Drive Cleaner Pop-up? Hijack Log Included

[shlbzma]

A good friend told me to post my log here for further help. I have run Symantic live update and full system scan, Adaware, Spybot, Trojan.Vundo repair (which Symantic said it was blocking) and taken care of everything that came up. The Drive Cleaner still comes up and Symantic lists the action as "partial". If there is anything else you need, or a better way to post the log please let me know. Any help would be greatly appreciated as it's making me crazy!!

Tracy W.

Hijack log:

Logfile of HijackThis v1.99.1

Scan saved at 8:23:12 AM, on 1/15/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\SCANJET\PrecisionScanLT\hppwrsav.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jucheck.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe

C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://p104.ezboard.com/bcrossstitchcrazy99277

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINNT\system32\fnglbqwo.dll",setvm

O4 - HKCU\..\Run: [sMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab

O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

[therock247uk]

First download AVG Anti-Spyware from HERE and save that file to your desktop.

This is a 30 day trial of the program

1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
   
2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
   
3. On the main screen select the icon "Update" then select the "Update now" link.
   • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
     

[*]Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

[*]Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

[*]Under "Reports"

• Select "Automatically generate report after every scan"
  
• Un-Select "Only if threats were found"
  

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
   IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
   
2. Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
   
3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
   
4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
   Once the scan is complete do the following:
   
5. If you have any infections you will prompted, then select "Apply all actions"
   
6. Next select the "Reports" icon at the top.
   
7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
   
8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
   

[shlbzma]

First, thank you for replying!

I followed your directions and downloaded and ran the program. However, I have used this before so it said that Resident Shield was inactive. I actually scanned twice because I wasn't sure I ran the updated version the first time. My first log (the second follows it) included about 40 tracking cookies:

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 10:34:16 AM 1/15/2007

+ Scan result:

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.

C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{8FD2FA2B-2516-48C7-84B3-8DB2D50A81D8}\{DCD1203E-51AD-41F8-86A4-0BB9865A2BBF}.tmp/{DCD1203E-51AD-41F8-86A4-0BB9865A2BBF}.tmp -> TrackingCookie.2o7 : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Abcsearch : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : No action taken.

C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{8FD2FA2B-2516-48C7-84B3-8DB2D50A81D8}\{22BB23C1-F23C-4EEF-B5C0-A79047BFFC6F}.tmp/{22BB23C1-F23C-4EEF-B5C0-A79047BFFC6F}.tmp -> TrackingCookie.Adserver : No action taken.

C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{8FD2FA2B-2516-48C7-84B3-8DB2D50A81D8}\{B6AB2F3B-DEFB-4792-86A0-C950EC3EBA92}.tmp/{B6AB2F3B-DEFB-4792-86A0-C950EC3EBA92}.tmp -> TrackingCookie.Atdmt : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Burstnet : No action taken.

C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{8FD2FA2B-2516-48C7-84B3-8DB2D50A81D8}\{4A207EC3-F471-4BB0-92A1-74B5F62823E1}.tmp/{4A207EC3-F471-4BB0-92A1-74B5F62823E1}.tmp -> TrackingCookie.Burstnet : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : No action taken.

C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{8FD2FA2B-2516-48C7-84B3-8DB2D50A81D8}\{F27639A9-C5E7-4F80-A45A-E403CC27D9CC}.tmp/{F27639A9-C5E7-4F80-A45A-E403CC27D9CC}.tmp -> TrackingCookie.Com : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[3].txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[4].txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[5].txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[6].txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@cpvfeed[7].txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : No action taken.

C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{8FD2FA2B-2516-48C7-84B3-8DB2D50A81D8}\{3A5EAA27-979E-4FFB-BF05-0CFC7FC5A6F5}.tmp/{3A5EAA27-979E-4FFB-BF05-0CFC7FC5A6F5}.tmp -> TrackingCookie.Doubleclick : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@enhance[1].txt -> TrackingCookie.Enhance : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@findwhat[1].txt -> TrackingCookie.Findwhat : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Information : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@linkbuddies[1].txt -> TrackingCookie.Linkbuddies : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Overture : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Paypopup : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt -> TrackingCookie.Qksrv : No action taken.

C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{8FD2FA2B-2516-48C7-84B3-8DB2D50A81D8}\{4706E157-694F-45A4-B9C5-0D6BBB50224F}.tmp/{4706E157-694F-45A4-B9C5-0D6BBB50224F}.tmp -> TrackingCookie.Questionmarket : No action taken.

C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{8FD2FA2B-2516-48C7-84B3-8DB2D50A81D8}\{295C1D1E-253B-4AAF-B990-2AC2A27AFBFD}.tmp/{295C1D1E-253B-4AAF-B990-2AC2A27AFBFD}.tmp -> TrackingCookie.Serving-sys : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : No action taken.

C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : No action taken.

C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : No action taken.

C:\Documents and Settings\Owner\Cookies\owner@webstat[2].txt -> TrackingCookie.Web-stat : No action taken.

::Report end

The second run generated this report:

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 11:38:28 AM 1/15/2007

+ Scan result:

C:\Program Files\VSAdd-in\VSAdd-in.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).

::Report end

When I opened IE to post this I had hopes that the pop-up problem was gone, but I did end up with an ad opening a window itself. Any further help would be appreciated!!

Tracy W.

[therock247uk]

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
  
• A new window will open...click the Check Now button
  
• Enter your Country
  
• Enter your State/Province
  
• Enter your e-mail address and click send
  
• Select either Home User or Company
  
• Click the big Scan Now button
  
• If it wants to install an ActiveX component allow it
  
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  
• When download is complete, click on My Computer to start the scan
  
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
  

[shlbzma]

Okay, I'm working with Panda right now. I am having a problem and don't know how to fix it. After I press the Scan Now button a new window opens, but it only opens far enough for me to see half of the contents. It won't maximize, and it won't drag and enlarge with the mouse.

What I see on the right is the scanning process and below it the categories, "Virus, Spyware, Hacking tools and rootkits..." Underneath that is a box that says "Your PC is infected". The Spyware and Hacking tools is orange just like the infected box. There is not a See/Save Report button in the window.

I ran the scan last night and it appeared to go all the way through. I am running it again now and will leave it open in case you have any way for me to fix it. Again, any help is appreciated!

Tracy W.

[therock247uk]

Try this online scan...

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
  
• Once the files have been downloaded click on NEXT
  
  
• Now click on Scan Settings
  
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
    
  • Extended (if available otherwise Standard)
    
  • Scan Options:
    
  • Scan Archives
    Scan Mail Bases
    

  [*]Click OK

  [*]Now under select a target to scan:

  • Select My Computer
    

  [*]This will program will start and scan your system.

  [*]The scan will take a while so be patient and let it run.

  [*]Once the scan is complete it will display if your system has been infected.

  • Now click on the Save as Text button:
    

  [*]Save the file to your desktop.

  [*]Copy and paste that information in your next post.

[shlbzma]

Okay, that worked. Here's what I found out...yikes!

Tracy W.

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Thursday, January 18, 2007 11:35:51 AM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 18/01/2007

Kaspersky Anti-Virus database records: 259522

-------------------------------------------------------------------------------

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

Scan Target - My Computer:

C:\

D:\

Scan Statistics:

Total number of scanned objects: 69513

Number of viruses found: 8

Number of infected objects: 41 / 0

Number of suspicious objects: 0

Duration of the scan process: 01:22:58

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Games\Zone.com Deluxe Games\Hexic Deluxe00.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1A2.tmp Infected: not-a-virus:AdWare.Win32.Agent.at skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine4E00000\45EAC662.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine4E00001\45EAD4AD.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine4E00002\45EB0D4F.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5580000\457C673C.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5580001\457CECAC.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5580002\457CFA62.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5580003\457CFADB.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine56C0000\457D8784.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00000\45F5FA90.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine5E00001\45F60282.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine66C0000\477D0236.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine69C0000\47DE30F5.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine6A40000\47ECA1BA.VBN Infected: Trojan-Spy.Win32.Agent.ps skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine6A40001\47ECC093.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine6B40000\47F5279E.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine6F00000\47F725E4.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7180000\479FD177.VBN Infected: Trojan.Win32.BHO.o skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine7180001\479FD487.VBN Infected: Trojan.Win32.BHO.o skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine8C40000\4DEEDB8C.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine9800000.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineA900000\4FD3AD41.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineAE80000\4FFDC432.VBN Infected: Trojan.Win32.Small.ju skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineAE80001\4FFDF920.VBN Infected: Trojan.Win32.Small.ju skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineBE00000\4FEEF63C.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineBE00001\4FEF121B.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineBE00002\4FEF29AF.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineBE00003\4FF045CE.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC000000\4D367AC5.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC000001\4D37CC35.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC100000\4D33844C.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC100001\4D33C956.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineC200000.VBN Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\QuarantineD340000\4D3D05A2.VBN Infected: Packed.Win32.Klone.k skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\Acr7E5B.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped

C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

C:\Program Files\Symantec AntiVirus\SAVRT21NAV~.TMP Object is locked skipped

C:\Program Files\Symantec AntiVirus\SAVRT681NAV~.TMP Object is locked skipped

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP4\change.log Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\SoftwareDistribution\EventCache\{00AB70D1-A8CD-4188-A047-08AE1EF246F5}.bin Object is locked skipped

C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped

C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\DEFAULT Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\SOFTWARE Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SYSTEM Object is locked skipped

C:\WINNT\system32\config\system.LOG Object is locked skipped

C:\WINNT\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINNT\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINNT\system32\h323log.txt Object is locked skipped

C:\WINNT\system32\hbvknwmj.dll Infected: Trojan-Spy.Win32.VBStat.j skipped

C:\WINNT\system32\lsvaotnn.dll Infected: Trojan-Spy.Win32.VBStat.j skipped

C:\WINNT\system32\olkvnnuv.dll Infected: Trojan-Spy.Win32.VBStat.j skipped

C:\WINNT\system32\qbscdmxo.dll Infected: Trojan.Win32.BHO.g skipped

C:\WINNT\system32\sbyxrgvo.dll Infected: Trojan-Spy.Win32.VBStat.j skipped

C:\WINNT\system32\tkuxpjtl.dll Infected: Trojan-Spy.Win32.VBStat.j skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINNT\wiadebug.log Object is locked skipped

C:\WINNT\wiaservc.log Object is locked skipped

C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

[therock247uk]

Right Click the Desktop and Select New--> Folder--> Name it SysClean

• Download the Sysclean Package to the folder you made.
  
• Next,download the Virus Pattern Files (Official Pattern Release) to your desktop from Here
  
• Right Click and Select Extract All to unzip the folder.
  
• Now,from the unzipped folder,move lpt$vpn.XXX file to the SysClean folder.
  
• Restart in SAFE MODE(Tap F8 when restarting)
  
• Open the SysClean Folder and doubleclick sysclean.com
  
• Be sure Automatically clean or delete detected files is checked.
  
• Click the Scan button to begin,please be patient,it will take a little bit to finish.
  
• Once complete,verify the log from the scan (SYSCLEAN.LOG) is in the SysClean folder and restart back to Normal Mode.
  
• Copy&Paste those results in the next reply.
  

Tutorial from Trend

http://esupport.trendmicro.com/support/vie...entID=en-125991

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  
• Once the short scan has finished, mark the drives that you want to scan.
  
• Select all drives. A red dot shows which drives have been chosen.
  
• Click the green arrow at the right, and the scan will start.
  
• Click 'Yes to all' if it asks if you want to cure/move the file.
  
• When the scan has finished, in the menu, click file and choose save report list
  
• Save the report to your desktop. The report will be called DrWeb.csv
  
• Close Dr.Web Cureit.
  

I need the following logs...

1.SYSCLEAN.LOG

2.DrWeb.csv

[shlbzma]

Okay, that went well. Here are the logs....Sysclean first:

THANKS!!

2007-01-18, 22:12:57, Auto-clean mode specified.

2007-01-18, 22:12:57, Running scanner "C:\Documents and Settings\Owner\Desktop\SysClean\TSC.BIN"...

2007-01-18, 22:13:15, Scanner "C:\Documents and Settings\Owner\Desktop\SysClean\TSC.BIN" has finished running.

2007-01-18, 22:13:15, TSC Log:

2007-01-18, 22:49:47, Files Detected:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 1/18/2007 22:15:48

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 191 (151692 Patterns) (2007/01/18) (419100)

Command Line: C:\Documents and Settings\Owner\Desktop\SysClean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\SysClean

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1A2.tmp [TROJ_AGENT.GZU]

68713 files have been read.

68713 files have been checked.

62717 files have been scanned.

112360 files have been scanned. (including files in archived)

1 files containing viruses.

Found 1 viruses totally.

Maybe 0 viruses totally.

Stop At : 1/18/2007 22:49:47

---------*---------*---------*---------*---------*---------*---------*---------*

2007-01-18, 22:49:47, Files Clean:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 1/18/2007 22:15:48

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 191 (151692 Patterns) (2007/01/18) (419100)

Command Line: C:\Documents and Settings\Owner\Desktop\SysClean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\SysClean

Success Clean [ TROJ_AGENT.GZU]( 1) from C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ1A2.tmp

68713 files have been read.

68713 files have been checked.

62717 files have been scanned.

112360 files have been scanned. (including files in archived)

1 files containing viruses.

Found 1 viruses totally.

Maybe 0 viruses totally.

Stop At : 1/18/2007 22:49:47 33 minutes 57 seconds (2036.66 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*

2007-01-18, 22:49:47, Clean Fail:

Copyright © 1990 - 2004 Trend Micro Inc.

Report Date : 1/18/2007 22:15:48

VSAPI Engine Version : 8.000-1001

VSCANTM Version : 1.1-1001

Virus Pattern Version : 191 (151692 Patterns) (2007/01/18) (419100)

Command Line: C:\Documents and Settings\Owner\Desktop\SysClean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\SysClean

68713 files have been read.

68713 files have been checked.

62717 files have been scanned.

112360 files have been scanned. (including files in archived)

1 files containing viruses.

Found 1 viruses totally.

Maybe 0 viruses totally.

Stop At : 1/18/2007 22:49:47 33 minutes 57 seconds (2036.66 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*

2007-01-18, 22:49:47, Scanner "C:\Documents and Settings\Owner\Desktop\SysClean\VSCANTM.BIN" has finished running.

smdobc.dll;c:\winnt\addins;Trojan.Virtumod;Will be cured after reboot.;

qbscdmxo.dll;c:\winnt\system32;Trojan.Juan;Deleted.;

riched20.dll;C:\Program Files\MSN Messenger;Adware.Msearch;;

A0000219.dll;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP5;Trojan.Juan;Deleted.;

smdobc.dll;C:\WINNT\addins;Trojan.Virtumod;Will be cured after reboot.;

hbvknwmj.dll;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

lsvaotnn.dll;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

olkvnnuv.dll;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

ovluhdmg.dll;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

sbyxrgvo.dll;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

tkuxpjtl.dll;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

ttvthvvl.dll;C:\WINNT\system32;Trojan.Virtumod;Deleted.;

[therock247uk]

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
  
• Click the Scan for Vundo button.
  
• Once it's done scanning, click the Remove Vundo button.
  
• You will receive a prompt asking if you want to remove the files, click YES
  
• Once you click yes, your desktop will go blank as it starts removing Vundo.
  
• When completed, it will prompt that it will reboot your computer, click OK.
  
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.
  

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.