRE before running the ComboFix?
Unfortunately, I did the JRE after - sorry.

Ike

ComboFix 08-01-16.4 - Ike 2008-01-16 4:57:34.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.465 [GMT -10:00]
Running from: C:\Documents and Settings\Ike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ike\Desktop\CFScript.txt
* Created a new restore point

FILE
c:\documents and settings\Ike\local settings\temp\gain_trickler_3202.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-16 to 2008-01-16 )))))))))))))))))))))))))))))))
.

2008-01-15 21:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 22:10 . 2008-01-12 22:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-12 22:10 . 2008-01-12 22:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-08 08:56 . 2008-01-08 08:56 0 --a------ C:\tqk.1
2008-01-08 08:56 . 2008-01-08 08:56 0 --a------ C:\tqk
2008-01-04 19:56 . 2008-01-05 04:36 <DIR> d-------- C:\Documents and Settings\Ike\Application Data\FrostWire
2007-12-28 06:13 . 2007-12-28 06:13 0 --a------ C:\tf8.5
2007-12-28 06:13 . 2007-12-28 06:13 0 --a------ C:\tf8.4
2007-12-25 09:30 . 2007-12-25 09:30 0 --a------ C:\tnc.1
2007-12-25 09:30 . 2007-12-25 09:30 0 --a------ C:\tnc
2007-12-25 09:16 . 2007-12-25 09:16 0 --a------ C:\teg.1
2007-12-25 09:16 . 2007-12-25 09:16 0 --a------ C:\teg
2007-12-24 05:00 . 2007-12-24 05:00 0 --a------ C:\t12k.1
2007-12-24 05:00 . 2007-12-24 05:00 0 --a------ C:\t12k
2007-12-23 01:24 . 2007-12-23 01:24 0 --a------ C:\te4.1
2007-12-23 01:24 . 2007-12-23 01:24 0 --a------ C:\te4
2007-12-20 21:44 . 2007-12-20 21:44 0 --a------ C:\tms.1
2007-12-20 21:43 . 2007-12-20 21:43 0 --a------ C:\tms
2007-12-20 11:12 . 2007-12-20 11:12 0 --a------ C:\t120.1
2007-12-20 11:12 . 2007-12-20 11:12 0 --a------ C:\t120
2007-12-19 14:43 . 2007-12-19 14:43 0 --a------ C:\t10g.1
2007-12-19 14:43 . 2007-12-19 14:43 0 --a------ C:\t10g
2007-12-16 23:24 . 2007-12-16 23:28 <DIR> d-------- C:\Program Files\PartyGaming

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-16 14:43 --------- d-----w C:\Documents and Settings\Ike\Application Data\MailWasher
2008-01-16 09:04 --------- d-----w C:\Documents and Settings\Ike\Application Data\Newsbin
2008-01-10 21:13 21 ---ha-w C:\qpmd8378.bin
2007-12-27 15:05 18,525,001 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_12_27_05_04_29_full.dmp.zip
2007-12-18 12:42 --------- d--h--w C:\Documents and Settings\Ike\Application Data\Move Networks
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-11-12 08:39 13,206,786 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 03:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-08-16 18:11 18,487,291 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_16_08_10_04_full.dmp.zip
2007-08-11 22:50 18,484,864 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_11_12_48_36_full.dmp.zip
2007-08-06 06:19 18,491,419 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_08_05_20_18_05_full.dmp.zip
2007-07-11 08:46 3,299,328 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-07-11 08:46 2,433,024 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2006-12-07 21:28 1,686,528 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2006-10-15 17:14 2,781,184 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-10-15 17:14 1,524,224 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
.

((((((((((((((((((((((((((((( snapshot@2008-01-15_22.09.01.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-16 07:51:15 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-16 14:57:28 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-16 07:51:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-16 14:57:28 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-16 07:51:15 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-16 14:57:28 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-16 07:51:15 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-16 14:57:29 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-16 07:51:16 14,217,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-16 14:57:29 14,217,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-16 07:51:16 114,688 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-16 14:57:29 114,688 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-05-13 15:20 67584 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 03:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-08-03 15:32 163840 C:\WINDOWS\system32\VTTrayp.exe]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2008-01-15 21:47 188416]
"QuickTime Task"="C:\application files\multimedia\video\quicktime\qttask .exe" [ ]
"avast!"="C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe" [2007-12-04 03:00 79224]
"Zone Labs Client"="C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe" [2006-07-09 13:42 968696]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 21:56 158208]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2008-01-15 21:47 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2008-01-15 21:47 75304]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2008-01-15 21:47 20480]
"ScanSoft OmniPage SE 4.0-reminder"="C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" [2008-01-15 21:47 1410600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ike^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=C:\Documents and Settings\Ike\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=C:\WINDOWS\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
--a------ 2005-06-01 06:35 49152 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 06:24 1694208 C:\Program Files\Messenger\MSMSGS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-13 22:18 98304 C:\application files\multimedia\video\quicktime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ColdFusion Management Service"=2 (0x2)
"ColdFusion Management Repository"=2 (0x2)
"ColdFusion Graphing Server"=2 (0x2)
"Cold Fusion RDS"=2 (0x2)
"Cold Fusion Executive"=2 (0x2)
"Cold Fusion Application Server"=2 (0x2)
"ClusterCATS Service"=2 (0x2)
"SQLServerAgent"=3 (0x3)
"MySql"=2 (0x2)
"MSSQLServer"=3 (0x3)
"IISADMIN"=2 (0x2)
"ColdFusion MX 7 Search Server"=2 (0x2)
"ColdFusion MX 7 ODBC Server"=2 (0x2)
"ColdFusion MX 7 ODBC Agent"=2 (0x2)
"ColdFusion MX 7 Application Server"=2 (0x2)

R1 crlscsi;crlscsi;C:\WINDOWS\system32\drivers\crlscsi.sys [1995-11-06 22:57]
S4 ColdFusion MX 7 Application Server;ColdFusion MX 7 Application Server;"C:\CFusionMX7\runtime\bin\jrunsvc.exe" [2006-06-13 05:30]
S4 ColdFusion MX 7 ODBC Agent;ColdFusion MX 7 ODBC Agent;C:\CFusionMX7\db\slserver54\bin\swagent.exe "ColdFusion MX 7 ODBC Agent" []
S4 ColdFusion MX 7 ODBC Server;ColdFusion MX 7 ODBC Server;C:\CFusionMX7\db\slserver54\bin\swstrtr.exe "ColdFusion MX 7 ODBC Server" []
S4 ColdFusion MX 7 Search Server;ColdFusion MX 7 Search Server;"C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 05:01:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="C:/mysql/bin/mysqld-nt.exe"
.
Completion time: 2008-01-16 5:01:52
ComboFix-quarantined-files.txt 2008-01-16 15:01:31
ComboFix2.txt 2008-01-16 08:09:18
.
2008-01-09 12:16:57 --- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 5:05:15 AM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Data%20Files/Work%20Files/WebsiteFiles/HomePage/Home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApplication%20Files%5CInternet%5CNewsReaders%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\application files\multimedia\video\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Application Files\Multimedia\Games\PartyPoker\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Application Files\Multimedia\Games\PartyPoker\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135806761620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135807830562
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Application Files\Utilities\AntiVirus\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Application Files\Utilities\AntiVirus\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
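
The check the helper makes on a re-scan (is the O16 entry gone, does an old JRE still show, which entries point at files that are no longer on disk) can be done mechanically. The script below is an added example for this thread, not part of HijackThis, ComboFix or the helper's instructions; its sample log lines are constructed from entries quoted above, and the "current" JRE directory name jre1.6.0_03 is an assumption drawn from the helper's "Java Runtime Environment Version 6 Update 3".

```python
import re
from dataclasses import dataclass

# A HijackThis entry line reads "O16 - DPF: {CLSID} (Name) - URL": a section
# code, " - ", then the entry body. Header lines and the process list do not match.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Sun JRE install directories carry the version, e.g. jre1.5.0_06.
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)
# Assumption: "Java Runtime Environment Version 6 Update 3" installs as jre1.6.0_03.
CURRENT_JRE = (1, 6, 0, 3)

# Constructed sample logs, abridged from the entries quoted in this thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....302/Coupons.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe" /service (file missing)
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:05:15 AM, on 1/16/2008
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe" /service (file missing)
"""


@dataclass(frozen=True)
class Entry:
    kind: str   # HJT section code, e.g. "O4", "O16", "O23"
    body: str   # everything after the " - "


def parse(log: str) -> list:
    """Return the R/N/O-type entries of an HJT log, skipping header and process list."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def removed_entries(before: list, after: list) -> list:
    """Entries present in the earlier log but gone from the later one (what a fix should remove)."""
    later = set(after)
    return [e for e in before if e not in later]


def file_missing(entries: list) -> list:
    """Entries whose target HJT could not find on disk (often leftovers of a removed program)."""
    return [e for e in entries if "(file missing)" in e.body]


def jre_version(text: str):
    """Version tuple encoded in a JRE path, e.g. jre1.5.0_06 -> (1, 5, 0, 6), or None."""
    m = JRE_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def outdated_jre(entries: list, current=CURRENT_JRE) -> list:
    """Distinct JRE versions older than `current` referenced by any entry (BHOs, O9 buttons, ...)."""
    found = {v for e in entries if (v := jre_version(e.body)) and v < current}
    return sorted(found)


def find_clsid(entries: list, clsid: str) -> list:
    """Entries carrying a given CLSID, e.g. the O16 DPF the helper asked to fix."""
    return [e for e in entries if clsid.upper() in e.body.upper()]


def report(before_log: str, after_log: str) -> dict:
    """Summarise what a re-scan shows relative to the earlier log."""
    before, after = parse(before_log), parse(after_log)
    return {
        "removed": removed_entries(before, after),
        "file_missing": file_missing(after),
        "old_jre": outdated_jre(after),
    }


if __name__ == "__main__":
    r = report(BEFORE_LOG, AFTER_LOG)
    for e in r["removed"]:
        print("gone since last scan:", e.kind, e.body)
    for e in r["file_missing"]:
        print("target missing on disk:", e.kind, e.body)
    for v in r["old_jre"]:
        print("outdated JRE still referenced: jre%d.%d.%d_%02d" % v)
```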

#6 IndiGenus

Posted 16 January 2008 - 11:11 AM

Hmm? Still showing old version of Java in HJT. Doesn't matter if you did before or after CF, but I don't see it in your last HJT log.

Let's do some more cleanup.

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
  • Under How to act? - make sure that Quarantine is selected.
  • Under How to scan? - All checkboxes should be ticked.
  • Under Possibly unwanted software - All checkboxes should be ticked.
  • Under Reports - Select Do not automatically generate reports.
  • Under What to scan? - Select Scan every file.
Close all open windows.



Please download ATF Cleaner here by Atribune. This program is for XP and Windows 2000 only.
It does not require any installation and uses minimal system resources. It is set up to clean IE, Firefox and Opera, and detects the browsers you have and grays out the other(s).
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
  • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
  • Click the Empty Selected button.
    NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


We Now Need To Boot Into Safe Mode

Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc (BOOT SCREEN). At this point you should gently tap the F8 key repeatedly until you are presented with an Options menu. Select the option for Safe Mode using the arrow keys. Then press Enter on your keyboard to boot into Safe Mode.


Run AVG


  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button. This must be done before saving the report.
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Now copy the report back to this topic.


Restart into normal mode and post the AVG Log and a new HJT Log. Also, how are things now?

IndiGenus



#7 ike001

Posted 16 January 2008 - 04:17 PM

Hello Dave,

Everything seems fine now. That ImSorry thing is gone. The trojans are gone.

That AVG scan took over 3 hours.

Also, AVG didn't let me Quarantine everything. Although I "set all elements to:" "Quarantine," the list at the top still listed the word "delete." And when I clicked upon the word "delete" to change it to "Quarantine," the word "Quarantine" was grayed out. So I had to go with the delete.

Thanks for all of your help!

Ike

Here are my log files now:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:39:11 AM 1/16/2008

+ Scan result:

C:\Program Files\Hijackthis\backups\backup-20080116-045237-619.dll -> Adware.Coupons : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235807.ocx -> Adware.Coupons : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Gator -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Gator\dyn -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Gator\stat -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\Bundle -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\Bundle\chk -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\Bundle\dl -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\OemResDll -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\OemResDll\chk -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\OemResDll\dl -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\SilentSetup -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\SilentSetup\chk -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\SilentSetup\dl -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Files\TricklerInf -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\Settings -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\downloads -> Adware.Gator : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Gator.com\Trickler\downloads\trickle.gator.com:80/download/5017.gsz -> Adware.Gator : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Application Files\Multimedia\Video\QuickTime\qttask.exe.vir -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe.vir -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule11.exe.vir -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe.vir -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe.vir -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\jkhhf.exe.vir -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe.vir -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe.vir -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP585\A0234626.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP585\A0234627.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP585\A0234643.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235608.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235613.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235614.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235615.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235616.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235617.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235618.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235619.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\catchme2008-01-15_220209.40.zip/efcyyvs.dll -> Not-A-Virus.Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7B16506A-4767-435B-AC65-EBA2393E3FF2}\RP588\A0235630.dll -> Not-A-Virus.Adware.Virtumonde : Cleaned with backup (quarantined).
D:\Old Computer Files\_Drive-E\Software Downloads\Interesting Stuff\L0phtCrack1.0\l0phtcrack.zip/LC_CLI.EXE -> Not-A-Virus.PSWTool.Win32.Lopht.100 : Cleaned with backup (quarantined).
D:\Old Computer Files\_Drive-E\Software Downloads\Interesting Stuff\L0phtCrack1.0\l0phtcrack.zip/lc_gui.exe -> Not-A-Virus.PSWTool.Win32.Lopht.100 : Cleaned with backup (quarantined).
D:\Old Computer Files\_Drive-E\Software Downloads\Interesting Stuff\L0phtCrack2.01\Program\l0phtcrack.exe -> Not-A-Virus.PSWTool.Win32.Lopht.201 : Cleaned with backup (quarantined).
D:\Old Computer Files\_Drive-E\Software Downloads\Interesting Stuff\L0phtCrack2.01\Program\l0phtcrack95.exe -> Not-A-Virus.PSWTool.Win32.Lopht.201 : Cleaned with backup (quarantined).
D:\Old Computer Files\_Drive-E\Software Downloads\Interesting Stuff\L0phtCrack2.01\lc201exe.zip/l0phtcrack.exe -> Not-A-Virus.PSWTool.Win32.Lopht.201 : Cleaned with backup (quarantined).
D:\Old Computer Files\_Drive-E\Software Downloads\Interesting Stuff\L0phtCrack2.01\lc201exe.zip/l0phtcrack95.exe -> Not-A-Virus.PSWTool.Win32.Lopht.201 : Cleaned with backup (quarantined).
D:\Old Computer Files\_Drive-E\Software Downloads\Interesting Stuff\L0phtCrack1.0\l0phtcrack.zip/PWDUMP.EXE -> Not-A-Virus.PSWTool.Win32.PWDump.b : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.23:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.16:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.6:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.7:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.9:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.8:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@www.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.18:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@earth.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@find.real[1].txt -> TrackingCookie.Real : Cleaned.
D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@realguide.real[2].txt -> TrackingCookie.Real : Cleaned.
D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@icover.realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@retaildirect.realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.25:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.12:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.14:C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned.


::Report end




Logfile of HijackThis v1.99.1
Scan saved at 12:04:55 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Application Files\Utilities\AntiVirus\Avast4\aswUpdSv.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe
C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe
C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/Data%20Files/Work%20Files/WebsiteFiles/HomePage/Home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CApplication%20Files%5CInternet%5CNewsReaders%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Ike\Application Data\Mozilla\Profiles\default\au48jlbe.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Anonymizer 2005 Toolbar - {DB264E15-F83B-4603-BFC1-4EA7E3204686} - C:\Program Files\Anonymizer\Anon2005\AnonIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\application files\multimedia\video\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\APPLIC~1\UTILIT~1\ANTIVI~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [ScanSoft OmniPage SE 4.0-reminder] "C:\Program Files\ScanSoft\OmniPageSE4.0\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\OmniPageSE4.0\Ereg\ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Application Files\Multimedia\Games\PartyPoker\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Application Files\Multimedia\Games\PartyPoker\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Installer) - http://supportcenter...ad/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1135806761620
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1135807830562
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Application Files\Utilities\AntiVirus\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Application Files\Utilities\AntiVirus\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
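The HijackThis log above lists autostart entries (O4), browser extras (O9) and services (O23), and the helper reads through them by eye. As an added example, not from this thread, from HijackThis or from any of the tools named here, the following Python checker runs over a few lines copied from that log and flags the patterns worth a second look: an executable name with whitespace before its extension (the `QDRModule11 .exe` naming from the first post), entries marked `(file missing)`, services listed with `Unknown owner`, and O4 entries that name a bare executable with no path. The flag names, the `Finding` type and the sample selection are my own choices; a flag is a prompt to check the file, not a verdict that it is malicious.

```python
"""Flag HijackThis log entries that deserve a closer look (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis log in
# this thread. Every other line of that log is handled the same way.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\application files\multimedia\video\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Application Files\Utilities\Firewall\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Application Files\Utilities\AntiVirus\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O4 - HKLM\..\Run: ..." -> the section code and the remainder of the entry.
SECTION_RE = re.compile(r"^([A-Z]\d{1,2})\s*-\s*(.*)$")
# An executable name with whitespace before its extension, e.g. "QDRModule11 .exe".
SPACE_BEFORE_EXT_RE = re.compile(r"\S\s+\.(exe|dll|com|scr|bat|cmd)\b", re.IGNORECASE)


@dataclass
class Finding:
    """One flagged log entry (hypothetical type, chosen for this example)."""
    section: str
    entry: str
    flags: List[str] = field(default_factory=list)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if the line raises no flag."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # header, blank line or a line from the process list
    section, rest = m.group(1), m.group(2)
    flags = []
    if SPACE_BEFORE_EXT_RE.search(rest):
        flags.append("space-before-extension")
    if "(file missing)" in rest:
        flags.append("file-missing")
    if "Unknown owner" in rest:
        flags.append("unknown-owner")
    if section == "O4":
        # O4 entries read "HKLM\..\Run: [Name] command"; a command with no
        # backslash is resolved through the search path at logon, so it is
        # worth confirming which file actually gets run.
        parts = rest.split("] ", 1)
        if len(parts) == 2 and "\\" not in parts[1]:
            flags.append("bare-filename")
    return Finding(section, rest, flags) if flags else None


def scan_log(text: str) -> List[Finding]:
    """Run check_line over every line and keep only the flagged entries."""
    findings = []
    for line in text.splitlines():
        f = check_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.section:<4} {', '.join(f.flags):<35} {f.entry}")
```

On the sample above the checker flags four of the six lines: the bare `SOUNDMAN.EXE` entry, the `qttask .exe` entry, the `(file missing)` xpnetdiag button, and the mail-scanner service that is both `Unknown owner` and `(file missing)`. The two fully pathed entries with a named owner raise nothing.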

#8 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 16 January 2008 - 05:39 PM

Hi,

Looking good and glad to hear it's running better. Not sure what happened with AVG there but think we're OK. I would recommend one more scan here, this time for viruses, and if all is well I think you'll be pretty much good to go other than cleanup.

You will need to run this with Internet Explorer.
Run Panda's ActiveScan from here and perform a full system scan.
  • Once you are on the Panda site click the "Scan your PC" button
  • A new window will open...click the big "Check Now" button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
  • If you are on a slow connection it will take about 15 minutes for the scanner to load.
  • Click on "Local Disks" to start the scan
  • Once scan is done, click "see report" then "save report"
  • Save the log someplace you can find
  • Reboot
  • Post the Panda scan results in your next reply

IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#9 ike001

ike001

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 16 January 2008 - 09:02 PM

Hi Dave,

Here is the log for Panda's Active Scan.

Thanks!

Ike

Incident Status Location
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ike\Application Data\Mozilla\Firefox\Profiles\xaac7lao.default\cookies.txt[.doubleclick.net/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ike\Desktop\System Tools\VundoFix\process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Ike\Desktop\System Tools\VundoFix.exe[process.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ike\Desktop\Virus Removal\ComboFix.exe[nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ike\Desktop\Virus Removal\ComboFix.exe[nircmd.cfexe]
Adware:Adware/Adband Not disinfected C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir
Adware:Adware/InternetSpeedMonitor Not disinfected C:\QooBox\Quarantine\C\Program Files\QdrDrive\QdrDrive9.dll.vir
Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\QdrDrive\qdrloader.exe.vir
Adware:Adware/InternetSpeedMonitor Not disinfected C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule11 .exe.vir
Adware:Adware/Adband Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Adware:Adware/Gator Not disinfected D:\Data Files\Software Downloads\Multimedia\Video\Codecs\DivX\DivXPro511Adware.exe[Gain_Trickler.exe]
Adware:Adware/Gator Not disinfected D:\Old Computer Files\SoftwareDownloads\Media\Codecs\DivX\DivXPro511Adware.exe[Gain_Trickler.exe]
Virus:Generic Malware Disinfected D:\Old Computer Files\SoftwareDownloads\Utilities\GRC-Important\DCOMbobulator\DCOMbob.exe
Potentially unwanted tool:Application/Leaktest.A Not disinfected D:\Old Computer Files\SoftwareDownloads\Utilities\GRC-Important\LeakTest\leaktest.exe
Virus:Eicar.Mod Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\Program Files\PestPatrol\Help.chm[/HowCanITestDetection.html]
Spyware:Cookie/Barelylegal Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@c.fsx[2].txt
Spyware:Cookie/Ccbill Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@ccbill[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@desktop.kazaa[2].txt
Spyware:Cookie/Go Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@go[2].txt
Spyware:Cookie/LinkExchange Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@linkexchange[1].txt
Spyware:Cookie/LinkExchange Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@linkexchange[3].txt
Spyware:Cookie/Com.com Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@uol.com[1].txt
Spyware:Cookie/WebPower Not disinfected D:\Old Computer Files\_Drive-D\Old-C-Drive\WINDOWS\Cookies\ike@webpower[2].txt
Virus:Generic Malware Disinfected D:\Old Computer Files\_Drive-E\OldOldDrive\OldF\Zipped\Image Indexing & Publishing\ImagePageWizard\ipw30.zip[dsrun.exe]
Adware:Adware/SaveNow Not disinfected D:\Old Computer Files\_Drive-E\_Main\wfallsfree.exe[wfalls.exe][BSAVEINSTCM.EXE]
Spyware:Spyware/New.net Not disinfected D:\Old Computer Files\_Drive-E\_Main\wfallsfree.exe[wfalls.exe][FREEZE_388.EXE]

#10 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 16 January 2008 - 09:23 PM

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.


The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

==========================

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

In addition to updating and using what you currently have you may want to consider the following:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Spybot - Search and Destroy - Spybot: Search And Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Install Ad-Aware - Ad-Aware SE. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install SpywareGuard - SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
A tutorial on installing & using this product can be found here:
Using SpywareGuard to protect your computer from Spyware and Malware

Use IESpy-Ad -
IESpy-Ad will block access to malicious websites so you cannot be redirected to them from an infected site or email. Instructions for set up and use can be found at the website.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Here is a great link to a post here on securing your PC after an attack.
http://www.geekstogo...;page=How_did_I


#11 ike001

ike001

    Authentic Member

  • Authentic Member
  • PipPip
  • 36 posts

Posted 17 January 2008 - 12:59 AM

Hey Dave, You're amazing mann. Thanks! Ike

#12 IndiGenus

IndiGenus

    Teacher Emeritus

  • Authentic Member
  • PipPipPipPipPipPip
  • 5,251 posts
  • Interests:Computer Security, Music, Sports

Posted 25 January 2008 - 08:19 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.