malware from www.asecuretool.com

Question

Was recently hit with unwanted s/w that purports to provide scurity monitoring..... I tried & cannot remove the applications using add/remove function. Have detected two applications:                      'Online Security Guide'                      'Troubleshooting'   Below is a logfile using HJT, any suggestions or assistance is greatly appreciated.   Logfile of HijackThis v1.99.1 Scan saved at 7:28:22 AM, on 2/8/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32
vsvc32.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Canon\CALMAIN.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\system32\wuauclt.exe C:\DOCUME~1\BILLYH~1\LOCALS~1\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing) O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [MoneyStartUp10.0] 'C:\Program Files\Microsoft Money\System\Activation.exe' O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe'  -osboot O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [Windows Defender] 'C:\Program Files\Windows Defender\MSASCui.exe' -hide O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /background O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cris Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINDOWS\system32\cwgppb.dll O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

zbestwun2001 · Answer

Please download SmitfraudFix (by S!Ri) to your Desktop. Download AVG Anti-Spyware from HERE and save that file to your desktop. This is a 30 day trial of the program Once you have downloaded AVG anti-spyware, locate the icon on the desktop and double-click it to launch the set up program. Select Change state' to inactivate 'Resident Shield' and 'Automatic Updates' Right click on AVG AS in the system tray and uncheck 'Start with Windows'. Go to Start > Run and type: services.msc Press 'OK'. In Services, click the 'Extended tab' and scroll down the list to find AVG anti-spyware guard. When you find the guard service, double-click on it. In the Properties Window > General Tab that opens, click the 'Stop' button. From the drop-down menu next to 'Startup Type', click on 'Manual'. Now click 'Apply', then 'OK' and close the Services window. Once the setup is complete you will need run AVG AS and update the definition files. On the main screen select the icon 'Update' then select the 'Update now' link. Next select the 'Start Update' button, the update will start and a progress bar will show the updates being installed. If you are having problems with the updater, manually update with the AVG AS Full database installer from here. Once the update has completed select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab. Once in the Settings screen click on 'Recommended actions' and then select 'Quarantine'. Under 'Reports' Select 'Automatically generate report after every scan' Un-Select 'Only if threats were found' Close AVG Anti-Spyware, Do Not run a scan just yet. We will shortly. Double-click smitfraudfix.exe Select option #1 - Search by typing 1 and press ' Enter'; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. IMPORTANT: Do NOT run any other options until you are asked to do so! Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a 'RiskTool'; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between 'good' and 'malicious' use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm After you have done the above I would like you to completely delete your current HJT folder and follow the instuctions in THIS thread here on how to download an .exe version of the HJT program and make sure that it is installed in the correct location. Do not start a new thread just stay in this thread here. Thanks. *************************** zb1 EDIT: for spelling. Message Edited by zbestwun2001 on 02-08-2007 09:39 AM

hawk8060 · Answer

Thanks very much for your reply...

Hate to be such a dunce but where do I find " smitfraudfix.exe" so that I can launch it?

BH

Un-Select " Only if threats were found"Close AVG Anti-Spyware, Do Not run a scan just yet. We will shortly.

Double-click smitfraudfix.exe
Select option #1 - Search by typing 1 and press " Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

zbestwun2001 · Answer

I have asked to to download SmitfraudFix (by S!Ri) to your Desktop. zb1

hawk8060 · Answer

My sincere apology zbestwun - I would hate to admit to how many times I read your notes and still missed the very first instruction........   Here is the text: SmitFraudFix v2.141 Scan done at 11:18:13.93, Fri 02/09/2007 Run from C:\Documents and Settings\Billy Hawkins\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS C:\WINDOWS\logo.gif FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\cwgppb.dll FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Billy Hawkins »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Billy Hawkins\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND ! C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BILLYH~1\FAVORI~1 C:\DOCUME~1\BILLYH~1\FAVORI~1\Online Security Test.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Desktop C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND ! C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files C:\Program Files\AntiVermeans\ FOUND ! C:\Program Files\Video ActiveX Object\ FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components   [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] 'Source'='About:Home' 'SubscribedURL'='About:Home' 'FriendlyName'='My Current Home Page'   »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{2acf3add-34a1-4f2f-99cf-cc69785d1e90}'='exemplars' [HKEY_CLASSES_ROOT\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32] @='C:\WINDOWS\system32\cwgppb.dll' [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32] @='C:\WINDOWS\system32\cwgppb.dll'   »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] 'AppInit_DLLs'='' »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'System'='' »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End     Here is the new logfile using HJT after deleting and reinstallation: Logfile of HijackThis v1.99.1 Scan saved at 11:54:48 AM, on 2/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32
vsvc32.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Canon\CALMAIN.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\devldr32.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\cmd.exe C:\WINDOWS\explorer.exe C:\Program Files\Hijackthis\HijackThis.exe C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isadd.dll (file missing) O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [MoneyStartUp10.0] 'C:\Program Files\Microsoft Money\System\Activation.exe' O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe'  -osboot O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [Windows Defender] 'C:\Program Files\Windows Defender\MSASCui.exe' -hide O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /background O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cris Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINDOWS\system32\cwgppb.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

zbestwun2001 · Answer

Hawk,
No problem at all.

Let's continue:

Please print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe again.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report along with all others into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : Running option #2 on a non-infected computer will remove your Desktop background.

____________________________________________________________

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display.
Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin
______________________________

Close ALL open Windows / Programs / Folders.

While in Safe Mode, launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AS will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG AS and reboot your system back into Normal Mode.

In your next reply please include:

1. The report from SmitfraudFix found here: C:\rapport.txt
2. The report from AVG AS
3. A fresh HijackThis log

You may need several replies to post the requested logs; otherwise they might get cut off.

************************

zb1

hawk8060 · Answer

Attached is the new HJT logfile report:   Logfile of HijackThis v1.99.1 Scan saved at 2:37:02 PM, on 2/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32
vsvc32.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\Canon\CALMAIN.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [MoneyStartUp10.0] 'C:\Program Files\Microsoft Money\System\Activation.exe' O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe'  -osboot O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [Windows Defender] 'C:\Program Files\Windows Defender\MSASCui.exe' -hide O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /background O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cris Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

hawk8060 · Answer

part 2 of 3 - avg as report:   C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-babyuniverse.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-bestbuy.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-chicos.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-clearchannel.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-futurepub.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-gameshownet.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-hollywood.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-learningco.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-legacy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-space.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-stubhub.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-theviptour.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-tlcmultimedia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-trilegiant.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-verizon.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-viacom.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@phg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@ehg-comcast.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@ehg-hollywood.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@counter.hitslink[1].txt -> TrackingCookie.Hitslink : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@stat.onestat[1].txt -> TrackingCookie.Onestat : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@overture[2].txt -> TrackingCookie.Overture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@overture[2].txt -> TrackingCookie.Overture : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@pro-market[1].txt -> TrackingCookie.Pro-market : Cleaned.

hawk8060 · Answer

ZB1 you definitely the MAN...  unwanted security s/w appears to be gone... any issue  with XP's  system restore functionality?    here is the report from smitfraudfix: SmitFraudFix v2.141 Scan done at 12:20:56.23, Fri 02/09/2007 Run from C:\Documents and Settings\Billy Hawkins\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] '{2acf3add-34a1-4f2f-99cf-cc69785d1e90}'='exemplars' [HKEY_CLASSES_ROOT\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32] @='C:\WINDOWS\system32\cwgppb.dll' [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2acf3add-34a1-4f2f-99cf-cc69785d1e90}\InProcServer32] @='C:\WINDOWS\system32\cwgppb.dll' »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1       localhost »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri C:\WINDOWS\system32\cwgppb.dll -> Hoax.Win32.Renos.gen.i C:\WINDOWS\system32\cwgppb.dll -> Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files C:\WINDOWS\logo.gif Deleted C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted C:\DOCUME~1\BILLYH~1\FAVORI~1\Online Security Test.url Deleted C:\Program Files\AntiVermeans\ Deleted C:\Program Files\Video ActiveX Object\ Deleted »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 'System'='' »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning   Registry Cleaning done.   »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End   other 2 reports to follow:

hawk8060 · Answer

part 1 of 2  - report from avg as:   ---------------------------------------------------------AVG Anti-Spyware - Scan Report---------------------------------------------------------  + Created at: 2:31:05 PM 2/9/2007  + Scan result:    C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP441\A0051021.exe -> Adware.AntiVermins : Cleaned.C:\Documents and Settings\Patti Hawkins\Local Settings\Temp\~MySetup.exe -> Adware.DelphinMediaViewer : Cleaned.C:\Documents and Settings\Patti Hawkins\Start Menu\Programs\EARN -> Adware.eZula : Cleaned.C:\Documents and Settings\Patti Hawkins\Start Menu\Programs\EARN\EARN website.url -> Adware.eZula : Cleaned.C:\Program Files\MemoryWatcher -> Adware.MemoryWatcher : Cleaned.C:\Program Files\MemoryWatcher\EULA.URL -> Adware.MemoryWatcher : Cleaned.C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned.C:\Documents and Settings\Patti Hawkins\Local Settings\Temp\MiniBug.exe -> Adware.SuspectModule : Cleaned.C:\Program Files\whInstall -> Adware.Webhancer : Cleaned.C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned.C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned.C:\Program Files\se -> Adware.WindowEnhancer : Cleaned.C:\Program Files\se\Data -> Adware.WindowEnhancer : Cleaned.C:\WINDOWS\Temp\~986242.tmp -> Adware.Wintol : Cleaned.C:\Documents and Settings\Patti Hawkins\Local Settings\Temp\~516293.tmp -> Downloader.Wintool.a : Cleaned.C:\Documents and Settings\Patti Hawkins\Local Settings\Temp\~972530.tmp -> Downloader.Wintool.a : Cleaned.C:\WINDOWS\Temp\~112392.tmp -> Downloader.Wintool.a : Cleaned.C:\WINDOWS\Temp\~917178.tmp -> Downloader.Wintool.a : Cleaned.C:\WINDOWS\Temp\~923409.tmp -> Downloader.Wintool.a : Cleaned.C:\WINDOWS\Temp\~999155.tmp -> Downloader.Wintool.a : Cleaned.C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP441\A0051024.exe -> Downloader.Zlob.arq : Cleaned.C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP439\A0050884.exe -> Downloader.Zlob.bni : Cleaned.C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP439\A0050890.exe -> Downloader.Zlob.bni : Cleaned.C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP440\A0050908.exe -> Downloader.Zlob.bni : Cleaned.C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP440\A0050914.exe -> Downloader.Zlob.bni : Cleaned.C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP440\A0050921.exe -> Downloader.Zlob.bni : Cleaned.C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP440\A0050936.exe -> Downloader.Zlob.bni : Cleaned.C:\System Volume Information\_restore{FEDEAC82-EDE5-457B-B567-587B66F50FE0}\RP441\A0051019.dll -> Not-A-Virus.Hoax.Win32.Renos.NAO : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@oasc02.247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.C:\Documents and Settings\Guest\Cookies\guest@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@babyuniverse.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ge.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@harpo.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@kaboose.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@polo.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@razorgator.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@stubhub.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.C:\Documents and Settings\Patti Hawkins\Local Settings\Temp\Cookies\patti hawkins@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.C:\Documents and Settings\Patti Hawkins\Local Settings\Temp\Cookies\patti hawkins@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@clickagents[1].txt -> TrackingCookie.Clickagents : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@com[1].txt -> TrackingCookie.Com : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@com[1].txt -> TrackingCookie.Com : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@bilbo.counted[1].txt -> TrackingCookie.Counted : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@www.directnetadvertising[1].txt -> TrackingCookie.Directnetadvertising : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.C:\Documents and Settings\Patti Hawkins\Local Settings\Temp\Cookies\patti hawkins@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wfk4uhczmlo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wgkiqod5map.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wgkyeodpceo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wgl4qhd5afo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wgmyeocpgho.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wjkyepdpilo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wjliwjazikp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wjmyaldzkbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wjmyegdpmlq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@e-2dj6wjny-1sazwg.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ehg-aha.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.

hawk8060 · Answer

part 3 of 3 - avg as report:   C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@counter12.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@spylog[2].txt -> TrackingCookie.Spylog : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@trafficmp[3].txt -> TrackingCookie.Trafficmp : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.C:\Documents and Settings\Patti Hawkins\Local Settings\Temp\Cookies\patti hawkins@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@c1.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.C:\Documents and Settings\Lindsey Hawkins\Cookies\lindsey hawkins@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.C:\Documents and Settings\Patti Hawkins\Cookies\patti hawkins@zedo[1].txt -> TrackingCookie.Zedo : Cleaned. ::Report end

zbestwun2001 · Answer

If you are no longer using your AOL toolbar follow these instructions:
Run HiJackThis and click " Scan", then check(tick) the following, if present:

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll (file missing)

Now, with all windows closed except HiJackThis, click " Fix checked".

Reboot and post a new log.

*****************

zb1

hawk8060 · Answer

zb1, thanks very much for all of your time & help through this ordeal, seems so routine for you... will X/P's system restore funtionality pose any issue with the stuff we eliminated? also, do you have any opinion on M/S's latest browser IE7?   attached is the latest HJT logfile: Logfile of HijackThis v1.99.1 Scan saved at 11:10:27 AM, on 2/11/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32
vsvc32.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Canon\CALMAIN.exe C:\WINDOWS\system32\devldr32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [MoneyStartUp10.0] 'C:\Program Files\Microsoft Money\System\Activation.exe' O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ccApp] 'C:\Program Files\Common Files\Symantec Shared\ccApp.exe' O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe'  -osboot O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [Windows Defender] 'C:\Program Files\Windows Defender\MSASCui.exe' -hide O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\msmsgs.exe' /background O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1 O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Cris Hawkins\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing) O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: Yahoo! Blackjack - http://download2.games.yahoo.com/games/clients/y/jt0_x.cab O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32
vsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

zbestwun2001 · Answer

The jury is still out on IE7.
I have it, somethings don't work like they did with IE6.
I would stay with IE6 for a while longer... till they iron out the kinks.

I also would use Firefox as my main browser for security reasons and all around safety.

You are good to go now.

Here are your last instructions.

Next, please run Disk Cleanup in each user's profile:
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.

Please note my #10 Prevention Tip below to be sure you are using the latest version of Java.

After making sure your Java has been updated, if everything is running well....
it would be good to flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

You may have already taken some of these steps:
1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
b. SpywareGuard:
http://www.javacoolsoftware.com/spywareguard.html
Tutorial here: http://www.bleepingcomputer.com/tutorials/tutorial50.html
Periodically check for updates in both programs.

4. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.
Note: Zone Alarm Firewall (Zone Labs) http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads
Sunbelt Kerio has a free version: http://www.kerio.com/kpf_download.html

5. You might consider installing Mozilla / Firefox.
http://www.mozilla.org/

6. Install spyware detection and removal programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.

a. Ad-aware: http://www.lavasoft.de/software/adaware/

b. SpyBot S&D: http://safer-networking.org/en/news/2005-05-31.html

I would check for updates in SpyBot once a week or so.
Check for updates in Ad-aware frequently.

If you have recently installed AVG Anti-Spyware, it is a free trial product for 30 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).
You will still be able to manually update it using the *update* button

7. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List.
Here is the link:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

8. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/
** UNcheck the option to install the Yahoo toolbr.

9. If you use Adobe Reader it may need to be updated to be sure that you have a more secure version. If you are using a version prior to v. 6.05, you should update to 6.05, preferably version 7.08. It would be best to remove prior versions before updating to a new version.
Info here: http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
If you need additional assistance, the Adobe forums are here: http://www.adobe.com/support/forums/main.html

10. Make sure you are using the most updated version of Java.
The current version is Java Runtime Environment (JRE) 6.0
If you need to update, remove all prior versions using Add/Remove Programs, and delete the Java folder in Program Files.
You can go back here to download the latest version of Java Runtime Environment (JRE) 6.0.
Scroll down to where it says " The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the link to download the Windows (Offline Installation) package: Save it, do not run it. When the download is complete, close the browser.
Proceed with reinstalling Java. Reboot.

11. Practice Safe Surfing with with SiteAdvisor by McAfee. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine.
The following color codes are used by SiteAdvisor to indicate the safety of each site.

Red for Warning
Yellow for Use Caution
Green for Safe
Grey for Unknown

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!

Take care,
zb1

Virus & Spyware

Was this post helpful?