Free Malware Removal Forum

[kdirks]

I have been asked to help remove DrSmarload292a.exe from an infected computer at work. I'm sure there are other malware issues on this machine also. Where should I begin. I am new applications developer, but a novice at malware removal. Spybot and Norton has been run on the machine, but they do not seem to help. Prevx is blocking it, but not removing it.

Thanks,

['KotaGuy]

Hi Kelly!

Download HijackThis to a folder either on your Desktop or somewhere else on your Hard Drive. Run the program and click the Do a System Scan and save a Logfile button.

Post the log in your next reply to this topic. Don't start a new one.

Thanks!

[Navigator]

Hello kdirks...welcome to Malware Removal! I will try and assist you with cleaning this machine...

Please do this:

Click here to download HJTsetup.exe.

• Save HJTsetup.exe to your desktop.
• Doubleclick on the HJTsetup.exe icon on your desktop
• By default it will install to C:\Program Files\Hijack This
• Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
• Put a check by Create a desktop icon then click Next again. Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on Edit>Select All; then click on Edit>Copy to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

['KotaGuy]

The Preview button is your friend, Nav

You can take this one

Kelly... please follow the directions Navigator will run you through. You're in good hands with him.

[Navigator]

Man, you gotta be quick around here! Thanks for the vote of confidence 'Kota! I swore I checked before hitting reply...

kdirks...post the HJT log when you can and we'll get started...

[Navigator]

HJT logfile posted here from a PM for convenience of all:

Logfile of HijackThis v1.99.1
Scan saved at 1:51:36 PM, on 8/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mgabg.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\rundll.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ADskMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Symantec\pcAnywhere\slaunch.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AppianDesktopManager] ADskMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [newname] C:\\nwnmff_7.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_7.exe
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Shortcut to NETWORK, CABLE, DSL.lnk = C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\NETWORK, CABLE, DSL.bhf
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted Zone: http://remc.iam.mcgware.com
O15 - Trusted Zone: ameritrade.streamer.com
O15 - Trusted Zone: ameritrade01.streamer.com
O15 - Trusted IP range: 198.200.173.74
O15 - Trusted IP range: 198.200.173.139
O15 - Trusted IP range: 204.58.27.33
O15 - Trusted IP range: 204.58.27.41
O15 - Trusted IP range: 204.58.27.49
O15 - Trusted IP range: 204.58.27.57
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5059868695
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: rundll.exe - Unknown owner - C:\WINNT\rundll.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

[Navigator]

Hello kdirks....

1. First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

• Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
• Once the setup is complete you will need run ewido and update the definition files.
• On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly

2. Please download Brute Force Uninstaller to your desktop.

• Right click the BFU folder on your desktop, and choose Extract All
• Click "Next"
• In the box to choose where to extract the files to,
• Click "Browse"
• Click on the + sign next to "My Computer"
• Click on "Local Disk (C: ) or whatever your primary drive is
• Click "Make New Folder"
• Type in BFU
• Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:

• Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close ewido.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
• Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
• Wait for the complete script execution box to pop up and press OK.
• Press exit to terminate the BFU program.

Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

[kdirks]

Here is the ewido anti-spyware log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:54:08 AM 8/2/2006

+ Scan result:



C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\INWRUROT\dist13[1].exe -> Downloader.Agent.aaf : Cleaned with backup (quarantined).
C:\dist13.exe -> Downloader.Agent.aaf : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4TIPKRST\drsmartload292a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\INWRUROT\drsmartload45a[2].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\INWRUROT\drsmartload849a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\INWRUROT\drsmartload849a[2].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\W9AZIDK9\drsmartload46a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\W9AZIDK9\drsmartload46a[2].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\W9AZIDK9\drsmartload849a[1].exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\drsmartload292a.exe -> Downloader.VB.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4TIPKRST\dfndrff_7[1].exe -> Hijacker.VB.ly : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@dowjones.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@nasdaq.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@northwestairlines.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@snapfish.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@stubhub.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@usatoday1.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wfkikpazwaq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wfkygiazgfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wflowlajmhp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wgkosgcjilo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wgl4und5sko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wjk4uoc5ofo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wjk4wkcpgbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wjkoohcpkfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wjmiwldzedp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wjmyukcjoao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@e-2dj6wjny-1iczol.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@ehg-foxsports.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@blp.valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Scotth\Cookies\scotth@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@c1.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\mikep\Cookies\mikep@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).


::Report end





Here is the HiJackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 8:02:43 AM, on 8/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINNT\rundll.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ADskMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AppianDesktopManager] ADskMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Shortcut to NETWORK, CABLE, DSL.lnk = C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\NETWORK, CABLE, DSL.bhf
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted Zone: http://remc.iam.mcgware.com
O15 - Trusted Zone: ameritrade.streamer.com
O15 - Trusted Zone: ameritrade01.streamer.com
O15 - Trusted IP range: 198.200.173.74
O15 - Trusted IP range: 198.200.173.139
O15 - Trusted IP range: 204.58.27.33
O15 - Trusted IP range: 204.58.27.41
O15 - Trusted IP range: 204.58.27.49
O15 - Trusted IP range: 204.58.27.57
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5059868695
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: rundll.exe - Unknown owner - C:\WINNT\rundll.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

[Navigator]

Hello kdirks...good job. Looking much better already!

A few things:

1. Is Rainbowenergy.com your employer or do you know what this is? It will determine whether we need to fix these O17 entries or not...I'm betting it's OK, but I want to check.

2. Two of the O9 entries in your HJT log are placed there by Alexa. There is debate as to whether Alexa is spyware or not, but this is from CastleCops, a reputable malware reference regarding Alexa::

Related to Alexa Note: COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW, THE DATA YOU ENTER IN ONLINE FORMS AND SEARCH FIELDS, AND, WITH VERSIONS 5.0 AND HIGHER, THE PRODUCTS YOU PURCHASE ONLINE WHILE USING THE TOOLBAR SERVICE. Although Alexa state's they do not attempt to analyze the data it may collect about you to determine who you are, some of your information collected by the software is personally identifiable. Please read the Privacy_Policy

Alexa is recognized by various malware scanners as spyware, but the issue is subject to debate. Most security experts IMO, recommend removal. For some more reading on the subject, please see:

http://www.imilly.com/alexa.htm and http://www.felgall.com/brsie9.htm

If this is something YOU knowingly installed, find useful and understand Alexa's user's agreement regarding their data collection and do not find it bothersome, then omit the O9's in the HJT part of the fix below.

3. You have a number of entries in your Trusted Zone and Trusted IP ranges. While these entries all appear legitimate, it is usually unnecessary to have things in the trusted zones and in essence gives unfettered access to your machine in terms of downloads and such from the trusted sites.

I would recommend that you check if these entries actually require that they be in the Trusted Zone, and consider removing them from there if not necessary....but I'll leave that up to you.

On to the 'Fix':

1. Go to Start | Run and type this in the box: services.msc

• Locate this service, 'rundll.exe' then right click and select properties.
• Under Service Status: select Stop
• In the drop down box labeled, Startup Type: select Disabled

2. Please download the Killbox by Option^Explicit.

Unzip the folder to your desktop.

3. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Place it on your desktop - we will use it later.


3. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: rundll.exe - Unknown owner - C:\WINNT\rundll.exe


Now close all windows other than HiJackThis, then click Fix Checked.

4. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

5. Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

6. Please double-click Killbox.exe to run it.

• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINNT\rundll.exe
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

7. Let your computer reboot into Windows normally

8. Go here and download and install JRE 5.0 Update 7. Click the link that says Download JRE 5.0 Update 7. You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-1_5_0_07-windows-i586-p.exe to start the install.

Once you have it installed, click Start>>Run, type in appwiz.cpl and hit Enter. From the list, uninstall Java - jre1.5.0_02.

9. Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

10. Post the contents of the ActiveScan report, and a new HJT log...also let me know how your system is running.

[kdirks]

Hello,

The computer seems to be running somewhat better. Should I leave the Prevxl running that is on the machine?
I finished the instructions you gave me. Here are the reports:

From the Active scan--


Incident Status Location

Adware:adware/dollarrevenue Not disinfected c:\drsmartload.exe
Adware:adware/commad Not disinfected c:\MTE3NDI6ODoxNg.exe
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\mikep\Application Data\tvmcwrd.dll
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4TIPKRST\drsmartload292a[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\INWRUROT\loader[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\O781SHEB\kybrdff_7[1].exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\O781SHEB\nwnmff_7[1].exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\mikep\Cookies\mikep@2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Scotth\Cookies\scotth@atwola[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Scotth\Cookies\scotth@go[1].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Scotth\Cookies\scotth@tickle[2].txt
Adware:Adware/DollarRevenue Not disinfected C:\drsmartload292a.exe
Adware:Adware/DollarRevenue Not disinfected C:\kybrdff_7.exe
Adware:Adware/DollarRevenue Not disinfected C:\nwnmff_7.exe



From HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 9:44:46 AM, on 8/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ADskMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AppianDesktopManager] ADskMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Global Startup: Shortcut to NETWORK, CABLE, DSL.lnk = C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\NETWORK, CABLE, DSL.bhf
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Client to Monitor &1 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to Monitor &2 - C:\WINNT\web\AOpenClient.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O15 - Trusted Zone: http://remc.iam.mcgware.com
O15 - Trusted Zone: ameritrade.streamer.com
O15 - Trusted Zone: ameritrade01.streamer.com
O15 - Trusted IP range: 198.200.173.74
O15 - Trusted IP range: 198.200.173.139
O15 - Trusted IP range: 204.58.27.33
O15 - Trusted IP range: 204.58.27.41
O15 - Trusted IP range: 204.58.27.49
O15 - Trusted IP range: 204.58.27.57
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5059868695
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Rainbowenergy.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\COMPAQ\ACLIENT\ACLIENT.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


Let me know what to do next. Thanks again for your help.

[Navigator]

Hello kdirks....

With regard to the Prevx1 on your system....I really do not know. It is a relatively new program that I do not know much about in terms of what people think about it. There is a Prevx1 forum over at CastleCops...may be they can answer?

Your HJT log appears 'clean'...Hopefully just some leftovers to clean up:

1. Clear IE's Cookies and Cache

• Close all instances of Outlook Express and Internet Explorer.
  
• Go to Control Panel » Internet Options » General tab.
  
• Click Delete Cookies.
  
• Next to it, Click the Delete Files button.
  
• When prompted, place a check in: Delete all offline content, click OK.

Clear Firefox' Cookies

• Open Firefox.
  
• Click Tools » Options.
  
• Click the Privacy tab, then the Cookies tab.
  
• Click the Clear Cookies Now button.
  
• Then click OK to exit.

Clean Temporary Files

• Go to Start » Run » type: cleanmgr » OK.
  
• Choose (C: ) and then click OK.
  
• Make sure these are the only ones that are checked :
  
  
  • Temporary Internet Files
    
  • Temporary Files
    
  • Recycle Bin
• Click OK to remove them.
  
• Click Yes to confirm the deletion.

2. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  c:\drsmartload.exe
  c:\MTE3NDI6ODoxNg.exe
  C:\Documents and Settings\mikep\Application Data\tvmcwrd.dll
  C:\drsmartload292a.exe
  C:\kybrdff_7.exe
  C:\nwnmff_7.exe
  
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

3. Let me know how your system is running and if you are having any problems...

[kdirks]

The computer seems to be running much better. Thank you for all your help.

I have another computer with most of the same issues. I ran the same steps and it helped. Can I send you a HiJackThis log for evaluation to determine if there is more that should be done with the 2nd computer? I can start a new forum thread if that is preferred.

Thanks,

[Navigator]

You are welcome!

To avoid confusion, it would probably be better if you started a new thread for the second computer...

I'm actually leaving for work as we speak and will be unavailable until tomorrow anyway....if no one has picked up your new thread by tomorrow, I'll be glad to help!

Your HJT appears clean and I'm glad your system is running well with out problems!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

• THIS IS IMPORTANT! - If you are using Windows XP then you should reset system restore to make sure there are no infected files found in a restore point and that you have a clean restore point should you need one!
  
  Now let's reset your restore points.
  
  Click Start Menu >> All Programs >> Accessories >> System Tools >> SystemRestore
  
  Press OK. Choose 'Create a Restore Point' then Next. Name it and press 'Create' then when the confirmation screen shows the restore point has been created click 'Close'.
  
  Next go to Start Menu >> Run, then type:
  
  cleanmgr
  
  click OK, when Disk Cleanup opens go to the 'More Options' tab and press 'Cleanup' on the system restore area which will remove all the restore points except the one we just created. To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.
  
• Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
    
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    
  • Next press the Apply button and then the OK to exit the Internet Properties page.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Spybot Search & Destroy- Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  
• AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  
• SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  
• SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  
• IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  
• ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. ATF is a new, freeware, temporary file cleaner for Windows, IE, Firefox and Opera with a simple, easy-to-use interface. The main screen allows the user to either clean all temporary files, or select files for cleaning. The program also knows if Firefox and or Opera is being used, and gives the option of cleaning the temporary files associated with those applications.
  

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein. These are excellent reads too: I'm not pulling your leg and Malware: Preventing the Infection



Remember...be careful out there!

['KotaGuy]

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.