ad.yieldmanager [RESOLVED]


  • This topic is locked

#16
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Looking good so far.

In this post we will do 3 scans to see what else is lurking on your machine.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.

====STEP 1====
Yes, you certainly should have an antivirus on your machine. This program is basic for the security of your computer, and in today's age not having one will probably lead to disaster for your computer. We will only be chasing our tails as you get re-infected.

Please go to http://www.avast.com.../down_home.html and download avast! 4 Home Edition to your desktop. Locate the file that you just downloaded and double-click on it to launch the installation of avast!

Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.

You will be prompted with the Configuration window; make sure that you choose Typical configuration and then click Next. Click Next on the windows that follow. When the installation finishes, you will be given an option to schedule a boot time scan; select No.

Now you have to restart your machine, select Restart and then click Finish.

After you restart you will get a message from avast! with the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.

VERY IMPORTANT - after restarting, right click on the a in the taskbar and select Updating, then highlight and click Program.

You will get a popup after it's done updating. If avast! had to download anything for your computer you may get a message asking you to restart.

After you have updated avast!, right click the small "a" icon in the task bar and click Start Avast! AntiVirus.

Click Program Registration and you will be taken to their website. Fill out the form and then check your e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form) copy and paste the serial they provided into the highlighted box. Then click OK.

After this, you will need to Schedule a Boot-Time Scan with avast! Click on the little button placed up in the left corner, and select Schedule Boot-Time Scan. Also read this tutorial http://www.schmahl.n...astbootscan.htm; it may make it easier for you to follow the steps.

Next, choose
Scan all local disks
scan archive files
click on Schedule
On the next dialog Operating system restart needed select Yes
Now avast! will restart your computer and start to scan before Windows fully loads.

IMPORTANT NOTE: since your system has infections on it, avast! will give you a dialog box with recommended actions and options. If this happens, please make sure to click the Move to Chest button, and not to delete any reported files.

On completion of the boot scan there will be a report at this location C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt Please post that in your next reply.



====STEP 2====
I see you already have SUPERantispyware, so we will update it and do a scan with it.

  • Double-click the SUPERantispyware icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


====STEP 3====
Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next reply could I see:
1. the AswBoot.txt log
2. the SUPERantispyware log
3. the Kaspersky scan log

andrewuk
  • 0



#17
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
Thanks for all your help. I will start on this and post you the results tomorrow.
  • 0

#18
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
I will be here :)
  • 0

#19
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
Ok, back again.
Here is the ASWBOOT.txt:
03/15/2008 23:04
Scan of all local drives
File C:\Documents and Settings\Dad\My Documents\Dad's\RuthRobert.zip\VegasVacation014.jpg Error 42125 {ZIP archive is corrupted.}
File C:\WINDOWS\system32\ActiveScan\pskavs.dll is infected by Win32:CTX, Repair: Error 42060 {The file was not repaired.}, Moved to chest

Number of searched folders: 12118
Number of tested files: 439541
Number of infected files: 1

And the superantispyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/16/2008 at 06:55 PM

Application Version : 4.0.1154

Core Rules Database Version : 3420
Trace Rules Database Version: 1412

Scan type : Complete Scan
Total Scan Time : 09:54:37

Memory items scanned : 633
Memory threats detected : 0
Registry items scanned : 6422
Registry threats detected : 0
File items scanned : 108981
File threats detected : 108

Adware.Tracking Cookie
C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][3].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][1].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Adam\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][3].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][1].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Jeremy\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][1].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][1].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][1].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][1].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][2].txt
C:\Documents and Settings\Kristen\Cookies\[email protected][1].txt
C:\Documents and Settings\Logan\Cookies\[email protected][1].txt
C:\Documents and Settings\Logan\Cookies\[email protected][1].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][1].txt
C:\Documents and Settings\Logan\Cookies\[email protected][1].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][3].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][1].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Logan\Cookies\[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][1].txt
C:\Documents and Settings\Mom & Dad\Cookies\mom_&[email protected][2].txt

Malware.Installer-Pkg/Gen
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
C:\PROGRAM FILES\WILDTANGENT\APPS\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

Running Kaspersky now.
  • 0

#20
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
Here is Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 16, 2008 9:24:27 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/03/2008
Kaspersky Anti-Virus database records: 634534
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 114046
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:16:47

Infected Object Name / Virus Name / Last Action
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_1773.JPG Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_1774.JPG Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_1775.JPG Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_1776.JPG Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_2635[1].jpg Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_2638[1].jpg Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_2651[1].jpg Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_2673[1].jpg Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_2679[1].jpg Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_2690.JPG Object is locked skipped
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_5047.JPG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\BFTS\BFTSDatabase.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\64f7b03389560c56dc7339caab0edbe6_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Dad\.housecall6.6\Quarantine\FishTycoon-dm[1].exe.bac_a03728 Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-3-16-2008( 18-58-30 ).LOG Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Musicmatch\Jukebox\Portables.log Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\MSHist012008031620080317\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\JETE3F7.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF1733.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF173F.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\agreement.hta Infected: Trojan-Clicker.VBS.Qhost.c skipped
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\bill_of_sale.hta Infected: Trojan-Clicker.VBS.Qhost.c skipped
C:\Documents and Settings\Dad\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hpcmerr.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP664\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2217E4B7-B31B-4958-BAC7-C4F6849F6A40}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_5b0.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
  • 0
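The Kaspersky report posted above is mostly "Object is locked skipped" lines (registry hives, event logs, index.dat files the scanner could not open), with only three "Infected:" lines among them, and the online scanner only reports, it does not clean ("skipped" on every line). The following is an added example, not code from this thread, from Geeks to Go or from Kaspersky: a small Python parser for that report layout that separates real detections from the locked-object noise, cross-checks them against the "Scan Statistics" block, and flags hits that sit inside another tool's quarantine folder (already contained, so not the ones to act on). `SAMPLE_REPORT` is a constructed excerpt of the posted report; the section markers and regexes are assumptions based on that one report, not a documented format.

```python
"""Triage a Kaspersky Online Scanner 5 text report: separate real detections
from "Object is locked" noise and cross-check them against the summary block.

Added example; not code from the thread, from Geeks to Go or from Kaspersky.
The layout parsed here (a "Scan Statistics:" block, then an
"Infected Object Name / Virus Name / Last Action" table with one object per
line, then "Scan process completed.") is assumed from the report posted in
the thread; SAMPLE_REPORT is a constructed excerpt of that report.
"""
import re
from collections import Counter

# Constructed excerpt of the posted report: the summary block plus a few of
# the object lines, so the example runs offline.
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER REPORT
Sunday, March 16, 2008 9:24:27 PM
Kaspersky Online Scanner version: 5.0.98.0

Scan Statistics:
Total number of scanned objects: 114046
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:16:47

Infected Object Name / Virus Name / Last Action
C:\1ef9c1fc747cc3bc35ada9d9813d74\DSC_1773.JPG Object is locked skipped
C:\Documents and Settings\Dad\.housecall6.6\Quarantine\FishTycoon-dm[1].exe.bac_a03728 Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\agreement.hta Infected: Trojan-Clicker.VBS.Qhost.c skipped
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\bill_of_sale.hta Infected: Trojan-Clicker.VBS.Qhost.c skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

STAT_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<value>\S+)$")
# Object lines: "<path> Infected: <verdict> <action>" or "<path> Object is locked <action>".
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<kind>Infected|Suspicious): (?P<verdict>\S+) (?P<action>\w+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")


def parse_report(text):
    """Return {'stats', 'detections', 'locked', 'unparsed'} for one report."""
    stats, detections, locked, unparsed = {}, [], [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Scan Statistics:":
            section = "stats"
            continue
        if line.startswith("Infected Object Name"):
            section = "objects"
            continue
        if line == "Scan process completed.":
            section = None
            continue
        if section == "stats":
            m = STAT_RE.match(line)
            if m:
                stats[m["name"]] = m["value"]
        elif section == "objects":
            m = DETECTION_RE.match(line)
            if m:
                detections.append(m.groupdict())
                continue
            m = LOCKED_RE.match(line)
            if m:
                locked.append(m["path"])
            else:
                unparsed.append(line)  # keep anything unexpected visible
    return {"stats": stats, "detections": detections,
            "locked": locked, "unparsed": unparsed}


def triage(report):
    """Cross-check the summary against the object lines and split detections
    into those that still need action and those another tool already holds."""
    stats = report["stats"]
    detections = report["detections"]
    by_verdict = Counter(d["verdict"] for d in detections)
    # A hit inside a quarantine folder is already isolated by whichever tool
    # put it there; the live files are the ones that still need handling.
    contained = [d for d in detections if "\\quarantine\\" in d["path"].lower()]
    live = [d for d in detections if d not in contained]
    return {
        "infected_consistent": int(stats.get("Number of infected objects", -1)) == len(detections),
        "viruses_consistent": int(stats.get("Number of viruses found", -1)) == len(by_verdict),
        "by_verdict": dict(by_verdict),
        "needs_action": sorted(d["path"] for d in live),
        "already_contained": sorted(d["path"] for d in contained),
        # The online scanner only reports ("skipped"); it cleans nothing itself.
        "cleaned_by_scanner": sum(1 for d in detections if d["action"] != "skipped"),
        "locked_count": len(report["locked"]),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On the excerpt this reports the two `.hta` files as the only detections needing action (the same two files the helper later scripts for removal), the HouseCall quarantine hit as already contained, zero objects cleaned by the scanner, and both summary counts consistent with the object lines. Any line in the objects table that matches neither pattern lands in `unparsed` rather than being silently dropped, which is the check worth keeping when a report comes from a different scanner version.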

#21
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Mikey P

The SUPERantispyware picked up mostly cookies and a separate infection which it cleared, the Kaspersky scan picked up a couple of infected files which we will remove now.

====STEP 1====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 2====
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\agreement.hta
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\bill_of_sale.hta


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


In your next reply could I see:
1. the malwarebytes scan
2. the combofix log
3. a new hijackthis log
4. some idea of how your machine is running now

andrewuk
  • 0

#22
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
Malware info clean:
Malwarebytes' Anti-Malware 1.08
Database version: 499

Scan type: Quick Scan
Objects scanned: 42194
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#23
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
Question?
When I run notepad .exe I see:
File::
C:\WINDOWS\system32\drivers\sycglqlwvynj.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFEXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

This is the info I added early in the session. Do I add the new line to this or has this already been added by combofix and I can just paste over it?
I will wait for a reply before I continue.

Also, I have several spyware programs loaded on my computer, should I remove any?
AVG antispyware
Super antispyware
Spyhunter
Spyware doctor

Computer is running much better now. I have not been getting redirected to the google site for ad.yieldmanager.
  • 0

#24
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Question?
When I run notepad .exe I see:
File::
C:\WINDOWS\system32\drivers\sycglqlwvynj.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFEXE]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

This is the info I added early in the session. Do I add the new line to this or has this already been added by combofix and I can just paste over it?
I will wait for a reply before I continue.

You can just paste over it; those entries are now fixed, so we don't need to do that again.

Also, I have several spyware programs loaded on my computer, should I remove any?
AVG antispyware
Super antispyware
Spyhunter
Spyware doctor

I will leave you with a list of programs at the end, but now is as good a time as any to address this question.

As a rule, you should only have one anti-spyware program running in the background.

Keep AVG antispyware - it runs in the background and is your constant level of protection.

Uninstall Spyware Doctor - it also runs in the background and therefore will conflict with AVG anti-spyware and thus will slow down your machine.

Keep SUPERantispyware - the free version is an on-demand antispyware program and so does not run in the background and therefore will not conflict with AVG.

Uninstall Spyhunter; I don't think it is as good as the others.


andrewuk
  • 0

#25
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
Here is combofix:
ComboFix 08-03-14.4 - Dad 2008-03-17 17:18:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1503 [GMT -5:00]
Running from: C:\Documents and Settings\Dad\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dad\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\agreement.hta
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\bill_of_sale.hta
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dad\My Documents\Dad's\Katana\agreement.hta
C:\Documents and Settings\Dad\My Documents\Dad's\Katana\bill_of_sale.hta

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-17 08:06 . 2008-03-17 08:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 08:06 . 2008-03-17 08:06 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Malwarebytes
2008-03-17 08:06 . 2008-03-17 08:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-16 19:03 . 2008-03-16 19:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-16 19:03 . 2008-03-16 19:03 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-16 19:03 . 2008-03-16 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-15 22:49 . 2008-03-15 22:49 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-15 22:49 . 2007-12-04 07:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-03-15 22:49 . 2004-01-09 03:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-03-15 22:49 . 2007-12-04 06:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-03-15 22:49 . 2007-12-04 08:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-03-15 22:49 . 2007-12-04 08:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-03-15 22:49 . 2007-12-04 08:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-03-15 22:49 . 2007-12-04 08:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-03-15 22:49 . 2007-12-04 08:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-03-15 22:19 . 2008-03-15 22:20 317 --a------ C:\Documents and Settings\Dad\.exe
2008-03-15 21:11 . 2008-03-15 21:11 <DIR> d-------- C:\Deckard
2008-03-14 16:46 . 2008-03-14 16:46 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Nova Development
2008-03-12 19:55 . 2008-03-12 19:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-11 11:41 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-11 11:41 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-10 17:41 . 2008-03-10 17:41 <DIR> d-------- C:\Documents and Settings\Logan\Application Data\Grisoft
2008-03-10 17:39 . 2008-03-10 17:39 <DIR> d-------- C:\Documents and Settings\Jeremy\Application Data\Grisoft
2008-03-10 17:37 . 2008-03-10 17:37 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\Grisoft
2008-03-10 17:35 . 2008-03-10 17:35 <DIR> d-------- C:\Documents and Settings\Kristen\Application Data\Grisoft
2008-03-10 17:29 . 2008-03-10 17:29 <DIR> d-------- C:\Documents and Settings\Mom & Dad\Application Data\Grisoft
2008-03-10 17:15 . 2008-03-10 17:15 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-03-10 17:14 . 2008-03-10 17:14 <DIR> d-------- C:\Program Files\MSECACHE
2008-03-10 15:59 . 2008-03-10 15:59 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 02:29 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-10 02:15 . 2008-03-16 08:48 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-10 02:15 . 2008-03-10 02:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-10 02:15 . 2008-03-10 02:15 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-10 02:15 . 2008-03-10 02:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-09 18:22 . 2008-03-12 19:36 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-09 18:22 . 2008-03-09 18:22 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\SUPERAntiSpyware.com
2008-03-09 18:22 . 2008-03-09 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-09 18:21 . 2008-03-09 18:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-09 16:31 . 2008-03-09 16:31 <DIR> d-------- C:\Documents and Settings\Dad\Application Data\Grisoft
2008-03-09 16:30 . 2008-03-09 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 16:30 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-21 01:40 . 2008-02-21 01:43 <DIR> d-------- C:\Program Files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 16:42 --------- d-----w C:\Documents and Settings\Adam\Application Data\AOL
2008-03-16 03:20 317 ----a-w C:\Documents and Settings\Dad\.exe
2008-03-10 08:31 --------- d-----w C:\Program Files\QuickTime
2008-03-10 08:25 --------- d-----w C:\Program Files\Digital Line Detect
2008-03-10 08:21 --------- d-----w C:\Program Files\Common Files\aolshare
2008-03-10 08:20 --------- d-----w C:\Program Files\BAE
2008-03-10 08:20 --------- d-----w C:\Program Files\AOL 9.0
2008-03-10 08:20 --------- d-----w C:\Program Files\America Online 9.0
2008-03-09 23:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-06 22:35 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-03 23:36 --------- d-----w C:\Documents and Settings\Kristen\Application Data\LimeWire
2008-02-28 23:17 83,584 -c--a-w C:\Documents and Settings\Mom & Dad\Application Data\GDIPFONTCACHEV1.DAT
2008-02-25 23:19 --------- d-----w C:\Program Files\LimeWire
2008-02-25 22:53 --------- d-----w C:\Documents and Settings\Mom & Dad\Application Data\LimeWire
2008-02-21 16:48 --------- d-----w C:\Program Files\McAfee
2008-02-21 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-31 01:37 --------- d-----w C:\Program Files\DIGStream
2008-01-30 22:02 --------- d-----w C:\Program Files\XoftSpySE
2008-01-30 21:56 --------- d-----w C:\Program Files\Viewpoint
2008-01-30 21:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-24 22:55 --------- d-----w C:\Program Files\Guitar Pro 5
2008-01-21 13:43 --------- d-----w C:\Documents and Settings\Jeremy\Application Data\CyberLink
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-09-10 15:15 72,336 -c--a-w C:\Documents and Settings\Kristen\Application Data\GDIPFONTCACHEV1.DAT
2007-09-05 23:46 72,336 -c----w C:\Documents and Settings\Adam\Application Data\GDIPFONTCACHEV1.DAT
2007-02-26 22:09 71,400 -c--a-w C:\Documents and Settings\Logan\Application Data\GDIPFONTCACHEV1.DAT
2006-10-06 18:27 71,400 -c--a-w C:\Documents and Settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
2007-01-07 19:17 88 -csh--r C:\WINDOWS\system32\E546349AF4.sys
2007-04-23 21:00 4,184 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-03-15_21.47.06.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-03-16 23:58:07 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-12 19:36 1481968]
"AOL Fast Start"="C:\Program Files\AOL 9.0\AOL.exe" [2007-04-18 01:49 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50 114688]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20 122940]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 11:24 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-06-26 18:50 212992]
"iTunesHelper"="C:\Documents and Settings\Kristen\My Documents\iTunesHelper.exe" [2005-12-20 21:54 278528]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12 94208]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01 67584]
"HostManager"="C:\Program Files\Common Files\AOL\1154635686\ee\AOLSoftware.exe" [2007-05-25 12:16 42032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 22:10 151552]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-28 20:39 155648]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-09-18 14:46 110592]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-09-18 14:46 8192]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 07:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-07-31 07:17:13 24576]
Event Reminder.lnk - C:\Program Files\PrintMaster 16\pmremind.exe [2004-01-20 12:10:38 339968]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-03-12 19:36 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McShield"=2 (0x2)
"aolavupd"=2 (0x2)
"MpfService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\Kristen\\My Documents\\iTunes.exe"=
"C:\\Program Files\\Common Files\\AOL\\1154635686\\ee\\aolsoftware.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"C:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=

S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 17:19:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-17 17:20:18
ComboFix-quarantined-files.txt 2008-03-17 22:20:16
ComboFix2.txt 2008-03-16 03:23:10
ComboFix3.txt 2008-03-16 02:47:35
.
2008-03-13 00:34:53 --- E O F ---
  • 0

#26
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
And HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:56 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Documents and Settings\Kristen\My Documents\iTunesHelper.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Documents and Settings\Kristen\My Documents\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\AOL\1154635686\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Kristen\My Documents\iTunesHelper.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154635686\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpeedUpMyPC.lnk = C:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...wlscbase370.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1205179627703
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1205182394312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Documents and Settings\Kristen\My Documents\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9412 bytes
  • 0
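One way to read the O4 (autostart) and O23 (service) lines of a HijackThis log like the one above is to check where each executable lives and who owns it. The script below is an added example written for this page, not a Geeks to Go or HijackThis tool: it parses entries copied from the log above and applies three review heuristics of my own choosing (binary under a user profile, binary under a temp folder, service with an unknown owner, plus a shortcut whose target could not be resolved). The flags are prompts for a human reviewer, not verdicts; a legitimate program can run from My Documents, as iTunesHelper does here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entries copied from the HijackThis log in the post above (O4 autostart
# lines and O23 service lines), used here as the sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\Kristen\My Documents\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Documents and Settings\Kristen\My Documents\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
"""

# Line shapes HijackThis uses for registry Run keys, Startup-folder shortcuts and services.
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.*)$")
# First drive-letter path ending in an executable extension; surrounding quotes and
# trailing arguments such as /minimized or (User 'SYSTEM') are left out of the match.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|com|bat|cmd|pif))(?=["\s]|$)', re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)$")  # "(RichVideo)" at the end of a service name


@dataclass
class Entry:
    kind: str            # "run", "startup" or "service"
    name: str
    path: Optional[str]  # None when no executable path could be recovered
    flags: List[str]     # review prompts, empty when nothing stood out


def extract_path(command: str) -> Optional[str]:
    """Return the executable path inside a Run/Startup command, or None."""
    m = PATH_RE.search(command)
    return m.group(1) if m else None


def flag_path(path: Optional[str]) -> List[str]:
    """Heuristics on the location of the binary (my choice, not a HijackThis rule)."""
    if path is None:
        return ["unresolved target"]
    p = path.lower()
    flags = []
    if p.startswith("c:\\documents and settings\\"):
        flags.append("user-profile path")
    if "\\temp\\" in p:
        flags.append("temp path")
    return flags


def parse_line(line: str) -> Optional[Entry]:
    """Turn one O4/O23 log line into an Entry; other line types yield None."""
    m = RUN_RE.match(line)
    if m:
        path = extract_path(m.group("cmd"))
        return Entry("run", m.group("name"), path, flag_path(path))
    m = STARTUP_RE.match(line)
    if m:
        path = extract_path(m.group("cmd"))
        return Entry("startup", m.group("name"), path, flag_path(path))
    m = SERVICE_RE.match(line)
    if m:
        path = extract_path(m.group("path"))
        short = SHORT_NAME_RE.search(m.group("name"))
        name = short.group(1) if short else m.group("name")
        flags = flag_path(path)
        if m.group("owner").strip().lower() == "unknown owner":
            flags.append("unknown service owner")
        return Entry("service", name, path, flags)
    return None


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line of a HijackThis log."""
    return [e for e in (parse_line(l.strip()) for l in log_text.splitlines()) if e]


def flagged_entries(log_text: str) -> Dict[str, List[str]]:
    """Only the entries that carry at least one review flag, keyed by name."""
    return {e.name: e.flags for e in triage(log_text) if e.flags}


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        mark = ", ".join(entry.flags) if entry.flags else "-"
        print(f"{entry.kind:8} {entry.name:28} {mark:24} {entry.path}")
```

Run as a script it prints every parsed entry with its flags; on the sample above only iTunesHelper, iPodService, the unresolved Digital Line Detect shortcut and the RichVideo service are flagged, which matches the questions a helper would ask before passing the log as clean.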

#27
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Mikey P

congratulations, your logs are clean :)

if this is not a file you know, could you manually delete this file C:\Documents and Settings\Dad\.exe

in this post we will wrap this up by flushing your temp folders, clearing away the fix tools, resetting your restore points (there will be infections lurking in there) and I will leave you with some ideas on how to enhance the protection of your machine against future infection

====STEP 1====
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
If you have trouble with this, let me know and we will clear away the fix tools and reset your restore points another way

you can also clear away the other fix tools that we used.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


andrewuk
  • 0

#28
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
I deleted the .exe file, which I believe was one of the notepad files I pasted into combofix earlier. I ran ATF cleaner and did the uninstall on combofix.
Thank you so much for all your help. I also removed spyhunter and spyware doctor.

On your list of suggested tools, should I run those in addition to Super antispyware and AVG antispyware? Which ones are on demand and which ones run in the background? I am referring to #1 - 5. I understand #6 - 9.
  • 0

#29
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

On your list of suggested tools, should I run those in addition to Super antispyware and AVG antispyware? Which ones are on demand and which ones run in the background? I am referring to #1 - 5. I understand #6 - 9.

yes, you can run them all.

spybot search & destroy and adaware are both programs you run on demand (make sure you update them before you run them).

spywareblaster (acts more as a shield) and spywareguard are nice additions to AVG antispyware and you will find they do not take up noticeable resources.

IE-SpyAd just puts sites in your restricted zone - so keep it updated weekly is my advice.

i tend to run one anti-virus and one anti-spyware as well as spywareblaster and spywareguard all the time. and then each week I make sure all my security programs are updated and I run a full system scan with spybot search & destroy, adaware, my anti-spyware and my antivirus program. takes 2 hours. but it's worth it.

andrewuk
  • 0

#30
Mikey P

    Member

  • Topic Starter
  • Member
  • 20 posts
Thanks again for all your help. I just dealt with the problem for almost 2 months and now I am free. I will attempt to stay that way so you can help other people!
  • 0