[Ardent]

could you give me links to these 2 scan programs"start-up log and a panda scan" They do not seem to be on my pc after I did the restore.

Thank you

[Advertisements]

Sorry. I thought you had run it before.

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Click on this link.

http://www.bleepingc...l#HTStartupList
Go to Start-up listing and follow the instructions. Post the log here. Please don't attach.

[coachwife6]

Sorry. I thought you had run it before.

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Click on this link.

http://www.bleepingc...l#HTStartupList
Go to Start-up listing and follow the instructions. Post the log here. Please don't attach.

[Ardent]

Here is the Panda file

Incident Status Location

Adware:adware/topconvert Not disinfected Windows Registry
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Mark\cookies\mark@2o7[1].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Mark\cookies\mark@ask[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Mark\cookies\mark@did-it[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Mark\cookies\mark@go[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Mark\cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark\cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mark\cookies\mark@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mark\cookies\mark@zedo[2].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Mark\Cookies\mark@2o7[1].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Mark\Cookies\mark@ask[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Mark\Cookies\mark@did-it[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Mark\Cookies\mark@go[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Mark\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mark\Cookies\mark@zedo[2].txt
Possible Virus. Not disinfected C:\My Downloads\cdcbase276.exe[elp82.dll]
Possible Virus. Not disinfected C:\Program Files\Canon\ZoomBrowser EX\Program\DatabaseManager.dll
Virus:Eicar.Mod Not disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:Adware/SideStep Not disinfected C:\WINDOWS\SbCIe0261.dll
Adware:Adware/eZula

[Ardent]

here is the startup list

StartupList report, 1/10/2006, 6:32:47 PM
StartupList version: 1.52.2
Started from : C:\Program Files\hijakthis\hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GE\97769 Dual Scroll Optical Mouse\Amoumain.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\DynDNS.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\spider.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijakthis\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WheelMouse = Amoumain.exe
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Logitech Utility = Logi_MwX.Exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
DVDSentry = C:\WINDOWS\System32\DSentry.exe
Dimension4 = C:\Program Files\D4\D4.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

DynDNS Updater = "C:\WINDOWS\DynDNS.exe"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Spyware Doctor = "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - C:\PROGRA~1\Odigo\Bin\OdigoBHO.dll (file missing) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
(no name) - (no file) - {E3215F20-3212-11D6-9F8B-00D0B743919D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

ISP signup reminder 1.job

--------------------------------------------------

Enumerating Download Program Files:

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msgrchkr.dll
CODEBASE = http://messenger.zon...ry/msgrchkr.cab

[StagingUI Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
CODEBASE = http://zone.msn.com/...UI.cab40641.cab

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zon...nt.cab27571.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Windows Genuine Advantage]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.dll
CODEBASE = http://go.microsoft....204&clcid=0x409

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.micr...b?1093441524203

[Minesweeper Flags Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\minesweeper.dll
CODEBASE = http://messenger.zon...MineSweeper.cab

[FilePlanet Download Control Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FilePlanetDownloadCtrl.dll
CODEBASE = http://www.fileplane...DC_1_0_0_44.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[Microsoft.WinRep]
InProcServer32 = C:\WINDOWS\system32\Winrep.dll
CODEBASE = https://webresponse....iveX/winrep.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\System32\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B}]

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zon...StatsClient.cab

[InstallShield International Setup Player]
InProcServer32 = c:\windows\downlo~1\isetup.dll
CODEBASE = http://www.installen...gine/isetup.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[WebCam Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVE~1.OCX
CODEBASE = http://webcamnow.com...tiveXWebCam.cab

[{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}]
CODEBASE = http://install.wildt...lim/install.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/z...s/heartbeat.cab

[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://zone.msn.com/...ro.cab34246.cab

[Downloader Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\dwnldr.dll
CODEBASE = http://www.stopzilla...ller/dwnldr.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.s...ta/SymAData.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.3\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/z...s/heartbeat.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.s.../ActiveData.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Config.Msi\1404adf.rbf|||i

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 9,475 bytes
Report generated in 0.109 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

[coachwife6]

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

[coachwife6]

Ardent: My apologies for missing this infection. Apologies aren't sufficient enough. Please run the above instructions and I belive we will be on the road to recovery with the thanks also to all the trusted techs.

[Ardent]

No aplogies are necessary . You have been very patient with me and explained things well. I appreciate all the help you have given me!

[Ardent]

I'm having problems running the program you suggested. I've got it on my desktop in a folder unzipped and when I run 'Runthisbat. it brings up a black box with warnings about only using this with supervision and then says press any key to continue. I press a key and the insertion point keep blinking, I wait and press again and still nothing. Am I missing something? Shouldn't it do something? or is it working even when it says press any key to continue?

Thanks

[coachwife6]

Please disable any programs that block changes on your computer, such as Microsoft Antispyware, Spyware Doctor, to name a few.

There are quite a few programs available that offer protection features to help keep a computer from getting infected. While this is normally a helpful feature, it can keep a victim from making the changes necessary to clean their comptuer.

These programs need to be uninstalled

AdWatch

These programs can just be disabled

Microsoft Antispyware
TeaTimer
SpySweeper
Win Patrol
Spyware Guard
Pestpatrol
Regrun
Diamonds Process controler

See if that helps.

[Ardent]

Ok it worked this time. I did not uninstall adwatch? I will. I did run across something interesting in my startup when I went to msconfig. There were several items in a folder that said HKLM Software and one I think was HICU software. Being unfamiliar with this I thought it might be one of those items you wanted me to disable. Both of these folder seem to be connected to Troj/Kronos-a a trojan.

here is the log text

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Mark\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!

Hope this helps !

[coachwife6]

could I also see a hijack this log?

[Ardent]

here it is

Thanks

[coachwife6]

Did you post it?

[Ardent]

here it is as an attached file

[coachwife6]

I don't see it. Please copy and paste. Thanks.