[amm007]

By the way, please tell me what logs to post for computer 1 so i can start posting it...thanks again.

[Advertisements]

The only problem is whatever you had wasn't showing in the logs at all.

SInce you say that after reformatting the redirects were still present then I would have to say that it has to do with some of your backup files.
I would just bite the bullet and format all drives and reformat Computer 1 as well again since it is now reinfected..
Without plugging in your back up drive see if the redirects are still present.

You can let me know hen you are finished with it and I will give you a log to post.

[kahdah]

The only problem is whatever you had wasn't showing in the logs at all.

SInce you say that after reformatting the redirects were still present then I would have to say that it has to do with some of your backup files.
I would just bite the bullet and format all drives and reformat Computer 1 as well again since it is now reinfected..
Without plugging in your back up drive see if the redirects are still present.

You can let me know hen you are finished with it and I will give you a log to post.

[amm007]

Our last action in removing redirection did the trick. I suppose the only thing that made the virus resilient is that i plugged my removable hard disk after. could we give it one last try? my files are extremely important hence, i cannot format it right away.backing it up with cd's is impractical 'coz they are 30 GB in total. thanks!

[kahdah]

Do this first and then tell me if the redirects are still present.

Boot into Safe mode to run this after you download it.

Download the HostsXpert 4.2 - Hosts File Manager.

• Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
• Run HostsXpert 4.2 - Hosts File Manager from its new home
• Click on "File Handling".
• Click on "Restore MS Hosts File".
• Click OK on the Confirmation box.
• Click on "Make Read Only?"
• Click the X to exit the program.
• Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

==================
Then::
Please download Runscanner to your desktop and run it.

• When the first page comes up select Beginner Mode
• On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
• At this time Runscanner.exe may request access to the Internet through your firewall please allow it to do so, it will then run for two or three minutes.
• On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log file
• Call the .run file "Select a name" and save it to your desktop. You will see the .run file on your desktop. Upload that file here.

[amm007]

Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

General info
------------
Computer name : OFFICE
Creation time : 8/24/2008 10:03:26 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 6.0.2900.2180
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.7.0.0
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

Running processes
-----------------
* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)
* C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
* C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
* C:\PROGRA~1\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
C:\Program Files\ChikkaV4\ChikkaLauncher.exe
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
* C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
* C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
C:\Documents and Settings\Adrian\Desktop\HostsXpert.exe (funkytoad.com)
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (Nero AG)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
* C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2005\EDICT.EXE (Microsoft Corporation)
* C:\Documents and Settings\Adrian\Desktop\RunScanner.exe (Runscanner.net)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation)
* C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

Unrated items
-------------
003 * C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
003 * C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
010 C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe LM Service)
010 C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (ASP.NET State Service)
010 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (InCD Helper)
011 C:\WINDOWS\system32\drivers\InCDRm.sys (InCD Reader)
011 C:\WINDOWS\system32\drivers\InCDPass.sys (InCDPass)
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
030 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1E66F26B-79EE-11D2-8710-00C04F79ED0D}
031 C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL (Microsoft Corporation) {B0D92A71-886B-453B-A649-1B91F93801E7}
031 C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation) {0A9007C0-4076-11D3-8789-0000F8105754}
035 C:\WINDOWS\system32\mscories.dll (Microsoft Corporation) {89B4C1CD-B018-4511-B0A1-5476DBF70820}
042 GUID / CLSID not found {B205A35E-1FC4-4CE3-818B-899DBBB3388C}
052 * C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.) {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
061 C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation) {1D2680C9-0E2A-469d-B787-065558BC7D43}
061 C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG) {B327765E-D724-4347-8B16-78AE18552FC3}
061 C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG) {7F1CF152-04F8-453A-B34C-E609530A9DC8}
061 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
061 * C:\Program Files\Yahoo!\Common\YMMAPI.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}
062 C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG) {7D4D6379-F301-4311-BEBA-E26EB0561882}
069 C:\WINDOWS\system32\mdimon.dll (Microsoft Corporation)
100 Default_Search_URL HKLM : http://us.rd.yahoo.c...//www.yahoo.com
100 Search Page HKCU : http://us.rd.yahoo.c...//www.yahoo.com
100 Search Page HKLM : http://us.rd.yahoo.c...//www.yahoo.com
100 SearchUrl HKCU : http://us.rd.yahoo.c...//www.yahoo.com
102 GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}
102 C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL (Microsoft Corporation) {9455301C-CF6B-11D3-A266-00C04F689C50}
104 * C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Yahoo! Inc.) {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
105 E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
173 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
173 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
173 * C:\Program Files\Yahoo!\Common\YMMAPI.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}
221 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
221 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
221 * C:\Program Files\Yahoo!\Common\YMMAPI.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}
225 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
225 C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll (Nero AG)
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
225 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
227 C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA}
231 C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll (Nero AG) NeroDigitalExt.NeroDigitalColumnHandler

Missing files
-------------
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\abp480n5.sys
011 C:\WINDOWS\system32\drivers\adpu160m.sys
011 C:\WINDOWS\system32\drivers\Aha154x.sys
011 C:\WINDOWS\system32\drivers\aic78u2.sys
011 C:\WINDOWS\system32\drivers\aic78xx.sys
011 C:\WINDOWS\system32\drivers\AliIde.sys
011 C:\WINDOWS\system32\drivers\amsint.sys
011 C:\WINDOWS\system32\drivers\asc.sys
011 C:\WINDOWS\system32\drivers\asc3350p.sys
011 C:\WINDOWS\system32\drivers\asc3550.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\CmdIde.sys
011 C:\WINDOWS\system32\drivers\Cpqarray.sys
011 C:\WINDOWS\system32\drivers\dac2w2k.sys
011 C:\WINDOWS\system32\drivers\dac960nt.sys
011 C:\WINDOWS\system32\drivers\dpti2o.sys
011 C:\WINDOWS\system32\drivers\hpn.sys
011 C:\WINDOWS\system32\drivers\hpt3xx.sys
011 C:\WINDOWS\system32\drivers\i2omgmt.sys
011 C:\WINDOWS\system32\drivers\i2omp.sys
011 C:\WINDOWS\system32\drivers\ini910u.sys
011 C:\WINDOWS\system32\drivers\IntelIde.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\mraid35x.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\perc2.sys
011 C:\WINDOWS\system32\drivers\perc2hib.sys
011 C:\WINDOWS\system32\drivers\ql1080.sys
011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
011 C:\WINDOWS\system32\drivers\ql12160.sys
011 C:\WINDOWS\system32\drivers\ql1240.sys
011 C:\WINDOWS\system32\drivers\ql1280.sys
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 C:\WINDOWS\system32\drivers\Sparrow.sys
011 C:\WINDOWS\system32\drivers\sym_hi.sys
011 C:\WINDOWS\system32\drivers\sym_u3.sys
011 C:\WINDOWS\system32\drivers\symc810.sys
011 C:\WINDOWS\system32\drivers\symc8xx.sys
011 C:\WINDOWS\system32\drivers\TosIde.sys
011 C:\WINDOWS\system32\drivers\ultra.sys
011 C:\WINDOWS\system32\drivers\ViaIde.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
061 deskpan.dll

Attached Files

•  select_a_name.run   137.4KB   250 downloads

[kahdah]

Hi please e-mail me this following file and save it as an attachment please in the e-mail.
My e-mail address is kahdah at aol.com replace at with @
====================================================
Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
• Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
• In the Drivers section click on Non-Microsoft.
• Under Additional Scans click the checkboxes in front of the following items to select them:
  • Reg - BotCheck
    File - Additional Folder Scans
    Rootkit Search -Yes
    Drivers -Non Microsoft
    
• Do not change any other settings.
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.

[amm007]

attached

Attached Files

•  OTScanIt.Txt   305.15KB   154 downloads

Edited by amm007, 25 August 2008 - 03:23 AM.

[kahdah]

Can you send it to me in an e-mail as an attachment?
The format is messed up when it is attached here.
My e-mail address is kahdah at aol.com replace at with @

[kahdah]

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< Drives - Autoruns > -> 
NY -> autorun.inf [] -> F:\autorun.inf [ NTFS ]
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
==============
After that Download the HostsXpert 4.2 - Hosts File Manager.

• Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
• Run HostsXpert 4.2 - Hosts File Manager from its new home
• Click on "File Handling".
• Click on "Restore MS Hosts File".
• Click OK on the Confirmation box.
• Click on "Make Read Only?"
• Click the X to exit the program.
• Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

================
Then let me know about any redirects again please.
Also how things are running?

[amm007]

[Registry - Non-Microsoft Only]
Folder move failed. F:\autorun.inf scheduled to be moved on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\bundle1.exe scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\NSISdl.dll scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\nsis_winamp.dll scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\etilqs_o9a0ON974D97dK52eg8t scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\fla20.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\nsa19.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Temp\Perflib_Perfdata_c5c.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
RecycleBin -> emptied.
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 08312008_183038

Files moved on Reboot...
Folder move failed. F:\autorun.inf scheduled to be moved on reboot.
File C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\bundle1.exe not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\NSISdl.dll not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\nsq1A.tmp\nsis_winamp.dll not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\etilqs_o9a0ON974D97dK52eg8t not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\fla20.tmp not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\nsa19.tmp not found!
File C:\Documents and Settings\Adrian\Local Settings\Temp\Perflib_Perfdata_c5c.dat not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Adrian\Local Settings\Application Data\Mozilla\Firefox\Profiles\0c1p9h85.default\XUL.mfl moved successfully.

[amm007]

hi kahdah.unfortunately, redirects are still present.no flash drives are plugged yet except my removable hard disk

[kahdah]

That's ok it is because the offending file was not moved.

1. Please download The Avenger2 by Swandog46 to your Desktop.

• Right click on the Avenger.zip folder and select "Extract All..."
• Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
F:\autorun.inf

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

• Right click on the window under Input script here:, and select Paste.
• You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
• Click on Execute
• Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

• It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
• On reboot, it will briefly open a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

[amm007]

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "F:\autorun.inf"
Deletion of file "F:\autorun.inf" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

btw, can u repost the link to where application for training is? I visited it previously but it is closed until September 1. I'd like to give it a try. Thanks!

[amm007]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:35 PM, on 8/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\Microsoft Encarta\Encarta Premium Suite 2005\EDICT.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe"
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1219513847656
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe

--
End of file - 5934 bytes

[kahdah]

Ok what drive is Drive F:?
http://www.geekstogo...a...&page=GeekU