Jump to content


Photo

infected computer


  • This topic is locked This topic is locked
17 replies to this topic

#1 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 27 June 2007 - 11:36 PM

I read the FAQ first!

I am running
Windows XP -SP2
IE 6.0.2900.2180.xpsp2_qfe.070227-2300
Outlook 2003 for Email

My computer is infected with evil !!!
Manifestations are (1-7) :
1- blood red web page filling my desktop with the message "Your Privacy is in Danger - Download privacy protection software now"
2 - desktop icons for "Spyware&Protection", "PrivacyProtector","ErrorCleaner" all pointing to
http://onlinesecurit...andler.php?sg=1 ( or ending with sg=0, or sg=2)
3- pop-up web page offering about 20 security services for every 1 porno site or 1 porno file cleaner tools
4- creation and automatic repopulation of the folder C:\Windows\privacy_danger
5- takes control of active web-pages that I have open - it just jumps them to another page. If I open the web page I want and then open a dummy one that I dont' want second - it eats the second one - unless I am unlucky enough to be in the "desired one" when it gets hungry.
6- little red triangle in system tray keeps flashing and posting message ballons warning
"System Alert - System detected virus activities. These may impact the performance of your computer. Please use recommended antispyware software to protect your system from parasite programs."

That message balloon is always followed by a regular warning message in mid screen dialog titled "Malware Alert" that indicates
"Warning - Trojan Adware.W32.ExpDwnldr spyware detected. This Trojan allows attackers to access your computer from remote locations, stealing passwords, banking and personal data. This also prompts advertising popups. It should be removed from your system. - Type:Trojan horse; System Affected : Windows 98, 2000,NT, ME, XP ; Security Risk (0-5) 4; Recommendations- Click yes to get all available antispyware.

Steps followed so far ( A-F)-
After download/install of AD-Aware, Spybot, Ewido, Hi-Jack this and update of same on 6/27
disconnected from network. Then,

These two message continue to "pop" wjile offline and with scanners running - and the attempt to open cached web pages - so I deleted the temporary internet pages, cookies and history.



A) Run Ad-Aware 2007 ( removed/deleted all found)
B) Run Spybot Search and Destroy ( removed/deleted all found)
C) Run Ewido-Anti-Spyware ( removed/deleted all found) - reboot required
D) Reran Spybot, Ad-Aware, Ewido-AVG
E) Run Hijack-this -1.99.1 (as per instructions) 6/25/2007 - log file =
Logfile of HijackThis v1.99.1
Scan saved at 11:26:22 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Actiontec 802.11g USB Wireless LAN\PRISMCFG.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\microgreg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/N.../3560/homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...a...e=true&RW=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Actiontec 802.11g USB Wireless LAN.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: vpssup - {26EE2108-32A1-4861-92EA-A6F2A527A16D} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {092EE26A-44C3-40D7-BF7A-1750ABA53C2F} - C:\WINDOWS\expro.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe


F) Run /Install Kapersky Online Virus Scan - after getting online to send this e-mail - then wait and check back

#2 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 27 June 2007 - 11:43 PM

Forgot to add - i am having trouble getting in to SAFE MODE -
Options that pop during reboot are F9 F10 F11 F12 but none open an option for SAFE MODE and none hold/pause for more than about a second.

#3 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 28 June 2007 - 12:51 AM

Here are KASPERSKY SCANS logs for
Critical Areas, Memory, My Computer, Folder= C:\Windows

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 28, 2007 12:00:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/06/2007
Kaspersky Anti-Virus database records: 354782
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\MICROG~1\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 12061
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:05:51

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\expro.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5e4.dat Object is locked skipped
C:\WINDOWS\vpsnetwork.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\MICROG~1\LOCALS~1\Temp\BITA16.tmp Object is locked skipped
C:\DOCUME~1\MICROG~1\LOCALS~1\Temp\~DF7B66.tmp Object is locked skipped
C:\DOCUME~1\MICROG~1\LOCALS~1\Temp\~DF7B7E.tmp Object is locked skipped

Scan process completed.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 28, 2007 12:02:06 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/06/2007
Kaspersky Anti-Virus database records: 354782
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Memory:

Scan Statistics:
Total number of scanned objects: 1438
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:00:32

Infected Object Name / Virus Name / Last Action
[508] explorer.exe => C:\WINDOWS\expro.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
[3248] IEXPLORE.EXE => C:\WINDOWS\vpsnetwork.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped

Scan process completed.





-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 28, 2007 12:36:29 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/06/2007
Kaspersky Anti-Virus database records: 354782
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 43369
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:33:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prism\77cc4a1d Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\History\History.IE5\MSHist012007062820070629\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BITCFA.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF7B66.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF7B7E.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temporary Internet Files\Content.IE5\OD87WFGB\blultbar[1].gif Object is locked skipped
C:\Documents and Settings\microgreg\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\microgreg\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP134\A0004637.exe Infected: Trojan-Downloader.Win32.Agent.bjc skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP136\A0004725.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP136\change.log Object is locked skipped
C:\WINDOWS\expro.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5e4.dat Object is locked skipped
C:\WINDOWS\vpsnetwork.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 28, 2007 12:44:55 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/06/2007
Kaspersky Anti-Virus database records: 354782
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\WINDOWS\

Scan Statistics:
Total number of scanned objects: 11215
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:05:26

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\expro.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5e4.dat Object is locked skipped
C:\WINDOWS\vpsnetwork.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#4 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 29 June 2007 - 11:01 AM

hijack this and kaspersky both seem to find the files
C:\WINDOWS\vpsnetwork.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\expro.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped

also I am curious about the entry
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/N.../3560/homepage/

inthe hijack this log - this is not may main home or start page. - and is one of the addresses I have added to my IExplorer restricted sites list.
BAsically - avery time some errant page comes up, I add it to the restricted sites list. - Quaint perhaps, but it stalls the automated romp that it is attempting to inflict long engough for me to catch it and kill it.

#5 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,523 posts

Posted 30 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#6 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 02 July 2007 - 06:45 PM

Fresh HJT log - after running ADV-Ewido, AD-Aware, and Spybot


Logfile of HijackThis v1.99.1
Scan saved at 6:42:25 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Actiontec 802.11g USB Wireless LAN\PRISMCFG.EXE
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\microgreg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/N.../3560/homepage/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://us.mcafee.com...a...e=true&RW=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Actiontec 802.11g USB Wireless LAN.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: vpssup - {26EE2108-32A1-4861-92EA-A6F2A527A16D} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {092EE26A-44C3-40D7-BF7A-1750ABA53C2F} - C:\WINDOWS\expro.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common

Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe

#7 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 02 July 2007 - 08:41 PM

Updated Kaspersky - <My Comuter


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 02, 2007 8:38:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 3/07/2007
Kaspersky Anti-Virus database records: 357020
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 44865
Number of viruses found: 5
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 00:34:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prism\77cc4a1d Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\History\History.IE5\MSHist012007070220070703\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\ac8zt2.dat/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\ac8zt2.dat ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT152.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT152.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT153.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT153.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT154.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT154.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT155.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT155.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT156.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT156.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT18.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT18.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT2AE.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT2AE.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT62.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT62.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT7.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT7.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT9.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT9.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT96.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BIT96.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BITA6.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\BITA6.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF5373.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF57CF.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DFBE0B.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temporary Internet Files\Content.IE5\CDW9MZ8D\WinAntiVirusPro2007FreeInstall[1].cab/UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\microgreg\Local Settings\Temporary Internet Files\Content.IE5\CDW9MZ8D\WinAntiVirusPro2007FreeInstall[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\microgreg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\microgreg\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP134\A0004637.exe Infected: Trojan-Downloader.Win32.Agent.bjc skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP136\A0004725.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP137\change.log Object is locked skipped
C:\WINDOWS\expro.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_728.dat Object is locked skipped
C:\WINDOWS\vpsnetwork.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped

Scan process completed.

#8 waterfalls

waterfalls

    Malware Exorcist

  • Retired Staff
  • PipPipPipPip
  • 359 posts

Posted 03 July 2007 - 01:48 AM

Hi -

Thank you for your patience. The forum has been very busy.
Please follow these instructions in the order stated - this is important.

You have an outdated version of Java which, because of security reasons, needs to be updated immediately.
To update Java:
- Download the latest version of Java Runtime Environment (JRE) 6u1 from HERE
- Click the "Download" button for the second file listed (Windows (Offline Installation) and save it to your Desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel > Add/Remove Programs and remove all older versions of Java by checking any item, one at a time, with Java Runtime Environment (JRE or J2SE) in the name. It should have this icon Posted Image next to it.
- For each item that you check, click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove ALL of the Java versions.
- REBOOT your computer once ALL Java components are removed.
- Then from your Desktop, double-click on the newly-downloaded Java file to install the newest version.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/N.../3560/homepage/
O2 - BHO: MSVPS System - {A1770FD6-A7CB-44DA-AD2C-692D2A2B521B} - C:\WINDOWS\vpsnetwork.dll
O4 - HKLM\..\Run: [smgr] mgrs.exe
O21 - SSODL: vpssup - {26EE2108-32A1-4861-92EA-A6F2A527A16D} - C:\WINDOWS\vpssup.dll (file missing)
O21 - SSODL: expro - {092EE26A-44C3-40D7-BF7A-1750ABA53C2F} - C:\WINDOWS\expro.dll


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

Reboot your computer.

Download and scan with CCleaner.
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all entries in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
3. Click the "Run Cleaner" button.
4. A pop-up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer and when its finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log in your next reply.
Scan again with Kaspersky Online Scanner.

Post back with the Superantispyware log, the Kaspersky Online Scanner log and a new HijackThis log.
Take only memories, leave nothing but footprints.
 

#9 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 03 July 2007 - 09:39 PM

Thank you Waterfalls for providing assistance. I have followed your instructions with one minor deviation.
- uninstalled old JRE (only one previous) and installed current download ( Env 6 Update 1) Version 1.6.0.10 and rebooted as specified
- ran hijack this, scan only and highlighted specified items for removal, rebooted computer
- ran CCleaner with specified options for Windows TAB and Applications TAB
- ran Superantispyware, with update. here I varied from instructions - which indicated reboot necessary for complete cleaning. Rebooted once and reran Superantispyware both logs are reported below.
- ran kaspersky ( for my comptuer - log below)
- ran HijackThis - log below.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/03/2007 at 08:28 PM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 00:16:23

Memory items scanned : 386
Memory threats detected : 2
Registry items scanned : 5284
Registry threats detected : 5
File items scanned : 20434
File threats detected : 18

Trojan.Downloader-Gen/AVP
C:\WINDOWS\XAR6000V7.EXE
C:\WINDOWS\XAR6000V7.EXE
[avp] C:\WINDOWS\XAR6000V7.EXE
C:\WINDOWS\Prefetch\XAR6000V7.EXE-2687B51C.pf

Trojan.Downloader-MGRS
C:\WINDOWS\MGRS.EXE
C:\WINDOWS\MGRS.EXE
[smgr] C:\WINDOWS\MGRS.EXE

Adware.Tracking Cookie
C:\Documents and Settings\microgreg\Cookies\microgreg@tribalfusion[1].txt

Trojan.Net-MSV/VPS
HKCR\MSVPS.MSVPSApp
HKCR\MSVPS.MSVPSApp\CLSID
HKCR\MSVPS.MSVPSApp\CurVer

Desktop Hijacker.AboutYourPrivacy
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.gif
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\images\Thumbs.db
C:\WINDOWS\privacy_danger\images
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\privacy_danger
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP134\A0004554.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP137\A0004797.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP137\A0004806.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP139\A0004982.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP139\A0005657.LNK

Unclassified.Removed
C:\WINDOWS\SYSTEM32\REMOVED.EXE



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/03/2007 at 08:49 PM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 00:16:01

Memory items scanned : 364
Memory threats detected : 0
Registry items scanned : 5285
Registry threats detected : 0
File items scanned : 20428
File threats detected : 1

Trojan.Downloader-Gen/AVP
C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP140\A0005680.EXE

<><>GEERUB COMMENT - I need to reboot to complete this superspyware cleanup

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 03, 2007 9:35:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 4/07/2007
Kaspersky Anti-Virus database records: 357496
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41399
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:32:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prism\77cc4a1d Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\microgreg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Desktop\backups\backup-20070703-195740-615.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\Documents and Settings\microgreg\Desktop\SpywareInfo Forum FAQ.doc Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\History\History.IE5\MSHist012007070320070704\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF408F.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF40A0.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF56AA.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF73EE.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~WRF0001.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\microgreg\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP134\A0004637.exe Infected: Trojan-Downloader.Win32.Agent.bjc skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP136\A0004725.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP139\A0004965.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP139\A0004978.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP140\A0005681.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP140\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\expro.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{69C8617C-05FD-4421-BA2A-8785477A7365}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 9:36:03 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Actiontec 802.11g USB Wireless LAN\PRISMCFG.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\microgreg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eatyourcad.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...a...e=true&RW=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Actiontec 802.11g USB Wireless LAN.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe

#10 waterfalls

waterfalls

    Malware Exorcist

  • Retired Staff
  • PipPipPipPip
  • 359 posts

Posted 04 July 2007 - 02:58 PM

Hi -

Very good. Looks much better. You will need to print these instructions because you will be working in Safe Mode without an Internet connection.

Please set your system to show all files.
- Go to Start > open My Computer
- Select the Tools menu and click Folder Options.
- Select the View tab and, under Hidden files and folders, select Show hidden files and folders
- Uncheck Hide file extensions for known file types
- Uncheck Hide protected operating system files (Recommended)
- Click Apply, then OK

Reboot into SAFE MODE
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

Start HijackThis, click System Scan Only and place a checkmark next to the following entry:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eatyourcad.com

Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

Navigate to and delete the following file:
C:\WINDOWS\expro.dll

Reboot into NORMAL MODE

Scan one more time with Kaspersky's Online Scanner.

Post back with the Kaspersky's log and a new HijackThis log.
Take only memories, leave nothing but footprints.
 

#11 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 05 July 2007 - 09:10 PM

Apologies for Delay.
Followed steps offline as described in previous e-mail
here are requested logs

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 05, 2007 9:04:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 6/07/2007
Kaspersky Anti-Virus database records: 358785
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 42633
Number of viruses found: 3
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:34:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\OASLogs\OAS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prism\77cc4a1d Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Desktop\backups\backup-20070703-195740-615.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\Documents and Settings\microgreg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF1D2D.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temp\~DF1D3C.tmp Object is locked skipped
C:\Documents and Settings\microgreg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\microgreg\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\microgreg\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-575163818-2251106094-367488958-1005\Dc2.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP134\A0004637.exe Infected: Trojan-Downloader.Win32.Agent.bjc skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP136\A0004725.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP139\A0004965.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP139\A0004978.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP140\A0005681.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 9:04:53 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Actiontec 802.11g USB Wireless LAN\PRISMCFG.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\microgreg\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...a...e=true&RW=1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Actiontec 802.11g USB Wireless LAN.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe

#12 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 05 July 2007 - 09:18 PM

neglected to mention in previous post -
I am re-running AVG and SuperAntiSpyware to clean -

Also - was there concern about www.eatyourcad.com site?? - It's legit - a very good site for MicroStation CAD users.

Geerub

#13 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 05 July 2007 - 09:34 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:30:18 PM 7/5/2007

+ Scan result:



C:\Documents and Settings\microgreg\Desktop\backups\backup-20070703-195740-615.dll -> Adware.Agent : No action taken.
C:\RECYCLER\S-1-5-21-575163818-2251106094-367488958-1005\Dc2.dll -> Adware.Agent : No action taken.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP136\A0004725.dll -> Adware.Agent : No action taken.
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP139\A0004965.dll -> Adware.Agent : No action taken.
C:\Documents and Settings\microgreg\Cookies\microgreg@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\microgreg\Cookies\microgreg@advertising[1].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\microgreg\Cookies\microgreg@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\microgreg\Cookies\microgreg@ehg-kasperskylab.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\microgreg\Cookies\microgreg@hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\microgreg\Cookies\microgreg@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.


::Report end

#14 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 05 July 2007 - 09:50 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2007 at 09:45 PM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 00:13:32

Memory items scanned : 372
Memory threats detected : 0
Registry items scanned : 5285
Registry threats detected : 0
File items scanned : 20890
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\microgreg\Cookies\microgreg@doubleclick[1].txt
C:\Documents and Settings\microgreg\Cookies\microgreg@advertising[1].txt
C:\Documents and Settings\microgreg\Cookies\microgreg@hitbox[1].txt
C:\Documents and Settings\microgreg\Cookies\microgreg@ehg-kasperskylab.hitbox[1].txt
C:\Documents and Settings\microgreg\Cookies\microgreg@tacoda[1].txt
C:\Documents and Settings\microgreg\Cookies\microgreg@2o7[1].txt

#15 waterfalls

waterfalls

    Malware Exorcist

  • Retired Staff
  • PipPipPipPip
  • 359 posts

Posted 06 July 2007 - 05:59 PM

Hi -

You can bookmark the www.eatyourcad.com site.

One thing about AVG Anti-Spyware:
"Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", so be sure you save it only AFTER clicking the "Apply all actions?" button."

Your logs look clean.

It appears that there is no software Firewall program present on your system. This will greatly help in preventing your system from being infected by malware. Please install a Firewall program because you really do need one.
Comodo -or- Jetico are good FREE software Firewall programs.
See, Understanding and Using Firewalls


Please set your system to hide system files.
- Go to Start and open My Computer
- Select the Tools menu and click Folder Options.
- Select the View Tab and, under Hidden files and folders, check Do not show hidden files and folders
- Check Hide file extensions for known file types
- Check Hide protected operating system files (Recommended)
- Click Apply, then OK.

If you have not done so, please empty your Recycle Bin.

Create a new Restore Point:
- Go to Start > All Programs > Accessories > System Tools > System Restore.
- When the utility opens, select "Create a new restore point" and click Next
- Name the restore point - something like "After infection cleaned" or "After cleaning"
- Click Create.

Delete the old Restore Points:
- Go to Start > All Programs > Accessories > System Tools > Disk Cleanup. Click Ok.
- Click the "More Options" tab.
- Where it states "System Restore" - click Clean up.
- All of the old Restore Points will be deleted EXCEPT for the one you just created.

:!: Reboot your computer.

* Avoid illegal sites because that's where most malware is present.
* Don't click on links inside pop-ups. If you should get them, use ALT + F4 to close them.
* Don't click on links in spam messages claiming to offer anti-spyware software because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust because a lot of free software can bundle other software, including spyware.

Let your anti-virus and anti-spyware scanners scan frequently and don't forget to update before scanning.

More information on how to prevent malware can be found at So how did I get infected in the first place? by Tony Klein.

Happy surfing again! :)
Take only memories, leave nothing but footprints.
 

#16 geerub

geerub

    Member

  • Full Member
  • Pip
  • 12 posts

Posted 06 July 2007 - 11:21 PM

I've completed the tasks as indicated
- clear out recycle bin
- create new restore point
- delete prior restore points
- read Firewall info page
- install COmodo Firewall
- reboot

I understand the risk factor of the types of web-pages you mention. It won't be too hard to stay off the "funk-a-docious" sites. Once through the partially self-inflicted pain of malware/spyware is a good enough lesson for me.

I 'll be running all of these scrubbers and cleaners on the other household computer ( much less time on internet - but some) and get a proper firewall onboard.

Your advice and information has been very good. I hope you'll pardon me if I say I hope I never have to call again. :D (at least for this issue)

After reading the other forums, there is a lot of very good information here.
Very much appreciated!

#17 waterfalls

waterfalls

    Malware Exorcist

  • Retired Staff
  • PipPipPipPip
  • 359 posts

Posted 06 July 2007 - 11:36 PM

You're quite welcome - glad I could help. :)
Take only memories, leave nothing but footprints.
 

#18 waterfalls

waterfalls

    Malware Exorcist

  • Retired Staff
  • PipPipPipPip
  • 359 posts

Posted 28 July 2007 - 10:36 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Take only memories, leave nothing but footprints.
 




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button