
POSVundo [RESOLVED]



#16 astrosoup (Member, Topic Starter, 181 posts)
Good luck with all of that!

The system is running much faster now. Boot-up is a little slow, but I can take care of that. You might want to take a peek into the C Drive. The POStemp files are gone, but there are a handful of files named "sqmdata##.sqm". I scanned a few of them with Avast and it said they weren't infected, but I am still suspicious as they are all only 1 KB in size, just like the POStemp files. They probably can't hurt anything, but I don't see why they would need to be there. The red X icon still marks the C Drive, but other than that she seems pretty clean. I am really grateful for all of your hard work, andrewuk. You've been super fast and very post-efficient :). Many thanks.



#17 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
In this post we will update your Java and clear the infections found in the scans. The vast majority of the infections found were either safely quarantined already or in restore points. Avast, Malwarebytes and SUPERAntiSpyware removed all the infections they found, leaving us just one file to remove, which we will do via ComboFix so that I can take one final look at your logs.

> You might want to take a peek into the C Drive. The POStemp files are gone, but there are a handful of files named "sqmdata##.sqm". I scanned a few of them with Avast and it said they weren't infected, but I am still suspicious as they are all only 1 KB in size, just like the POStemp files. They probably can't hurt anything, but I don't see why they would need to be there.

These are Windows Live Messenger files, and are harmless. By default, you participate in a data-gathering program. Open Live Messenger, click on Help, then on Customer Experience Improvement Program, then uncheck the radio button which says you want to participate. There is some further info here

> The red X icon still marks the C Drive

We will gather information in this post to tackle that in the next post.

I suspect we are 3 more quick posts away from wrapping this up :)


====STEP 1====
Removing the one final infected file found......

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\Marnie Jones\Local Settings\Application Data\Wildtangent\Cdacache\00\00\17.dat


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


====STEP 2====
Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.



====STEP 3====
Gathering information on the Red X issue...

Open Notepad and Copy (Control+C) and Paste (Control+V) the following code into the Notepad window.


@ECHO OFF
rem Start with a fresh report file each time the batch file is run
If exist DrvIconQuery.txt Del DrvIconQuery.txt
Echo Report>>DrvIconQuery.txt
Echo %date% %time% >>DrvIconQuery.txt
Echo.>>DrvIconQuery.txt
@ECHO Working.......
rem Recursively dump the Explorer key; its DriveIcons subkey is where a custom drive icon would be set
Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /s >> DrvIconQuery.txt
rem Open the report in Notepad so it can be attached to the reply
start notepad DrvIconQuery.txt


Click on 'File' then 'Save As'
In the Save in drop down box select Desktop
In the File name box type in FixService.bat
In the Save as type drop down box select All Files
Close Notepad.

Now, find FixService.bat on your Desktop and Double click it
A window will open and close, do not be concerned this is normal.


Make sure you attach the report in your reply - it will be too large to copy and paste.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post



In your next reply could I see:
1. the ComboFix log
2. a new HijackThis log
3. the attached report from Step 3

andrewuk

#18 astrosoup (Member, Topic Starter, 181 posts)
ComboFix Log

ComboFix 08-03-21.1 - Marnie Jones 2008-03-23 11:57:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.238 [GMT -8:00]
Running from: E:\ComboFix.exe
Command switches used :: E:\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Marnie Jones\Local Settings\Application Data\Wildtangent\Cdacache\00\00\17.dat
.

((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 11:56 . 2008-03-23 11:56 3,631 --a------ C:\583.tmp
2008-03-22 21:29 . 2008-03-22 22:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-22 21:29 . 2008-03-22 21:29 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-22 21:29 . 2008-03-22 21:34 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-22 21:29 . 2008-03-22 21:34 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-22 21:29 . 2008-03-22 21:34 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-22 20:06 . 2008-03-22 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 20:04 . 2008-03-22 22:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 20:04 . 2008-03-22 20:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-22 20:04 . 2008-03-22 20:04 <DIR> d-------- C:\Documents and Settings\Marnie Jones\Application Data\SUPERAntiSpyware.com
2008-03-22 18:57 . 2008-03-22 19:13 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-22 18:57 . 2008-03-22 18:57 <DIR> d-------- C:\Documents and Settings\Marnie Jones\Application Data\Malwarebytes
2008-03-22 18:57 . 2008-03-22 18:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 20:33 . 2008-03-21 20:33 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-21 20:33 . 2007-12-04 05:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-03-21 20:33 . 2004-01-09 02:13 380,928 --a------ C:\WINDOWS\SYSTEM32\actskin4.ocx
2008-03-21 20:33 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-03-21 20:33 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon2.sys
2008-03-21 20:33 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswmon.sys
2008-03-21 20:33 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswTdi.sys
2008-03-21 20:33 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aavmker4.sys
2008-03-21 20:33 . 2007-12-04 06:53 23,152 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aswRdr.sys
2008-03-21 17:33 . 2008-03-21 17:33 3,631 --a------ C:\2C.tmp
2008-03-21 16:26 . 2008-03-21 16:26 3,631 --a------ C:\12.tmp
2008-03-16 14:21 . 2008-03-22 18:31 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 06:15 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-23 06:14 --------- d-----w C:\Program Files\QuickTime
2008-03-23 06:13 --------- d-----w C:\Program Files\MSN Messenger
2008-03-23 06:12 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-03-23 06:10 --------- d-----w C:\Program Files\iTunes
2008-03-23 06:10 --------- d-----w C:\Program Files\Dell Support
2008-03-23 06:08 --------- d-----w C:\Program Files\Common Files\Funk Software
2008-03-21 19:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-09 01:57 --------- d-----w C:\Program Files\Yahoo!
2008-03-02 01:32 --------- d-----w C:\Documents and Settings\Marnie Jones\Application Data\Viewpoint
2008-03-02 01:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-02 01:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 01:26 --------- d-----w C:\Program Files\IrfanView
.

((((((((((((((((((((((((((((( snapshot@2008-03-21_16.28.26.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 16:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2008-03-23 04:05:03 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-23 04:05:03 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-03-29 17:20:50 110,592 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\as.dll
+ 2006-10-06 00:15:26 233,472 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\ascontrol.dll
+ 2005-06-03 22:03:18 96,256 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\asmdat.dll
+ 2003-08-01 19:00:16 36,864 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\certdll.dll
+ 2005-05-20 21:42:44 86,016 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\instlsp.dll
+ 2007-11-12 17:46:18 26,112 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\JID.dll
+ 2006-02-17 02:20:20 4,608 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\memvfile.dll
+ 2005-10-26 02:08:32 348,160 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\msvcr71.dll
+ 2007-11-26 19:10:36 61,440 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 23:01:02 139,264 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavaleas.dll
+ 2006-07-14 21:04:10 45,056 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavdr.exe
+ 2006-04-10 18:50:02 159,832 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavexcom.dll
+ 2006-02-14 21:05:38 94,208 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavinas.dll
+ 2006-02-17 02:35:38 180,224 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavoe.dll
+ 2006-10-06 00:15:38 122,880 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavpz.dll
+ 2007-06-04 19:31:52 57,344 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavsddl.dll
+ 2006-06-30 22:13:38 8,704 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pfdnnt.exe
+ 2004-02-04 22:08:42 49,152 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\port32.dll
+ 2007-10-30 18:04:14 36,864 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\Prescan.dll
+ 2006-08-01 21:23:10 69,632 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pscpu.dll
+ 2007-11-21 18:00:06 376,832 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll
+ 2007-10-31 21:05:06 32,768 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 19:38:14 10,752 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskalloc.dll
+ 2006-09-04 19:49:54 61,440 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskas.dll
+ 2006-08-18 16:46:18 779,264 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll
+ 2007-03-26 22:25:34 417,792 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskcmp.dll
+ 2006-08-09 18:42:24 90,112 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskfss.dll
+ 2006-07-19 18:55:58 208,896 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskhtml.dll
+ 2006-01-21 00:57:00 9,728 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskmas.dll
+ 2006-05-17 17:50:12 14,336 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskmdfs.dll
+ 2006-08-16 18:58:12 33,280 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskpack.dll
+ 2006-06-30 22:42:36 266,240 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskscs.dll
+ 2006-08-17 22:33:14 62,976 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskutil.dll
+ 2006-08-08 21:13:10 13,312 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskvfile.dll
+ 2006-08-18 16:53:08 69,632 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskvfs.dll
+ 2006-08-18 16:49:50 167,936 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskvm.dll
+ 2007-10-18 17:30:16 105,472 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psnahk.dll
+ 2007-11-23 22:29:08 10,752 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psndsk.dll
+ 2007-10-18 17:30:38 42,496 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psnflg.dll
+ 2007-10-30 19:19:22 98,304 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psnglknt.dll
+ 2007-08-22 16:52:00 20,272 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psnhsh.dll
+ 2007-11-12 23:49:34 11,776 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psnjidsign.dll
+ 2007-08-22 16:52:04 76,080 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psnkrnl.dll
+ 2007-08-22 16:52:06 21,296 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psnmem.dll
+ 2007-10-04 23:26:28 28,672 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\PsnPen.dll
+ 2007-10-23 19:40:10 86,016 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psntuc.dll
+ 2007-05-24 19:27:36 27,136 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\PSNXprs.dll
+ 2007-04-19 01:16:04 353,840 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psscan.dll
+ 2007-01-22 22:42:48 35,328 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\rawvfile.dll
+ 2007-06-08 17:44:36 8,576 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\RKPavProc.sys
+ 2007-06-05 18:56:40 44,928 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\sdthook.sys
+ 1997-09-18 14:12:32 9,488 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\sporder.dll
+ 2006-03-01 01:23:40 69,632 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\tcpvfile.dll
+ 2007-09-17 17:14:08 126,976 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\Tucan.dll
+ 2006-08-02 20:39:06 73,728 ----a-w C:\WINDOWS\SYSTEM32\asuninst.exe
- 2008-03-21 04:22:59 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2008-03-23 05:07:13 16,384 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2008-03-21 04:22:59 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2008-03-23 05:07:13 32,768 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2008-03-21 04:22:59 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2008-03-23 05:07:13 49,152 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
+ 2003-03-26 02:53:50 11,776 ----a-w C:\WINDOWS\SYSTEM32\ZPORT4AS.dll
+ 2008-03-23 05:07:16 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_61c.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 05:51 306688]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 09:54 5674352]
"Creative WebCam Tray"="C:\Program Files\Creative\Shared Files\CamTray.exe" [2005-03-28 22:13 258048]
"Yahoo! Pager"="1" []
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 15:16 454784]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 02:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-27 16:09 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-27 15:56 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 14:48 32881]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-22 13:23 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-22 13:23 507904]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-14 22:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-18 22:01 110592]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 17:15 290816]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 08:43 53248]
"DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2004-03-04 08:36 211828]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-03-04 17:59 487424]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-09-20 18:09 26112]
"HostManager"="C:\Program Files\Common Files\AOL\1125192965\ee\AOLHostManager.exe" [2005-08-02 11:33 159832]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 09:01 36864 C:\WINDOWS\SYSTEM32\P0630Pin.dll]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 12:45 278528]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-29 15:55 155648]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" [ ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 18:26 368706]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 04:51 442455]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2007-10-17 16:00:08 217088]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-01-14 16:13:37 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2003-11-13 11:29]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 13:38]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\CBTNDIS5.SYS [2003-07-16 20:28]
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\System32\DRIVERS\odysseyIM4.sys [2004-09-24 21:36]
S3 P0630VID;Creative WebCam Live!;C:\WINDOWS\System32\DRIVERS\P0630Vid.sys [2005-06-05 17:44]

*Newly Created Service* - RKPAVPROC
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 11:59:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-23 12:00:21
ComboFix-quarantined-files.txt 2008-03-23 20:00:06
ComboFix2.txt 2008-03-22 01:36:00
ComboFix3.txt 2008-03-22 00:28:54


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:56 PM, on 3/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\AOL\1125192965\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1125192965\ee\AOLServiceHost.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\explorer.exe
E:\MedKit\Scan\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1125192965\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9161 bytes

DrvIconQuery.txt (Part One)

I had to split this one up, as it was >100KB

Attached File  DrvIconQuery.txt   45.88KB   211 downloads

Also, I forgot about the Java step and ran it last, after I took all of these logs. Let me know if you need me to redo any of them.

#19 astrosoup (Member, Topic Starter, 181 posts)
DrvIconQuery (Part 2)

Attached File  DrvIconQuery2.txt   74.5KB   917 downloads

#20 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please let me know if the Red X is still there.

(I don't need to see a ComboFix log or a HijackThis log.)

andrewuk
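The STEP 3 batch file in post #17 exports the Explorer registry subtree with `reg query /s`, and the CFScript in post #20 deletes the DriveIcons subkey that was giving the C drive its red X. The following Python script is an added example, not code from the thread, from ComboFix or from any other tool mentioned here: it parses a `reg query /s` report of that shape (a constructed sample is embedded; the icon path and the D: label in it are made up), lists every per-drive DefaultIcon or DefaultLabel override under DriveIcons, and reproduces the `Registry::` removal block from post #20 so you can see exactly which entries that block would wipe before running it.

```python
"""Parse a `reg query ... /s` report and flag per-drive icon overrides."""
import re
from typing import Dict, List, Tuple

# The key the STEP 3 batch file exports, and the subkey post #20 deletes.
EXPLORER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
DRIVEICONS_KEY = EXPLORER_KEY + r"\DriveIcons"

# Constructed sample report, shaped like the output of the STEP 3 batch file.
# XP-era reg.exe separates columns with tabs and prints "<NO NAME>" for a key's
# default value; later versions use spaces and "(Default)". The icon path and
# the D: label below are made up for this example and do not come from the thread.
SAMPLE_REPORT = r"""Report
Sun 03/23/2008 11:30:02.15

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    ShellState    REG_BINARY    24000000338000000000000000000000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\C\DefaultIcon
    <NO NAME>    REG_SZ    C:\Documents and Settings\All Users\Application Data\redx.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\D\DefaultLabel
    (Default)    REG_SZ    My Backup Drive
"""

RegTree = Dict[str, Dict[str, Tuple[str, str]]]


def parse_reg_query(report: str) -> RegTree:
    """Turn reg query text into {key_path: {value_name: (type, data)}}.

    Key lines start at column 0 with HKEY_; value lines are indented and hold
    three columns separated by a tab or by two or more spaces. Everything else
    (the batch file's "Report" header, the timestamp, reg.exe's banner) is skipped.
    """
    tree: RegTree = {}
    current = None
    for raw in report.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            current = line
            tree.setdefault(current, {})
        elif current is not None and raw[:1] in (" ", "\t"):
            parts = re.split(r"\t|[ ]{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                name, vtype, data = parts
                # Normalise the two spellings of the default value.
                if name == "<NO NAME>":
                    name = "(Default)"
                tree[current][name] = (vtype, data)
    return tree


def drive_icon_overrides(tree: RegTree) -> List[Dict[str, str]]:
    """List every DriveIcons\\<letter>\\DefaultIcon or DefaultLabel override.

    Explorer consults these subkeys before drawing a drive, so a clean install
    normally has no DriveIcons key at all; any entry deserves a look at the
    file it points to.
    """
    prefix = DRIVEICONS_KEY.lower() + "\\"
    found = []
    for key, values in tree.items():
        if not key.lower().startswith(prefix):
            continue
        parts = key[len(prefix):].split("\\")
        if len(parts) != 2 or parts[1] not in ("DefaultIcon", "DefaultLabel"):
            continue
        data = values.get("(Default)", ("", ""))[1]
        found.append({"drive": parts[0].upper(), "setting": parts[1], "data": data})
    return sorted(found, key=lambda f: (f["drive"], f["setting"]))


def combofix_removal_script(overrides: List[Dict[str, str]]) -> str:
    """Reproduce the CFScript from post #20 when any override is present.

    The leading '-' tells ComboFix to delete the whole key, which removes
    every per-drive override at once, legitimate labels included.
    """
    if not overrides:
        return ""
    return "Registry::\n[-" + DRIVEICONS_KEY + "]\n"


if __name__ == "__main__":
    hits = drive_icon_overrides(parse_reg_query(SAMPLE_REPORT))
    for hit in hits:
        print(f"{hit['drive']}: {hit['setting']} -> {hit['data']}")
    print(combofix_removal_script(hits), end="")
```

Run it against the DrvIconQuery.txt produced by the STEP 3 batch file (read the file and pass its text to `parse_reg_query`). Explorer reads DriveIcons\<letter>\DefaultIcon and DefaultLabel to override a drive's icon and name, which is why an entry planted there makes a healthy drive look infected. Because the fix in post #20 removes the whole key, check the parser's output first for any legitimate label override you would want to recreate afterwards, and compare each reported icon path against the file it points at.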

#21 astrosoup (Member, Topic Starter, 181 posts)
I ran that combofix and it worked like a charm. The C Drive no longer looks as if it is infected with POSVundo. :)

#22 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
great :)

We just need to update you to SP2.

Service Pack 2
You also do not have Service Pack 2 for Windows XP installed, which is a CRITICAL part of keeping your system protected. Without the Service Pack 2 installed, your system is vulnerable and wide open to re-infection. I suggest you visit the Windows Update Site immediately which can be found Here

Please let me know if you encounter any errors in the process of installing SP2. If you do, it may mean that your PC is still infected so please let me know.

Please post a HJT log after the above along with letting me know how the SP2 installation went.

andrewuk

Edited by andrewuk, 23 March 2008 - 11:00 PM.


#23 astrosoup (Member, Topic Starter, 181 posts)
Here you are. The installation went perfectly, and I've followed up the installation with all of the latest security updates without issue. I've done some housecleaning in the HKLM...Run and HKCU...Run slots in the registry so that is why the log looks a little different.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:06 AM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\wuauclt.exe
E:\MedKit\Scan\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PD0630 STISvc] RunDLL32.exe P0630Pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8394 bytes

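The log above is in HijackThis's one-entry-per-line format, and a helper reads it by section: R0/R1 browser and proxy settings, O4 autostarts, O9 browser buttons, O23 services. As an added example (not code from this thread, from Geeks to Go, or from HijackThis), the Python script below parses those four sections and flags the entries a reviewer looks at first: autostarts with no absolute path, autostarts that run from a user-writable part of the profile, orphaned O9 entries marked "(file missing)", services with "Unknown owner", and any proxy-related R1 value. The sample input is copied from the log in this post, plus one constructed line (the SysUpdate entry, which does not appear anywhere in the thread) so the user-writable rule has something to fire on. The function names, the Finding record and the USER_WRITABLE fragment list are this example's own assumptions. The flags are review prompts, not verdicts: the bare BCMSMMSG.exe entry and the Linksys service are flagged here and are legitimate, as the next reply's clean verdict confirms.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not code from Geeks to Go or from
HijackThis. It parses R0/R1, O4, O9 and O23 entries and flags what a
malware-removal helper reviews first. Flags are review prompts, not verdicts.
"""
import re
from dataclasses import dataclass

# One HJT entry per line; these patterns cover the sections handled here.
O4_RE = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.*)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
EXE_EXT_RE = re.compile(r"\.(?:exe|com|scr|dll|bat|cmd)\b", re.IGNORECASE)

# Path fragments inside a user-writable Windows XP profile (constructed
# heuristic list for this example, compared case-insensitively).
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\", "\\temp\\", "\\application data\\")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    name: str      # entry name as HJT prints it
    target: str    # path or value the entry points at
    reason: str    # why a reviewer should look at it


def executable_of(cmd):
    """Return the program path from an O4 command line, dropping quotes and arguments.
    Unquoted paths may contain spaces, so cut after the first executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT_RE.search(cmd)
    return cmd[:m.end()] if m else cmd.split(" ", 1)[0]


def is_absolute_windows_path(path):
    """True for X:\\... paths; False for bare names that the loader resolves via the search path."""
    return len(path) >= 3 and path[0].isalpha() and path[1:3] == ":\\"


def triage(log_text):
    """Return Findings for the entries in log_text, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            exe = executable_of(m["cmd"])
            if not is_absolute_windows_path(exe):
                findings.append(Finding("O4", m["name"], exe, "no absolute path; binary resolved via the search path"))
            elif any(frag in exe.lower() for frag in USER_WRITABLE):
                findings.append(Finding("O4", m["name"], exe, "autostart runs from a user-writable location"))
        elif (m := O9_RE.match(line)):
            if "(file missing)" in m["target"]:
                findings.append(Finding("O9", m["name"], m["target"], "orphaned entry; target file missing"))
        elif (m := O23_RE.match(line)):
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", m["name"], m["target"], "service has no recorded publisher"))
        elif (m := R_RE.match(line)):
            if "proxy" in m["value"].lower():
                findings.append(Finding(line[:2], m["value"].strip(), m["data"], "proxy-related setting; confirm it is intended"))
    return findings


def report(findings):
    """One line per finding, ready to paste into a reply."""
    if not findings:
        return "no entries flagged"
    return "\n".join(f"[{f.section}] {f.name}: {f.target} -> {f.reason}" for f in findings)


# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed line (not from the thread): an autostart in a temp folder, the
# pattern the user-writable rule is meant to surface for review.
CONSTRUCTED_LINE = r"O4 - HKCU\..\Run: [SysUpdate] C:\Documents and Settings\Owner\Local Settings\Temp\sysupd.exe"

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG + CONSTRUCTED_LINE + "\n")))
```

Running it lists five entries for review: the ProxyOverride value, the bare BCMSMMSG.exe autostart, the orphaned WeatherBug button, the Linksys service with no recorded owner, and the constructed temp-folder autostart; everything under C:\Program Files or C:\WINDOWS with a recorded publisher passes silently, which is how a clean log like the one above stays quiet.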
#24 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hi astrosoup

Congratulations, your logs are clean :)

In this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there) and I will leave you with some ideas on how to enhance the protection of your machine against future infection.


====STEP 1====
Clearing away the fix points and resetting your system restore.....

Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
If you have trouble with this, let me know and we will clear away the fix tools and reset your restore points another way.


You can also clear away any other fix tools we used.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

andrewuk

#25 astrosoup (Topic Starter, Member, 181 posts)
Thank you so much for being so helpful, and speedy to boot! You've saved the day for sure. The computer is running great and is showing no signs of infection. It is finally a working laptop again! :) Thanks again, andrewuk!

#26 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.