[silencedmessage]

Hey there Mary Ann!

Thanks for the log! A few other things showed their ugly little heads. Now its time to get rid of this junk!

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

We will need to show the hidden and system files for this next step. We will hide them again once you are clean.

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

c:\documents and settings\all users\application data\WinAntiVirus Pro 2006



Killbox:

• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\Documents and Settings\odirish\Local Settings\Temporary Internet Files\Ssk.log
  c:\windows\loadnew.exe
  C:\777.htm
  C:\WINDOWS\xondh5hm.exe
  
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

Please reboot into safemode again:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.


Also, with all of this done, would you please tell me how your computer is running now?

Thanks again for your patience and your cooperation!

-Silenced Messagea

[Advertisements]

I'll try to get done what I can today. I am working a 12 hour shift today and possibly tomorrow.
I downloaded AproposFix to my desktop. When I rebooted to Safe Mode, the icon was not on my desktop.
Only shows up in normal mode. I followed instructions all thr way through the Killbox. Should I proceed with
AproposFix in normal mode?


Mary Ann

Edited by odirish, 18 January 2007 - 07:34 AM.

[odirish]

I'll try to get done what I can today. I am working a 12 hour shift today and possibly tomorrow.
I downloaded AproposFix to my desktop. When I rebooted to Safe Mode, the icon was not on my desktop.
Only shows up in normal mode. I followed instructions all thr way through the Killbox. Should I proceed with
AproposFix in normal mode?


Mary Ann

Edited by odirish, 18 January 2007 - 07:34 AM.

[silencedmessage]

Hi Mary Ann,

Please do not do it from normal mode. Just so you know, I will still be here whenever you get a chance to do this!

When you booted into safemode, did you log into you were on when you downloaded and extracted aproposfix? You will need to log into the same account you used when you downloaded the file because the folder will only show on that desktop.

IF it is still not showing up in safemode in your account, Please right click on the aproposfix folder and select cut. Go to start > my computer > Local disk C and right-click in an empty spot and select paste. Reboot into safemode and run RunThis.bat. which should be in the C:\aproposfix folder.

-Silenced Message

[odirish]

When I downloaded it, I was logged in under normal mode under my log in. When I went to safe mode, I had to log in under administrator (that's me right?) and it wasn't on my desktop. I'll try again when I get home from work.

Mary Ann

[silencedmessage]

Hi Mary Ann,

When in safe mode, you need to log in the same way you would in normal windows. It should be there, it will not be under the Administrator account. It would be safest not to use that account

-Silenced Message

Edited by silencedmessage, 18 January 2007 - 09:28 PM.

[odirish]

The only thing in safe mode is the Administrator login and my sons. Under normal mode, I login as odirish.
Under safe mode it just says administrator.

Mary Ann

Edited by odirish, 19 January 2007 - 09:06 AM.

[odirish]

Are you still here? I am working 3-11 shift this week, but I check in at work and home.
I posted above, you may have missed it.

Mary Ann

[silencedmessage]

Hi again Mary Ann

I am still here . Sorry for the long delay, three people were fired from my work this week... so that means lots of OT for me .

About Safe Mode
If you have a mouse with a scroll wheel, you can use that to scroll down to your profile at the login screen. If you do not have a scroll wheel or if that does not work for you, at the login screen, hit ctrl + alt + del twice. This will bring up the "classic login". Please type your username, odirish and you password (if you have one, if not just leave it blank). That should get you into your account in safemode!

-Silenced Message

[odirish]

Logfile of HijackThis v1.99.1
Scan saved at 10:48:54 AM, on 1/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\hjt.exe\hjt.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\odirish\Desktop\aproposfix

************



Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!

Does that look right to you? My computer has no more popups, but I get a gazillion emails and it runs very slow.

mary Ann

Edited by odirish, 21 January 2007 - 09:57 AM.

[silencedmessage]

Hi there Mary Ann,

Does that look right to you? My computer has no more popups, but I get a gazillion emails and it runs very slow.

Well both the logs came back as clean! The emails are probably just due to you being on different lists. The best way to get around them is to use a good spam filter unfortunately. Also, a slow computer does not always mean that it is still infected; however, in this case, I believe it is worth another check just to be sure!

If this next scan comes back clean, I will let you know which tools you should get rid of, and give my recommendations on which ones may be good to keep. Also, I will give you a few tips to speed up your computer.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

• Click Download Now to download the program.
• Install it. Once the program is installed, it will open.
• It will prompt you to update to the latest definitions, click Yes.
• Once the definitions are installed, click Options on the left side.
• Click the Sweep Options tab.
• Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
• Click Sweep Now on the left side.
• Click the Start button.
• When it's done scanning, click the Next button.
• Make sure everything has a check next to it, then click the Next button.
• It will remove all of the items found.
• Click Session Log in the upper right corner, copy everything in that window.
• Click the Summary tab and click Finish.
• Paste the contents of the session log you copied into your next reply.

-Silenced Message

[odirish]

12:44 AM: Removal process completed. Elapsed time 00:02:01
12:44 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E2.tmp". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E2.tmp". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E3.tmp". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E3.tmp". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E3.tmp". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E4.tmp". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E4.tmp". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2E4.tmp". Reason: The system cannot find the file specified
12:44 AM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
12:44 AM: Quarantining All Traces: zedo cookie
12:44 AM: Quarantining All Traces: realtracker cookie
12:44 AM: Quarantining All Traces: trafficmp cookie
12:44 AM: Quarantining All Traces: webtrendslive cookie
12:44 AM: Quarantining All Traces: server.iad.liveperson cookie
12:44 AM: Quarantining All Traces: ecomplanet cookie
12:44 AM: Quarantining All Traces: overture cookie
12:44 AM: Quarantining All Traces: casalemedia cookie
12:44 AM: Quarantining All Traces: azjmp cookie
12:44 AM: Quarantining All Traces: atlas dmt cookie
12:44 AM: Quarantining All Traces: ask cookie
12:44 AM: Quarantining All Traces: tacoda cookie
12:44 AM: Quarantining All Traces: advertising cookie
12:44 AM: Quarantining All Traces: go.com cookie
12:44 AM: Quarantining All Traces: 2o7.net cookie
12:44 AM: Quarantining All Traces: tribalfusion cookie
12:44 AM: Quarantining All Traces: mediaplex cookie
12:44 AM: Quarantining All Traces: pointroll cookie
12:44 AM: Quarantining All Traces: yieldmanager cookie
12:44 AM: Quarantining All Traces: hi5 toolbar
12:44 AM: Quarantining All Traces: coolsavings
12:43 AM: Quarantining All Traces: linkmaker
12:43 AM: Quarantining All Traces: targetsaver
12:43 AM: Quarantining All Traces: maxifiles
12:43 AM: Quarantining All Traces: purityscan
12:43 AM: Quarantining All Traces: trojan-downloader-nurech
12:43 AM: Quarantining All Traces: trojan-backdoor-progdav
12:43 AM: Quarantining All Traces: virtumonde
12:42 AM: Removal process initiated
12:41 AM: Traces Found: 68
12:41 AM: Full Sweep has completed. Elapsed time 01:18:11
12:41 AM: File Sweep Complete, Elapsed Time: 01:02:47
12:33 AM: Warning: Failed to access drive E:
12:33 AM: Warning: Failed to access drive D:
12:17 AM: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F7.tmp (ID = 193496)
12:17 AM: C:\WINDOWS\system32\yrwmhje.aka (ID = 276229)
12:17 AM: Found Adware: linkmaker
12:16 AM: Access to Hosts file blocked for C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
12:07 AM: C:\RECYCLER\S-1-5-21-1177238915-507921405-1708537768-500\Dc2\iqmwd\class-barrel (ID = 78229)
12:01 AM: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F8.tmp (ID = 193501)
11:56 PM: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq337.tmp\Squiggly.CGD (ID = 53868)
11:51 PM: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq337.tmp\Piggy.CGD (ID = 53867)
11:49 PM: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F1.tmp (ID = 330712)
11:42 PM: C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\chkntfs.exe (ID = 447)
11:42 PM: Found Adware: purityscan
11:39 PM: C:\WINDOWS\system32\wsnpoem (4 subtraces) (ID = 2147533502)
11:38 PM: Starting File Sweep
11:38 PM: Warning: Failed to access drive A:
11:38 PM: Cookie Sweep Complete, Elapsed Time: 00:00:06
11:38 PM: c:\documents and settings\odirish\cookies\odirish@zedo[1].txt (ID = 3762)
11:38 PM: Found Spy Cookie: zedo cookie
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3242)
11:38 PM: Found Spy Cookie: realtracker cookie
11:38 PM: c:\documents and settings\odirish\cookies\odirish@tribalfusion[2].txt (ID = 3589)
11:38 PM: c:\documents and settings\odirish\cookies\odirish@trafficmp[2].txt (ID = 3581)
11:38 PM: Found Spy Cookie: trafficmp cookie
11:38 PM: c:\documents and settings\odirish\cookies\odirish@tacoda[1].txt (ID = 6444)
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3667)
11:38 PM: Found Spy Cookie: webtrendslive cookie
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][2].txt (ID = 3341)
11:38 PM: Found Spy Cookie: server.iad.liveperson cookie
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 2729)
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3106)
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 1958)
11:38 PM: c:\documents and settings\odirish\cookies\odirish@mediaplex[1].txt (ID = 6442)
11:38 PM: c:\documents and settings\odirish\cookies\odirish@go[1].txt (ID = 2728)
11:38 PM: c:\documents and settings\odirish\cookies\odirish@ecomplanet[1].txt (ID = 2577)
11:38 PM: Found Spy Cookie: ecomplanet cookie
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3106)
11:38 PM: Found Spy Cookie: overture cookie
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 1958)
11:38 PM: c:\documents and settings\odirish\cookies\odirish@casalemedia[1].txt (ID = 2354)
11:38 PM: Found Spy Cookie: casalemedia cookie
11:38 PM: c:\documents and settings\odirish\cookies\odirish@azjmp[1].txt (ID = 2270)
11:38 PM: Found Spy Cookie: azjmp cookie
11:38 PM: c:\documents and settings\odirish\cookies\odirish@atdmt[2].txt (ID = 2253)
11:38 PM: Found Spy Cookie: atlas dmt cookie
11:38 PM: c:\documents and settings\odirish\cookies\odirish@ask[1].txt (ID = 2245)
11:38 PM: Found Spy Cookie: ask cookie
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][2].txt (ID = 6445)
11:38 PM: Found Spy Cookie: tacoda cookie
11:38 PM: c:\documents and settings\odirish\cookies\odirish@advertising[1].txt (ID = 2175)
11:38 PM: Found Spy Cookie: advertising cookie
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3148)
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][2].txt (ID = 3751)
11:38 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 2729)
11:38 PM: Found Spy Cookie: go.com cookie
11:38 PM: c:\documents and settings\odirish\cookies\odirish@2o7[2].txt (ID = 1957)
11:38 PM: Found Spy Cookie: 2o7.net cookie
11:38 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@tribalfusion[1].txt (ID = 3589)
11:38 PM: Found Spy Cookie: tribalfusion cookie
11:38 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@mediaplex[1].txt (ID = 6442)
11:38 PM: Found Spy Cookie: mediaplex cookie
11:38 PM: c:\documents and settings\fr1dg3\cookies\[email protected][1].txt (ID = 3148)
11:38 PM: Found Spy Cookie: pointroll cookie
11:38 PM: c:\documents and settings\fr1dg3\cookies\[email protected][2].txt (ID = 3751)
11:38 PM: Found Spy Cookie: yieldmanager cookie
11:38 PM: Starting Cookie Sweep
11:38 PM: Registry Sweep Complete, Elapsed Time:00:01:51
11:38 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
11:38 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
11:38 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
11:38 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
11:38 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\unker\ (ID = 1630527)
11:38 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\ipwins\ (ID = 1516546)
11:38 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\idl\ (ID = 1351285)
11:38 PM: Found Adware: targetsaver
11:37 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1008\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
11:37 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1008\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
11:37 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1008\software\unker\ (ID = 1630527)
11:37 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1010\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
11:37 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1010\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
11:37 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1010\software\unker\ (ID = 1630527)
11:37 PM: Found Trojan Horse: trojan-downloader-nurech
11:37 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-500\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
11:37 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-500\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
11:37 PM: Found Trojan Horse: trojan-backdoor-progdav
11:37 PM: HKLM\system\currentcontrolset\services\com+ messages\ (ID = 1895892)
11:37 PM: HKLM\system\controlset002\services\com+ messages\ (ID = 1895883)
11:37 PM: HKLM\system\controlset002\enum\root\legacy_com+_messages\ (ID = 1895874)
11:37 PM: HKLM\system\controlset001\services\com+ messages\ (ID = 1895861)
11:37 PM: HKLM\system\controlset001\enum\root\legacy_com+_messages\ (ID = 1895850)
11:37 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ipwins\ (ID = 1516581)
11:37 PM: Found Adware: maxifiles
11:36 PM: HKCR\toolbar.toolbarobj.1\ (ID = 127132)
11:36 PM: HKCR\toolbar.toolbarobj\ (ID = 127131)
11:36 PM: Found Adware: hi5 toolbar
11:36 PM: HKLM\software\classes\clsid\{11bdb904-c0bc-41ce-910b-0d12fd619fd0}\ (ID = 107005)
11:36 PM: HKCR\clsid\{11bdb904-c0bc-41ce-910b-0d12fd619fd0}\ (ID = 106999)
11:36 PM: Found Adware: coolsavings
11:36 PM: Starting Registry Sweep
11:36 PM: Memory Sweep Complete, Elapsed Time: 00:12:55
11:23 PM: Starting Memory Sweep
11:23 PM: HKLM\system\currentcontrolset\services\com+ messages\ || imagepath (ID = 1910991)
11:23 PM: Found Adware: virtumonde
11:23 PM: Start Full Sweep
11:23 PM: Sweep initiated using definitions version 842
11:23 PM: Spy Sweeper 5.2.3.2138 started
11:23 PM: | Start of Session, Sunday, January 21, 2007 |
********
11:23 PM: | End of Session, Sunday, January 21, 2007 |
11:16 PM: Access to Hosts file blocked for C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\AVGAS.EXE
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
11:11 PM: Shield States
11:11 PM: Spyware Definitions: 842
11:08 PM: Spy Sweeper 5.2.3.2138 started
1:08 PM: | End of Session, Sunday, January 21, 2007 |
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
1:04 PM: Messenger service has been disabled.
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
1:04 PM: Shield States
1:04 PM: Spyware Definitions: 842
1:04 PM: Warning: Virus definitions files are invalid, please update your virus definitions. 220
1:03 PM: Spy Sweeper 5.2.3.2138 started
1:01 PM: Spy Sweeper 5.2.3.2138 started
1:01 PM: Spy Sweeper 5.2.3.2138 started
1:01 PM: | Start of Session, Sunday, January 21, 2007 |
********
1:31 PM: Sweep Status: 29 Items Found
1:31 PM: Traces Found: 69
1:31 PM: File Sweep Complete, Elapsed Time: 00:11:27
1:31 PM: Sweep Canceled
1:30 PM: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4F1.tmp (ID = 330712)
1:23 PM: C:\QooBox\Purity\Program Files\Common Files\SMANTE~1\chkntfs.exe (ID = 447)
1:23 PM: Found Adware: purityscan
1:20 PM: C:\WINDOWS\system32\wsnpoem (4 subtraces) (ID = 2147533502)
1:19 PM: Starting File Sweep
1:19 PM: Warning: Failed to access drive A:
1:19 PM: Cookie Sweep Complete, Elapsed Time: 00:00:09
1:19 PM: c:\documents and settings\odirish\cookies\odirish@zedo[1].txt (ID = 3762)
1:19 PM: Found Spy Cookie: zedo cookie
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3242)
1:19 PM: Found Spy Cookie: realtracker cookie
1:19 PM: c:\documents and settings\odirish\cookies\odirish@tribalfusion[2].txt (ID = 3589)
1:19 PM: c:\documents and settings\odirish\cookies\odirish@trafficmp[2].txt (ID = 3581)
1:19 PM: c:\documents and settings\odirish\cookies\odirish@tacoda[1].txt (ID = 6444)
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3667)
1:19 PM: Found Spy Cookie: webtrendslive cookie
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][2].txt (ID = 3341)
1:19 PM: Found Spy Cookie: server.iad.liveperson cookie
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 2729)
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3106)
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 1958)
1:19 PM: c:\documents and settings\odirish\cookies\odirish@mediaplex[1].txt (ID = 6442)
1:19 PM: c:\documents and settings\odirish\cookies\odirish@go[1].txt (ID = 2728)
1:19 PM: c:\documents and settings\odirish\cookies\odirish@ecomplanet[1].txt (ID = 2577)
1:19 PM: Found Spy Cookie: ecomplanet cookie
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3106)
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 1958)
1:19 PM: c:\documents and settings\odirish\cookies\odirish@casalemedia[1].txt (ID = 2354)
1:19 PM: c:\documents and settings\odirish\cookies\odirish@azjmp[1].txt (ID = 2270)
1:19 PM: Found Spy Cookie: azjmp cookie
1:19 PM: c:\documents and settings\odirish\cookies\odirish@atdmt[2].txt (ID = 2253)
1:19 PM: c:\documents and settings\odirish\cookies\odirish@ask[1].txt (ID = 2245)
1:19 PM: Found Spy Cookie: ask cookie
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][2].txt (ID = 6445)
1:19 PM: Found Spy Cookie: tacoda cookie
1:19 PM: c:\documents and settings\odirish\cookies\odirish@advertising[1].txt (ID = 2175)
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 3148)
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][2].txt (ID = 3751)
1:19 PM: c:\documents and settings\odirish\cookies\[email protected][1].txt (ID = 2729)
1:19 PM: Found Spy Cookie: go.com cookie
1:19 PM: c:\documents and settings\odirish\cookies\odirish@2o7[2].txt (ID = 1957)
1:19 PM: Found Spy Cookie: 2o7.net cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@tribalfusion[1].txt (ID = 3589)
1:19 PM: Found Spy Cookie: tribalfusion cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@trafficmp[2].txt (ID = 3581)
1:19 PM: Found Spy Cookie: trafficmp cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@realmedia[1].txt (ID = 3235)
1:19 PM: Found Spy Cookie: realmedia cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@overture[1].txt (ID = 3105)
1:19 PM: Found Spy Cookie: overture cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@mediaplex[1].txt (ID = 6442)
1:19 PM: Found Spy Cookie: mediaplex cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@casalemedia[1].txt (ID = 2354)
1:19 PM: Found Spy Cookie: casalemedia cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@atdmt[2].txt (ID = 2253)
1:19 PM: Found Spy Cookie: atlas dmt cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@advertising[2].txt (ID = 2175)
1:19 PM: Found Spy Cookie: advertising cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\fr1dg3@adserver[1].txt (ID = 2141)
1:19 PM: Found Spy Cookie: adserver cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\[email protected][2].txt (ID = 3148)
1:19 PM: Found Spy Cookie: pointroll cookie
1:19 PM: c:\documents and settings\fr1dg3\cookies\[email protected][2].txt (ID = 3751)
1:19 PM: Found Spy Cookie: yieldmanager cookie
1:19 PM: Starting Cookie Sweep
1:19 PM: Registry Sweep Complete, Elapsed Time:00:01:31
1:19 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
1:19 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
1:19 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
1:19 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
1:19 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\unker\ (ID = 1630527)
1:19 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\ipwins\ (ID = 1516546)
1:19 PM: HKU\S-1-5-21-1177238915-507921405-1708537768-1003\software\idl\ (ID = 1351285)
1:19 PM: Found Adware: targetsaver
1:19 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1008\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
1:19 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1008\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
1:19 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1008\software\unker\ (ID = 1630527)
1:19 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1010\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
1:19 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1010\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
1:19 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-1010\software\unker\ (ID = 1630527)
1:19 PM: Found Trojan Horse: trojan-downloader-nurech
1:19 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-500\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
1:19 PM: HKU\WRSS_Profile_S-1-5-21-1177238915-507921405-1708537768-500\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
1:19 PM: Found Trojan Horse: trojan-backdoor-progdav
1:18 PM: HKLM\system\currentcontrolset\services\com+ messages\ (ID = 1895892)
1:18 PM: HKLM\system\controlset002\services\com+ messages\ (ID = 1895883)
1:18 PM: HKLM\system\controlset002\enum\root\legacy_com+_messages\ (ID = 1895874)
1:18 PM: HKLM\system\controlset001\services\com+ messages\ (ID = 1895861)
1:18 PM: HKLM\system\controlset001\enum\root\legacy_com+_messages\ (ID = 1895850)
1:18 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ipwins\ (ID = 1516581)
1:18 PM: Found Adware: maxifiles
1:18 PM: HKCR\toolbar.toolbarobj.1\ (ID = 127132)
1:18 PM: HKCR\toolbar.toolbarobj\ (ID = 127131)
1:18 PM: Found Adware: hi5 toolbar
1:18 PM: HKLM\software\classes\clsid\{11bdb904-c0bc-41ce-910b-0d12fd619fd0}\ (ID = 107005)
1:18 PM: HKCR\clsid\{11bdb904-c0bc-41ce-910b-0d12fd619fd0}\ (ID = 106999)
1:18 PM: Found Adware: coolsavings
1:18 PM: Starting Registry Sweep
1:18 PM: Memory Sweep Complete, Elapsed Time: 00:09:16
1:18 PM: Warning: Out of memory
1:08 PM: Starting Memory Sweep
1:08 PM: HKLM\system\currentcontrolset\services\com+ messages\ || imagepath (ID = 1910991)
1:08 PM: Found Adware: virtumonde
1:08 PM: Start Full Sweep
1:08 PM: Sweep initiated using definitions version 842
1:08 PM: Spy Sweeper 5.2.3.2138 started
1:08 PM: | Start of Session, Sunday, January 21, 2007 |
********

Mary Ann

[silencedmessage]

Hi Mary Ann!

I have great news! Your computer is now clean!!!!

Here are a list of things that you have downloaded during the fix that I recomend you remove:
Webroot Spysweeper (this is only a two week trial, feel free to keep it until the trial period is up)

Approposfix (just delete the folder and the .zip folder)

Killbox (you can just delete it and also delete the folder found at C:\!KillBox )

StartUpList (same procedure as appropsfix)

GMER ( start > control panel > add/remove programs )

Combofix (just delete the file combofix.exe)

The Avenger


The following tools I recommend that you hang on to, as they may be useful to keep your PC clean from infection:

ATF Cleaner Running this regularly can help speed up your computer and save space as well

HijackThis Although you should never fix anything yourself until you consult with an expert, it is not a large file, and if anything goes wrong in the future, at least you have it

AVG Anti-Spyware This is a trial program, but you can still use it after the trial period is over. Just make sure you update it regularly and do scans (once a week is recommended). This will also keep your PC clean.

The following tools/resources will be very helpful to you in the future to help prevent anymore malware. It is not required that you download these, but feel free to look at them and their descriptions and determine which ones (if any) that you like!

Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


It has been a pleasure working with you Mary Ann, and let me know how things are running now!

-Silenced Message

[odirish]

Thanks so much for your help. Can you give me a few ideas on how to speed up my computer? I normally delete Temp. Int. files, and do a defrag. it still is slow. Thanks again.

Mary Ann

[odirish]

I really appreciate the help, I have no more popups, but this computer is so slow, I could just smash it.

Mary Ann

[silencedmessage]

Hi again Mary Ann,

Sorry again for the delay,

I really appreciate the help, I have no more popups, but this computer is so slow, I could just smash it.

You are very welcome! Smashing the computer is always very tempting, but I can assure you that it will not help out too much.

As you said, regular defragments and cleaning temp files is always a great way to keep the computer running fast. There are a few other things I can suggest as well.

You have a few un-necessary programs running on startup, which can use up valuable system resources! The following will list the items that are safe to disable from startup, and you can choose which ones to remove. I will tell you how to remove the items from startup after the list:

qttask - This item is a part of quicktime, and will be started whenever you use something that requires it to start.

Corel Photo - This program can be started whenever you wish to use it, and it can also be taking up a lot of your system resources. I would recommend disabling this from startup.

AVG Anti-Spyware - Although this is a great program, it is not needed to run on startup for two reasons: 1. It is only a trial and the active guard will not be available after the trial period is over. 2. You already have Yahoo! Anti-Vrius, so your computer should be protected.

jushed - This is a part of the newest version of java that you have downloaded. It is not required to run at startup because any time it is needed, it will start automatically.

msmsgs - Windows Messenger. Not needed if you do not use windows messenger. If you do, you can always start the program manually.

Adobe Reader Speed Launch - This program just makes Adobe Reader launch quicker. It is not needed for the program to function properly.


Please sort through the list and decide which programs you do and do not want running on startup. To disable them, go to start > run > type msconfig and click OK. In the window that pops up, please select the "Selective Startup" option. Now click on the Startup tab. Go through and un-check the items you do NOT wish to have running when you start your computer. Reboot when it asks you to.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. If that is the case, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.


Another thing you can do is to run chkdsk to check your hard drive for errors.

To use Chkdsk, click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take awhile, so run it when you don't need to use the computer for something else.


Finally, another problem would be the amount of memory you have on your computer. There are a couple ways of increasing the performance of your memory without having to buy more. One way would be to use a memory optimizer. The following product is a free one that you can use and it may help out a little.
FreeRamXP

Another great tool is TuneUp Utilities They only offer free 30 day trials, but feel free to check it out and see if you like it. A couple of the better things about it is that is also includes a registry defragmenter, and a lot of other tools. One of those tools gives you suggestions on what you can do to speed up your computer. Once again though, this is only a 30 day trial.


After following these steps, your computer should be running faster!

-Silenced Message