Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


I keep getting pop ups and I think I am getting re infected

Post by patty s » October 15th, 2007, 11:25 am

Spybot keeps finding and removing stuff, some of which are AdRevolver, Advertising.com, Fast Click, and Tag a Saurus.
I have things coming up in history like b.whataboutadog.com, whataboutrabbit, forgetyourtroubles.com and other yucky weird entries.
The whatabouta... stuff comes up in the log file and I hit fix but it comes back in a little while.
AdAware found Adware and Malware and couldn't remove everything. What's going on???? :(
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:17 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.netzero.net/search?action ... search_dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.netzero.net/search?action ... search_dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\system32\__c0040AE6.dat",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .lnk = C:\WINDOWS\system32\msmapibx32.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O20 - Winlogon Notify: __c00A8CF9 - C:\WINDOWS\System32\__c00A8CF9.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4001 bytes
patty s
Regular Member
Posts: 19
Joined: October 15th, 2007, 8:32 am
Location: pennsylvania, USA

Post by askey127 » October 15th, 2007, 2:57 pm

Hi patty s,
-----------------------------------------------------------
YOU HAVE NO ANTI-VIRUS PROGRAM
Download just one of these free anti-virus programs, update it and run a full scan. Have it fix anything it finds.
*Grisoft AVG from here : http://free.grisoft.com/doc/1
*AntiVir Free from here : http://www.free-av.com/
*Avast Home Edition from here : http://www.avast.com/eng/down_home.html
-----------------------------------------------------------
We need to rename HijackThis.exe to reveal.exe
Use My Computer (Windows Explorer) to go to the HiJackThis folder
In your case, the HiJackThis folder is: C:\Program Files\Trend Micro\HijackThis\
(double click C:, then double click Program Files, double click Trend Micro, then double click the HijackThis folder)
In the top menu, click View, Details
Right button-click on the file named HijackThis.exe and select Rename.
Type in the new filename as reveal.exe
Hit <Enter> and close My Computer
-----------------------------------------------------------
You undoubtedly have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy.
This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder.
Please follow the directions below to run FindAWF so we can identify the files that have been infected along with the backups, and then restore them.
Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to Press any key to continue.
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
  • Copy and paste the contents of the AWF.txt file in your next reply.
-----------------------------------------------------------
Post a New HiJackThis Log

Reboot your computer. Start HijackThis (reveal.exe).

Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the contents of AWF.txt.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
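The entries askey127 singles out in the log above (a Winlogon Notify module that is a .dat rather than a .dll, rundll32 loading a .dat, a nameless Startup shortcut, an autostart path inside a bak folder, and a Trusted Zone domain) are the kind of thing a helper spots by eye. The script below is an added example, not part of the original thread and not a feature of HijackThis or FindAWF: it runs those same checks over lines copied from patty's logs. The heuristics and regular expressions are assumptions drawn from this thread's entries, not rules HijackThis itself applies.

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted above, with a few
# benign entries from the same logs kept in for contrast.
SAMPLE_HJT_LOG = r'''
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\system32\__c0040AE6.dat",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .lnk = C:\WINDOWS\system32\msmapibx32.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O15 - Trusted Zone: *.whataboutadog.com
O20 - Winlogon Notify: __c00A8CF9 - C:\WINDOWS\System32\__c00A8CF9.dat (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
'''

# Assumed patterns, derived from the entries visible in this thread's logs.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.I)   # module rundll32 is told to load
BLANK_LNK_RE = re.compile(r'Startup:\s*\.lnk\s*=')                    # shortcut whose name is empty
BAK_DIR_RE = re.compile(r'\\bak\\', re.I)                             # path goes through a bak folder


def triage(log_text):
    """Return (line, reason) pairs for HJT entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        code = line.split(' - ', 1)[0]
        if code == 'O20' and 'Winlogon Notify' in line:
            # Notification packages are DLLs loaded by winlogon.exe as SYSTEM before
            # anyone logs on; a .dat (or already missing) module there is a persistence spot.
            target = re.sub(r'\s*\(file missing\)$', '', line.rsplit(' - ', 1)[-1])
            if not target.lower().endswith('.dll'):
                findings.append((line, 'Winlogon Notify module is not a .dll'))
        elif code == 'O4':
            m = RUNDLL_RE.search(line)
            if m and not m.group(1).lower().endswith('.dll'):
                # rundll32 is a signed, always-present host for a renamed payload.
                findings.append((line, 'rundll32 loading a non-DLL file'))
            elif BLANK_LNK_RE.search(line):
                # An empty shortcut name is easy to overlook in the Startup folder.
                findings.append((line, 'Startup shortcut with an empty name'))
            elif BAK_DIR_RE.search(line):
                # The Run key now points at the copy the trojan moved, not the live program.
                findings.append((line, 'autostart points into a bak folder'))
        elif code == 'O15':
            # Sites in the Trusted Zone run with relaxed IE security; each one needs a reason.
            findings.append((line, 'Trusted Zone entry; confirm the domain was added on purpose'))
    return findings


if __name__ == '__main__':
    for entry, reason in triage(SAMPLE_HJT_LOG):
        print(f'{reason}:\n    {entry}')
```

Nothing here replaces reading the whole log; the checks only narrow down which lines to ask about first, and a benign entry that trips one of them (a vendor that really does ship a non-DLL Notify module, say) still needs a hash check before it is fixed.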

awf and hjt log

Post by patty s » October 15th, 2007, 4:26 pm

askey127, Thank you for the reply and help, I'm in your hands. I did have Norton before, with a lot of problems. I was told it was not good and to get AdAware.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:56 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\reveal.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.netzero.net/search?action ... search_dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.netzero.net/search?action ... search_dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: .lnk = C:\WINDOWS\system32\msmapibx32.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.whataboutadog.com
O20 - Winlogon Notify: __c00A8CF9 - C:\WINDOWS\System32\__c00A8CF9.dat (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4854 bytes

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 10/15/2007
The current time is: 16:17:44.95


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NETZERO\BAK

03/06/2007 08:00 PM 1,629,184 exec.exe
1 File(s) 1,629,184 bytes

Directory of C:\PROGRA~1\NETZER~1\BAK

05/14/2007 12:18 PM 1,050,360 ConnectionCenter.exe
1 File(s) 1,050,360 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

10/03/2007 07:56 PM 27,664 Smax4.exe
10/14/2004 09:11 AM 1,388,544 SMax4PNP.exe
2 File(s) 1,416,208 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

06/08/2007 10:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK\BAK

09/23/2004 12:41 PM 860,160 Smax4.exe
1 File(s) 860,160 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\BAK

11/02/2004 07:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK

08/23/2001 08:00 AM 145,408 MSConfig.exe
1 File(s) 145,408 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24080 Aug 28 2007 "C:\Program Files\NetZero\exec.exe"
1629184 Mar 6 2007 "C:\Program Files\NetZero\bak\exec.exe"
1095152 Sep 17 2007 "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
1050360 May 14 2007 "C:\Program Files\NetZero DSL\bak\ConnectionCenter.exe"
1126320 Oct 11 2007 "C:\Documents and Settings\All Users\Application Data\NetZero DSL\Downloads\ConnectionCenter_.exe"
24080 Aug 28 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
860160 Sep 23 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
1388544 Oct 14 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
24080 Aug 28 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
860160 Sep 23 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
24080 Aug 28 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
860160 Sep 23 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Documents and Settings\Patty\Local Settings\Temp\SOSNAV 12.0.1\Support\SymSC\SYMWMIAV\SymSC\UsrPrmpt.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe"
145408 Aug 23 2001 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe"


end of report
patty s
Regular Member
Posts: 19
Joined: October 15th, 2007, 8:32 am
Location: pennsylvania, USA

Post by askey127 » October 15th, 2007, 4:41 pm

patty s,
Fix AWF Infection
Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\NetZero\bak\exec.exe
C:\Program Files\NetZero DSL\bak\ConnectionCenter.exe
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
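askey127's earlier post explains the mechanism (the trojan copies its stub over a legitimate program file and moves the real one into a bak folder) and the post above turns the FindAWF report into a list of bak files to put back. The script below is an added example, not FindAWF's own logic and not part of the thread: it parses lines copied from patty's report, groups each live program file with its bak copies, and classifies each one. The tell it uses is visible in the report itself: the stub is one binary, so the same size (24080 and 27664 here) turns up at the live location of unrelated programs. Unlike askey127's list, which restores every bak file found, it names only the deepest bak copy per program, on the assumption that a nested bak\bak holds the file moved first; the column layout of the report and the size-based rule are assumptions, and a hash comparison should confirm anything marked 'review'.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the "Duplicate files of bak directory contents"
# section of the FindAWF report posted above (one repeated triplet left in, as in the report).
SAMPLE_REPORT = r'''
24080 Aug 28 2007 "C:\Program Files\NetZero\exec.exe"
1629184 Mar 6 2007 "C:\Program Files\NetZero\bak\exec.exe"
1095152 Sep 17 2007 "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
1050360 May 14 2007 "C:\Program Files\NetZero DSL\bak\ConnectionCenter.exe"
1126320 Oct 11 2007 "C:\Documents and Settings\All Users\Application Data\NetZero DSL\Downloads\ConnectionCenter_.exe"
24080 Aug 28 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
860160 Sep 23 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
1388544 Oct 14 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
24080 Aug 28 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
860160 Sep 23 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe"
145408 Aug 23 2001 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe"
'''

# Assumed line layout: <size> <Mon D YYYY> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_report(text):
    """Map each quoted path to (size, date); a path listed twice is kept once."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size, date, path = m.groups()
            entries.setdefault(path, (int(size), date))
    return entries


def canonical(path):
    """Drop every 'bak' directory to get the path the program is really started from.

    Returns (lower-cased canonical path, number of bak levels stripped)."""
    parts = path.split('\\')
    kept = [p for p in parts if p.lower() != 'bak']
    return '\\'.join(kept).lower(), len(parts) - len(kept)


def analyse(entries):
    """Classify each live program file that has at least one bak copy."""
    groups = defaultdict(list)
    for path, (size, date) in entries.items():
        canon, depth = canonical(path)
        groups[canon].append((depth, size, date, path))

    # The stub is one binary copied over many programs, so its size recurs at
    # depth 0 in unrelated directories; a size seen at only one live path proves nothing.
    by_size = defaultdict(set)
    for canon, items in groups.items():
        for depth, size, _, _ in items:
            if depth == 0:
                by_size[size].add(canon)
    shared_sizes = {s for s, owners in by_size.items() if len(owners) > 1}

    results = {}
    for canon, items in groups.items():
        items.sort()                      # by depth: live copy first, deepest bak last
        if items[-1][0] == 0:
            continue                      # no bak copy at all: nothing to compare
        original = items[-1]              # assumed: the deepest copy was moved first
        top = items[0] if items[0][0] == 0 else None
        if top is None:
            status = 'top_missing'        # only the bak copy survives
        elif top[1] == original[1]:
            status = 'intact'
        elif top[1] in shared_sizes:
            status = 'replaced'           # stub-sized file sits in the live location
        else:
            status = 'review'             # differs, but no stub signature: compare hashes
        results[canon] = {
            'status': status,
            'top': top[3] if top else None,
            'top_size': top[1] if top else None,
            'original': original[3],
            'original_size': original[1],
        }
    return results


def restore_list(results):
    """Bak copies to put back, one path per line, as the restore step above expects."""
    return sorted(r['original'] for r in results.values() if r['status'] != 'intact')


if __name__ == '__main__':
    res = analyse(parse_report(SAMPLE_REPORT))
    for canon, r in sorted(res.items()):
        print(f"{r['status']:<12} {canon}  (live {r['top_size']}, bak {r['original_size']})")
    print('\nrestore candidates:')
    print('\n'.join(restore_list(res)))
```

On this report the script marks exec.exe, Smax4.exe, SMax4PNP.exe and SearchProtection.exe as replaced, jusched.exe as having no live copy left, and ConnectionCenter.exe and msconfig.exe as 'review': both live copies are larger and newer than their bak twins, which is also what a legitimate update leaves behind, so they need a hash or signature check rather than a blind restore.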

2nd AWF

Post by patty s » October 15th, 2007, 5:29 pm

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 10/15/2007
The current time is: 17:26:51.04


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NETZERO\BAK

03/06/2007 08:00 PM 1,629,184 exec.exe
1 File(s) 1,629,184 bytes

Directory of C:\PROGRA~1\NETZER~1\BAK

05/14/2007 12:18 PM 1,050,360 ConnectionCenter.exe
1 File(s) 1,050,360 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK

10/03/2007 07:56 PM 27,664 Smax4.exe
10/14/2004 09:11 AM 1,388,544 SMax4PNP.exe
2 File(s) 1,416,208 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

06/08/2007 10:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK\BAK

09/23/2004 12:41 PM 860,160 Smax4.exe
1 File(s) 860,160 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~2\BAK

11/02/2004 07:59 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK

08/23/2001 08:00 AM 145,408 MSConfig.exe
1 File(s) 145,408 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24080 Aug 28 2007 "C:\Program Files\NetZero\exec.exe"
1629184 Mar 6 2007 "C:\Program Files\NetZero\bak\exec.exe"
1095152 Sep 17 2007 "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
1050360 May 14 2007 "C:\Program Files\NetZero DSL\bak\ConnectionCenter.exe"
1126320 Oct 11 2007 "C:\Documents and Settings\All Users\Application Data\NetZero DSL\Downloads\ConnectionCenter_.exe"
24080 Aug 28 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
860160 Sep 23 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe"
1388544 Oct 14 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
24080 Aug 28 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
860160 Sep 23 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
24080 Aug 28 2007 "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe"
27664 Oct 3 2007 "C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
860160 Sep 23 2004 "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Documents and Settings\Patty\Local Settings\Temp\SOSNAV 12.0.1\Support\SymSC\SYMWMIAV\SymSC\UsrPrmpt.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe"
145408 Aug 23 2001 "C:\WINDOWS\LastGood\pchealth\helpctr\binaries\msconfig.exe"
145408 Aug 23 2001 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe"


end of report
patty s
Regular Member
Posts: 19
Joined: October 15th, 2007, 8:32 am
Location: pennsylvania, USA

What do I do?

Post by patty s » October 16th, 2007, 9:23 am

:? I don't know if I just wait or will I need to run the programs again since it's been a while, or is that OK? The AVG update has run today.
Thanks for the guidance.
patty s
Regular Member
Posts: 19
Joined: October 15th, 2007, 8:32 am
Location: pennsylvania, USA

Post by askey127 » October 16th, 2007, 4:06 pm

patty s,
You are doing fine.
Hopefully a couple more things and we will be done.
-----------------------------------------------------------
Remove log items with HiJackThis (reveal.exe). Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O4 - Startup: .lnk = C:\WINDOWS\system32\msmapibx32.exe
O15 - Trusted Zone: *.whataboutadog.com
O20 - Winlogon Notify: __c00A8CF9 - C:\WINDOWS\System32\__c00A8CF9.dat (file missing)

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Download and Run ComboFix
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard
    File::
    C:\WINDOWS\system32\msmapibx32.exe
    C:\WINDOWS\System32\__c00A8CF9.dat
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt
  • Now drag and drop the CFScript.txt icon onto combofix.exe as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

-----------------------------------------------------------
Post a New HiJackThis Log

Reboot your computer. Start HijackThis (reveal.exe).

Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.
So we are looking for the contents of C:\Combofix.txt and a new HiJackThis log.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

hjt and combofix logs

Post by patty s » October 16th, 2007, 4:46 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:42, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\reveal.exe.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.netzero.net/search?action ... search_dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.netzero.net/search?action ... search_dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: *.whataboutadog.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4316 bytes
ComboFix 07-10-16.1 - Patty 2007-10-16 16:31:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -4:00]
Running from: C:\Documents and Settings\Patty\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Patty\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\System32\__c00A8CF9.dat
C:\WINDOWS\system32\msmapibx32.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin9.zip
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\pppatc~1
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\Insider
C:\Program Files\ISM2
C:\Program Files\ISM2\dictionary.gz
C:\Program Files\ISM2\ISMPack6.exe
C:\Program Files\ISM2\targets.gz
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191456251.old
C:\Program Files\WinBudget\bin\crap.1192230529.old
C:\Program Files\WinBudget\bin\crap.1192444247.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll.1192230529.old
C:\Program Files\WinBudget\bin\matrix.dll.1192444246.old
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\xOe
C:\Temp\xOe\tOasF.log
C:\WINDOWS\764.exe
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\ie_32.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\abc2\aisven2.exe
C:\WINDOWS\system32\dqsqbhjg.ini
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\gjhbqsqd.dll
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\kjkmp.bak1
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\nssB.dll
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\rrutv.bak1
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\ss9
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ugcrnkjn.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\winlogon.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wnsinticomsv.exe
C:\WINDOWS\system32\z12
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DRIVER
-------\LEGACY_ICF
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-09-16 to 2007-10-16 )))))))))))))))))))))))))))))))
.

2007-10-16 16:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 15:36 <DIR> d-------- C:\Documents and Settings\Patty\Application Data\AVG7
2007-10-15 15:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-15 15:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-15 15:36 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-15 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-15 15:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-15 06:27 <DIR> d-------- C:\WINDOWS\cache
2007-10-14 12:29 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-10-10 01:21 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-06 10:32 <DIR> d-------- C:\Program Files\Full Tilt Poker
2007-10-05 06:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-03 19:00 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-03 19:00 <DIR> d-------- C:\WINDOWS\peernet
2007-10-03 18:58 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-03 18:53 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-03 18:50 <DIR> d-------- C:\WINDOWS\EHome
2007-10-03 09:05 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-10-03 09:04 <DIR> d-------- C:\WINDOWS\system32\vMW27a
2007-09-30 19:22 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-30 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-30 19:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-28 08:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 14:00 <DIR> d-------- C:\Program Files\Viewpoint
2007-09-26 13:59 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-09-26 13:59 <DIR> d-------- C:\Program Files\AIM6
2007-09-24 22:20 27,440 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-23 06:11 <DIR> d-------- C:\Documents and Settings\Patty\Application Data\SpywareRemover
2007-09-23 05:55 30,976 --a------ C:\WINDOWS\system32\ace16win.dll
2007-09-22 22:10 <DIR> d-------- C:\Documents and Settings\Patty\Application Data\AdwareAlert
2007-09-21 20:47 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-09-21 20:39 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-09-17 23:33 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-09-17 23:33 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-09-17 23:33 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-09-17 23:33 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-11 19:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\NetZero DSL
2007-10-11 12:58 --------- d-----w C:\Program Files\NetZero DSL
2007-10-06 14:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-03 23:05 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-03 23:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-03 13:55 --------- d-----w C:\Program Files\Symantec
2007-09-29 19:50 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-27 13:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-26 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-26 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-09-26 17:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-15 01:11 59,392 ----a-w C:\WINDOWS\mscrypt.dll
2007-09-15 01:11 2,146 ----a-w C:\gvhp.exe
2007-09-13 22:53 4,074 ----a-w C:\Program Files\hlpsrv.exe
2007-09-13 22:37 55,560 ----a-w C:\WINDOWS\system32\adssite-remove.exe
2007-09-09 21:36 --------- d-----w C:\Program Files\LimeWire
2007-08-29 01:13 --------- d-----w C:\Program Files\NetZero
2007-08-29 01:00 --------- d-----w C:\Program Files\Enigma Software Group
2007-08-26 04:52 246 ----a-w C:\Program Files\Common Files\bapu345
2007-08-25 16:53 --------- d-----w C:\Program Files\Java
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\fsoxy.html
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 27,664 2007-10-03 23:56:34 C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
----a-w 24,080 2007-08-29 01:10:51 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

----a-w 1,388,544 2004-10-14 13:11:10 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
----a-w 27,664 2007-10-03 23:56:34 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

----a-w 860,160 2004-09-23 16:41:54 C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
----a-w 24,080 2007-08-29 01:10:51 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

----a-w 860,160 2004-09-23 16:41:54 C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
----a-w 27,664 2007-10-03 23:56:34 C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe

----a-w 218,240 2004-11-02 23:59:52 C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 132,496 2007-07-12 08:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe

----a-w 1,629,184 2007-03-07 00:00:40 C:\Program Files\NetZero\bak\exec.exe
----a-w 24,080 2007-08-29 01:10:51 C:\Program Files\NetZero\exec.exe

----a-w 1,050,360 2007-05-14 16:18:39 C:\Program Files\NetZero DSL\bak\ConnectionCenter.exe
----a-w 1,095,152 2007-09-17 23:48:48 C:\Program Files\NetZero DSL\ConnectionCenter.exe

----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
----a-w 27,664 2007-10-03 23:56:34 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

----a-w 145,408 2001-08-23 12:00:00 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe
----a-w 158,208 2004-08-04 07:56:53 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8E613EAF-E16E-415C-BD39-F71D6A3B5518}"= C:\Program Files\NetZero DSL\Toolbar.dll [2007-09-13 17:34 264688]

[HKEY_CLASSES_ROOT\CLSID\{8E613EAF-E16E-415C-BD39-F71D6A3B5518}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL.1]
[HKEY_CLASSES_ROOT\TypeLib\{98C469F7-8C27-489D-B107-44FD6A54C554}]
[HKEY_CLASSES_ROOT\DSLToolbar.NetZero DSL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-08-25 07:05 C:\WINDOWS\system32\SiSPower.dll]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2007-10-03 19:56]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe" [2004-09-23 12:41]
"NetZeroDSL"="C:\Program Files\NetZero DSL\ConnectionCenter.exe" [2007-09-17 19:48]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-10-03 19:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-15 15:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2007-04-02 13:10:02]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

S2 ohbusb;Open Host Controller Miniport USB Driver;\??\C:\WINDOWS\System32\drivers\ohbusb.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 16:35:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-16 16:37:32 - machine was rebooted
.
--- E O F ---
patty s
Regular Member
 
Posts: 19
Joined: October 15th, 2007, 8:32 am
Location: pennsylvania, USA

Unread postby askey127 » October 16th, 2007, 6:52 pm

patty s,
Some more work to do.
-----------------------------------------------------------
Peer to Peer File Sharing
Please note that as long as you're using any form of Peer-to-Peer networking ( Azureus, Morpheus, Limewire, etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

When you use Peer-to-peer (P2P) programs, you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. It's hardly surprising that many of the available downloads are being used by malware purveyors as a delivery method for their infections. Further, if your P2P program is not configured correctly you may be sharing more files than you realize. See here : http://www.infoworld.com/article/07/09/06/Seattle-man-arrested-for-p-to-p-ID-theft_1.html

Even if you have one of the SAFE P2P programs, the practice of file-sharing is very UNSAFE for the health of your PC.
You may decide to continue P2P sharing, but keep in mind that this practice may be the source of major PC infections.
Better ask yourself if you and your system CD are REALLY ready to reformat your Hard Drive and Re-install Windows.

The risks of using P2P programs are described here Sourceforge webpage and in this Information Week article.
Some malware help forums are now refusing to help those who show up with infections from P2P usage.

I think you should stop using and Uninstall Limewire , but it's your decision.
-----------------------------------------------------------
Use Add/Remove Programs In Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Full Tilt Poker
Limewire
Ad-Aware <== we need to remove this for now because it interferes with fixing things

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

O15 - Trusted Zone: *.whataboutadog.com

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HijackThis window to close it.
-----------------------------------------------------------
Download and Run AVG Anti-Spyware: This is NOT the same as your AVG AntiVirus!
Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports. <== This is important
    • Under What to scan? - Select Scan every file.
Close all open windows.
  • Click on Scanner on the program's toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
-----------------------------------------------------------
Post a New HiJackThis Log

Reboot your computer. Start HijackThis (reveal.exe).

Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with the AVG Anti-Spyware report.

askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
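A small triage script for the kinds of HijackThis entries askey127 asks about in the post above: the O15 Trusted Zone addition, autostart entries launched from a bak\ folder (the AWF pattern visible in the ComboFix log), and start/search pages pointing at unexpected hosts. This is an added example, not code from MalwareRemoval.com or from HijackThis; the sample log is constructed from lines quoted in this thread, the "Search Bar" R1 line is made up to show the allowlist check firing, and the allowlist of expected hosts is an assumption.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from MalwareRemoval.com or from HijackThis.
It flags the entry types the helper in this thread acts on:
  * O15   - a site added to the IE Trusted Zone (the log above shows
            *.whataboutadog.com), which lowers browser security for it;
  * O4    - an autostart whose executable lives under a bak\\ directory,
            the AWF pattern seen in the ComboFix log (originals moved
            into bak\\ and replaced);
  * R0/R1 - a start/search page whose host is not on an allowlist.
SAMPLE_LOG is constructed from lines quoted in the thread; the
"Search Bar" R1 line is made up to show the allowlist check firing.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts the user is known to use on purpose (assumption for this example).
ALLOWED_HOSTS = {"www.yahoo.com", "search.netzero.net", "us.rd.yahoo.com"}

HJT_LINE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
# O4 bodies look like:  HKLM\..\Run: [Name] "C:\path\prog.exe" /args
O4_PATH = re.compile(r'\[(?P<name>[^\]]+)\]\s+"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?')
# R0/R1 bodies look like:  HKCU\...\Main,Start Page = http://host/...
RX_URL = re.compile(r"=\s*(?P<url>\S+)")

SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.netzero.net/search?action
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://b.whataboutadog.com/
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O15 - Trusted Zone: *.whataboutadog.com
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    code: str     # HijackThis section code, e.g. "O15"
    reason: str   # why the entry deserves a look
    line: str     # the original log line


def parse_hjt(text):
    """Yield (code, body) for each HijackThis entry line; other lines are skipped."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text, allowed_hosts=ALLOWED_HOSTS):
    """Return the entries a helper would ask the user to review, in log order."""
    findings = []
    for code, body in parse_hjt(text):
        line = f"{code} - {body}"
        if code == "O15":
            # Every Trusted Zone addition is worth a look; malware adds its own domain.
            findings.append(Finding(code, "site added to IE Trusted Zone", line))
        elif code == "O4":
            m = O4_PATH.search(body)
            if m and "\\bak\\" in m.group("path").lower():
                findings.append(Finding(code, "autostart runs from a bak\\ directory (AWF pattern)", line))
        elif code in ("R0", "R1"):
            m = RX_URL.search(body)
            if m:
                host = urlparse(m.group("url")).hostname or ""
                if host and host not in allowed_hosts:
                    findings.append(Finding(code, f"start/search page points at {host}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```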

hjt log and AVG Spyware report

Unread postby patty s » October 16th, 2007, 8:18 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13, on 2007-10-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe
C:\Program Files\NetZero DSL\ConnectionCenter.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Trend Micro\HijackThis\reveal.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.netzero.net/search?action ... search_dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.netzero.net/search?action ... search_dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/ ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: NetZero DSL - {8E613EAF-E16E-415C-BD39-F71D6A3B5518} - C:\Program Files\NetZero DSL\Toolbar.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\bak\bak\Smax4.exe" /tray
O4 - HKLM\..\Run: [NetZeroDSL] "C:\Program Files\NetZero DSL\ConnectionCenter.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4389 bytes
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:04 2007-10-16

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Tools\Restart.exe -> Not-A-Virus.Tool.Win32.RestartCounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Patty\Cookies\patty@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F2.tmp -> TrackingCookie.2o7 : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F5.tmp -> TrackingCookie.Addynamix : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> TrackingCookie.Addynamix : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9.tmp -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@media.adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@media.adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5EF.tmp -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@atdmt[3].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq50.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F4.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq13.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq14.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq18.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq19.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1D.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1E.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq20.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq21.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq22.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq23.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq24.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq25.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq26.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq27.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq28.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq29.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2B.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2D.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2E.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2F.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq30.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq31.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq32.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq33.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq34.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq37.tmp -> TrackingCookie.Clickbank : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA7.tmp -> TrackingCookie.Euroclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F1.tmp -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA8.tmp -> TrackingCookie.Questionmarket : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> TrackingCookie.Realmedia : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F3.tmp -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq40.tmp -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq41.tmp -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq42.tmp -> TrackingCookie.Statcounter : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqA9.tmp -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Patty\Cookies\patty@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5EE.tmp -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4E.tmp -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{C756FE82-EAEB-4640-B0CC-CE6967909040}\RP12\A0001655.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\system32\wnsinticomsv.exe.vir -> Trojan.Small : Cleaned with backup (quarantined).


::Report end
patty s
Regular Member
 
Posts: 19
Joined: October 15th, 2007, 8:32 am
Location: pennsylvania, USA

Unread postby askey127 » October 16th, 2007, 9:34 pm

patty s,
That's a lot better.
If it's running well, we can do a bit of cleanup, and some extra security for the future.

Tell me how it's running.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

computer performance

Unread postby patty s » October 17th, 2007, 6:56 am

Askey127,
Thank you so much! This was not as intimidating as I thought it would be, fascinating process. Your patience and knowledge are greatly appreciated.

Things are much better, I've been avoiding using the Internet since contacting you so as not to mess anything up. I am no longer getting the pop ups, which used to occur every time I clicked anything, such as going to yahoo-p/u, go to mail-p/u, enter ID+password-p/u, etc.

I deleted limewire, and informed teenage son of its evils. I deleted Full Tilt Poker, and advised husband of same.

I will await your instruction re: Ad-Aware,firewall,spyware or whatever you advise.
patty s
Regular Member
 
Posts: 19
Joined: October 15th, 2007, 8:32 am
Location: pennsylvania, USA

Unread postby askey127 » October 17th, 2007, 8:08 am

patty s,
This looks long, but looks worse than it is.
A few general comments.
Most Poker sites provide unwanted side effects, but PokerStars appears to be free of malware.
I would keep AVG Anti-spyware. If you choose to pay for a subscription, good. It's not expensive. If not, it will still run, but after 30 days, you will have to do updates manually (I would say weekly at least).
-----------------------------------------------------------
Disable WinXP System Restore
Disable your System Restore to remove malware files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. The only way to erase these files is to temporarily disable System Restore. You will lose all previous Restore points, including those likely to be infected, and a new Restore Point will be established.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
If you are not prompted to reboot, do it on your own.
-----------------------------------------------------------
After the Reboot,
Enable WinXP System Restore
- Right-click My Computer, and then click Properties.
- On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
The Disable/Re-enable System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
-----------------------------------------------------------
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from inadvertently connecting to malware, spyware and adware sites by redirecting the connection request back to your own machine address (127.0.0.1). It is a very effective defense system. You may see a few more websites that give access errors. It means you probably shouldn't go there!

Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
If this isn't done first, the next reboot may take a VERY LONG TIME.
This is how to do it. First be sure you are signed in as a user with administrative privileges:
Stop and Disable the DNS Client Service
Go to Start, Run and type Services.msc and click OK.
Under the Extended Tab, Scroll down and find this service.
DNS Client
Right-Click on the DNS Client Service. Choose Properties
Select the General tab. Click on the Stop button.
Click the Arrow-down tab on the right-hand side at the Start-up Type box.
From the drop-down menu, click on Manual
Click the Apply tab, then click OK


Download BlueTack's HOSTS Manager here:
http://www.bluetack.co.uk/forums/index.php?act=dscript&CODE=showdetails&f_id=5
Download and install the Hosts Manager first, then run it and click Download.
When it finishes, click Replace, and then Save.
You can use this manager to handle your HOSTS file download, edits, and most any other HOSTS issue.

Read an excellent instruction about HOSTS files (the Bluetack version) here:
http://www.bluetack.co.uk/forums/index.php?showtopic=8406

There is a very detailed resource for those wanting to spend more time reading up, or to have as a reference:
http://www.bluetack.co.uk/forums/index.php?showtopic=8337
-----------------------------------------------------------
You can see another HOSTS file tutorial here : http://www.mvps.org/winhelp2002/hosts.htm
and choose to download the MVPS HOSTS File instead of using the BlueTack HOSTS.
The BlueTack version (80k+ entries) is more aggressive than the mvps (11k + entries), and targets adware sites as well as more dangerous ones.
-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.

Once a month or so, Go To Start, Run and type cleanmgr and let it clean your C:\ drive. You can read about each cleanup item. I wouldn't do any "compress files".
You should be just fine and much better protected. You can also re-install Ad-aware if you wish, but I wouldn't consider it a necessity.

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
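The HOSTS-file blocking described in the post above, as an added example that is not part of the original thread or of any of the tools it links to: a small parser for the Windows HOSTS format, a lookup that mimics hosts-first resolution, and an audit helper. The sample file contents and every hostname in it are constructed for this example. It also shows the caveat that a HOSTS entry matches exact names only, so a subdomain of a listed site is not covered.

```python
import ipaddress

# Constructed sample in the format used by HOSTS files (not a copy of any
# published list). Comments, tabs and several names per line are all valid.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example.net          # constructed ad server entry
127.0.0.1\ttracker.example.org  tracker2.example.org
127.0.0.1 www.badsite.example
this line is malformed and is ignored
"""

# Addresses that "sink" a connection back to the local machine.
SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


def parse_hosts(text):
    """Return {hostname: ip_address} from HOSTS-file text.
    The first entry seen for a name is kept (assumption: first match wins)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line: skip it
        for name in fields[1:]:
            mapping.setdefault(name.lower().rstrip("."), ip)
    return mapping


def lookup(hostname, mapping):
    """Mimic hosts-first resolution: exact, case-insensitive match only.
    Returns the mapped address, or None if the name would go out to DNS."""
    return mapping.get(hostname.lower().rstrip("."))


def is_blocked(hostname, mapping):
    """True if the HOSTS file would redirect this name to the local machine."""
    ip = lookup(hostname, mapping)
    return ip is not None and ip in SINKHOLE


def non_sinkhole_entries(mapping):
    """Names the file sends to a real address instead of a sinkhole; worth a
    look when reviewing a HOSTS file, since a blocklist should have none."""
    return {name: str(ip) for name, ip in mapping.items() if ip not in SINKHOLE}
```

Note that `cdn.ads.example.net` is not blocked even though `ads.example.net` is: there are no wildcards in a HOSTS file, which is why the published lists run to tens of thousands of entries.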

completed all downloads

Unread postby patty s » October 18th, 2007, 8:43 am

Askey127,
OK I did :
the off restore/on restore thing,
downloaded Spyware Blaster
disabled DNS Client
Bluetack host mngr
Win patrol
This was actually the most difficult, the Host mngr download was confusing.
I'm ready for the next round of instructions
patty s
Regular Member
Posts: 19
Joined: October 15th, 2007, 8:32 am
Location: pennsylvania, USA

Unread postby askey127 » October 18th, 2007, 9:22 am

patty s,
You are good to go, and should be quite safe in the Internet world, with reasonable care.

Sorry you had some trouble with the HOSTS manager instructions.
I'll do some work on my instructions there to try and improve the clarity.

Glad we could be of service to you.
askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA