Adware_commanddesktop


This topic is locked
5 replies to this topic

#1 cin1671

cin1671

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 08 February 2007 - 01:10 PM

Hello,

I am trying to clean an infected office laptop. I've run Ad-Aware, SpyBot, Stinger, Norton, and AVG Anti-Virus in an attempt to clean out the spyware, etc. I believe that I've gotten everything except for Adware_CommandDesktop. This is the one thing that shows up when I run TrendMicro Housecall Scan and it's unable to remove it.

Thank you for any help you can offer!

My HJT log is below:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:23 PM, on 2/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Juno\bin\juno.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Documents and Settings\Rich Thau\Desktop\stng260.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: (no name) - {82302CC7-EE7B-C1D8-5526-EC1BC47717C6} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - >Ï - (no file)
O2 - BHO: (no name) - @>Ï - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - ¨Ï - (no file)
O2 - BHO: (no name) - à=Ï - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/instal...edsolutions.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--Cindy



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:28 AM

Posted 08 February 2007 - 01:28 PM

Welcome to Bleeping Computer cin1671 :thumbsup:

Copy and paste the following bold blue text below into Notepad.
Click on File (in the menu at the top) > Save as.. Save as Type: 'All Files', File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
==============================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-

==============================================

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

========================

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

========================

Please download/install AVG Anti-Spyware 7.5.

Please follow these instructions carefully.
Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R3 - URLSearchHook: (no name) - {82302CC7-EE7B-C1D8-5526-EC1BC47717C6} - (no file)
O2 - BHO: (no name) - >Ï - (no file)
O2 - BHO: (no name) - @>Ï - (no file)
O2 - BHO: (no name) - ¨Ï - (no file)
O2 - BHO: (no name) - à=Ï - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

========================

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Reboot when you've done.
Post the AVG Anti Spyware and F-Secure reports and a new Hijackthis log into your next reply please.
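A log-triage helper, added here as an example and not a tool from this thread or from BleepingComputer: it applies the same rules RichieUK applied by hand to the HijackThis v1.99.1 log above (R3/O2/O3 hooks, BHOs and toolbars that point at "(no file)", CLSID fields that are not well-formed GUIDs, and the presence of an O20 AppInit_DLLs value) and then reports which flagged entries are gone from the follow-up log. The two log excerpts are constructed from lines posted in this thread; any HijackThis format detail beyond those lines is an assumption.

```python
"""Triage a HijackThis v1.99.1 log the way a helper reviews it by eye.

Rules (defender's checklist, matching what was fixed in this thread):
  * R3 / O2 / O3 entries whose target is "(no file)": orphaned hook, BHO or toolbar
  * R3 / O2 / O3 entries whose CLSID field is not a well-formed {GUID}
  * an "O20 - AppInit_DLLs:" line at all: the registry value exists, and any DLL
    listed there is loaded into every process that loads user32.dll
"""
import re
from typing import Dict, List, Optional

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
# "<code> - <kind>: <rest>"; the kind/rest split is an assumption about the HJT format
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<kind>[^:]+):\s*(?P<rest>.*)$")

# Constructed excerpt in the shape of the first log posted in the thread (before the fix).
BEFORE_FIX = r"""
R3 - URLSearchHook: (no name) - {82302CC7-EE7B-C1D8-5526-EC1BC47717C6} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - >Ï - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Constructed excerpt in the shape of the second log (after the reg fix and HJT fixes).
AFTER_FIX = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one HJT line into code, kind and (for R3/O2/O3) name, CLSID, target."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"code": m["code"], "kind": m["kind"], "raw": line.strip()}
    if entry["code"] in ("R3", "O2", "O3"):
        parts = [p.strip() for p in m["rest"].split(" - ")]
        if len(parts) == 3:
            entry["name"], entry["clsid"], entry["target"] = parts
    return entry


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious entry, with every reason that applies."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons: List[str] = []
        if entry["code"] == "O20" and entry["kind"] == "AppInit_DLLs":
            reasons.append("AppInit_DLLs value exists (deleted by the fix.reg above)")
        if "target" in entry:
            if entry["target"] == "(no file)":
                reasons.append("registered hook/BHO/toolbar points at a missing file")
            if not GUID_RE.match(entry["clsid"]):
                reasons.append("CLSID field is not a well-formed GUID: %r" % entry["clsid"])
        if reasons:
            findings.append({"code": entry["code"], "entry": entry["raw"], "reasons": reasons})
    return findings


def fixed_entries(before: str, after: str) -> List[str]:
    """Flagged entries from the earlier log that no longer appear in the later one."""
    remaining = {ln.strip() for ln in after.splitlines()}
    return [str(f["entry"]) for f in triage(before) if f["entry"] not in remaining]


if __name__ == "__main__":
    for finding in triage(BEFORE_FIX):
        print(finding["code"], finding["entry"])
        for reason in finding["reasons"]:
            print("    -", reason)
    print("\nRemoved by the fix:", len(fixed_entries(BEFORE_FIX, AFTER_FIX)))
    print("Still flagged afterwards:", len(triage(AFTER_FIX)))
```

Run it against the full log text pasted from HijackThis; lines it does not recognise are skipped rather than reported.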

#3 cin1671

cin1671
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 08 February 2007 - 04:25 PM

Thank you for the welcome Richie!

I've done everything in the above post. The computer is still running slowly and when I click on "My Computer", it stalls (the flashlight icon moving back and forth) for several minutes before I can see/open the drives.

Within Internet Explorer, when I type any url into the address bar, it doesn't take me to the page. I can only get to another webpage by clicking on a link.

Below are the new logs.

AVG AntiSpyware:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:44:09 PM 2/8/2007

+ Scan result:



C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135877.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135835.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135988.dll -> Adware.MaxSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135784.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0134781.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135838.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\uneucx.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP555\A0130754.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP555\A0130755.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP555\A0130756.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP555\A0130757.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{2A1E37A4-04F1-5535-0715-F2C7C83EB4EE} -> Adware.SpyOnThis : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116248.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116249.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116250.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116251.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116252.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116253.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116254.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116255.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116256.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116257.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116258.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0116259.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0117305.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0117308.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0117377.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP447\A0117435.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP449\A0117617.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135955.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135961.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135962.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135965.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135966.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135971.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135972.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135996.exe -> Backdoor.Aebot.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135920.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135970.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135968.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135969.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0134787.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135768.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135839.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135882.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135921.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1D39F185-A499-4876-A512-FEBE298E2824}\RP578\A0135963.vbs -> Trojan.Small : Cleaned with backup (quarantined).


::Report end



F-Secure Scan:

Scanning Report
Thursday, February 08, 2007 14:57:03 - 16:08:48
Computer name: RICHTHAU
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 0 malware found

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 123652
System: 3748
Not scanned: 30
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
C:\unzipped\Gsaver\Ggsaver1.exe\Ggsaver1.exe
C:\Program Files\McAfee.com\agent\Uninst\screm.ui\agntcons.vbs
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\NAVIGATOR\IMAGES\CST\ARROW1.GIF
C:\DOCUMENTS AND SETTINGS\ADMINI~1.LOG
C:\DOCUMENTS AND SETTINGS\RICH THAU\NTUSER.DAT
C:\Documents and Settings\Rich Thau\My Documents\Vanguard\Vanguard VMAP2\Vanguard VMAP2\Prep\sent.zip\Managed_Accounts_Focus_Group_Boston_02a.xls
C:\Documents and Settings\Rich Thau\My Documents\Vanguard\Vanguard VMAP2\Prep\sent.zip\Managed_Accounts_Focus_Group_Boston_02a.xls
C:\Documents and Settings\Rich Thau\My Documents\Vanguard\Vanguard VMAP\To Zip\June16.zip\Moderator Guide for Vanguard OSS-- Understanding.doc
C:\Documents and Settings\Rich Thau\My Documents\Vanguard\Vanguard VMAP\Prep\managed_account_focus_groups.zip\managed_account_focus_groups.xls
C:\DOCUMENTS AND SETTINGS\RICH THAU\LOCAL SETTINGS\TEMP\~DF3E96.TMP
C:\DOCUMENTS AND SETTINGS\RICH THAU\LOCAL SETTINGS\TEMP\~DF41E7.TMP
C:\DOCUMENTS AND SETTINGS\RICH THAU\LOCAL SETTINGS\TEMP\~DFECF9.TMP
C:\DOCUMENTS AND SETTINGS\RICH THAU\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\RICH THAU\APPLICATION DATA\ADOBE\ACROBAT\6.0\EBOOKS\VOUCHERS\ACTIVATION.DAT
C:\DOCUMENTS AND SETTINGS\RICH THAU\APPLICATION DATA\ADOBE\ACROBAT\6.0\EBOOKS\VOUCHERS\DBFILE.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_502C93C1-E394-4758-ACC7-3AD8787CAC4E

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-02-01
F-Secure AVP: 7.0.171, 2007-02-08
F-Secure Orion: 1.2.37, 2007-02-08
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 0260-02-44
F-Secure Pegasus: 1.19.0, 2007-01-07
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------



New HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 4:20:06 PM, on 2/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/instal...edsolutions.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


Thanks!
Cindy

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:28 AM

Posted 08 February 2007 - 04:48 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Turn off System Restore, then turn it back on again:
Help if needed:
http://www.pchell.com/virus/systemrestore.shtml

Create a new System Restore Point:
Help if needed:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the System Restore window, click the "Create a Restore Point" button, then click 'Next'.
In the window that appears, enter a description, then click on "Create", then "Close".
The date and time is created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here, to help you prevent any possible future infections.
How did I get infected?
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

======================

See if these two links help you out Cindy:

'Long delay before files appear in 'My Computer' in Windows XP':
http://windowsxp.mvps.org/wiadelay.htm

'IEFix' - 'General purpose fix for Internet Explorer':
http://windowsxp.mvps.org/IEFIX.htm

======================

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6.0'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

Post back when you've done please Cindy, let me know how it's going.

#5 cin1671

cin1671
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 08 February 2007 - 05:45 PM

Thank you so much for your help! The computer seems to be running fine now.

I've updated Java and am installing all new Windows Updates as well.

-Cindy

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:28 AM

Posted 08 February 2007 - 05:48 PM

You're most welcome Cindy :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.