Infected Laptop[RESOLVED]

[TheTerrorist_75]

As soon as I can get this stable I will load SP2. XP Home OEM is a legit install from Toshiba. They never had the brains to click on the flashing icon to let the updates install. I have had Outerinfo and RegCleaner popups plus the browser keeps closing. Right now I am using Portable Opera. I see PurityScan and need to look over the rest on my computer. There is a bunch of junk loaded on this from the kids.

There are two other accounts. I will follow up with those HJT logs shortly.

Known and suspected malware

Optional removal

Logfile of HijackThis v1.99.1

Scan saved at 12:23:00 PM, on 3/10/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\CePMTray.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\System32\kernels8.exe

C:\WINDOWS\smss.exe

C:\WINDOWS\dsrss.exe

C:\Program Files\Common Files\{941AF0A4-0427-1033-1204-011031200001}\Update.exe

C:\DOCUME~1\Liz\MYDOCU~1\APPATC~1\rundll.exe

C:\Documents and Settings\Liz\My Documents\S?mantec\?ttrib.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\wuauclt.exe

C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: ib15_27.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib15.dll

O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware358\bin\Starware358.dll

O2 - BHO: (no name) - {478E4951-D696-FD17-C52F-89CD5C6A8494} - C:\WINDOWS\System32\lfwoli.dll (file missing)

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O2 - BHO: (no name) - {973F7E31-BFAF-E555-F1AD-BFDEC8C10AC7} - C:\WINDOWS\System32\ndbyrel.dll

O2 - BHO: (no name) - {A74CCB17-06D7-7000-8A4E-5F9099D06F9C} - C:\WINDOWS\System32\bybqj.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Starware Entertainment Toolbar - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware358\bin\Starware358.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels8.exe

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe

O4 - HKLM\..\Run: [WinSysModule] dsrss.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Osus] "C:\DOCUME~1\Liz\MYDOCU~1\APPATC~1\rundll.exe" -vt yazr

O4 - HKCU\..\Run: [sjfqyaj] C:\Documents and Settings\Liz\My Documents\S?mantec\?ttrib.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Startup: PowerReg Scheduler V3.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v45/bejeweled/bejeweled.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Edited March 11, 2007 by TheTerrorist_75

[TheTerrorist_75]

Justin's account.

Logfile of HijackThis v1.99.1

Scan saved at 2:05:21 PM, on 3/10/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\CePMTray.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\System32\kernels8.exe

C:\WINDOWS\smss.exe

C:\WINDOWS\dsrss.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Justin Schultz\My Documents\HJT Justin\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: ib15_27.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib15.dll

O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware358\bin\Starware358.dll

O2 - BHO: (no name) - {478E4951-D696-FD17-C52F-89CD5C6A8494} - C:\WINDOWS\System32\lfwoli.dll (file missing)

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O2 - BHO: (no name) - {973F7E31-BFAF-E555-F1AD-BFDEC8C10AC7} - C:\WINDOWS\System32\ndbyrel.dll

O2 - BHO: (no name) - {A74CCB17-06D7-7000-8A4E-5F9099D06F9C} - C:\WINDOWS\System32\bybqj.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Starware Entertainment Toolbar - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware358\bin\Starware358.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels8.exe

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe

O4 - HKLM\..\Run: [WinSysModule] dsrss.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v45/bejeweled/bejeweled.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Edited March 11, 2007 by TheTerrorist_75

[TheTerrorist_75]

Buck's account.

Logfile of HijackThis v1.99.1

Scan saved at 2:18:07 PM, on 3/10/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\CePMTray.exe

C:\toshiba\ivp\ism\pinger.exe

C:\WINDOWS\System32\kernels8.exe

C:\WINDOWS\smss.exe

C:\WINDOWS\dsrss.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Buc\My Documents\HJT Buck\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: ib15_27.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib15.dll

O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware358\bin\Starware358.dll

O2 - BHO: (no name) - {478E4951-D696-FD17-C52F-89CD5C6A8494} - C:\WINDOWS\System32\lfwoli.dll (file missing)

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O2 - BHO: (no name) - {973F7E31-BFAF-E555-F1AD-BFDEC8C10AC7} - C:\WINDOWS\System32\ndbyrel.dll

O2 - BHO: (no name) - {A74CCB17-06D7-7000-8A4E-5F9099D06F9C} - C:\WINDOWS\System32\bybqj.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Starware Entertainment Toolbar - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware358\bin\Starware358.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [system] C:\WINDOWS\System32\kernels8.exe

O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe

O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe

O4 - HKLM\..\Run: [WinSysModule] dsrss.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\Regclean.exe" -startminimize

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v45/bejeweled/bejeweled.cab

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Edited March 11, 2007 by TheTerrorist_75

[sari]

TheTerrorist_75,

I'm currently reviewing all your logs, and will be posting something soon. For the most part, the infections are PC-wide, so we can run the fixes on user only, which will help with the process. There is purityscan on one user only, which will have to be addressed separately. Keep your eyes open for my next reply.

sari

[TheTerrorist_75]

I have already downloaded and ran AVG Anti-Spyware, AdAware SE, GMer. Scanned with Housecall. I will be providing the logs soon. I have also installed AVG 7.5 AV and scanned. I went to Add or Remove and removed any of the questionable programs from the list and have booted into Safe mode and removed any of the infected files plus folders still left behind plus some I discovered while searching such as BVER.BAT, ToshDefs.reg, TSession.reg and a couple of others all associated with trojans.

I have also used ATF to clean files on all accounts, Used ProcessExplorer to turn off one trojan to regain the use of Task Manager and AutoRuns and Startup Control Panel to stop some annoying programs. I also have disabled any of the backdoor Services that are unnecessary and insecure.

I have installed the MVPs Host file, Spyware Blaster and will follow up with IESpyad once IE is updated.

I also created a new restore point after the scans and cleaning up bad files/folders then deleted the rest with Disk Cleanup. I reran the scans then when notified that all was clean I install SP1a. I am now in the process of removing all restore points by turning off System Restore, reboot a couple of times, create a new RP then start installing critical updates and make sure none affect this laptop. Once that is done and all tests well I will attempt SP2.

I have updated many program such as Adobe, Java, DirectX and Flash. Many more to follow.

I haven't yet decided yet if I will use the XP firewall or another. It needs to be simple for Liz.

If you can think of anything additional it would be appreciated. I am locking this PC down so the kids can't mess up as easily.

BTW. I am Whiskeyman at GTG/GeekU and followed the canned speeches. This was good practice for me.

Edited March 12, 2007 by TheTerrorist_75

[TheTerrorist_75]

Here's where I am so far. Nothing shows on any scans now.

Initial scan with AVG AS

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 12:39:08 PM 3/11/2007

+ Scan result:

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019307.exe/nickarcade.dll -> Adware.BHO : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019536.dll -> Adware.BHO : Cleaned with backup (quarantined).

C:\Program Files\Cowabanga\uninstaller.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP134\A0023878.dll -> Adware.Comet : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019310.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0012760.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0013815.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0013850.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0013906.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0014071.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP122\A0019154.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP122\A0019155.exe -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019190.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019197.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019198.exe -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019251.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019252.exe -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP128\A0020030.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP128\A0020031.exe -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP129\A0020039.exe -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP129\A0020103.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP129\A0023249.exe -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP129\A0023254.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP130\A0023455.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP134\A0023863.dll -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP134\A0023957.exe -> Adware.PurityScan : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).

C:\Program Files\Common Files\{941AF0A4-0427-1033-1204-011031200001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).

C:\Program Files\Common Files\{941AF0A4-0427-1033-1204-011031200001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).

C:\RECYCLER\S-1-5-21-793999233-2163411867-2876842818-1005\Dc85.exe -> Adware.Softomate : Cleaned with backup (quarantined).

C:\command.exe -> Downloader.Agent.axh : Cleaned with backup (quarantined).

C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\W5QVST2F\ie_vb1[1].htm -> Downloader.Psyme.di : Cleaned with backup (quarantined).

C:\Documents and Settings\Liz\Local Settings\Temp\!update.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).

C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\W9UB89AZ\!update-4295[1].0000 -> Downloader.PurityScan.co : Cleaned with backup (quarantined).

C:\Documents and Settings\Liz\Desktop\1.exe -> Dropper.VB.nn : Cleaned with backup (quarantined).

C:\WINDOWS\dsrss.exe -> Logger.KeyLogger.lp : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Classes\CLSID\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69} -> Logger.Sters : Cleaned with backup (quarantined).

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E6CE4CD-161B-4847-B8BF-E2EF72299D69} -> Logger.Sters : Cleaned with backup (quarantined).

C:\WINDOWS\smss.exe -> Logger.Sters.an : Cleaned with backup (quarantined).

C:\Documents and Settings\Liz\Local Settings\Temporary Internet Files\Content.IE5\W5QVST2F\ib15[1].dll -> Logger.Sters.ao : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP134\A0023955.dll -> Logger.Sters.ao : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup (quarantined).

C:\Documents and Settings\Justin Schultz\Cookies\justin schultz@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Information : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.

C:\Documents and Settings\Liz\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned.

C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.

C:\RECYCLER\S-1-5-21-793999233-2163411867-2876842818-1005\Dc163 -> Trojan.Qhost.hl : Cleaned with backup (quarantined).

C:\RECYCLER\S-1-5-21-793999233-2163411867-2876842818-1005\Dc165 -> Trojan.Qhost.hl : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0012761.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0012822.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0013845.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0013905.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP113\A0014076.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP122\A0019159.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP123\A0019177.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP124\A0019186.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019202.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019256.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP125\A0019537.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP128\A0020034.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP129\A0020101.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP129\A0023253.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP130\A0023454.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP134\A0023864.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\WINDOWS\system32\wnsintcc.exe -> Trojan.Small : Cleaned with backup (quarantined).

C:\WINDOWS\Downloaded Program Files\win32.exe -> Worm.Banwarum.f : Cleaned with backup (quarantined).

C:\WINDOWS\system32\kernels8.exe -> Worm.Banwarum.f : Cleaned with backup (quarantined).

::Report end

Initial AdAware SE scan

ArchiveData(auto-quarantine- 2007-03-11 14-55-38.bckp)

Referencefile : SE1R157 05.03.2007

======================================================

MRU LIST

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[0]=MRU FileReference : C:\Documents and Settings\Liz\recent\4073_TopRightPicture[1].jpg (2).lnk

obj[1]=MRU FileReference : C:\Documents and Settings\Liz\recent\4073_TopRightPicture[1].jpg.lnk

obj[2]=MRU FileReference : C:\Documents and Settings\Liz\recent\ATOMINST.lnk

obj[3]=MRU FileReference : C:\Documents and Settings\Liz\recent\Autorun.lnk

obj[4]=MRU FileReference : C:\Documents and Settings\Liz\recent\Autoruns.zip.lnk

obj[5]=MRU FileReference : C:\Documents and Settings\Liz\recent\autumn dashnau.lnk

obj[6]=MRU FileReference : C:\Documents and Settings\Liz\recent\autumns folder (2).lnk

obj[7]=MRU FileReference : C:\Documents and Settings\Liz\recent\autumns folder.lnk

obj[8]=MRU FileReference : C:\Documents and Settings\Liz\recent\Beethoven's Symphony No. 9 (Scherzo).lnk

obj[9]=MRU FileReference : C:\Documents and Settings\Liz\recent\CD Drive (2).lnk

obj[10]=MRU FileReference : C:\Documents and Settings\Liz\recent\CD Drive.lnk

obj[11]=MRU FileReference : C:\Documents and Settings\Liz\recent\CDROM.lnk

obj[12]=MRU FileReference : C:\Documents and Settings\Liz\recent\Click to Find and Fix Errors.url

obj[13]=MRU FileReference : C:\Documents and Settings\Liz\recent\Desktop.ini

obj[14]=MRU FileReference : C:\Documents and Settings\Liz\recent\docs.lnk

obj[15]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\search assistant\acmru\5001

obj[16]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\search assistant\acmru\5603

obj[17]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\search assistant\acmru\5604

obj[18]=MRU FileReference : C:\Documents and Settings\Liz\recent\DUKE3D.lnk

obj[19]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\applets\paint\recent file list

obj[20]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*

obj[21]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.bmp

obj[22]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.DOC

obj[23]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.GRP

obj[24]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.htm

obj[25]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.inf

obj[26]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.INI

obj[27]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.jpg

obj[28]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.log

obj[29]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.pdf

obj[30]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.rar

obj[31]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.rtf

obj[32]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.sam

obj[33]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.TXT

obj[34]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.url

obj[35]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.wma

obj[36]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\.zip

obj[37]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\recentdocs\Folder

obj[38]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\url

obj[39]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\nico mak computing\winzip\filemenu

obj[40]=MRU RegReference : .DEFAULT\software\microsoft\windows media\wmsdk\general computername

obj[41]=MRU RegReference : S-1-5-18\software\microsoft\windows media\wmsdk\general computername

obj[42]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\windows media\wmsdk\general computername

obj[43]=MRU FileReference : C:\Documents and Settings\Liz\recent\TENGAME.lnk

obj[44]=MRU FileReference : C:\Documents and Settings\Liz\recent\Tibia.lnk

obj[45]=MRU FileReference : C:\Documents and Settings\Liz\recent\Tibia_MULTI-ip_changer.lnk

obj[46]=MRU FileReference : C:\Documents and Settings\Liz\recent\TOSHOFER.lnk

obj[47]=MRU FileReference : C:\Documents and Settings\Liz\recent\ULTRAMID.lnk

obj[48]=MRU FileReference : C:\Documents and Settings\Liz\recent\untitled.lnk

obj[49]=MRU FileReference : C:\Documents and Settings\Liz\recent\userguide.lnk

obj[51]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\direct3d\mostrecentapplication name

obj[52]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name

obj[53]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\direct3d\mostrecentapplication name

obj[54]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name

obj[55]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name

obj[56]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\directinput\mostrecentapplication name

obj[57]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\directinput\mostrecentapplication id

obj[58]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\internet explorer download directory

obj[59]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\internet explorer\main save directory

obj[60]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\mediaplayer\player\recentfilelist

obj[61]=MRU RegReference : .DEFAULT\software\microsoft\mediaplayer\preferences lastplaylist

obj[62]=MRU RegReference : S-1-5-18\software\microsoft\mediaplayer\preferences lastplaylist

obj[63]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\mediaplayer\preferences lastplaylist

obj[64]=MRU RegReference : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\microsoft management console\recent file list

ADWARE.MYTOOLBAR

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[26]=Regkey : typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}

obj[27]=Regkey : interface\{c6f2214e-0b54-45a9-b90d-7dd4ba45ed0b}

obj[29]=RegValue : S-1-5-21-793999233-2163411867-2876842818-1005\software\microsoft\internet explorer\toolbar\Webbrowser "{c004dec2-2623-438e-9ca2-c9043ab28508}"

obj[31]=Regkey : luckytoolbar.luckytoolbarobj

obj[32]=Regkey : luckytoolbar.luckytoolbarobj.1

WIN32.TROJANSPY.BANKER

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[28]=Regkey : typelib\{14a5f3e7-b235-4d98-9264-5c67d2657bc4}

TRACKING COOKIE

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[30]=IECache Entry : C:\Documents and Settings\Liz\Local Settings\Temp\Cookies\liz@unicast[1].txt

PURITYSCAN

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

obj[33]=File : C:\System Volume Information\_restore{E126D0E1-B902-48D5-B5DE-630CE9695C8A}\RP134\A0023962.exe

Housecall and AVG AV foundnothing after these scans.

[sari]

I know you're whiskeyman at Geeks to Go, and you have access to everything there. I don't know if you recognized that you had an sdbot infection and should have run sdfix. Did you not really want help with the logs? I'm a little confused, and don't really know what's left on there since I don't really know everything that you did.

[TheTerrorist_75]

Yes I needed some guidance to clean this laptop. Thanks for the SDFix reminder.

Sorry if I sounded a bit condescending or terse but the laptop owner was driving me nuts because her kids couldn't live without MySpace or AIM. I have had three phone calls since I picked this up Saturday afternoon. On top of that I quit smoking four days ago and I needed a cigarette more than those brats needed MySpace. Besides that, this is for a friend and therefore a freebie.

SDFix: Version 1.71

Run by Liz - Mon 03/12/2007 / 18:23:28.08

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\Liz\Desktop\SDFix

Safe Mode:

Checking Services:

Restoring Windows Registry Entries

Restoring Default Hosts File

Rebooting...

Normal Mode:

Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Liz\LOCALS~1\Temp\temp.exe - Deleted

C:\WINDOWS\system32\dlh9jkdq8.exe - Deleted

ADS Check:

C:\WINDOWS\system32

No streams found.

Final Check:

Remaining Services:

------------------

Remaining Files:

---------------

Backups Folder: - C:\DOCUME~1\Liz\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

Finished

Logfile of HijackThis v1.99.1

Scan saved at 6:35:35 PM, on 3/12/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\CePMTray.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0\bin\jusched.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: Virtual NIC Service (PackethSvc) - Unknown owner - C:\WINDOWS\System32\PackethSvc.exe (file missing)

The other accounts are the same as the above log.

Edited March 12, 2007 by TheTerrorist_75

[sari]

Whiskeyman,

That looks a lot better, but your Java version is very out of date, which still leaves this laptop vulnerable. You need to update (you can do that via the Java control panel), as well as uninstall any older versions. You should be able to update XP SP2 now as well. Finally, did you change security settings in IE? I ask because of this line:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This often present with a protection program such as Spybot Search and Destroy's Teatimer, which I don't see, but I figured you may have restricted the security settings in order to provide more protection.

sari

[TheTerrorist_75]

Java is updated to JRE 6.0 (1.6.0). I set the security setting for IE in SpywareBlaster. I definitely am locking this laptop down. The kids may get mad, but oh well. The main games that matter are Pogo. Liz plays them to reduce her stress. With those kids she needs it.

I did download and install SP1a and am now watching as the next 61 critical updates install. I will see how the laptop reacts then try SP2.

Thanks.

Mark as resolved. All updates (108 + SP2) are installed and it still comes up clean on all scans.

Edited March 14, 2007 by TheTerrorist_75

[Matt]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.