Please help with HJTL file if possible.

Byron172 (Adelaide, South Australia) Member
edited April 2007 in Spyware & Virus Removal
Just wondering if anyone has time to have a look at this HijackThis log file. Any help will be greatly appreciated.
Thanks.........

Logfile of HijackThis v1.99.1
Scan saved at 9:23:54 AM, on 21/03/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://zond.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://zond.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://zond.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JOHNHO~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\msinfo.exe
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O1 - Hosts: 64.124.210.140 alltheweb.com
O1 - Hosts: 64.124.210.140 www.alltheweb.com
O1 - Hosts: 64.124.210.140 content.overture.com
O1 - Hosts: 64.124.210.140 www.content.overture.com
O1 - Hosts: 64.124.210.140 google.com
O1 - Hosts: 64.124.210.140 www.google.com
O1 - Hosts: 64.124.210.140 www2.google.com
O1 - Hosts: 64.124.210.140 www3.google.com
O1 - Hosts: 64.124.210.140 #uto.
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9FFAF598-21BC-4C3D-88AD-D14C789B7945} - C:\WINDOWS\System32\afd.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.100/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.50.170.212:80/iex/ofile.exe?url=http://69.50.170.212:80/dexAU190.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O18 - Filter: text/html - {90C9FFB2-0DAF-422C-A78F-666729E09E40} - C:\WINDOWS\System32\afd.dll
O18 - Filter: text/plain - {90C9FFB2-0DAF-422C-A78F-666729E09E40} - C:\WINDOWS\System32\afd.dll
O19 - User stylesheet: C:\WINDOWS\hh.htt (file missing) (HKLM)
O20 - AppInit_DLLs: c:\windows\system32\d3danpl.dll
O21 - SSODL: systemie - {419B8A60-F436-419B-B947-64C08D56AC74} - sysie.dll (file missing)
O21 - SSODL: systemha - 00000409{7C1DC40A-B4B1-42E8-BF87-5F256 - (no file)
O21 - SSODL: systemp - {C0BBB2D0-2954-4681-AEFF-B56A4B51FB04} - systemp.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
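
The log above is a textbook CoolWebSearch picture: search and start pages pointed at a third-party site and at a `res://` DLL resource, the hosts file sending google.com and other search engines to one non-loopback IP, an extra program on the `Shell=` line, a nameless BHO and a text/html MIME filter both backed by the same DLL, a DLL in AppInit_DLLs, orphaned SSODL entries, and two DPF entries that use the `ms-its:`/`mhtml:` protocol. As an added example (not part of the thread and not HijackThis code), here is a small Python triage script that parses HijackThis 1.99.1-style lines and flags exactly those patterns. The sample log is a constructed subset of the entries posted above plus one constructed benign hosts line; the list of IE hosts treated as expected (the ISP default and Microsoft) is an assumption for this machine.

```python
"""Triage a HijackThis 1.99.1 log for the hijack patterns seen in the post above.

Added example, not from the forum thread or from HijackThis itself.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption for this example: hosts an IE start/search page may legitimately
# point at on this laptop (ISP default and Microsoft's own redirector).
EXPECTED_IE_HOSTS = {"bigpond.com", "www.bigpond.com", "go.microsoft.com"}

# Constructed sample: a subset of the log above, plus a benign 127.0.0.1 line.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://zond.directwebsearch.net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\JOHNHO~1\LOCALS~1\Temp\se.dll/sp.html
F2 - REG:system.ini: Shell=Explorer.exe monitor.exe
O1 - Hosts: 64.124.210.140 google.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9FFAF598-21BC-4C3D-88AD-D14C789B7945} - C:\WINDOWS\System32\afd.dll (file missing)
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.100/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79FFC57F-0CDE-49CF-A535-DBFA9E144288}: NameServer = 203.2.75.132 198.142.0.51
O18 - Filter: text/html - {90C9FFB2-0DAF-422C-A78F-666729E09E40} - C:\WINDOWS\System32\afd.dll
O20 - AppInit_DLLs: c:\windows\system32\d3danpl.dll
O21 - SSODL: systemie - {419B8A60-F436-419B-B947-64C08D56AC74} - sysie.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def _host_of(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    try:
        return urlsplit(url).hostname or ""
    except ValueError:
        return ""


def _is_loopback_or_null(text):
    """True for 127.x / ::1 / 0.0.0.0, the only addresses a sane hosts file maps to."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def triage(log_text):
    """Return a list of (section, reason, original line) for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("R0", "R1"):
            value = body.split(" = ", 1)[1] if " = " in body else ""
            if value.lower().startswith("res://"):
                reason = "IE page setting points at a local res:// resource (CWS about:blank hijack)"
            elif value.lower().startswith("http") and _host_of(value) not in EXPECTED_IE_HOSTS:
                reason = "IE search/start page redirected to " + _host_of(value)
        elif sec == "F1":
            reason = "win.ini run= autostart entry"
        elif sec == "F2":
            shell = re.search(r"Shell=(.*)$", body, re.I)
            if shell and [p for p in shell.group(1).split() if p.lower() != "explorer.exe"]:
                reason = "system.ini Shell= launches an extra program beside Explorer.exe"
        elif sec == "O1":
            parts = body.split()  # "Hosts: <ip> <name>"
            if len(parts) >= 3 and not _is_loopback_or_null(parts[1]):
                reason = "hosts file sends %s to %s (not loopback): DNS hijack" % (parts[2], parts[1])
        elif sec in ("O2", "O3", "O21"):
            if "(no name)" in body or "(file missing)" in body or "(no file)" in body:
                reason = sec + " entry with no name or missing file (orphaned or hidden hijacker)"
        elif sec == "O16":
            target = body.split(" - ", 1)[1] if " - " in body else ""
            if target.lower().startswith(("ms-its:", "mhtml:")):
                reason = "DPF entry uses ms-its:/mhtml: (MHTML protocol exploit dropper)"
            else:
                try:
                    ipaddress.ip_address(_host_of(target))
                    reason = "DPF entry downloads from a bare IP address"
                except ValueError:
                    pass
        elif sec == "O17" and "NameServer = " in body:
            reason = "DNS servers set: confirm they are your ISP's: " + body.split("NameServer = ", 1)[1]
        elif sec == "O18" and body.startswith("Filter:"):
            reason = "MIME filter intercepts every page of that type before IE renders it"
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reason = "AppInit_DLLs injects a DLL into every process that loads user32.dll"
        if reason:
            findings.append((sec, reason, line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (sec, reason, line))
```

Run it against the pasted log instead of `SAMPLE_LOG` and it reproduces the helper's fix list from this thread: the `afd.dll` BHO and filter, the two `ms-its:`/`mhtml:` DPF lines, `d3danpl.dll` in AppInit_DLLs and the three SSODL entries all surface, while the AVG, ThinkPad and Adobe lines stay quiet. The imgfarm.com DPF (FunWebProducts) is adware but does not trip any of these structural rules, which is why signature scanners still have a role after a log triage.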

Comments

  • Rahina-Rescue Finland
    edited March 2007
    Hello Byron172, you are infected :sad2:

    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

    You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

    Download about:buster.

    Download CWShredder.

    Download SpSeHjfix.

    Download and install CleanUp!

    Save all of these files somewhere you will remember like to the Desktop.

    Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)

    Run the CleanUp! installer. You don't need to do anything with it right now.

    Unzip About:Buster
    • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.

    Update CWShredder
    • Open CWShredder and click I AGREE
    • Click Check For Update
    • Close CWShredder

    Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please run about:buster by RubbeRDuckY:
    • Click Begin Removal to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
    • Reboot your computer into safe mode again

    Run about:buster again following the same instructions as above, this time without the restart at the end

    Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

    Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

    Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.


    After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • Byron172 (Adelaide, South Australia) Member
    edited March 2007
    Hi Rahina,
    Thanks for getting back to me. I had a feeling that this laptop was infected... if you think it would be less hassle I can wipe this drive clean and do a clean install of Windows. This laptop has recently been given to me and has no important data on it. I have attempted to start the process that you have outlined, however the Cleanup.exe will not install (downloads fine but an error message appears when trying to install).
    I look forward to hearing back from you, thank you again, I appreciate your time and assistance.
    Kind Regards,
    Byron172
  • Rahina-Rescue Finland
    edited March 2007
    Alright, this is not a big deal for me, I'm just glad I can help you with this, I hope you decide to continue cleaning :)

    Please do the rest of the instructions also.

    Thanks
  • Byron172 (Adelaide, South Australia) Member
    edited March 2007
    Thanks Rahina,
    I have followed your instructions and attached is a copy of the three log files requested. Unfortunately I have been unable to run Cleanup.exe; do you have any suggestions as to how I can obtain an uncorrupted copy of the application file, or perhaps I could use a different clean-up tool? Again, I appreciate your help with this..... Cheers

    AboutBuster 6.06
    Scan started on [21/03/2007] at [8:11:42 PM]
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    No Ads Found!
    No Files Found!
    Scan was COMPLETED SUCCESSFULLY at 8:14:59 PM


    AboutBuster 6.06
    Scan started on [21/03/2007] at [8:23:02 PM]
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    No Ads Found!
    No Files Found!
    Scan was COMPLETED SUCCESSFULLY at 8:26:14 PM




    SPSeHjFix LOG FILE:

    (3/21/07 8:28:26 PM) SPSeHjFix started v1.1.2
    (3/21/07 8:28:26 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (3/21/07 8:28:26 PM) Language: english
    (3/21/07 8:28:26 PM) Win-Path: C:\WINDOWS
    (3/21/07 8:28:26 PM) System-Path: C:\WINDOWS\system32
    (3/21/07 8:28:26 PM) Temp-Path: C:\DOCUME~1\Tiffins\LOCALS~1\Temp\
    (3/21/07 8:28:40 PM) Disinfection started
    (3/21/07 8:28:40 PM) Bad-Dll(IEP): (not found)
    (3/21/07 8:28:40 PM) Bad-Dll(IEP) in BHO: (not found)
    (3/21/07 8:28:40 PM) UBF: 4 - UBB: 2 - UBR: 1
    (3/21/07 8:28:40 PM) UBF: 4 - UBB: 2 - UBR: 1
    (3/21/07 8:28:40 PM) Bad IE-pages:
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar:
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
    (3/21/07 8:28:40 PM) Stealth-String not found
    (3/21/07 8:28:40 PM) Not infected->END



    HijackThis Log File:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:40:17 PM, on 21/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {9FFAF598-21BC-4C3D-88AD-D14C789B7945} - C:\WINDOWS\System32\afd.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.100/winsearchie32.chm::/winsearchie32.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.50.170.212:80/iex/ofile.exe?url=http://69.50.170.212:80/dexAU190.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{79FFC57F-0CDE-49CF-A535-DBFA9E144288}: NameServer = 203.2.75.132 198.142.0.51
    O19 - User stylesheet: (file missing) (HKLM)
    O20 - AppInit_DLLs: c:\windows\system32\d3danpl.dll
    O21 - SSODL: systemie - {419B8A60-F436-419B-B947-64C08D56AC74} - sysie.dll (file missing)
    O21 - SSODL: systemha - 00000409{7C1DC40A-B4B1-42E8-BF87-5F256 - (no file)
    O21 - SSODL: systemp - {C0BBB2D0-2954-4681-AEFF-B56A4B51FB04} - systemp.dll (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
  • Byron172 (Adelaide, South Australia) Member
    edited March 2007
    Just to update you I managed to install cleanup.exe and all went well.
    Did you need me to post another HJTL file or can you still use the one submitted in the previous reply?
  • Rahina-Rescue Finland
    edited March 2007
    Ahoy there, looking better already :)

    We have a few things to do ;)

    Please open HijackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {9FFAF598-21BC-4C3D-88AD-D14C789B7945} - C:\WINDOWS\System32\afd.dll (file missing)
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.100/winsearchie32.ch...searchie32.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.50.170.212:80/iex/ofile.ex...0/dexAU190.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.6.cab
    O19 - User stylesheet: (file missing) (HKLM)
    O20 - AppInit_DLLs: c:\windows\system32\d3danpl.dll
    O21 - SSODL: systemie - {419B8A60-F436-419B-B947-64C08D56AC74} - sysie.dll (file missing)
    O21 - SSODL: systemha - 00000409{7C1DC40A-B4B1-42E8-BF87-5F256 - (no file)
    O21 - SSODL: systemp - {C0BBB2D0-2954-4681-AEFF-B56A4B51FB04} - systemp.dll (file missing)


    Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

    Please go here to see how to show hidden files in Windows.

    Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    sysie.dll
    systemp.dll


    _________________

    Please download OTMoveIt.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\SYSTEM32\d3danpl.dll

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    _________________

    Download CCleaner If you don't want the Yahoo toolbar, be sure to UNcheck that option when installing the software or update.

    Instructions for using CCleaner:
    1. Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
    2. A pop up box will appear advising this process will permanently delete files from your system.
    3. To protect logon cookies that you wish to retain, under Options > Cookies. Select and using the arrow move those cookies to the "Cookies to keep" column.
    4. Then select the items you wish to clean up.
      1. In the Windows Tab:
        • Clean all entries in the "Internet Explorer" section.
        • Clean all the entries in the "Windows Explorer" section.
        • Clean all entries in the "System" section.
        • Clean all entries in the "Advanced" section.
        • Clean any others that you choose.
      2. In the Applications Tab:
        • Clean all in the Firefox/Mozilla section if you use it.
        • Clean all in the Opera section if you use it.
        • Clean Sun Java in the Internet Section.
        • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
    5. Click the "Run Cleaner" button and it will scan and clean your system.
    6. Click exit.
    7. Shutdown/restart the computer.

    _________________

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
  • Byron172 (Adelaide, South Australia) Member
    edited March 2007
    G'day Rahina,
    Hope you had a nice weekend.
    I think my previous post didn't come through, so I apologise if you have already received the following info.
    MoveIt did not find the dll file, and a search for the sysie and systemp dlls revealed no results.
    I cannot attach the Kaspersky log for your perusal because there is too much text in the file to paste into the thread and the file is too large to attach (1.2 MB). Any suggestions on how to get it to you?

    Note: I am performing these scans in a new user profile, not the original one set up on this computer, because I was having trouble connecting to the internet in the original profile. If you need HJT logs or an ActiveScan performed on the other user profile let me know. (The new profile does have administrator privileges.)

    I have posted the parts of the scan that seem most relevant:

    C:\Documents and Settings\Tiffins\My Documents\Virus Removal Files\hijackthis.log Suspicious: Exploit.HTML.Mht skipped

    C:\Documents and Settings\Tiffins\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\Tiffins\ntuser.dat.LOG Object is locked skipped

    C:\Program Files\HijackThis\backups\backup-20070324-110727-656 Suspicious: Exploit.HTML.Mht skipped

    C:\Program Files\HijackThis\hijackthis.log Suspicious: Exploit.HTML.Mht skipped

    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    C:\System Volume Information\_restore{1891C9F7-45EB-4827-9703-E977BEB3A3C7}\RP683\A0063141.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    C:\System Volume Information\_restore{1891C9F7-45EB-4827-9703-E977BEB3A3C7}\RP683\A0063142.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    C:\System Volume Information\_restore{1891C9F7-45EB-4827-9703-E977BEB3A3C7}\RP683\A0063155.mfl Object is locked skipped

    C:\System Volume Information\_restore{1891C9F7-45EB-4827-9703-E977BEB3A3C7}\RP684\A0066152.wa_ Object is locked skipped

    C:\System Volume Information\_restore{1891C9F7-45EB-4827-9703-E977BEB3A3C7}\RP685\A0071436.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    C:\System Volume Information\_restore{1891C9F7-45EB-4827-9703-E977BEB3A3C7}\RP685\A0071437.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    C:\System Volume Information\_restore{1891C9F7-45EB-4827-9703-E977BEB3A3C7}\RP695\A0076104.DLL Infected: not-a-virus:Downloader.Win32.FunWeb skipped

    C:\System Volume Information\_restore{1891C9F7-45EB-4827-9703-E977BEB3A3C7}\RP701\change.log Object is locked skipped

    C:\System Volume Information\_restore{B0881A6C-55C7-4E3A-94DD-F12CEA79EEF3}\RP309\A0323592.reg Infected: Trojan.WinREG.StartPage skipped

    C:\System Volume Information\_restore{B0881A6C-55C7-4E3A-94DD-F12CEA79EEF3}\RP309\A0323593.hta Infected: Trojan.Win32.Lolaweb.c skipped

    C:\System Volume Information\_restore{B0881A6C-55C7-4E3A-94DD-F12CEA79EEF3}\RP309\A0323604.ini Infected: Trojan.JS.Zapchast.a skipped

    C:\WINDOWS\Debug\PASSWD.LOG
  • Rahina-Rescue Finland
    edited March 2007
    Hello There :)

    Please upload your Kaspersky report here: http://www.mediafire.com/ if it's too large to paste into your reply.

    When you are done with uploading let me know ;)
  • Byron172 (Adelaide, South Australia) Member
    edited March 2007
    Thanks Rahina here is the link for the Kaspersky Scan Log:

    http://www.mediafire.com/?bcqtw22dqc3
  • Rahina-Rescue Finland
    edited March 2007
    Good Work! :) Please do the following:
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & paste the entire contents of that file in your next post along with a fresh HJT log file.
  • Byron172 (Adelaide, South Australia) Member
    edited March 2007
    Hi again,

    Here is the uninstall list and the HJT log file as requested, thanks again for your time so far :thumbsup:

    Access ThinkPad
    Ad-Aware SE Personal
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Reader 8
    Adobe Shockwave Player
    Agere Systems AC'97 Modem
    ATI Display Driver
    AVG 7.5
    Cashflow Manager 4
    CCleaner (remove only)
    Google Updater
    HijackThis 1.99.1
    Hotfix for Windows XP (KB915865)
    IBM Access Connections
    IBM DLA
    IBM RecordNow
    IBM RecordNow Update Manager
    IBM ThinkPad Access Support
    IBM ThinkPad Power Management Driver
    IBM TrackPoint Accessibility Features
    IBM TrackPoint Support
    IBM Update Connector
    Intel(R) PRO Ethernet Adapter and Software
    Kaspersky Online Scanner
    Macromedia Flash Player 8
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 SR-1 Disc 2
    Microsoft Office 2000 SR-1 Professional
    Mozilla Firefox (1.5.0.7)
    MSN Messenger 5.0
    MSXML 4.0 SP2 (KB927978)
    MYOB Accounting Plus v14
    Nikon View 4
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Skype 2.0
    ThinkPad Configuration
    ThinkPad FullScreen Magnifier
    ThinkPad Software Installer
    Uninstall PC-Doctor
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    WindowBlinds
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    Yahoo! Install Manager
    Yahoo! Widgets

    HIJACK THIS LOG FILE:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:57:25 PM, on 29/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiffinsonthepark.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
  • Rahina-Rescue Finland
    edited March 2007
    Please go ahead and remove this folder:

    C:\Program Files\MyWebSearch


    Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Restart your computer.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.

    System Restore will now be active again.

    __________________

    Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    o If it wants to install an ActiveX component allow it
    o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    o When download is complete, click on My Computer to start the scan
    o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


    Post the contents of the ActiveScan report
  • Byron172, Adelaide, South Australia, Member
    edited March 2007
    Hi mate,
    Here's the panda scan report for your perusal:


    Incident Status Location

    Dialer:Dialer.CGL Not disinfected C:\PROGRA~1\ThinkPad\CONNEC~1\QCON.dll
    Dialer:dialer.b Not disinfected c:\windows\system32\ia.dll
    Adware:adware/exact.bargainbuddy Not disinfected c:\windows\launcher.exe
    Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
    Potentially unwanted tool:application/funweb Not disinfected hkey_local_machine\software\FunWebProducts
    Potentially unwanted tool:application/mywebsearch Not disinfected hkey_local_machine\software\MyWebSearch
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\John Horlin-Smith\Application Data\Mozilla\Firefox\Profiles\pvht05m1.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\John Horlin-Smith\Cookies\john_horlin-smith@2o7[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John Horlin-Smith\Cookies\john_horlin-smith@atdmt[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\John Horlin-Smith\Cookies\john_horlin-smith@com[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\John Horlin-Smith\Cookies\john_horlin-smith@doubleclick[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\John Horlin-Smith\Cookies\john_horlin-smith@mediaplex[1].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\John Horlin-Smith\Cookies\john_horlin-smith@overture[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\John Horlin-Smith\Cookies\john_horlin-smith@questionmarket[2].txt
    Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\John Horlin-Smith\Local Settings\Temp\Temporary Internet Files\Content.IE5\R663PAL0\channels_02[1].gif
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@ad.yieldmanager[2].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@adrevolver[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@atdmt[2].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@casalemedia[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@fastclick[2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@hitbox[2].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@media.adrevolver[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@media.fastclick[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Tiffins\Cookies\tiffins@questionmarket[2].txt
    Dialer:Dialer.CGL Not disinfected C:\IBMTOOLS\DRIVERS\CONWIZ\DATA1.CAB[QCON.DLL]
    Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\HijackThis\backups\backup-20070324-110728-360.inf
    Dialer:Dialer.CGL Not disinfected C:\Program Files\ThinkPad\ConnectUtilities\Qcon.dll
    Adware:Adware/Startpage.GM Not disinfected C:\System Volume Information\_restore{B0881A6C-55C7-4E3A-94DD-F12CEA79EEF3}\RP309\A0323592.reg
    Virus:Trj/Lolaweb.A Disinfected C:\System Volume Information\_restore{B0881A6C-55C7-4E3A-94DD-F12CEA79EEF3}\RP309\A0323593.hta
    Virus:Bck/Zapchast.B Disinfected C:\System Volume Information\_restore{B0881A6C-55C7-4E3A-94DD-F12CEA79EEF3}\RP309\A0323604.ini
  • Rahina-Rescue, Finland
    edited March 2007
    Hello There, we still have a few things to do ;)

    Download CCleaner If you don't want the Yahoo toolbar, be sure to UNcheck that option when installing the software or update.

    Instructions for using CCleaner:
    1. Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
    2. A pop up box will appear advising this process will permanently delete files from your system.
    3. To protect logon cookies that you wish to retain, go to Options > Cookies, select them, and use the arrow to move those cookies to the "Cookies to keep" column.
    4. Then select the items you wish to clean up.
      1. In the Windows Tab:
        • Clean all entries in the "Internet Explorer" section.
        • Clean all the entries in the "Windows Explorer" section.
        • Clean all entries in the "System" section.
        • Clean all entries in the "Advanced" section.
        • Clean any others that you choose.
      2. In the Applications Tab:
        • Clean all in the Firefox/Mozilla section if you use it.
        • Clean all in the Opera section if you use it.
        • Clean Sun Java in the Internet Section.
        • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
    5. Click the "Run Cleaner" button and it will scan and clean your system.
    6. Click exit.
    7. Shutdown/restart the computer.

    _______________________________
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\SYSTEM32\ia.dll
      C:\WINDOWS\SYSTEM32\SBUtils
      C:\Program Files\Yahoo!

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    _______________________________

    Please open HiJackThis and scan. Check the boxes next to all the entries listed below:

    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

    _______________________________

    Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Then go to Start > Run and type: Cleanmgr
    • Click "OK".
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    _______________________________

    Go to www.virustotal.com

    Copy the following to the box next to "Browse" button:

    C:\Windows\launcher.exe

    Click on Send
    Wait for the scan to end.

    Copy & Paste the scan results to here.


    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under "select a target to scan", select My Computer.
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
      • Byron172, Adelaide, South Australia, Member
        edited April 2007
        Hi Again,
        I have finally had a chance to get back onto this, thanks for your patience.

        The log files are as follows:

        Move it:

        C:\WINDOWS\SYSTEM32\ia.dll unregistered successfully.
        C:\WINDOWS\SYSTEM32\ia.dll moved successfully.
        C:\WINDOWS\SYSTEM32\SBUtils moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\zh_TW moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\zh_CN moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\UI\Window moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\UI\GroupBox\Shadow Light moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\UI\GroupBox moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\UI moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\sv moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\SearchHUD moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\ru moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\pt moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\OOBE moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\no moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\nl moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\ko moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\ja moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\it moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\fr moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\fi moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\es moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\en moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\Vertical\Right moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\Vertical\Left moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\Vertical moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\Sounds moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\Overlays moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\Horizontal\Top moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\Horizontal\Bottom moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\Horizontal moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock\General moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\Dock moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\de moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources\da moved successfully.
        C:\Program Files\Yahoo!\Widgets\Resources moved successfully.
        C:\Program Files\Yahoo!\Widgets moved successfully.
        C:\Program Files\Yahoo!\Common moved successfully.
        C:\Program Files\Yahoo! moved successfully.

        Created on 04/04/2007 17:33:30

        Virus total:

        STATUS: FINISHED
        Complete scanning result of "launcher.exe", received in VirusTotal at 04.04.2007, 10:20:31 (CET).

        Antivirus Version Update Result
        AhnLab-V3 2007.4.4.0 04.03.2007 no virus found
        AntiVir 7.3.1.48 04.04.2007 no virus found
        Authentium 4.93.8 04.03.2007 no virus found
        Avast 4.7.936.0 04.03.2007 no virus found
        AVG 7.5.0.447 04.03.2007 no virus found
        BitDefender 7.2 04.04.2007 no virus found
        CAT-QuickHeal 9.00 04.03.2007 no virus found
        ClamAV devel-20070312 04.04.2007 no virus found
        DrWeb 4.33 04.04.2007 no virus found
        eSafe 7.0.15.0 04.03.2007 no virus found
        eTrust-Vet 30.7.3540 04.04.2007 no virus found
        Ewido 4.0 04.03.2007 no virus found
        FileAdvisor 1 04.04.2007 no virus found
        Fortinet 2.85.0.0 04.04.2007 no virus found
        F-Prot 4.3.1.45 04.03.2007 no virus found
        F-Secure 6.70.13030.0 04.04.2007 no virus found
        Ikarus T3.1.1.3 04.04.2007 no virus found
        Kaspersky 4.0.2.24 04.04.2007 no virus found
        McAfee 4999 04.03.2007 no virus found
        Microsoft 1.2306 04.03.2007 no virus found
        NOD32v2 2167 04.03.2007 no virus found
        Norman 5.80.02 04.03.2007 no virus found
        Panda 9.0.0.4 04.03.2007 no virus found
        Prevx1 V2 04.04.2007 no virus found
        Sophos 4.16.0 03.30.2007 no virus found
        Sunbelt 2.2.907.0 04.03.2007 no virus found
        Symantec 10 04.04.2007 no virus found
        TheHacker 6.1.6.085 04.04.2007 no virus found
        VBA32 3.11.3 04.03.2007 no virus found
        VirusBuster 4.3.7:9 04.03.2007 no virus found
        Webwasher-Gateway 6.0.1 04.04.2007

        and the Kaspersky scan log is located at the following link:

        http://www.mediafire.com/?enfrzj2mygn

        I look forward to hearing back from you when you get time....Thanks again.
      • Rahina-Rescue, Finland
        edited April 2007
        Kaspersky Log Is Clean.

        Please Post A Fresh Hijackthis Logfile.
      • Byron172, Adelaide, South Australia, Member
        edited April 2007
        Hello,
        Thanks for your time, here is the HJTL file as of this morning:

        Logfile of HijackThis v1.99.1
        Scan saved at 8:24:10 AM, on 6/04/2007
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16414)

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\ibmpmsvc.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\System32\Ati2evxx.exe
        C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        C:\WINDOWS\Explorer.EXE
        C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\_OTMoveIt\MovedFiles\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
        C:\_OTMoveIt\MovedFiles\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
        C:\_OTMoveIt\MovedFiles\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
        C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\wuauclt.exe
        C:\Program Files\HijackThis\HijackThis.exe

        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
        O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
        O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - Startup: Yahoo! Widget Engine.lnk = C:\_OTMoveIt\MovedFiles\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
        O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O11 - Options group: [INTERNATIONAL] International*
        O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
        O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
        O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
        O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
        O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
        O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
        O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
        O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
        O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
        O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
      • Rahina-Rescue, Finland
        edited April 2007
        Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
        • Disable and Enable System Restore - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

          You can find instructions on how to disable and re-enable System Restore here:

          Managing Windows Millennium System Restore

          Windows XP System Restore Guide

          Re-enable System Restore with instructions from the tutorial above.

        • Make your Internet Explorer more secure - This can be done by following these simple instructions:
          • From within Internet Explorer click on the Tools menu and then click on Options.
          • Click once on the Security tab.
          • Click once on the Internet icon so it becomes highlighted.
          • Click once on the Custom Level button.
            1. Change the Download signed ActiveX controls to Prompt
            2. Change the Download unsigned ActiveX controls to Disable
            3. Change the Initialize and script ActiveX controls not marked as safe to Disable
            4. Change the Installation of desktop items to Prompt
            5. Change the Launching programs and files in an IFRAME to Prompt
            6. Change the Navigate sub-frames across different domains to Prompt
            7. When all these settings have been made, click on the OK button.
            8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
          • Next press the Apply button and then the OK to exit the Internet Properties page.
          • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

            See this link for a listing of some online and stand-alone antivirus programs:

            Virus, Spyware, and Malware Protection and Removal Resources
          • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
          • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

            For a tutorial on Firewalls and a listing of some available ones see the link below:

            Understanding and Using Firewalls
          • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
          • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

            A tutorial on installing & using this product can be found here:

            Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers
          • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

            A tutorial on installing & using this product can be found here:

            Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
          • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

            A tutorial on installing & using this product can be found here:

            Using SpywareBlaster to protect your computer from Spyware and Malware
          • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
          Follow this list and your potential for being infected again will reduce dramatically.

          Here are some additional utilities that will enhance your safety:
          • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
          • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
          • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
          • Winpatrol <= Download and install the free version of WinPatrol. A tutorial for this product is located here:
            Using Winpatrol to protect your computer from malicious software
          Let me know if you still receive problems :)
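The fresh HijackThis log posted above and the hosts-file note in the tips list both come down to reading log lines and deciding which ones matter. The script below is an added example, not HijackThis, OTMoveIt or anything from this thread, that applies a few of the checks used here to lines in the HijackThis v1.99 format: O1 hosts entries that point a name at a real remote address rather than at a loopback address the way a block list such as the MVPS file does, R0/R1 browser settings that reference a res:// page inside a DLL, F2 Shell= lines naming anything besides Explorer.exe, O2/O3 entries marked "(file missing)", and O4 startup items launching from a temp folder or from OTMoveIt's MovedFiles quarantine (which the log above shows for the Yahoo! Widget Engine). The sample log, the 203.0.113.10 address and the .invalid host names are constructed for the example, and the function names are my own.

```python
"""
Triage of HijackThis v1.99 log lines (added example, not HijackThis code).

Flags the kinds of entries a helper acts on in a thread like this one:
hosts-file redirects to non-loopback addresses, res:// browser settings,
extra Shell= executables, orphaned BHO/toolbar entries, and startup items
launching from temp or quarantine folders.
"""
import re
from dataclasses import dataclass

# Addresses a block-list style hosts file (e.g. the MVPS file) points names at.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Lower-cased path fragments: nothing legitimate should auto-start from here.
# "\_otmoveit\movedfiles" is OTMoveIt's quarantine folder; the temp entries are
# the short (8.3) and long forms of the per-user temp directory on XP.
SUSPECT_DIRS = (r"\_otmoveit\movedfiles", r"\locals~1\temp", r"\local settings\temp")


@dataclass
class Finding:
    code: str    # HijackThis section code, e.g. "O4"
    reason: str  # why the line was flagged
    line: str    # the offending log line, verbatim


LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
SHELL_RE = re.compile(r"Shell=(?P<value>.*)$", re.IGNORECASE)


def triage(log_text: str) -> list:
    """Return a Finding for every log line matching one of the checks."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or "Running processes" lines
        code, body = m.group("code"), m.group("body")
        lower = body.lower()

        if code == "O1":
            # O1 lines are hosts-file entries. A block list maps names to a
            # loopback address; a hijack maps them to a real remote address.
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in LOOPBACK:
                findings.append(Finding(code, f"hosts file sends {h.group('host')} to {h.group('ip')}", line))

        elif code in ("R0", "R1") and "= res://" in lower:
            # res:// values point at a page embedded in a DLL rather than a URL,
            # a pattern typical of search-page hijackers.
            findings.append(Finding(code, "browser setting points at a res:// resource inside a DLL", line))

        elif code == "F2":
            # The Windows shell line should name Explorer.exe only.
            s = SHELL_RE.search(body)
            if s:
                extra = [e for e in s.group("value").split() if e.lower() != "explorer.exe"]
                if extra:
                    findings.append(Finding(code, f"Shell= launches extra program(s): {' '.join(extra)}", line))

        elif code in ("O2", "O3") and "(file missing)" in lower:
            findings.append(Finding(code, "BHO/toolbar registered but its DLL is gone (orphaned entry)", line))

        elif code == "O4" and any(d in lower for d in SUSPECT_DIRS):
            findings.append(Finding(code, "startup item launches from a temp or quarantine folder", line))

    return findings


# Constructed sample in HijackThis v1.99 format; the paths, the 203.0.113.10
# documentation address and the .invalid names are illustrative only.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\USER~1\LOCALS~1\Temp\sp.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe unknown.exe
O1 - Hosts: 203.0.113.10 www.search-engine.invalid
O1 - Hosts: 127.0.0.1 ad.tracker.invalid
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: Yahoo! Widget Engine.lnk = C:\_OTMoveIt\MovedFiles\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
"""


def triage_sample() -> list:
    """Run the checks over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Run it as a script to print the findings, or import `triage` and pass it the text of a saved log. A flagged line is a prompt to look, not a verdict: an O2/O3 entry with a missing DLL is a harmless leftover that only needs removing, while a non-loopback O1 entry means name resolution for that host is being diverted, and an O4 item starting from the quarantine folder means the "moved" program is still running.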
        • Byron172, Adelaide, South Australia, Member
          edited April 2007
          Thanks again for all your help on this, it has been very informative.
          Cheers,
          Byron.
          :cheers:
        • Rahina-Rescue, Finland
          edited April 2007
          Glad I could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.

          This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

          Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

          If you are not the user who started this thread, you must start a new Thread instead :)