Clean or not?
MikeBerube
Sep 19 2007, 01:29 PM
Post #1
New Member, Posts: 1, OS: Win2K

Hello everyone,

Glad I found this site. All the info is great.

A client was infested by numerous malware/spyware pests. I followed your tutorials and I think everything is back to normal. I was not able to run the Panda online scan. Here are the logs that I could get my hands on following the countless scans. Can you guys tell me if I’m clean and if not, what else should I do to make it squeaky clean? ;-)

Thanks
Mike

Logfile of HijackThis v1.99.1
Scan saved at 15:07:46, on 2007-09-19
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\Inoculan\InoRpc.exe
C:\Inoculan\InoRT.exe
C:\Inoculan\InoTask.exe
C:\CA_LIC\LogWatNT.exe
C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Inoculan\realmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\WINNT\system32\wfxsnt40.exe
C:\Program Files\Symantec\WinFax\wfxctl32.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINNT\System32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/accueilpage.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Realtime Monitor] C:\Inoculan\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: WinFax Application Port Starter.lnk = C:\WINNT\system32\wfxsnt40.exe
O4 - Startup: WinFax PRO Controller.lnk = C:\Program Files\Symantec\WinFax\wfxctl32.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/accueilpage.html
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
O16 - DPF: {037B3D58-D14A-4C41-BDFD-BD779B0B97BA} (vxiewer control) - http://www.thepaymentcentre.com/build/vxiewer.cab
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyhoroscope.net/mdh/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190228432453
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/AXELPlayerAX_Win32.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://terminotix.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BDA066CF-C782-4FCC-8814-667FEDBEB04A}: NameServer = 206.191.0.210,206.191.0.140
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client de licence CA (CA_LIC_CLNT) - Computer Associates - C:\CA_LIC\lic98rmt.exe
O23 - Service: Serveur de licence CA (CA_LIC_SRVR) - Computer Associates - C:\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Inoculan\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Inoculan\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Inoculan\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\CA_LIC\LogWatNT.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe

********************************************************************************

Adobe Download Manager (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe FrameMaker v5.5
Adobe Reader 6.0.1
Adobe Reader 6.0.1 - Français
Alcatel SpeedTouch USB Software
AnswerWorks Runtime
AOpen FM56-PX Controllerless PCI Modem
AVG Anti-Spyware 7.5
Beyond 2020 Professional Browser 7.0 SP3
Bridge
CA eTrust Antivirus
Citrix ICA Client
Corel Applications
Corel Uninstaller
Désinstalleur HP LaserJet 1200
DSS VPlayer Patch
DVIPS™ VPlayer Plus
Efficient Networks SpeedStream DSL
EPSON Logiciel imprimante
Freedom Security & Privacy
Gestionnaire d'accès
Google Earth
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
IBM TranslationManager
Intel® 845G Chipset Graphics Driver Software
Intel® PRO Ethernet Adapter and Software
Lotus SmartSuite 97
Macromedia Shockwave Player
Microsoft Data Access Components KB870669
Microsoft FrontPage 2000 SR-1
Microsoft Internet Explorer 6 SP1
Microsoft Office 2000 Professional
Microsoft Office 2000 SR-1 Standard
Microsoft VGX Q833989
Mise à jour système du Lecteur Windows Media (Série 9)
MSN
MSN Messenger 7.0
Multidictionnaire
OLYMPUS CAMEDIA Master 4.2
Outlook Express Q823353
QuickTime
Soulseek Client 152
SUPERAntiSpyware Free Edition
Visio Standard
WebEx
WebExpert v3
Win32 BI Application
Windows 2000 Hotfix - KB819696
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB823980
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824141
Windows 2000 Hotfix - KB824146
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828028
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828741
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB835732
Windows 2000 Hotfix - KB837001
Windows 2000 Hotfix - KB839643
Windows 2000 Hotfix - KB839645
Windows 2000 Hotfix - KB840315
Windows 2000 Hotfix - KB840987
Windows 2000 Hotfix - KB841356
Windows 2000 Hotfix - KB841533
Windows 2000 Hotfix - KB841872
Windows 2000 Hotfix - KB841873
Windows 2000 Hotfix - KB842526
Windows 2000 Hotfix - KB873339
Windows 2000 Hotfix - KB885835
Windows 2000 Hotfix - KB885836
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix (Pre-SP4) [See q323172 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q324096 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q324380 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q326830 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q326886 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q329115 for more information]
Windows 2000 Hotfix (Pre-SP4) [See Q329834 for more information]
Windows 2000 Hotfix (Pre-SP4) Q328310
Windows 2000 Hotfix (Pre-SP4) Q329170
Windows 2000 Hotfix (Pre-SP4) Q331953
Windows 2000 Hotfix (Pre-SP4) Q810833
Windows 2000 Hotfix (SP4) KB810217
Windows 2000 Hotfix (SP4) KB817606
Windows 2000 Hotfix (SP4) KB822679
Windows 2000 Hotfix (SP4) Q329553
Windows 2000 Hotfix (SP4) Q811493
Windows 2000 Hotfix (SP4) Q814033
Windows 2000 Hotfix (SP4) Q815021
Windows Media Player Hotfix [See wm828026 for more information]
WinFax PRO
WSEM Update
XoftSpy 3.44

********************************************************************************

Username "ihogue" - 2007-09-17 15:53:24 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"Realtime Monitor"="C:\\Inoculan\\realmon.exe -s"
"axfbed"="C:\\WINNT\\system32\\khtpczcx.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinAVX"="C:\\WINNT\\system32\\WinAvXX.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"WinAVX"="C:\\WINNT\\system32\\WinAvXX.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

********************************************************************************


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/19/2007 at 02:38 PM

Application Version : 3.9.1008

Core Rules Database Version : 3309
Trace Rules Database Version: 1314

Scan type : Complete Scan
Total Scan Time : 00:46:03

Memory items scanned : 325
Memory threats detected : 0
Registry items scanned : 4062
Registry threats detected : 0
File items scanned : 34231
File threats detected : 2

Adware.eXact Advertising
C:\WINNT\SYSTEM32\EXUL.EXE

Trojan.Downloader-Gen/NoMultiTask
C:\WINNT\SYSTEM32\VTR.DLL

