
Can't Delete Trojan Named Cutwail G


20 replies to this topic

#1 inagony

inagony

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 08 October 2007 - 12:05 PM

Hello -

I am sending our HijackThis log I just ran. We have been having problems with popups, the computer shutting down unexpectedly, our desktop overtaken by a black screen saying our computer was compromised, toolbar notices saying we are infected with spyware, etc. for the past couple of weeks. We have the latest McAfee Security Suite and we've run the anti-virus scans several times, but they seem to get hung up before they finish (usually in a HKLM location). I also use the CA Pest Control Virus Scan and have, I think, been successful in removing all spyware and trojans, except one keeps coming up that I cannot delete: Cutwail G. Our computer is performing much better now, with only a few popups (the same two that have been prevalent all along) and the black desktop background screen is gone. We are concerned about whether we have had any personal information compromised and if we are still vulnerable because of this Cutwail G trojan and what we can do about it. We greatly appreciate your help with analyzing our current status and providing us guidance on what to do next.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:36 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\nusrmgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1146959447\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\ISM2\ISMPack5.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINNT\system32\l3acdb2.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - sipov.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINNT\system32\oembios32.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\WINNT\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Owner\smss.exe
O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191693192296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/...212eeb77d5972cd
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...tupv2.0.0.9.cab?
O23 - Service: McAfee Application Installer Cleanup (0288331191860085) (0288331191860085mcinstcleanup) - McAfee, Inc. - C:\WINNT\TEMP\028833~1.EXE
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13295 bytes


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:57 AM

Posted 10 October 2007 - 01:16 PM

Hello inagony

Copy and Paste this post into a new text document or print it for reference

1. Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINNT\system32\l3acdb2.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - sipov.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINNT\system32\oembios32.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [autoload] C:\WINNT\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Owner\smss.exe
O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/...212eeb77d5972cd

Close any Explorer windows which may be open and click the "Fix Checked" button.


2. From either of these links download "ComboFix.exe" and place this onto your desktop

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click "combofix.exe" to launch the application. Follow the prompts that will be displayed on the screen.

Important: Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it will produce a log called "combofix.txt", saved by default into your C: folder.
Navigate to: Start >> My Computer >> Local Disk C, then copy and paste the combofix.txt log back to me.

Thank you.
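The "Fix Checked" list above is built from a few recognisable patterns in the HijackThis log: O2 BHO entries whose DLL no longer exists, unnamed BHOs dropped straight into system32, O4 Run keys that launch a copy of a core Windows process (smss.exe) from the wrong directory, and an O16 ActiveX download from an adware host. The following script, an added example that is not the helper's code nor a HijackThis feature, encodes those heuristics and runs them over lines copied from the log in this thread; the process-name set, the system-directory set and the flagged-host list are assumptions chosen for this illustration.

```python
"""Triage of HijackThis O2/O4/O16 lines: the heuristics behind a "Fix Checked" list."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted earlier in
# this thread, mixed with a few benign entries, so the triage runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINNT\system32\l3acdb2.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - sipov.dll (file missing)
O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINNT\system32\oembios32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\WINNT\system32\drivers\smss.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Owner\smss.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/...212eeb77d5972cd
"""

# Core Windows process names that malware borrows; the genuine binary lives
# only directly under the system directory (this XP box installs to C:\WINNT).
# Assumption: a short list is enough for the illustration.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

# ActiveX download hosts to treat as unwanted. Assumption: a list seeded with
# the one host the helper singled out in this thread.
FLAGGED_DPF_HOSTS = {"static.zangocash.com"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.*?)\) - (?P<url>\S+)$")


@dataclass
class Finding:
    severity: str   # "remove" (safe to fix) or "verify" (needs a closer look)
    line: str
    reason: str


def split_path(path: str) -> tuple[str, str]:
    """Return (lower-cased parent directory, lower-cased file name)."""
    low = path.lower()
    if "\\" not in low:
        return "", low
    parent, base = low.rsplit("\\", 1)
    return parent, base


def executable_from_command(cmd: str) -> str:
    """Pull the launched executable out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.exe)", cmd)         # unquoted: up to the first .exe
    return m.group(1) if m else cmd.split()[0]


def masquerades_system_process(exe_path: str) -> bool:
    """True when a core-process name is run from outside the system directory."""
    parent, base = split_path(exe_path)
    return base in SYSTEM_PROCESS_NAMES and parent not in SYSTEM_DIRS


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and collect findings in log order."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O2_RE.match(line):
            name, path = m.group("name"), m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding("remove", line,
                                        "BHO registered but its DLL is gone (orphaned entry)"))
            elif name == "(no name)" or split_path(path)[0] in SYSTEM_DIRS:
                findings.append(Finding("verify", line,
                                        "unnamed BHO, or one dropped straight into system32; "
                                        "legitimate toolbars install under Program Files"))
        elif m := O4_RE.match(line):
            exe = executable_from_command(m.group("cmd"))
            if masquerades_system_process(exe):
                findings.append(Finding("remove", line,
                                        f"'{split_path(exe)[1]}' launched from outside the system directory"))
        elif m := O16_RE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if host in FLAGGED_DPF_HOSTS:
                findings.append(Finding("remove", line,
                                        f"ActiveX package downloaded from flagged host {host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample the script reports five "remove" and two "verify" findings, matching the entries the helper ticked except that the two system32 BHOs are left for a human to confirm, which is what the later Kaspersky report does for l3acdb2.dll.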

#3 inagony

inagony
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 12 October 2007 - 11:54 AM

Hi Ourwilly -

I had to go out of town, but am back now. I will try these steps and report back. Thanks so so so much for your help.

#4 inagony

inagony
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 12 October 2007 - 01:11 PM

OurWilly -

Well I went through your instructions and ran the Hijackthis scan again. I checked all files but one:

O2 - BHO: oembios32.msdn_hlp - {D79E1D43-C805-40EF-8ACB-DFFB17E9A4AF} - C:\WINNT\system32\oembios32.dll

because it was not on the list this time. I ran the "Fix Checked" command.

I then ran the ComboFix app, but I don't believe it finished. It completed about 31 stages and deleted several files, and then it opened a new window and just stayed there blank for about 20 minutes. I finally just closed it down. I checked my C disk and there was not a ComboFix.txt file with the results...

Should I start over with the same steps again?

Thank you so much.

#5 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:57 AM

Posted 13 October 2007 - 03:11 AM

Hello inagony

OK, thank you for letting me know... let's try this next. :thumbsup:

Copy and Paste this post into a new text document or print it for reference

Please now use Internet Explorer and run this online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Copy and paste that information in your next post along with a new HijackThis log.

Thank you

#6 inagony

inagony
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 13 October 2007 - 10:51 AM

Hi OurWilly -

I had success running the Kaspersky Scan (yeah). I also ran another HijackThis Scan and it is listed below. Here are the scans:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-10-13 11:30
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/10/2007
Kaspersky Anti-Virus database records: 435501
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 157086
Number of viruses found: 20
Number of infected objects: 65
Number of suspicious objects: 0
Duration of the scan process: 02:03:49

Infected Object Name / Virus Name / Last Action
C:\11B.tmp Infected: Trojan-Spy.Win32.Zbot.y skipped
C:\1E4.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\1E4.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1E4.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1E4.tmp NSIS: infected - 3 skipped
C:\1F8.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\1F8.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1F8.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1F8.tmp NSIS: infected - 3 skipped
C:\9.tmp Infected: Trojan-Spy.Win32.Zbot.y skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{A3D7805C-6F2D-474E-B85D-05FA0C2D64DE}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6817939cfeaf389fbbe4f67eabbc1669_13d9c1f6-3bf3-4aae-948a-9938bf4029c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\94c96ac369b84a5ef4ba5811c6840d9f_13d9c1f6-3bf3-4aae-948a-9938bf4029c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\Cache\5D03B265d01 Infected: Trojan-Downloader.JS.Psyme.nc skipped
C:\Documents and Settings\Elisa\Local Settings\Temporary Internet Files\Content.IE5\WTUR4TEN\install_iframe[1].htm Infected: Trojan-Downloader.JS.Agent.kk skipped
C:\Documents and Settings\Elisa\Local Settings\Temporary Internet Files\Content.IE5\WTUR4TEN\install_iframe[2].htm Infected: Trojan-Downloader.JS.Agent.kk skipped
C:\Documents and Settings\Elisa\Local Settings\Temporary Internet Files\Content.IE5\WTUR4TEN\install_iframe[3].htm Infected: Trojan-Downloader.JS.Agent.kk skipped
C:\Documents and Settings\Elisa\Local Settings\Temporary Internet Files\Content.IE5\WTUR4TEN\install_iframe[4].htm Infected: Trojan-Downloader.JS.Agent.kk skipped
C:\Documents and Settings\Elisa\Local Settings\Temporary Internet Files\Content.IE5\WTUR4TEN\install_iframe[5].htm Infected: Trojan-Downloader.JS.Agent.kk skipped
C:\Documents and Settings\Elisa\Local Settings\Temporary Internet Files\Content.IE5\WTUR4TEN\install_iframe[6].htm Infected: Trojan-Downloader.JS.Agent.kk skipped
C:\Documents and Settings\Julie\Application Data\ntos.exe Infected: Trojan-Spy.Win32.Zbot.ap skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0005/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0005/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0006/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.w skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0006/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe NSIS: infected - 14 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-2f1cc86c.zip/TakePrivileges.class Infected: Trojan-Downloader.Java.OpenConnection.ak skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-2f1cc86c.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ak skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-2f1cc86c.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007101320071014\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_dc0.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PWQ5180Y\profile[1].htm Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0004 Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0005/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0005/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0005 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0006/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar RAR: infected - 14 skipped
C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe WiseSFX: infected - 1 skipped
C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe WiseSFX Dropper: infected - 1 skipped
C:\Program Files\AWS\WeatherBug\WxBugAutoUpgradeChoiceSAb1.0.0.6.EXE/WISE0008.BIN/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\AWS\WeatherBug\WxBugAutoUpgradeChoiceSAb1.0.0.6.EXE/WISE0008.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\AWS\WeatherBug\WxBugAutoUpgradeChoiceSAb1.0.0.6.EXE WiseSFX: infected - 2 skipped
C:\Program Files\AWS\WeatherBug\WxBugAutoUpgradeChoiceSAb1.0.0.6.EXE WiseSFX Dropper: infected - 2 skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071012-132241-541.dll Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\qoobox\Quarantine\C\U.exe.vir Infected: Trojan-Downloader.Win32.Small.fkm skipped
C:\qoobox\Quarantine\C\WINNT\system32\l3acdb2.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1029\A0182831.exe Infected: Trojan-Downloader.Win32.Small.fkm skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1029\A0182859.dll Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1030\change.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{3BA3CBFB-0874-476F-9562-9BAC71F96AFD}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\drivers\ip6fw.sys Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\sipov.dll Infected: Trojan-Clicker.Win32.Agent.lu skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\mcafee_qhifPpSaNfV09Ll Object is locked skipped
C:\WINNT\Temp\mcmsc_031UNoM0FYaaUdl Object is locked skipped
C:\WINNT\Temp\mcmsc_Rg00sfQyuqNLE5M Object is locked skipped
C:\WINNT\Temp\mcmsc_zhvkesBHZ1Ks079 Object is locked skipped
C:\WINNT\Temp\mcmsc_ZPCHQXTQuoR8jMW Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\{00000001-00000000-00000001-00001102-00000004-20041102}.CDF Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38, on 2007-10-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1146959447\ee\AOLServiceHost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191693192296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...tupv2.0.0.9.cab?
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11014 bytes


Looks like some bad stuff in there (??). Thanks again for your help.

#7 ourwilly


Posted 14 October 2007 - 03:50 AM

Hello inagony

Looks like some bad stuff in there

Yes indeed a few bad things are showing in that scan, please work your way through these instructions next.

Copy and Paste this post into a new text document or print it for reference

1. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt


2. Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


3. Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.
Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
You will need to change the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under How to act? click Recommended actions and select Quarantine from the menu. <== This is important
You can now close AVG Anti-Spyware. Do not scan yet.

Boot to Safe Mode
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
Close all open windows and then start AVG Anti-Spyware
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected. <== This is important
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports and uncheck Only if threats were found.
    • Under What to scan? - Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine <== This is important
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
Reboot in Normal Mode.


4. Copy and Paste the contents of the SD Report.txt and the AVG Anti-Spyware log back to me

Thank you.

#8 inagony


Posted 14 October 2007 - 07:13 PM

Hi OurWilly -

I've followed your directions and am sending the reports below. One note is that we are still getting the black screen overwriting our desktop background when we log in. It has a red warning message:

Warning! Spyware threat has been detected on your PC. Your computer has several fatal errors due to spyware. Etc., etc.


Here is the SD Report.txt:


SDFix: Version 1.109

Run by Owner on 2007-10-14 at 17:04

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
runtime

ImagePath:
\??\C:\WINNT\System32\drivers\runtime.sys

runtime - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service runtime2 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\system32\6_exception.nls - Deleted
C:\WINNT\system32\sipov.dll - Deleted
C:\WINNT\Temp\startdrv.exe - Deleted
C:\WINNT\system32\drivers\runtime2.sys - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Disabled:AOL Instant Messenger"
"C:\\WINNT\\system32\\sessmgr.exe"="C:\\WINNT\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1146959447\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1146959447\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\1146959447\\ee\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1146959447\\ee\\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 21 Jan 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 21 Jan 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv16.bak"
Sun 20 Aug 2006 5,424,640 ...H. --- "C:\Documents and Settings\Dan\My Documents\~WRL0079.tmp"
Sun 20 Aug 2006 3,651,072 ...H. --- "C:\Documents and Settings\Dan\My Documents\~WRL2455.tmp"
Sun 20 Aug 2006 6,150,144 ...H. --- "C:\Documents and Settings\Dan\My Documents\~WRL3901.tmp"
Sat 4 Mar 2006 85,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL2581.tmp"
Thu 4 Oct 2007 25,088 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3363.tmp"
Thu 4 Oct 2007 25,600 ...H. --- "C:\Documents and Settings\Owner\My Documents\~WRL3365.tmp"
Fri 31 Mar 2006 59,904 ...H. --- "C:\Documents and Settings\All Users\Documents\Cammie College Letters\~WRL2068.tmp"
Wed 25 Jul 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 29 Jan 2005 20,480 ...H. --- "C:\Documents and Settings\Elisa\My Documents\Elisa's Work\~WRL0463.tmp"
Sat 29 Jan 2005 19,968 ...H. --- "C:\Documents and Settings\Elisa\My Documents\Elisa's Work\~WRL2963.tmp"
Mon 6 Jun 2005 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\BAYSIDE BLUES 2004_2005\~WRL0537.tmp"
Mon 6 Jun 2005 21,504 ...H. --- "C:\Documents and Settings\Owner\My Documents\BAYSIDE BLUES 2004_2005\~WRL1652.tmp"
Fri 21 Jan 2005 4,348 ...H. --- "C:\Documents and Settings\Julie\My Documents\My Music\License Backup\drmv1key.bak"
Wed 2 Nov 2005 401 A..H. --- "C:\Documents and Settings\Julie\My Documents\My Music\License Backup\drmv1lic.bak"
Wed 21 Apr 2004 312 ...H. --- "C:\Documents and Settings\Julie\My Documents\My Music\License Backup\drmv2key.bak"
Wed 2 Nov 2005 1,536 A..H. --- "C:\Documents and Settings\Julie\My Documents\My Music\License Backup\drmv2lic.bak"
Fri 21 Jan 2005 4,348 A..H. --- "C:\Documents and Settings\Julie\My Documents\My Pictures\My Music\License Backup\drmv1key.bak"
Wed 9 Feb 2005 401 A..H. --- "C:\Documents and Settings\Julie\My Documents\My Pictures\My Music\License Backup\drmv1lic.bak"
Wed 21 Apr 2004 312 A..H. --- "C:\Documents and Settings\Julie\My Documents\My Pictures\My Music\License Backup\drmv2key.bak"
Wed 9 Feb 2005 1,536 A..H. --- "C:\Documents and Settings\Julie\My Documents\My Pictures\My Music\License Backup\drmv2lic.bak"
Tue 25 Sep 2007 6,261,544 A..H. --- "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Media Player\MTVN\Downloads\00168717\BIT1E4.tmp"

Finished!


Here is the AVG Anti-Spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:25 2007-10-14

+ Scan result:



HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup (quarantined).
HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1ADBCCE8-CF84-441E-9B38-AFC7A19C06A4} -> Adware.ActivShopper : Cleaned with backup (quarantined).
C:\Documents and Settings\Julie\Desktop\package_MARKETING27.exe -> Adware.BargainBuddy : Cleaned with backup (quarantined).
HKU\S-1-5-21-4069285105-1660435534-2397799627-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\AWS\WeatherBug\Weather.exe -> Adware.WeatherBug : Cleaned with backup (quarantined).
C:\WINNT\system32\drivers\ip6fw.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1029\A0182831.exe -> Downloader.Small.fkm : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\U.exe.vir -> Downloader.Small.fkm : Cleaned with backup (quarantined).
:mozilla.160:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.161:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.162:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.163:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.267:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.287:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.36:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.39:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.40:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.167:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.168:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.169:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.170:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.171:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.172:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.173:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.196:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.139:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.140:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.141:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.142:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.143:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.144:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.145:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.83:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.84:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.85:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.86:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.87:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.88:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.40:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.42:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.43:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.44:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.67:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.68:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.69:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.70:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.71:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.55:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.79:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.146:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.147:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.148:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.149:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.150:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.151:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.152:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.282:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.236:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.237:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.240:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.241:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.28:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.64:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.248:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.249:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.250:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.251:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.252:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.253:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.67:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.68:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.69:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.70:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.71:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.72:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.73:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.74:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.75:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.301:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.303:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.80:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.63:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.153:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.154:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.76:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.77:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.78:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.306:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.307:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.308:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.309:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.34:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.35:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.257:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.258:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.259:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.260:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.261:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.262:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.117:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.118:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.119:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.120:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.121:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.122:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.123:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.49:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.50:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.51:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.52:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.53:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.54:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.55:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.56:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.57:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.58:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.58:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.59:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.59:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.60:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.61:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.62:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.81:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.32:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.33:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.34:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.35:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.36:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.37:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.47:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.48:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.62:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.63:C:\Documents and Settings\Julie\Application Data\Mozilla\Firefox\Profiles\dq6mqd38.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.178:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.179:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.181:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.182:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.183:C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1029\A0182832.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINNT\system32\wnstscc.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).
C:\11B.tmp -> Trojan.Zbot.d : Cleaned with backup (quarantined).
C:\9.tmp -> Trojan.Zbot.d : Cleaned with backup (quarantined).
C:\103.tmp -> Trojan.Zbot.h : Cleaned with backup (quarantined).
C:\Documents and Settings\Julie\Application Data\ntos.exe -> Trojan.Zbot.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1028\A0181738.exe -> Trojan.Zbot.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1028\A0181754.exe -> Trojan.Zbot.h : Cleaned with backup (quarantined).


::Report end


That's it for now. Thanks again for your help!

#9 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male
  • Local time:02:57 AM

Posted 15 October 2007 - 10:32 AM

Hello inagony

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
In your next reply, please copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt from the Deckard's System Scanner scan.

#10 inagony

inagony
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:57 AM

Posted 15 October 2007 - 12:19 PM

Hello ourwilly -

As of now, our computer is running pretty well. The black desktop screen is no longer appearing upon system start-up. I just went in and chose a new desktop background, and it is continuing to load after I shut down and restart the computer. From what I can tell, everything is running normally; we are no longer getting any pop-ups, and the slowness of operation has gone away. When I run the Comcast spyware scan, it comes up clean.

In looking at the DSS extra.txt scan report, I am a little reluctant to post that, as it contains a detailed description of our computer, user accounts, applications, etc. I was wondering if it is necessary to post that information.

You have been so extremely helpful and we cannot thank you enough. Please let me know what the DSS scans provide and what the status of our clean-up is from your viewpoint.

Thanks again for all your help!

#11 ourwilly

ourwilly

  • Members
  • 921 posts
  • Gender:Male
  • Local time:02:57 AM

Posted 15 October 2007 - 01:16 PM

Hello inagony

1. Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 3.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Click on the link named Java Runtime Environment (JRE) 6 Update 3
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation, Multi-language and save the downloaded file to your hard disk
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 2 Runtime Environment, JRE or JSE)
  • Reboot your computer
  • Delete the folder C:\Program Files\Java if present
  • Install the new version by running the newly-downloaded file, and follow the on-screen instructions.
  • Reboot your computer

2. I would like to suggest repeating the Kaspersky Online Scan at this point and posting the new results.

Please let me know what the DSS scans provide and what the status of our clean-up is from your viewpoint.

OK, let's look at the main.txt itself. This will give us a Hijack log and also a listing of any unwanted files that may still be showing on your system, so please feel free to include this along with the online Kaspersky results in your next reply.

Thank you.
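One way to triage the Kaspersky Online Scanner results ourwilly asks for above, as an added example that is not part of the thread or of any tool named in it: the parser below separates real "Infected:" hits from the "Object is locked" noise (registry hives, event logs, index.dat) and tags hits that sit in System Restore points or in a removal tool's quarantine folder, which are stored copies rather than active infections. The sample lines, the user name and the restore-point GUID are constructed.

```python
"""Triage helper for Kaspersky Online Scanner text reports.

Added example for this thread, not a tool from Kaspersky or from the
helpers here. It separates real "Infected:" hits from the harmless
"Object is locked skipped" noise and tags each hit by where it sits,
since a detection inside a System Restore point or a removal tool's
quarantine folder is a stored copy, not something running.
"""
import re
from collections import Counter

# Line shapes assumed from the report layout pasted in the thread:
#   <path> Infected: <detection> <action>
#   <path> <archive type>: infected - <n> <action>
#   <path> Object is locked <action>
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
ARCHIVE_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>[A-Za-z ]+): infected - (?P<count>\d+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")

# Folders where System Restore and removal tools keep inert copies of what
# was removed; hits here go away by purging those stores, not by
# disinfecting a running system.
CONTAINED_MARKERS = (
    "\\system volume information\\_restore",
    "\\qoobox\\quarantine\\",
    "\\sdfix\\backups\\",
    "\\hijackthis\\backups\\",
)
CACHE_MARKERS = ("\\cache\\", "\\temporary internet files\\")


def classify_path(path):
    """Return 'contained', 'browser-cache' or 'live' for a reported path."""
    lowered = path.lower()
    if any(marker in lowered for marker in CONTAINED_MARKERS):
        return "contained"
    if any(marker in lowered for marker in CACHE_MARKERS):
        return "browser-cache"
    return "live"


def parse_report(text):
    """Split report lines into (hits, locked_paths, archive_summaries)."""
    hits, locked, archives = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            hits.append({
                "path": path,
                # Nested archive members are written as file/member/...;
                # the on-disk container is everything before the first '/'.
                "container": path.split("/")[0],
                "name": m.group("name"),
                "location": classify_path(path),
            })
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            archives.append({"path": m.group("path"), "kind": m.group("kind"),
                             "count": int(m.group("count"))})
    return hits, locked, archives


def summarize(hits):
    """Count hits per location and list the distinct on-disk files still live."""
    by_location = Counter(hit["location"] for hit in hits)
    live_files = sorted({hit["container"] for hit in hits if hit["location"] == "live"})
    return by_location, live_files


# Constructed sample in the report's format; user name and restore-point
# GUID are placeholders, not values from the thread.
SAMPLE_REPORT = r"""
C:\1E4.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\1E4.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1E4.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\ExampleUser\Local Settings\Application Data\Mozilla\Firefox\Profiles\abcd1234.default\Cache\5D03B265d01 Infected: Trojan-Downloader.JS.Psyme.nc skipped
C:\qoobox\Quarantine\C\WINNT\system32\example.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1031\A0186905.exe Infected: Trojan-PSW.Win32.Zbot.z skipped
C:\Program Files\Example App\ExampleInstall.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\Example App\ExampleInstall.exe WiseSFX: infected - 1 skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
"""

if __name__ == "__main__":
    hits, locked, archives = parse_report(SAMPLE_REPORT)
    by_location, live_files = summarize(hits)
    print("hits:", len(hits), "locked (ignore):", len(locked),
          "archive summaries:", len(archives))
    print("by location:", dict(by_location))
    for path in live_files:
        print("still live:", path)
```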

#12 inagony

inagony
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:57 AM

Posted 16 October 2007 - 08:25 PM

Hello ourwilly -

Well, it looks like things are not as good as they seem. We still have some infections showing up in the Kaspersky Scan, dag nabit.

Here is the new Kaspersky Scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-10-16 19:43
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/10/2007
Kaspersky Anti-Virus database records: 436911
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 145187
Number of viruses found: 15
Number of infected objects: 52
Number of suspicious objects: 0
Duration of the scan process: 02:25:55

Infected Object Name / Virus Name / Last Action
C:\1E4.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\1E4.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1E4.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1E4.tmp NSIS: infected - 3 skipped
C:\1F8.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\1F8.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1F8.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\1F8.tmp NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{9233250B-7465-4A4C-B83B-8A27C5CD6832}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6817939cfeaf389fbbe4f67eabbc1669_13d9c1f6-3bf3-4aae-948a-9938bf4029c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\94c96ac369b84a5ef4ba5811c6840d9f_13d9c1f6-3bf3-4aae-948a-9938bf4029c3 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Dan\Local Settings\Application Data\Mozilla\Firefox\Profiles\am9zogg9.default\Cache\5D03B265d01 Infected: Trojan-Downloader.JS.Psyme.nc skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\VirusScan_Applications\SDFix\backups\backups.zip/backups/startdrv.exe Infected: Trojan.Win32.Pakes.sb skipped
C:\Documents and Settings\Owner\Desktop\VirusScan_Applications\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_b34.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF953F.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF96A7.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0004 Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0005/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0005/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0005 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0006/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar/setup.exe Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar RAR: infected - 14 skipped
C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe WiseSFX: infected - 1 skipped
C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe WiseSFX Dropper: infected - 1 skipped
C:\Program Files\AWS\WeatherBug\WxBugAutoUpgradeChoiceSAb1.0.0.6.EXE/WISE0008.BIN/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\AWS\WeatherBug\WxBugAutoUpgradeChoiceSAb1.0.0.6.EXE/WISE0008.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Program Files\AWS\WeatherBug\WxBugAutoUpgradeChoiceSAb1.0.0.6.EXE WiseSFX: infected - 2 skipped
C:\Program Files\AWS\WeatherBug\WxBugAutoUpgradeChoiceSAb1.0.0.6.EXE WiseSFX Dropper: infected - 2 skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071012-132241-541.dll Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\qoobox\Quarantine\C\WINNT\system32\l3acdb2.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1029\A0182859.dll Infected: not-a-virus:AdWare.Win32.BHO.cw skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1029\A0182863.exe Object is locked skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186812.exe Object is locked skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186853.exe Object is locked skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186905.exe Infected: Trojan-PSW.Win32.Zbot.z skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0005/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0005/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0006/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.w skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0006/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1031\A0186907.exe NSIS: infected - 14 skipped
C:\System Volume Information\_restore{7DCA1BE4-D752-48D6-A25E-C722C8FD1BC4}\RP1039\change.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{A81ACE1B-894C-4532-AD02-6872AE83C7EF}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\mcafee_ct2R2vrWY6DCII5 Object is locked skipped
C:\WINNT\Temp\mcafee_VSaRvv6acCuldwt Object is locked skipped
C:\WINNT\Temp\mcmsc_2U23lp0CEaavKhP Object is locked skipped
C:\WINNT\Temp\mcmsc_5CMFI36vg94LeZa Object is locked skipped
C:\WINNT\Temp\mcmsc_BMMk50z0CLkuAo7 Object is locked skipped
C:\WINNT\Temp\mcmsc_CqRLtH94TNkQaQ9 Object is locked skipped
C:\WINNT\Temp\mcmsc_YJarBO8MEmfM9MB Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\{00000001-00000000-00000001-00001102-00000004-20041102}.CDF Object is locked skipped

Scan process completed.


Here is the main.txt from the DSS scan:

Deckard's System Scanner v20071014.68
Run by Owner on 2007-10-15 12:31:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
7: 2007-10-15 16:31:55 UTC - RP1033 - Deckard's System Scanner Restore Point
6: 2007-10-15 12:08:52 UTC - RP1032 - Installed Adobe Reader 7.0.9
5: 2007-10-14 16:40:39 UTC - RP1031 - System Checkpoint
4: 2007-10-13 12:52:12 UTC - RP1030 - Software Distribution Service 3.0
3: 2007-10-12 17:31:06 UTC - RP1029 - ComboFix created restore point


-- First Restore Point --
1: 2007-10-08 16:47:10 UTC - RP1027 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33, on 2007-10-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINNT\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe
C:\Program Files\Common Files\AOL\1146959447\ee\AOLServiceHost.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [Internet Optimizer] "C:\Documents and Settings\Julie\Internet Optimizer\optimize.exe" (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [[01]##############################################################################################################################] C:\Documents and Settings\Julie\Internet Optimizer\update\rogue.exe (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [msnmsgr] "c:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [userinit] C:\Documents and Settings\Julie\Application Data\ntos.exe (User 'Julie')
O4 - S-1-5-21-4069285105-1660435534-2397799627-1006 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Julie')
O4 - S-1-5-21-4069285105-1660435534-2397799627-1006 User Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Julie')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191693192296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...tupv2.0.0.9.cab?
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13521 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071012-132241-125 O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Owner\smss.exe
backup-20071012-132241-241 O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
backup-20071012-132241-423 O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
backup-20071012-132241-440 O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
backup-20071012-132241-458 O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
backup-20071012-132241-460 O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
backup-20071012-132241-517 O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
backup-20071012-132241-532 O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
backup-20071012-132241-539 O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
backup-20071012-132241-541 O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINNT\system32\l3acdb2.dll
backup-20071012-132241-546 O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
backup-20071012-132241-602 O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - sipov.dll (file missing)
backup-20071012-132241-634 O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
backup-20071012-132241-746 O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
backup-20071012-132241-750 O4 - HKCU\..\Run: [autoload] C:\WINNT\system32\drivers\smss.exe
backup-20071012-132241-781 O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
backup-20071012-132241-793 O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
backup-20071012-132241-795 O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
backup-20071012-132241-869 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20071012-132241-877 O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
backup-20071012-132241-916 O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
backup-20071012-132241-956 O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Seekmo/ie/...212eeb77d5972cd
backup-20071012-132241-967 O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
backup-20071012-132241-974 O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
backup-20071012-132241-993 O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 prohlp02 (StarForce Protection Helper Driver v2) - c:\winnt\system32\drivers\prohlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 prosync1 (StarForce Protection Synchronization Driver v1) - c:\winnt\system32\drivers\prosync1.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp01 (StarForce Protection Helper Driver) - c:\winnt\system32\drivers\sfhlp01.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 prodrv06 (StarForce Protection Environment Driver v6) - c:\winnt\system32\drivers\prodrv06.sys <Not Verified; Protection Technology; StarForce Protection System>

S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 ip6fw (IPv6 Windows Firewall Driver) - c:\winnt\system32\drivers\ip6fw.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

S2 navapsvc (Norton AntiVirus Auto Protect Service) - "c:\program files\norton antivirus\navapsvc.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-06 08:31:00 284 --a------ C:\WINNT\Tasks\AppleSoftwareUpdate.job
2007-10-01 09:45:31 336 --a------ C:\WINNT\Tasks\McDefragTask.job
2007-10-01 09:45:29 332 --a------ C:\WINNT\Tasks\McQcTask.job
2004-05-01 23:00:00 254 --a------ C:\WINNT\Tasks\ISP signup reminder 3.job
2004-04-26 21:45:00 254 --a------ C:\WINNT\Tasks\ISP signup reminder 2.job
2004-04-21 19:46:13 412 --a------ C:\WINNT\Tasks\Symantec NetDetect.job
2004-04-18 07:45:00 254 --a------ C:\WINNT\Tasks\ISP signup reminder 1.job


-- Files created between 2007-09-15 and 2007-10-15 -----------------------------

2007-10-15 11:49:41 0 d-------- C:\Documents and Settings\Dan\Application Data\COMCASTTOOLBAR
2007-10-15 11:25:40 0 d-------- C:\Documents and Settings\Dan\Application Data\Grisoft
2007-10-15 08:12:24 0 d-------- C:\Documents and Settings\Julie\Application Data\Grisoft
2007-10-15 08:09:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-10-14 17:39:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-10-14 17:38:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-14 17:02:52 0 d-------- C:\WINNT\ERUNT
2007-10-13 09:16:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-13 09:16:20 0 d-------- C:\WINNT\system32\Kaspersky Lab
2007-10-08 10:17:31 0 d-------- C:\Program Files\Trend Micro
2007-10-06 14:07:54 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-06 10:43:11 0 d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2007-10-06 10:43:11 0 d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2007-10-01 15:07:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Common Files
2007-10-01 09:48:17 143360 --a------ C:\WINNT\system32\dunzip32.dll <Not Verified; Inner Media, Inc.; DynaZIP-32 Multi-Threading UnZIP DLL>
2007-10-01 09:44:29 0 d-------- C:\Program Files\McAfee
2007-10-01 09:44:22 0 d-------- C:\Program Files\Common Files\McAfee
2007-10-01 09:35:31 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-01 09:35:29 0 d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2007-09-30 15:43:09 0 d--hs---- C:\Documents and Settings\Julie\Application Data\wsnpoem
2007-09-25 20:30:59 0 --a------ C:\4058343
2007-09-25 19:56:27 4 --a------ C:\WINNT\system32\stfv.bin
2007-09-25 19:53:53 0 d-------- C:\WINNT\system32\acespy
2007-09-25 19:53:53 29696 --a------ C:\WINNT\system32\ace16win.dll
2007-09-25 19:30:56 0 --a------ C:\454859
2007-09-24 07:28:28 0 d-------- C:\Documents and Settings\Julie\Application Data\COMCASTTOOLBAR
2007-09-23 17:08:32 0 d-------- C:\Documents and Settings\Owner\Application Data\ComcastToolbar
2007-09-23 11:12:49 0 d-------- C:\Program Files\ISM2


-- Find3M Report ---------------------------------------------------------------

2007-10-15 08:32:20 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-10-15 08:11:06 384 --a------ C:\WINNT\system32\DVCStateBkp-{00000001-00000000-00000001-00001102-00000004-20041102}.dat
2007-10-15 08:11:06 384 --a------ C:\WINNT\system32\DVCState-{00000001-00000000-00000001-00001102-00000004-20041102}.dat
2007-10-15 08:05:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-10-12 13:50:01 0 d-------- C:\Program Files\Common Files
2007-10-06 14:15:47 0 d-------- C:\Program Files\Microsoft Picture It! 7
2007-10-05 07:24:23 0 d-------- C:\Program Files\Real
2007-10-01 14:47:04 0 d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2007-10-01 10:01:39 0 d-------- C:\Program Files\McAfee.com
2007-09-25 21:12:38 0 d-------- C:\Program Files\Ahead
2007-09-25 21:11:41 0 d-------- C:\Program Files\Napster
2007-09-25 21:11:41 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-09-25 21:10:55 0 d-------- C:\Program Files\MUSICMATCH
2007-09-23 17:16:08 0 d-------- C:\Program Files\Common Files\scanner
2007-09-23 17:08:35 0 d-------- C:\Program Files\ComcastToolbar
2007-09-09 20:52:11 0 --a------ C:\42205734
2007-08-31 14:16:12 0 d-------- C:\Documents and Settings\Owner\Application Data\Snapfish
2007-08-23 09:28:40 0 d-------- C:\Documents and Settings\Owner\Application Data\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gateway Ink Monitor"="C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe" [2003-11-05 14:23]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 18:30]
"NvCplDaemon"="C:\WINNT\System32\NvCpl.dll" [2003-11-17 12:33]
"CTHelper"="CTHELPER.EXE" [2003-11-13 14:18 C:\WINNT\system32\CTHELPER.EXE]
"WT GameChannel"="C:\Program Files\WildTangent\Apps\GameChannel.exe" [2003-04-30 18:21]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 08:32]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"HostManager"="C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe" [2005-08-02 15:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-21 17:27]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" []
"Start WingMan Profiler"="" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"OurPictures"="C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe" [2006-06-27 10:45]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 03:56]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7873b4ae-469e-11db-8874-0011955854dd}]
AutoRun\command- F:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2007-10-15 12:34:55 ------------


Wow... amazing that you can make sense of all of this. Thanks, ourwilly, for your continued help.

#13 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:57 AM

Posted 17 October 2007 - 10:14 AM

Hello inagony

I would like to ask if you've installed "AceSpy" onto this system, and for any information regarding the Norton AntiVirus entry in your HJT log.


Copy and Paste this post into a new text document or print it for reference

1. Go to Start | Control Panel | Add/Remove Programs and if listed Uninstall

Internet Optimizer
Weatherbug



2. Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1 (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [Internet Optimizer] "C:\Documents and Settings\Julie\Internet Optimizer\optimize.exe" (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [[01]################################################################################################] C:\Documents and Settings\Julie\Internet Optimizer\update\rogue.exe (User 'Julie')
O4 - HKUS\S-1-5-21-4069285105-1660435534-2397799627-1006\..\Run: [userinit] C:\Documents and Settings\Julie\Application Data\ntos.exe (User 'Julie')
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

Close any Explorer windows which may be open and click the "Fix Checked" button.


3. Download the OTMoveIt from here:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Do not run it yet!

Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\AWS
C:\Documents and Settings\Julie\Internet Optimizer
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar
C:\1E4.tmp
C:\1F8.tmp



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


4. Please don't forget to also update your "Java" by following the instructions given in This Post

Once you have done this can you post a new HijackThis log and the OTMoveIt results and let me know how your system is running.

Thank you.

#14 inagony

inagony
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 17 October 2007 - 09:22 PM

Good Evening ourwilly,

Let's try this again, shall we? First, we are not familiar with AceSpy and don't recall ever installing it. As for Norton, we did install that when we got this computer initially, but it did not work for some reason and we installed McAfee instead. We thought Norton was uninstalled.

From your post:
1. I could not uninstall Internet Optimizer as it was not present in the Add/Remove Programs list.
I could not uninstall WeatherBug from the Add/Remove Programs list; it was there, but it gave me an error message relating to a Firefox/connection problem and would not let me remove it.

2. From the HijackThis scan, I could not check any of the items starting with O4 - HKUS\S as they were not in the scan when I ran it to perform this fix. The other two items were checked and "Fix Checked".

3. OTMoveIt worked fine.

Here are the new OTMoveIt results:

C:\Program Files\AWS\WeatherBug\Local moved successfully.
C:\Program Files\AWS\WeatherBug moved successfully.
C:\Program Files\AWS moved successfully.
C:\Documents and Settings\Julie\Internet Optimizer\update moved successfully.
C:\Documents and Settings\Julie\Internet Optimizer moved successfully.
C:\Documents and Settings\Owner\Shared\boys ii men beautiful women.rar moved successfully.
C:\1E4.tmp moved successfully.
C:\1F8.tmp moved successfully.

Created on 10-17-2007 21:58:26

Here is a new HijackThis scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:02, on 2007-10-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1146959447\ee\AOLServiceHost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146959447\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\Simple Star\PhotoShow Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191693192296
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...tupv2.0.0.9.cab?
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11276 bytes

I reinstalled the Java Runtime Environment Version 6 Update 3. It looks like yesterday I installed the wrong one, which I uninstalled today before I installed the right one.

The computer seems alright, a little sluggish on startup and when opening applications, and the time is still set to the 24-hour clock.

Thank you again!
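An added example, not part of this thread and not part of HijackThis, that applies the same triage the helper did by hand to lines in HijackThis v2 format: it flags autostart entries whose target file is missing, that run from a user profile directory, or whose Run value name is garbage or borrows the name of a Windows logon component. The sample lines are constructed from the entries discussed in this thread, not copied from the full log.

```python
import re

# Constructed sample in HijackThis v2 line format, modelled on the entries
# the helper singled out in this thread; it is not the poster's full log.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"
O4 - HKUS\\S-1-5-21-4069285105-1660435534-2397799627-1006\\..\\Run: [userinit] C:\\Documents and Settings\\Julie\\Application Data\\ntos.exe (User 'Julie')
O4 - HKUS\\S-1-5-21-4069285105-1660435534-2397799627-1006\\..\\Run: [[01]####] C:\\Documents and Settings\\Julie\\Internet Optimizer\\update\\rogue.exe (User 'Julie')
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.exe (file missing) (HKCU)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\\Program Files\\Norton AntiVirus\\navapsvc.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\VIRUSS~1\\mcshield.exe
"""

# First drive-letter path on the line, ending at a known binary extension.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll|bin|job))', re.IGNORECASE)
# Name of an O4 Run value: text between "Run: [" and the "] " before the path.
RUN_NAME_RE = re.compile(r'Run: \[(.+?)\] (?=[A-Za-z"])')
# Windows logon component names that are never legitimate Run value names.
SYSTEM_COMPONENT_NAMES = {"userinit"}

def triage_line(line):
    """Return the reasons a single HijackThis line deserves a closer look."""
    reasons = []
    if "(file missing)" in line.lower():
        reasons.append("orphaned entry: target file missing")
    m = PATH_RE.search(line)
    path = m.group(1).lower() if m else ""
    if "\\documents and settings\\" in path or "\\application data\\" in path:
        reasons.append("autostart runs from a user profile directory")
    if line.startswith("O4"):
        name = RUN_NAME_RE.search(line)
        if name and "#" in name.group(1):
            reasons.append("garbage characters in Run value name")
        if name and name.group(1).lower() in SYSTEM_COMPONENT_NAMES:
            reasons.append("Run value named after a Windows logon component")
    return reasons

def triage(log_text):
    """Map each flagged line's target path to its reasons; clean lines are omitted."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            m = PATH_RE.search(line)
            flagged[m.group(1) if m else line] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

The profile-directory check is a prompt to look closer, not a verdict: user-installed software also lives there, so each hit still needs the kind of review the helper gives in this thread.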

#15 ourwilly

  • Members
  • 921 posts
  • Gender:Male
  • Local time:02:57 AM

Posted 18 October 2007 - 10:39 AM

Hello inagony,

1. Click on: Start > Run, type in: services.msc and click "OK".
In the Services window look for: Norton AntiVirus Auto Protect Service

Select/highlight and right-click the entry, and choose: Properties
On the General tab, under Service Status, click the Stop button.
Beside: Startup Type, in the drop-down menu, select: Disabled
Click "Apply" then "OK".


2. Double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINNT\system32\stfv.bin
C:\WINNT\system32\acespy
C:\WINNT\system32\ace16win.dll
C:\WINNT\Tasks\Symantec NetDetect.job


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


3. Reboot into Safe Mode by shutting down your system, then restart your computer and, as soon as it starts booting up again, continuously tap F8. From the menu, select the option to enter Safe Mode.

Go to Start > All Programs > Accessories > System Tools > Disk Defragmenter

Highlight the drive that you want to check, and press the Analyze button. XP will tell you whether the drive needs to be defragmented. If XP does recommend defragging, click the Defragment button.

Reboot back into Normal Mode.

Once you have done this, please post a new HijackThis log and let me know how this system is running now.

Thank you.
