Thank you OwNt for all your help!
Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 7:52:32 AM, on 11/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Ashrafi1\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/i...arch/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=111505 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Here is my Kaspersky scan logfile: (Am I correct in assuming I have to manually delete the virus files?)
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, November 06, 2005 02:20:53
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/11/2005
Kaspersky Anti-Virus database records: 158439
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
X:\
Scan Statistics:
Total number of scanned objects: 128235
Number of viruses found: 27
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 6366 sec
Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03A40000.VBN Infected: Trojan.JS.NoClose
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03A40001.VBN Infected: Trojan.JS.NoClose
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00000.VBN Infected: Trojan.Win32.Qhost
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00001.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E00002.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240000.VBN Infected: Backdoor.Win32.SdBot.abr
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240001.VBN Infected: Backdoor.Win32.SdBot.abr
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240002.VBN Infected: Backdoor.Win32.SdBot.abr
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240003.VBN Infected: Backdoor.Win32.SdBot.abr
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240004.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240005.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240006.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240007.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240008.VBN Infected: Backdoor.Win32.Agobot.lo
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05240009.VBN Infected: Trojan-Proxy.Win32.SpamPimp.d
C:\Documents and Settings\Ashrafi1\Local Settings\Temporary Internet Files\Content.IE5\8RVFIOPH\free_access[1].cab/YSBactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Documents and Settings\Ashrafi1\Local Settings\Temporary Internet Files\Content.IE5\8RVFIOPH\free_access[1].cab Infected: Trojan-Downloader.Win32.IstBar.gen
C:\frank.exe/mirc.ini Infected: Backdoor.IRC.Zapchast
C:\frank.exe/rundll32.exe Infected: not-a-virus:RiskTool.Win32.HideWindows
C:\frank.exe/svchost.exe Infected: Backdoor.Win32.mIRC-based
C:\frank.exe Infected: Backdoor.Win32.mIRC-based
C:\windows\system\rundll32.exe Infected: not-a-virus:RiskTool.Win32.HideWindows
E:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp Infected: Backdoor.Win32.Agent.co
E:\Program Files\Yahoo!\YPSR\Quarantine\ppq12.tmp Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g
E:\WIN2K\Downloaded Program Files\fswinst.ocx Infected: not-a-virus:AdWare.Win32.FreeScratch.a
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06700000.VBN Infected: Net-Worm.Win32.Welchia.b
E:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06700001.VBN Infected: Email-Worm.Win32.Mimail.r
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Rem2C3.exe Infected: not-a-virus:[bleep]-Dialer.Win32.Generic
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\toolbar.dll Infected: not-a-virus:AdWare.Win32.WebSearch.t
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\xam2C4.exe Infected: not-a-virus:[bleep]-Dialer.Win32.Generic
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\bar.exe/data0001 Infected: not-a-virus:AdWare.Win32.IeSearchBar
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\bar.exe Infected: not-a-virus:AdWare.Win32.IeSearchBar
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\tb_setup.exe Infected: not-a-virus:AdWare.Win32.WebSearch.ba
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\msbb.exe Infected: not-a-virus:AdWare.Win32.180Solutions
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\FLEOK\msbb.exe Infected: not-a-virus:AdWare.Win32.180Solutions
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\ss_cdt_setup.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sidesearch.e
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\ss_cdt_setup.exe Infected: not-a-virus:AdWare.Win32.Sidesearch.e
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\soeqyt.exe Infected: Backdoor.Win32.Agent.cg
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\8TQJC96Z\CA8DEVCH.htm Infected: Trojan-Downloader.JS.FlingStone
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\RAOZ3T8L\kzpop[1].htm Infected: Trojan.JS.NoClose.i
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\XJ7B11G6\hidden[1].htm Infected: Trojan.JS.NoClose.j
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\8ZXFI67H\software[1].cab/soeqyt.exe Infected: Backdoor.Win32.Agent.cg
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\8ZXFI67H\software[1].cab Infected: Backdoor.Win32.Agent.cg
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temporary Internet Files\Content.IE5\RRPJNL4K\home[8].aspx Infected: Trojan.JS.Cardst
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor
E:\Documents and Settings\Old PC\My Documents\Music\kmd171gu_en.exe Infected: not-a-virus:AdWare.Win32.Cydoor
Scan process completed.
Here is my Housecall Scan log:
Virus Scan 0 virus cleaned, 2 viruses deleted
Results:
We have detected 2 infected file(s) with 2 virus(es) on your computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 2 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
E:\Program Files\Yahoo!\YPSR\Quarantine\ppqF.tmp BKDR_BDI.A Deletion successful
E:\Documents and Settings\Omar Ashrafi.OMAR-GBHW705CZO-\Local Settings\Temp\Temporary Internet Files\Content.IE5\RAOZ3T8L\kzpop[1].htm JS_NOCLOSE.E Deletion successful
Trojan/Worm Check 0 worm/Trojan horse deleted
What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken
Spyware Check 10 spyware programs removed
What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 10 spyware(s) on your computer. Only 0 out of 0 spywares are displayed:
- 0 spyware(s) passed, 0 spyware(s) no action available
- 10 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_45 Cookie Removal successful
COOKIE_281 Cookie Removal successful
COOKIE_442 Cookie Removal successful
COOKIE_722 Cookie Removal successful
COOKIE_1020 Cookie Removal successful
COOKIE_1433 Cookie Removal successful
COOKIE_1523 Cookie Removal successful
COOKIE_2631 Cookie Removal successful
COOKIE_3081 Cookie Removal successful
COOKIE_3235 Cookie Removal successful
Microsoft Vulnerability Check No vulnerability detected
What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Thanks for all your help.