Please Help. Look2Me and lots of flash popups on desktop [RESOLVED]

#91 thechi (Member, Topic Starter, 84 posts)
That file is no longer in the temp directory. I am doing a search now, and the only thing I've found is a KUC.EXE-2E9A6410.pf in C:\WINDOWS\Prefetch. Will that be of any use? If not, the file is gone.

#92 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Hmm, RKR showed it, and if you have not deleted any temp files it should still be there.

Try rebooting into safe mode and looking in that folder for it (not searching: use Windows Explorer and go directly into the Temp folder) and see if it's in there. If so, zip it up; if not, then I don't know where it went. Let me know.

#93 thechi (Member, Topic Starter, 84 posts)
Rebooted into safe mode, used Windows Explorer and searched... still nothing.

#94 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
All right, then we will set Killbox on it; if it's not there, then good:

Killbox delete on reboot please:

C:\Documents and Settings\CHICO\Local Settings\Temp\KUC.exe

After reboot, we're going to use a program to clear those other files out of the temp folder:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Since you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

I will be going over the screenshots again to find out what else needs to go.

What kind of problems are you still having? Can't right-click to get to properties of a window? Does it just not allow you to right-click at all?

#95 thechi (Member, Topic Starter, 84 posts)
Killbox did not find the file, so it's gone, I guess.

Downloaded and ran ATF Cleaner... cool little program.

As far as the browser window goes: when I open this thread, which is bookmarked on my desktop, I get a closed-up browser window in the top left corner of my desktop. I can expand it to any size... there are no toolbars and no status bar... it's just blank. When I right-click on it to get properties, nothing happens.

I'm going to grab some dinner... haven't eaten all day. I shall return shortly.
Thanks again.

#96 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
But when you're in a browser normally, not from a shortcut on your desktop, does it load normally and allow you to right-click?

#97 thechi (Member, Topic Starter, 84 posts)
Yes... it was just that one little window that was giving me problems. I didn't know if it was because of the shortcut or if it was somehow related to the ad/spy/malware issues I've been having.

#98 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
OK, good, I'm glad it's only that shortcut. Delete that shortcut from your desktop.
In Firefox, go up to Tools > Options.
Click Web Features.
Next to Enable JavaScript, click Advanced.
Uncheck "Hide status bar" and uncheck "Disable or replace context menus".

It's got something to do with the shortcut. The size is remembered: if you resize without maximizing, normally it should stay the size it was when last closed. I don't know why that window insists on being small, but it's just a little glitch somewhere. Try making a new shortcut on your desktop and see what it does.

Also, open Spy Sweeper and click Options on the left.
Click "Update definitions".
After it's updated, run it as you did previously and post the log for me so I can make sure it got rid of what it found last time.

Then, do you want to remove optional items from startup? It doesn't remove them from your system; it just keeps them from starting when the system does.

Also, about the spam mail: it's not coming from your computer. I get a lot of spam as well and my system is clean as a whistle. About the only thing you can do there is change your e-mail address, give it out very sparingly, and never use it for signing up for random things on the internet.

#99 thechi (Member, Topic Starter, 84 posts)
Made the changes in Firefox...

Running Spy Sweeper right now... I will post a log when it's done.

I would like to take most of those items out of startup. They are usually unchecked. Is it safe to do so now?

About the spam... it just started coming when I got this infection. The account I use with Thunderbird is only used for my work. Only about a dozen or so clients have it. I'll figure something out.

Thanks

#100 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Post a new HijackThis log for me and we can remove the optional items now (make sure it's still on normal startup).

You had a bunch of stuff in your system, so something could have collected your e-mail address and bad places got hold of it, which is why I would recommend changing the address. We've gotten rid of the bad guys, so that's about all I can recommend. :) Oh, and I definitely recommend changing your passwords when we're done here.

#101 thechi (Member, Topic Starter, 84 posts)
********
12:12 AM: | Start of Session, Tuesday, January 10, 2006 |
12:12 AM: Spy Sweeper started
12:12 AM: Sweep initiated using definitions version 598
12:12 AM: Starting Memory Sweep
12:18 AM: Memory Sweep Complete, Elapsed Time: 00:06:19
12:18 AM: Starting Registry Sweep
12:19 AM: Found Trojan Horse: trojan-backdoor-us15info
12:19 AM: HKU\S-1-5-21-1687362960-3871003454-1726878895-1005\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
12:19 AM: Registry Sweep Complete, Elapsed Time:00:00:20
12:19 AM: Starting Cookie Sweep
12:19 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:19 AM: Starting File Sweep
12:53 AM: Found Adware: safeguard protect
12:53 AM: a0093973.dll (ID = 74246)
12:58 AM: Found Trojan Horse: trojan-downloader-dh
12:58 AM: a0093971.exe (ID = 208497)
12:58 AM: Warning: Failed to open file "c:\documents and settings\chico\favorites\links\free aol & unlimited internet.lnk". The system cannot find the file specified
1:05 AM: a0093972.dll (ID = 164073)
1:08 AM: Warning: Failed to read ADS-MFT entry 12146
1:08 AM: Warning: Failed to read ADS-MFT entry 12312
1:08 AM: Warning: Failed to read ADS-MFT entry 12264
1:08 AM: Warning: Failed to read ADS-MFT entry 12270
1:08 AM: Warning: Failed to read ADS-MFT entry 12285
1:08 AM: Warning: Failed to read ADS-MFT entry 11027
1:08 AM: Warning: Failed to read ADS-MFT entry 11120
1:08 AM: Warning: Failed to read ADS-MFT entry 11123
1:08 AM: Warning: Failed to read ADS-MFT entry 11151
1:08 AM: Warning: Failed to read ADS-MFT entry 11162
1:08 AM: Warning: Failed to read ADS-MFT entry 11175
1:08 AM: Warning: Failed to open file "d:\pr0n\now new\throwback\kira05-1000k-05.mpg". The system cannot find the file specified
1:08 AM: Warning: Failed to open file "d:\pr0n\now new\throwback\kira05-1000k-02.mpg". The system cannot find the file specified
1:13 AM: Warning: Unhandled Archive Type
1:13 AM: Warning: Unhandled Archive Type
1:14 AM: File Sweep Complete, Elapsed Time: 00:55:25
1:14 AM: Full Sweep has completed. Elapsed time 01:02:21
1:14 AM: Traces Found: 4
1:32 AM: Removal process initiated
1:33 AM: Quarantining All Traces: trojan-backdoor-us15info
1:33 AM: Quarantining All Traces: trojan-downloader-dh
1:33 AM: Quarantining All Traces: safeguard protect
1:33 AM: Removal process completed. Elapsed time 00:00:33
********
1:00 PM: | Start of Session, Saturday, January 07, 2006 |
1:00 PM: Spy Sweeper started
1:00 PM: Sweep initiated using definitions version 597
1:00 PM: Starting Memory Sweep
1:02 PM: Memory Sweep Complete, Elapsed Time: 00:02:32
1:02 PM: Starting Registry Sweep
1:02 PM: Found Adware: linkmaker
1:02 PM: HKLM\software\uvcep\ (5 subtraces) (ID = 129749)
1:02 PM: Found Adware: websearch toolbar
1:02 PM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (8 subtraces) (ID = 146518)
1:02 PM: Found Adware: safeguard protect
1:02 PM: HKLM\software\safeguard protect\ (4 subtraces) (ID = 879722)
1:02 PM: Found Adware: dollarrevenue
1:02 PM: HKLM\software\microsoft\drsmartload\ (1 subtraces) (ID = 916795)
1:02 PM: Found Adware: command
1:02 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
1:02 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
1:02 PM: Found Adware: drsnsrch.com hijack
1:02 PM: HKU\S-1-5-21-1687362960-3871003454-1726878895-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
1:02 PM: HKU\S-1-5-21-1687362960-3871003454-1726878895-1005\software\safeguard protect\ (10 subtraces) (ID = 832657)
1:02 PM: Registry Sweep Complete, Elapsed Time:00:00:12
1:03 PM: Starting Cookie Sweep
1:03 PM: Found Spy Cookie: atwola cookie
1:03 PM: [email protected][1].txt (ID = 2255)
1:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
1:03 PM: Starting File Sweep
1:03 PM: Found System Monitor: win-spy monitor
1:03 PM: c:\windows\dll (ID = -2147480025)
1:03 PM: c:\windows\system32\dll (ID = -2147480023)
1:05 PM: Found Adware: look2me
1:05 PM: a0093422.exe (ID = 65722)
1:07 PM: a0093410.exe (ID = 65721)
1:10 PM: Found Adware: tibs dialer
1:10 PM: hot.lnk (ID = 79312)
1:18 PM: a0091878.dll (ID = 159)
1:20 PM: a0091911.dll (ID = 159)
1:20 PM: a0091897.dll (ID = 159)
1:20 PM: a0091930.dll (ID = 159)
1:20 PM: a0092028.dll (ID = 159)
1:22 PM: a0093503.dll (ID = 159)
1:24 PM: a0091920.dll (ID = 159)
1:24 PM: a0091941.dll (ID = 159)
1:24 PM: a0092033.dll (ID = 159)
1:25 PM: a0093474.dll (ID = 159)
1:26 PM: a0091946.dll (ID = 159)
1:26 PM: a0092015.dll (ID = 159)
1:26 PM: a0092029.dll (ID = 159)
1:27 PM: a0092030.dll (ID = 159)
1:27 PM: sfg_51cc.dll (ID = 74246)
1:27 PM: a0091962.dll (ID = 159)
1:27 PM: a0091953.dll (ID = 159)
1:27 PM: a0092032.dll (ID = 159)
1:31 PM: Found Trojan Horse: trojan-downloader-dh
1:31 PM: dh9013.exe (ID = 208497)
1:31 PM: sfg_01d1.dll (ID = 164073)
1:31 PM: a0093741.exe (ID = 65722)
1:31 PM: a0093742.exe (ID = 65721)
1:32 PM: a0091906.dll (ID = 159)
1:32 PM: a0092107.dll (ID = 159)
1:32 PM: a0092034.dll (ID = 159)
1:33 PM: a0093502.dll (ID = 159)
1:33 PM: a0091877.dll (ID = 159)
1:33 PM: a0092031.dll (ID = 159)
1:33 PM: a0092094.dll (ID = 159)
1:33 PM: a0093117.dll (ID = 159)
1:33 PM: a0092011.dll (ID = 159)
1:33 PM: a0093444.dll (ID = 159)
1:33 PM: a0092024.dll (ID = 159)
1:33 PM: a0092043.dll (ID = 159)
1:34 PM: a0093443.dll (ID = 159)
1:34 PM: a0093442.dll (ID = 159)
1:34 PM: a0093441.dll (ID = 159)
1:34 PM: a0093440.dll (ID = 159)
1:34 PM: a0093439.dll (ID = 159)
1:34 PM: a0093107.dll (ID = 159)
1:34 PM: a0092104.dll (ID = 159)
1:34 PM: a0092116.dll (ID = 159)
1:34 PM: a0093740.dll (ID = 159)
1:34 PM: a0093739.dll (ID = 159)
1:34 PM: a0093738.dll (ID = 159)
1:34 PM: a0093737.dll (ID = 159)
1:34 PM: a0093736.dll (ID = 159)
1:34 PM: a0093735.dll (ID = 159)
1:34 PM: a0093536.dll (ID = 159)
1:35 PM: a0091854.dll (ID = 159)
1:38 PM: a0093707.dll (ID = 159)
1:40 PM: Found Adware: netpal
1:40 PM: big fish games.url (ID = 70885)
1:40 PM: flyordie games.url (ID = 70890)
1:40 PM: drsmartload.dat (ID = 198788)
1:40 PM: Warning: Failed to access drive D:
1:40 PM: Warning: Failed to access drive D:
1:40 PM: Found System Monitor: potentially rootkit-masked files
1:40 PM: osn ______________________________________________________________________________________________.htm (ID = 0)
1:43 PM: Warning: Invalid Stream
1:43 PM: Warning: Invalid Stream
1:43 PM: File Sweep Complete, Elapsed Time: 00:40:38
1:43 PM: Full Sweep has completed. Elapsed time 00:43:37
1:43 PM: Traces Found: 111
3:14 AM: Removal process initiated
3:15 AM: Quarantining All Traces: look2me
3:15 AM: Quarantining All Traces: potentially rootkit-masked files
3:15 AM: potentially rootkit-masked files is in use. It will be removed on reboot.
3:15 AM: osn ______________________________________________________________________________________________.htm is in use. It will be removed on reboot.
3:15 AM: Quarantining All Traces: websearch toolbar
3:15 AM: Quarantining All Traces: win-spy monitor
3:15 AM: Quarantining All Traces: tibs dialer
3:15 AM: Quarantining All Traces: trojan-downloader-dh
3:15 AM: Quarantining All Traces: command
3:15 AM: Quarantining All Traces: dollarrevenue
3:15 AM: Quarantining All Traces: drsnsrch.com hijack
3:15 AM: Quarantining All Traces: linkmaker
3:15 AM: Quarantining All Traces: netpal
3:15 AM: Quarantining All Traces: safeguard protect
3:15 AM: Quarantining All Traces: atwola cookie
3:16 AM: Removal process completed. Elapsed time 00:01:24
9:58 PM: Updating spyware definitions
9:58 PM: Your definitions are up to date.
12:09 AM: Updating spyware definitions
12:09 AM: Your spyware definitions have been updated.
12:12 AM: | End of Session, Tuesday, January 10, 2006 |
********
12:56 PM: | Start of Session, Saturday, January 07, 2006 |
12:56 PM: Spy Sweeper started
12:58 PM: Your spyware definitions have been updated.
1:00 PM: | End of Session, Saturday, January 07, 2006 |

Logfile of HijackThis v1.99.1
Scan saved at 1:35:54 AM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\apvxdwin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\PopNot\PopNot.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\BootXP2\BootXP.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Popup XP\PopupXP.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Popup XP\PopupXPWebC.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\CHICO\Desktop\hijack\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\CHICO\Application Data\Mozilla\Profiles\default\40l8skcn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\CHICO\Application Data\Mozilla\Profiles\default\40l8skcn.slt\prefs.js)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [PNSetup] C:\Program Files\PopNot\PNSetup.exe
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BootXP] C:\Program Files\BootXP2\BootXP.exe /min /change
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O4 - Global Startup: Popup XP.LNK = C:\Program Files\Popup XP\PopupXP.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GNXLWNYYO - Unknown owner - C:\DOCUME~1\CHICO\LOCALS~1\Temp\GNXLWNYYO.exe (file missing)
O23 - Service: KUC - Unknown owner - C:\DOCUME~1\CHICO\LOCALS~1\Temp\KUC.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: YOPRNDAF - Unknown owner - C:\DOCUME~1\CHICO\LOCALS~1\Temp\YOPRNDAF.exe (file missing)
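
The Spy Sweeper log above holds two sessions pasted back to back (the January 10 run, then the older January 7 run), so the "Traces Found: 111" near the bottom belongs to the earlier sweep, not the latest one. Below is an added Python example, not part of the thread or of Spy Sweeper, that splits such a log on its session markers and summarizes each run: what was found (with its category), whether every find was quarantined, and whether anything was deferred to reboot. The line patterns it matches are assumptions taken from the log text above; the embedded sample log is constructed to mirror that format, trimmed to a handful of lines.

```python
"""Split a concatenated Webroot Spy Sweeper log into sessions and summarize each.

Added example; the regexes below are assumptions based on the log format seen
in the thread (timestamp prefix, "| Start of Session, ... |" markers,
"Found <Category>: <name>", "Traces Found: N", "Quarantining All Traces: <name>").
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

TS = r"^\d{1,2}:\d{2} [AP]M: "  # every log line starts with a 12-hour timestamp
SESSION_START = re.compile(TS + r"\| Start of Session, (.+?) \|$")
FOUND = re.compile(TS + r"Found ([A-Za-z ]+?): (.+)$")
TRACES = re.compile(TS + r"Traces Found: (\d+)$")
QUARANTINE = re.compile(TS + r"Quarantining All Traces: (.+)$")
DEFERRED = re.compile(r" is in use\. It will be removed on reboot\.$")


@dataclass
class Session:
    started: str
    found: dict = field(default_factory=dict)      # threat name -> category
    traces: int = 0
    quarantined: list = field(default_factory=list)
    needs_reboot: bool = False


def parse_sessions(text: str) -> list[Session]:
    """Return one Session per "Start of Session" marker, in file order
    (Spy Sweeper prints the newest session first)."""
    sessions: list[Session] = []
    current: Session | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "********":
            continue
        if (m := SESSION_START.match(line)):
            current = Session(started=m.group(1))
            sessions.append(current)
        elif current is None:
            continue                      # lines before the first marker
        elif (m := FOUND.match(line)):
            current.found[m.group(2).strip()] = m.group(1).strip()
        elif (m := TRACES.match(line)):
            current.traces = int(m.group(1))
        elif (m := QUARANTINE.match(line)):
            current.quarantined.append(m.group(1).strip())
        elif DEFERRED.search(line):
            current.needs_reboot = True
    return sessions


def summarize(text: str) -> list[dict]:
    """Per-session summary; 'not_quarantined' lists finds with no matching
    quarantine line, which is what a helper actually wants to know."""
    return [
        {
            "started": s.started,
            "traces": s.traces,
            "found": sorted(s.found),
            "not_quarantined": sorted(set(s.found) - set(s.quarantined)),
            "needs_reboot": s.needs_reboot,
        }
        for s in parse_sessions(text)
    ]


# Constructed sample in the thread's log format (two sessions, heavily trimmed).
SAMPLE_LOG = r"""
********
12:12 AM: | Start of Session, Tuesday, January 10, 2006 |
12:12 AM: Spy Sweeper started
12:19 AM: Found Trojan Horse: trojan-backdoor-us15info
12:19 AM: HKU\S-1-5-21-1687362960-3871003454-1726878895-1005\software\microsoft\windows\currentversion\run\ || shell (ID = 650813)
12:53 AM: Found Adware: safeguard protect
12:53 AM: a0093973.dll (ID = 74246)
1:14 AM: Traces Found: 2
1:33 AM: Quarantining All Traces: trojan-backdoor-us15info
1:33 AM: Quarantining All Traces: safeguard protect
12:12 AM: | End of Session, Tuesday, January 10, 2006 |
********
1:00 PM: | Start of Session, Saturday, January 07, 2006 |
1:05 PM: Found Adware: look2me
1:05 PM: a0093422.exe (ID = 65722)
1:40 PM: Found System Monitor: potentially rootkit-masked files
1:40 PM: osn.htm (ID = 0)
1:43 PM: Traces Found: 111
3:15 AM: Quarantining All Traces: look2me
3:15 AM: osn.htm is in use. It will be removed on reboot.
1:00 PM: | End of Session, Saturday, January 07, 2006 |
"""

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s)
```

Running it on the sample prints one line per session; the second (older) session is the one with 111 traces, and it reports "potentially rootkit-masked files" as not quarantined and a pending reboot, which is exactly the kind of leftover a helper would ask to have rescanned.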

#102 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
OK, Spy Sweeper found a few new things, but it's much better than last time (it looks worse than it is because the log from the last time you ran it is there as well).

Is this folder supposed to be there: D:\pr0n?

Here are the items I found that aren't necessary on startup. If you want to keep any of them on startup, do not put a check next to them. This removes them from startup completely and they will not be in msconfig. Keep that in mind in case there are any that you only disable sometimes or whatever. :)

Run HijackThis. Place a check next to the following items and click FIX CHECKED:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE

Close HijackThis.

These files were in your log, so please verify that they are gone and didn't magically reappear or anything:

C:\Documents and Settings\CHICO\Local Settings\Temp\GNXLWNYYO.exe
C:\Documents and Settings\CHICO\Local Settings\Temp\KUC.exe
C:\Documents and Settings\CHICO\Local Settings\Temp\YOPRNDAF.exe

Then, copy everything in the code box below (starting with @) and paste it into Notepad (you can open Notepad by going to Start > Run and typing notepad). In Notepad, go up to File > Save As, then click the drop-down box to change the "Save as type" to "All Files". Save it as remserv.bat on your desktop.

@echo off
rem Stop and unregister the three leftover services; their .exe files in Temp are already gone
sc stop GNXLWNYYO
sc delete GNXLWNYYO
sc stop KUC
sc delete KUC
sc stop YOPRNDAF
sc delete YOPRNDAF
exit
Double-click remserv.bat. A black window will open and close quickly; that's normal.

Reboot and post a new HijackThis log for me please. Let me know what kinds of problems you're having now. :)
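
The O23 entries that led to remserv.bat all share one shape: a service with an "Unknown owner" whose binary sat in the user's Temp folder and is now "(file missing)". The catch a practitioner wants to keep in mind is that HijackThis also prints "(file missing)" for legitimate services whose command line carries quoted arguments (the VAIO Media and LicCtrl entries above), so the marker alone is not evidence. Here is an added Python example, not part of the thread or of HijackThis, that parses O23 lines, separates Temp-resident services (to delete) from merely unresolved ones (to check by hand), and emits the same `sc stop` / `sc delete` batch the post built by hand. The O23 line grammar it assumes is inferred from the log above; the sample lines are constructed from entries in that log.

```python
"""Triage HijackThis O23 service lines and build an sc stop/delete batch.

Added example.  Assumed O23 line format (inferred from the thread's log):

    O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]

where "(<name>)" is absent when the service name equals the display name.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A service binary living under any ...\Temp\ directory is the tell-tale here.
TEMP_DIR = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)


@dataclass
class Service:
    name: str       # the name sc.exe needs
    display: str
    owner: str
    path: str
    missing: bool   # HijackThis could not resolve the binary

    @property
    def in_temp(self) -> bool:
        return TEMP_DIR.search(self.path) is not None


def parse_o23(log: str) -> list[Service]:
    services: list[Service] = []
    for raw in log.splitlines():
        m = O23.match(raw.strip())
        if not m:
            continue
        services.append(Service(
            name=m.group("name") or m.group("display"),
            display=m.group("display"),
            owner=m.group("owner"),
            path=m.group("path"),
            missing=m.group("missing") is not None,
        ))
    return services


def triage(log: str) -> tuple[list[Service], list[Service]]:
    """(remove, verify): Temp-resident services to unregister outright, and
    other unresolved-binary services that need a human look before touching."""
    services = parse_o23(log)
    remove = [s for s in services if s.in_temp]
    verify = [s for s in services if s.missing and not s.in_temp]
    return remove, verify


def sc_batch(services: list[Service]) -> str:
    """Equivalent of the thread's remserv.bat for the given services."""
    lines = ["@echo off"]
    for s in services:
        lines += [f"sc stop {s.name}", f"sc delete {s.name}"]
    lines.append("exit")
    return "\n".join(lines) + "\n"


# Constructed sample: a subset of O23 lines modelled on the log above.
SAMPLE_O23 = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: GNXLWNYYO - Unknown owner - C:\DOCUME~1\CHICO\LOCALS~1\Temp\GNXLWNYYO.exe (file missing)
O23 - Service: KUC - Unknown owner - C:\DOCUME~1\CHICO\LOCALS~1\Temp\KUC.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP (file missing)
O23 - Service: YOPRNDAF - Unknown owner - C:\DOCUME~1\CHICO\LOCALS~1\Temp\YOPRNDAF.exe (file missing)
"""

if __name__ == "__main__":
    remove, verify = triage(SAMPLE_O23)
    print("verify by hand:", [s.name for s in verify])
    print(sc_batch(remove))
```

The `verify` list is the caveat in code: LicCtrlService and the VAIO HTTP server both carry "(file missing)" but are not in Temp, so they are reported rather than deleted. Running `sc delete` on a service whose binary is still present and legitimate would break that software, which is why the split matters.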

#103 thechi (Member, Topic Starter, 84 posts)
Pr0n folder... what pr0n folder? Yeah, that's supposed to be there.

Everything seems to be working as it was before all the infections.

Anyway, here's the new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:00:20 PM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\AVENGINE.EXE
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\apvxdwin.exe
C:\Program Files\Panda Software\Panda Antivirus Titanium\pavProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\PopNot\PopNot.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\BootXP2\BootXP.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Popup XP\PopupXP.exe
C:\Program Files\Popup XP\PopupXPWebC.exe
C:\Documents and Settings\CHICO\Desktop\hijack\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\CHICO\Application Data\Mozilla\Profiles\default\40l8skcn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\CHICO\Application Data\Mozilla\Profiles\default\40l8skcn.slt\prefs.js)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [VAIO Recovery] C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [PNSetup] C:\Program Files\PopNot\PNSetup.exe
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BootXP] C:\Program Files\BootXP2\BootXP.exe /min /change
O4 - Global Startup: Popup XP.LNK = C:\Program Files\Popup XP\PopupXP.exe
O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: MCPClient - C:\Program Files\Common Files\Stardock\mcpstub.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

thank you. :)
  • 0
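Logs in the HijackThis format above are reviewed line by line by the helpers in this thread. As an added example (not code from the forum or from HijackThis), here is a small parser for the O4, O20 and O23 entry types that appear in the log, with a first-pass triage that flags entries marked "(file missing)", entries whose service owner is unknown, and commands that name a bare file with no directory. The sample lines are constructed to mirror the entry shapes on the page and are not the poster's full log; the flags are prompts for a human reviewer, not a verdict.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in HijackThis log format, modelled on the entry types
# in this thread (O4 run keys, O20 Winlogon Notify, O23 services).
# It is not the poster's full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - rundll32.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
"""

# One pattern per entry type; the O23 display name may itself contain
# parentheses, so the short service name is the last parenthesised token
# before " - <owner> - <command>".
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<cmd>.*)$"
)
# For an unquoted command, the program is everything up to the first
# ".exe"/".dll" that is followed by whitespace or end of line.
UNQUOTED_EXE_RE = re.compile(r"(.*?\.(?:exe|dll))(?=\s|$)", re.IGNORECASE)

def executable_of(cmd: str) -> str:
    """Return the program part of a command line (quoted token if present,
    otherwise the path up to the first .exe/.dll, else the first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = UNQUOTED_EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one O4/O20/O23 line into a dict of fields; None for other lines."""
    for kind, rx in (("O4", O4_RE), ("O20", O20_RE), ("O23", O23_RE)):
        m = rx.match(line)
        if m:
            entry = m.groupdict()
            entry["kind"] = kind
            return entry
    return None

def triage(entry: Dict[str, str]) -> List[str]:
    """Review prompts for one parsed entry. No flags does not mean clean;
    the name and vendor of each entry still need a human judgement."""
    flags: List[str] = []
    cmd = entry["cmd"].rstrip()
    if cmd.endswith("(file missing)"):
        flags.append("file missing")
        cmd = cmd[: -len("(file missing)")]
    exe = executable_of(cmd)
    if "\\" not in exe:
        # A bare file name is resolved via the search path, so the log alone
        # cannot tell you which copy of that file actually runs.
        flags.append("no directory in path")
    if entry.get("owner") == "Unknown owner":
        flags.append("unknown owner")
    return flags

def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry's name to its flags; unflagged entries are omitted."""
    result: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flags = triage(entry)
        if flags:
            result[entry["name"]] = flags
    return result

if __name__ == "__main__":
    for name, flags in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```

Note that the O23 lines on this page show service command lines with their leading quote stripped (for example `...\SSSvr.exe" /Service=...`), so quoting as rendered in the log is not a reliable basis for judging how the path is stored in the registry; this parser deliberately does not flag it.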

#104
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're welcome! We're happy we could help :)

yeah.. that's supposed to be there.

lol no worries, I just had to make sure it was there purposely! :) Which brings up another point.. be very, very careful with that... In fact I would strongly recommend staying far away from it.. That is one of the main reasons your system was so infected with malware and it won't be long before you're back here with your system infected again. But, alas, it is your computer; that's just my opinion based on what I see all day long. :woot:

Congratulations your log is clean! Great job on the clean up :tazz:

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop up windows. The Google Toolbar is available for Firefox!
Other necessary Programs:
  • 0
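The hosts-file approach described in the MVPS Hosts item above works by mapping known ad and tracking names to 127.0.0.1 (or 0.0.0.0) so the connection never leaves the machine. As an added example that is not part of the forum post or of the MVPS file, here is a small parser for hosts-file syntax that tells you whether a name is sinkholed, lists entries that point somewhere other than a sinkhole (worth a second look, since the hosts file overrides DNS for that name), and shows the main caveat of this technique: entries match exact names only, so a subdomain of a listed name is not covered. The host names and addresses in the sample are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample in hosts-file syntax (same "address name [name...]"
# form the MVPS file uses). All names and addresses here are made up.
SAMPLE_HOSTS = """\
# sample hosts file, constructed for this example
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test      # trailing comment
0.0.0.0         tracker.example-metrics.test  www.example-popups.test
192.0.2.10      intranet.example.test
"""

# Addresses commonly used to sinkhole a name in a blocking hosts file.
SINKHOLES = {"127.0.0.1", "0.0.0.0"}

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each host name (lower-cased) to the address on its line.
    Comments and blank or malformed lines are skipped; the first entry
    for a name wins here."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not "address name..." syntax; ignore the line
        for name in parts[1:]:
            table.setdefault(name.lower(), parts[0])
    return table

def is_sinkholed(table: Dict[str, str], hostname: str) -> bool:
    """True if the exact name is mapped to a sinkhole address."""
    return table.get(hostname.lower()) in SINKHOLES

def blocked_parent(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Hosts files do not match wildcards. For a name that is not listed,
    return the nearest listed parent domain, which shows what the file
    looks like it covers but does not."""
    labels = hostname.lower().split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in table:
            return parent
    return None

def review(table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries that send a name somewhere other than a sinkhole. These are
    not necessarily wrong (an intranet alias is legitimate) but they
    deserve a look, because such an entry silently overrides DNS."""
    return [(h, a) for h, a in table.items()
            if a not in SINKHOLES and h != "localhost"]

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adserver.test", "cdn.ads.example-adserver.test"):
        print(name, "blocked" if is_sinkholed(table, name) else "NOT blocked",
              "(parent listed: %s)" % blocked_parent(table, name))
    print("non-sinkhole entries:", review(table))
```

The second name in the usage loop is the caveat in action: `cdn.ads.example-adserver.test` is not blocked even though `ads.example-adserver.test` is, which is why a hosts file complements rather than replaces a blocker that understands domains.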

#105
thechi

thechi

    Member

  • Topic Starter
  • Member
  • PipPip
  • 84 posts

lol no worries, I just had to make sure it was there purposely! :) Which brings up another point.. be very, very careful with that...


oh.. no, it's not from the net... it's err... ummm... personal homemade type stuff. :tazz: :)

thank you so very very much for all your help. you and coachwife saved my laptop from becoming a clay pigeon.

I will keep up on the critical updates and such that you recommended.

thanks again.
  • 0