# Can't connect to internet, virus found, can't delete



## blue shepherd (Jul 8, 2007)

hey there tech support guy (or gal),

we got a new linksys wireless router and were able to get both laptops and wireless cards up and running, connected to the internet. we also have a pc connected via ethernet through the router. some ups and downs, but all was fairly stable.

(we're using roadrunner/cable modem.)

then mine wouldn't connect anymore. linksys tech gal and i became best friends, but were unable to solve the problem.

my LAN 3 status says i'm connected, packets are being sent and received, but the linksys gui says there's no association with access point.

i took the router out of the path and connected my laptop directly to the cable modem. it was unable to connect to the internet but i could ping with roadrunner tech guy's help.

then a mcafee vshield window popped up: "virus found in file!" tried to delete it but can't because "access to file was denied." can't clean it either. the window just stays there, mocking me.

it says the infected file is C:\WINNT\system32\wincab.sys

when i tried to del it in a command tool i got:
Could Not Find C:\WINNT\system32\wincab.sys

i have an IBM thinkpad A22p running windows 2000. my old workhorse has been so reliable all these years... any help you can provide is greatly appreciated.

i poked around a little in the security section of your forum and it looked like the first step was to download HJT and do a system scan and send you the log file. here it is:

Logfile of HijackThis v1.99.1
Scan saved at 1:49:54 AM, on 7/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\vcd1.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\mshta.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [wosa] C:\WINNT\TEMP\woso.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ou7viewer.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ou7viewer.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F3288B-6014-41B2-891D-7D4049EC1F2F}: NameServer = 24.29.103.10,24.29.103.11
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINNT\vcd1.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


----------



## sjpritch25 (Sep 8, 2005)

Welcome to TSG 

First of all, you will need to use a Flash drive or a floppy to transfer these programs to your laptop.

Please download *ATF Cleaner* by Atribune.

*This program is for XP and Windows 2000 only*


Save it to your desktop

Double-click *ATF-Cleaner.exe* to run the program.

Under *Main* choose: *Select All*

Click the *Empty Selected* button.

If you use Firefox browser
Click *Firefox* at the top and choose: *Select All*

Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.

If you use Opera browser
Click *Opera* at the top and choose: *Select All*

Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.

Click *Exit* on the Main menu to close the program.

For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

=======================================

*Download LSPFix* from *here* or *here*.
1. *Disconnect from the Internet*, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [*C:\lspfix*].
2. Open the lspfix folder and double-click on *LSPFix.exe* to start the program.
3. Check the "*I know what I am doing*" checkbox.
4. Select (*highlight*) all instances of *ou7viewer.dll* in the *left column* under "*Keep*".
5. Click the *arrow >>* so it goes over to the *right column* under "*Remove*".
6. Click "*Finish*" and LSPfix will remove references to the file and restore the chain numbers.

*LSP-Fix Tutorial*
=======================================

Download *OTMoveIt* by OldTimer and save to your Desktop.
Double-click on *OTMoveIt.exe* to launch the program.
Please copy the file(s)/folder(s) paths listed below - _highlight everything in red and press CTRL+C or right-click and choose *Copy*_.

*c:\winnt\system32\ou7viewer.dll*

Then in OTMoveIt, _right-click in the open text box labeled_ "*Paste List of Files/Folders to be Moved*" _and choose *Paste*_.
Click the red *MoveIt!* button.
The list will be processed and the results for each line will be displayed in the right-hand pane.
Highlight everything in the *Results* window, _press CTRL+C or right-click, choose *Copy*, right-click again_ and *Paste* it in your next reply.
Close the program when done.
_*Important!*_ _If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose *Yes*._

==================================

Run HijackThis, and press "Do a System Scan Only". 
1. When the scan is complete place a check mark next to the following entries:
*O4 - HKLM\..\Run: [wosa] C:\WINNT\TEMP\woso.exe*
2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

==================================

Please perform a scan with *Kaspersky Webscan Online Virus Scanner*
1. Click the "*Kaspersky Online Scanner*" button (*NOT* "Kaspersky File Scanner").
2. Read the Requirements and Privacy statement, then select "*Accept*".
3. A new window will appear prompting you to install an ActiveX component from Kaspersky - "*Do you want to install this software*?".
4. Click "*Yes*" or select "*Install*" to download the ActiveX controls that allow ActiveScan to run.
5. When the download is complete it will say ready, click "*Next*".
6. Click "*Scan Settings*" and check the option to use the *Extended Database* (if available, otherwise Standard).
7. Click "*Scan Options*" and select both "*Scan Archives*" and "*Scan Mail Bases*".
8. Click "*OK*".
9. Under "*Select a target to scan*", click on "*My Computer*".
10. When the scan is complete choose to save the results as "*Save as Text*" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for _Free Online Virus Scanner_. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps *here* and reboot afterwards if your system does not reboot automatically, or it will show '_Kaspersky Online Scanner license key was not found!_'

*In your next reply, please include a fresh Hijackthis log, and Kaspersky log. Thanks*

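As an added example (not from the thread, and not part of HijackThis or any of the tools above), a small Python triage script that re-checks a pasted HijackThis log for the three entry classes sjpritch25 singled out: an unknown DLL in the Winsock LSP chain (O10), a Run key launching from a temp directory (O4), and a service with no publisher running straight out of the Windows directory (O23). The sample lines are copied from the log posted above; the `Finding` class and the path rules are my own heuristics, not a HijackThis feature.

```python
"""Triage a HijackThis v1.99 log for the entry classes acted on in this thread.

Added example, not HijackThis code. The rules are deliberately narrow:
  O10  any "Unknown file in Winsock LSP" entry (a broken LSP chain is the
       classic reason a box can ping but not browse, so it is fixed with an
       LSP repair tool rather than by deleting the DLL)
  O4   Run entries whose command line points into a \\TEMP\\ directory
  O23  services with "Unknown owner" whose binary sits directly in the
       Windows directory root (C:\\WINNT\\x.exe) or in a temp directory
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the log posted above
# (a mix of clean entries and the ones the helper flagged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [wosa] C:\WINNT\TEMP\woso.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ou7viewer.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ou7viewer.dll
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINNT\vcd1.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
"""

TEMP_DIR = re.compile(r"(?i)[\\/]temp[\\/]")
# A file directly under C:\WINNT or C:\Windows, with no further subdirectory.
WINDIR_ROOT = re.compile(r"(?i)^[a-z]:\\(?:winnt|windows)\\[^\\]+$")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O10"
    path: str      # file or command line the entry points at
    reason: str    # why it was flagged


def triage_line(line: str):
    """Return a Finding for a suspicious HJT line, or None for a clean one."""
    line = line.strip()
    m = O10_RE.match(line)
    if m:
        return Finding("O10", m["path"],
                       "unknown DLL in the Winsock LSP chain; remove with an LSP "
                       "repair tool so the chain numbers are restored")
    m = O4_RE.match(line)
    if m and TEMP_DIR.search(m["cmd"]):
        return Finding("O4", m["cmd"],
                       f"{m['hive']} Run entry [{m['name']}] launches from a temp directory")
    m = O23_RE.match(line)
    if m and m["owner"] == "Unknown owner" and (
            WINDIR_ROOT.match(m["path"]) or TEMP_DIR.search(m["path"])):
        return Finding("O23", m["path"],
                       f"service '{m['svc']}' has no publisher and runs from an "
                       "unusual location")
    return None


def triage_log(text: str):
    """Run triage_line over a whole log, dropping duplicate findings (the same
    LSP DLL is listed once per chain entry, as in the log above)."""
    seen, findings = set(), []
    for line in text.splitlines():
        f = triage_line(line)
        if f is not None and f not in seen:
            seen.add(f)
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.path}\n     {f.reason}")
```

Everything the helper left alone (IBM and McAfee services, Program Files Run entries) passes through untouched; only the three entries that were later removed are reported.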

----------



## blue shepherd (Jul 8, 2007)

hey sjpritch25,

many thanks for responding so quickly to my issue..

did everything up until kaspersky, and i still couldn't connect to the internet via the router, but i was able to get online with my laptop directly connected to the cable modem.. yay!

i didn't think that Kaspersky online virus scan was ever going to end, but was so excited to have my laptop connected to the web, the four hours flew by!

here are the latest logs, hijack this, followed by Kaspersky. looking forward to the next steps. thanks again, you rock!

Logfile of HijackThis v1.99.1
Scan saved at 4:45:19 AM, on 7/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\vcd1.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\tp4serv.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [wosa] C:\WINNT\TEMP\woso.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F3288B-6014-41B2-891D-7D4049EC1F2F}: NameServer = 24.29.103.10,24.29.103.11
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINNT\vcd1.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 09, 2007 4:38:41 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/07/2007
Kaspersky Anti-Virus database records: 359870
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 59034
Number of viruses found: 2
Number of infected objects: 5 / 0
Number of suspicious objects: 0
Duration of the scan process: 04:08:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Application Data\Aim\eixirblr\al0hah0pe\cert8.db	Object is locked	skipped
C:\Documents and Settings\hope1\Application Data\Aim\eixirblr\al0hah0pe\key3.db	Object is locked	skipped
C:\Documents and Settings\hope1\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Temp\hpodvd09.log	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Temp\~DF2077.tmp	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Temporary Internet Files\Content.IE5\OPE3S5IJ\bind[1].com&t=1	Object is locked	skipped
C:\Documents and Settings\hope1\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\hope1\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\HP\hpcoretech\data\EvntData-896940673.xml	Object is locked	skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log	Object is locked	skipped
C:\WINNT\CSC\00000001	Object is locked	skipped
C:\WINNT\Debug\ipsecpa.log	Object is locked	skipped
C:\WINNT\Debug\oakley.log	Object is locked	skipped
C:\WINNT\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINNT\SchedLgU.Txt	Object is locked	skipped
C:\WINNT\SoftwareDistribution\EventCache\{B7EF908D-73C3-41CF-9FC2-F113917B7987}.bin	Object is locked	skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINNT\Sti_Trace.log	Object is locked	skipped
C:\WINNT\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINNT\system32\config\default	Object is locked	skipped
C:\WINNT\system32\config\default.LOG	Object is locked	skipped
C:\WINNT\system32\config\SAM	Object is locked	skipped
C:\WINNT\system32\config\SAM.LOG	Object is locked	skipped
C:\WINNT\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINNT\system32\config\SECURITY	Object is locked	skipped
C:\WINNT\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINNT\system32\config\software	Object is locked	skipped
C:\WINNT\system32\config\software.LOG	Object is locked	skipped
C:\WINNT\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINNT\system32\config\system	Object is locked	skipped
C:\WINNT\system32\config\SYSTEM.ALT	Object is locked	skipped
C:\WINNT\system32\ou7viewer.dll	Infected: Packed.Win32.NSAnti.r	skipped
C:\WINNT\Temp\2.dll	Infected: Packed.Win32.NSAnti.r	skipped
C:\WINNT\Temp\ki4na7.dll	Infected: Packed.Win32.NSAnti.r	skipped
C:\WINNT\Temp\woso0.dll	Infected: Trojan-PSW.Win32.OnLineGames.qw	skipped
C:\WINNT\vcd1.exe	Infected: Packed.Win32.NSAnti.r	skipped
C:\WINNT\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------



## sjpritch25 (Sep 8, 2005)

Double-click on *OTMoveIt.exe* to launch the program.
Please copy the file(s)/folder(s) paths listed below - _highlight everything in red and press CTRL+C or right-click and choose *Copy*_.

*C:\WINNT\system32\ou7viewer.dll*
*C:\WINNT\Temp\2.dll*
*C:\WINNT\Temp\ki4na7.dll*
*C:\WINNT\Temp\woso0.dll*
*C:\WINNT\vcd1.exe*

Then in OTMoveIt, _right-click in the open text box labeled_ "*Paste List of Files/Folders to be Moved*" _and choose *Paste*_.
Click the red *MoveIt!* button.
The list will be processed and the results for each line will be displayed in the right-hand pane.
Highlight everything in the *Results* window, _press CTRL+C or right-click, choose *Copy*, right-click again_ and *Paste* it in your next reply.
Close the program when done.
_*Important!*_ _If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose *Yes*._

=======================================

Run HijackThis, and press "Do a System Scan Only". 
1. When the scan is complete place a check mark next to the following entries:
*O4 - HKLM\..\Run: [wosa] C:\WINNT\TEMP\woso.exe*
2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

=====================================

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._)
Under "*Configuration and Preferences*", click the *Preferences* button.
Click the *Scanning Control* tab.
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._
_Scan for tracking cookies._
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen.
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*.
On the left, make sure you check *C:\Fixed Drive*.
On the right, under "*Complete Scan*", choose *Perform Complete Scan*.
Click "*Next*" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*".
Make sure everything has a checkmark next to it and click "*Next*".
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
If asked if you want to reboot, click "*Yes*".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._
_Please copy and paste the Scan Log results in your next reply._

Click *Close* to exit the program.


----------



## blue shepherd (Jul 8, 2007)

Thanks again for the quick response. Here are the latest logs:

OTMoveIt Results

LoadLibrary failed for C:\WINNT\system32\ou7viewer.dll
C:\WINNT\system32\ou7viewer.dll NOT unregistered.
File move failed. C:\WINNT\system32\ou7viewer.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINNT\Temp\2.dll
C:\WINNT\Temp\2.dll NOT unregistered.
File move failed. C:\WINNT\Temp\2.dll scheduled to be moved on reboot.
LoadLibrary failed for C:\WINNT\Temp\ki4na7.dll
C:\WINNT\Temp\ki4na7.dll NOT unregistered.
File move failed. C:\WINNT\Temp\ki4na7.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINNT\Temp\woso0.dll
C:\WINNT\Temp\woso0.dll NOT unregistered.
File move failed. C:\WINNT\Temp\woso0.dll scheduled to be moved on reboot.
File move failed. C:\WINNT\vcd1.exe scheduled to be moved on reboot.

------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:15:07 PM, on 7/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\vcd1.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [wosa] C:\WINNT\TEMP\woso.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F3288B-6014-41B2-891D-7D4049EC1F2F}: NameServer = 24.29.103.10,24.29.103.11
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINNT\vcd1.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-------------------------------------------------------------------------------------------------------

The SUPERAntiSpyware log would not let me copy + paste, it wouldn't respond at all, no matter how many times I launched the window after I rebooted. The only way I could close the window was to end the program in task manager. I typed what I could see in the notepad of the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/19/2007 at 06:17 AM

Application Version : 3.9.1008

Core Rules Database Version : 3267
Trace Rules Database Version:	1278

Scan Type : Complete scan
Total Scan Time	: 02:48:35

Memory Items scanned	: 526
Memory Threats detected	: 1
Registry Items scanned	: 5353
Registry Threats detected	: 1
File Items scanned : 49232
File Threats detected : 9

Trojan.Net-Multispan/WO
C:\WINNT\TEMP\WOSO0.DLL
C:\WINNT\TEMP\WOSO0.DLL
[wosa] C:\WINNT\TEMP\WOSO.EXE
C:\WINNT\TEMP\WOSO.EXE

Adware.Tracking Cookie
C:\Documents and settings\hope1\cookies\[email protected][1].txt
C:\Documents and settings\hope1\cookies\[email protected][1].txt

there could be a few more lines that i can't access because the window won't let me access the cursor. wonder what's up with that? thanks again.


----------



## sjpritch25 (Sep 8, 2005)

Did you fix this item via HijackThis??

*O4 - HKLM\..\Run: [wosa] C:\WINNT\TEMP\woso.exe*


----------



## blue shepherd (Jul 8, 2007)

yes i did, but i may have sent an older log file -- i'm sorry, the back and forth with the flash drive probably screwed me up (i can't connect to the internet at the cable modem anymore, but the linksys gui now says i'm connected at the access point, but the internet can not be found).

at any rate, here is a fresh hijack this log. looks like the offending item is gone.

Logfile of HijackThis v1.99.1
Scan saved at 12:35:15 AM, on 7/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINNT\vcd1.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F3288B-6014-41B2-891D-7D4049EC1F2F}: NameServer = 24.29.103.10,24.29.103.11
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINNT\vcd1.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


----------



## sjpritch25 (Sep 8, 2005)

Still infected

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.

Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
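The "Still infected" call above rests on reading the log the way the earlier posts do: an O4 Run entry that launches from the Temp folder, and an O23 service with no recorded owner whose image sits directly in C:\WINNT (and which also shows up in the running-process list). The following is an added example, not part of the thread and not a HijackThis feature: a small Python triage pass that encodes those two checks over a constructed excerpt of the log lines posted above, while keeping "Unknown owner" by itself at informational level, since McShield carries the same tag and is legitimate.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on lines posted in this thread. The real logs are
# far longer; these are the entries the helper's reasoning actually turned on,
# plus a few benign lines for contrast.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\vcd1.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [wosa] C:\WINNT\TEMP\woso.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Card Adapter (NETDown) - Unknown owner - C:\WINNT\vcd1.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
"""

# First drive-letter path ending in an executable-ish extension inside a command line.
DRIVE_PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|cpl|ocx)', re.I)
# Any "\Temp\" component: autoruns should not live in scratch directories.
TEMP_DIR = re.compile(r'\\temp\\', re.I)
# An image placed directly in the Windows directory root (not System32, not Program Files).
WINDIR_ROOT = re.compile(r'^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+$', re.I)


def parse_log(text: str) -> Tuple[List[str], List[str]]:
    """Split a HijackThis log into lower-cased running-process paths and Oxx/Rx/Nx entry lines."""
    processes: List[str] = []
    entries: List[str] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False      # the process list ends at the first blank line
            continue
        if in_procs:
            processes.append(line.lower())
        elif re.match(r'^[A-Z]\d+ - ', line):
            entries.append(line)
    return processes, entries


def first_path(command: str):
    """Return the first drive-letter path in a Run command, or None for bare names like tp4serv.exe."""
    m = DRIVE_PATH.search(command)
    return m.group(0) if m else None


def triage(text: str) -> List[Dict[str, str]]:
    """Apply the two 'still infected' heuristics and return findings in log order."""
    processes, entries = parse_log(text)
    findings: List[Dict[str, str]] = []
    for line in entries:
        if line.startswith("O4 - "):
            path = first_path(line.split("] ", 1)[-1])
            if path and TEMP_DIR.search(path):
                findings.append({"severity": "high", "line": line,
                                 "reason": "autorun launches from a Temp directory"})
        elif line.startswith("O23 - Service: "):
            # Format is "<display name> - <owner> - <image path>"; split from the right
            # so a display name containing " - " does not break the parse.
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            _name, owner, path = parts
            unknown = owner.strip().lower() == "unknown owner"
            if unknown and WINDIR_ROOT.match(path):
                live = path.lower() in processes
                reason = "unowned service image sits directly in the Windows directory"
                if live:
                    reason += " and is currently running"
                findings.append({"severity": "high", "line": line, "reason": reason})
            elif unknown:
                # Legitimate products (McShield here) also lack an owner string,
                # so this alone is only a prompt to verify the file, not a verdict.
                findings.append({"severity": "info", "line": line,
                                 "reason": "no vendor recorded; verify the file before acting"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['reason']}\n       {f['line']}")
```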


----------



## blue shepherd (Jul 8, 2007)

Heres the latest  SDFix report and Hijack this log.

Also, I dont know if this is relevant or not, but Im getting a Program Error window on startup/reboot that says

webscanx.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created. The window goes away when I click OK.

Thanks again.
---------------------------------------------------------------------------------------------------

SDFix: Version 1.90

Run by hope1 on Fri 07/13/2007 at 1:28a

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
NETDown

ImagePath:
C:\WINNT\vcd1.exe

NETDown - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Remaining Files:
---------------

Files with Hidden Attributes:

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\WINNT\SoftwareDistribution\Download\0704c23265010cec59310de3c743a84f\BITC3.tmp
C:\WINNT\SoftwareDistribution\Download\2fe4dde7e03d8584bf981ae00706abb4\BIT7.tmp
C:\WINNT\SoftwareDistribution\Download\493e638f04a6de1a494eb2be7ea3be60\BITC1.tmp
C:\WINNT\SoftwareDistribution\Download\f139320bcb75ba26729612b59ef01051\BIT6.tmp

Finished

--------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:03:42 AM, on 7/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F3288B-6014-41B2-891D-7D4049EC1F2F}: NameServer = 24.29.103.10,24.29.103.11
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


----------



## sjpritch25 (Sep 8, 2005)

That error is related to McAfee; you may need to uninstall and re-install McAfee.


How is everything running??


----------



## blue shepherd (Jul 8, 2007)

it looks like everything is running fine, but i still can't connect to the internet..
is my laptop clean? thanks again.


----------



## sjpritch25 (Sep 8, 2005)

Let's try this
Right-click on your *My Computer* icon on your Desktop
Click on *Properties*
System Information should appear and click on the *Hardware* Tab
Click on the *Device Manager* tab
Click on your *+* next to your *Network Adapter*
Right click on it and choose *Uninstall*
Reboot your PC
Windows will re-install the device. Hopefully that will work. 

I am going to ask around and see if any of our tools will work in Windows 2000.


----------



## blue shepherd (Jul 8, 2007)

whoo-hoo! i'm back online through the router! thank you SO much for all your help.

i will be DELIGHTED to make a donation to you tech guys.

is there anything else you would suggest for maintenance? i still can't believe it -- 

you are a magician!!


----------



## sjpritch25 (Sep 8, 2005)

Glad you are back online!!
You have WeatherBug installed; it does cause popups, but whether it counts as adware is 50/50. There is a Desktop Weather app from the Weather Channel that is totally ad-free. Here is the link: Desktop Weather. This is the one i recommend using.

You can delete this file and folder
*C:\SDFix*

From your Desktop
*SDFix.exe*

Your McAfee subscription, is it Internet Security or just the Anti-Virus program???


----------



## blue shepherd (Jul 8, 2007)

hey tech guy,

so thanks again for all the help. i am inspired to finally follow through with internet security (now that i am having issues again).

i was browsing around last week, googling (looking for marc jacobs watches to be specific), and clicked on what was advertised as a promising marc jacobs link, and then everything went wrong:

lots of pop-up windows and flashing warnings about what can harm my system and cause internet problems if i don't download what they're telling me to download.

i shut down and rebooted. clicked on internet explorer icon and blue screen of death came up right away. but not the real BSOD, it was a simulated version in an explorer window with more warnings.

i shut down internet explorer and re-launched. i got the timer for a second and then nothing. then the icon disappeared. haven't been able to launch IE since.

but netscape seems to be working on and off. i've had my laptop powered down for a week while i dealt with my frustration level, and now i'm ready to address the problem and follow through with the appropriate security measures.

my dad keeps telling me to just order the McAfee security -- what do i order? is it better to fix this internet explorer problem first?

here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:40:26 PM, on 12/10/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: (no name) - {02DFA0EF-6C7B-458B-A7E4-C5F8EBD274F3} - C:\WINNT\system32\encapik.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {F6497561-2DB5-4B29-9D8B-3121E1FC0065} - c:\winnt\system32\docpropg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ghqaycwl - C:\WINNT\SYSTEM32\docpropg.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


----------



## sjpritch25 (Sep 8, 2005)

First of all, we need to get you clean again. Why are you still running Windows 2000?? If you have to keep it, please refrain from using IE because it's wide open to viruses. I will explain things further later.

Download *Combofix* and save it to your desktop.

* ***Note: It is important that it is saved directly to your desktop***

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on *combofix.exe* & follow the prompts. 
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* along with a *new HijackThis log* for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


----------



## blue shepherd (Jul 8, 2007)

many many thanks for super quick response.

i am still running windows 2000 because.. um, not really sure why. everything worked well for so long, it never occurred to me to change it. i am certainly open to advice about upgrading.

here is the combo fix report, followed by a new HJT log:

--------------------------------------------------------------------------------------------------------

ComboFix 07-12-10.1 - hope1 12/11/2007 3:09:34.1 - NTFSx86
Running from: C:\Documents and Settings\hope1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\docpropg.dll
C:\WINNT\system32\koos.exe
C:\WINNT\system32\kprof
C:\WINNT\system32\poof
C:\WINNT\Tasks.\At25.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_POOF
-------\LEGACY_RPENTZWX
-------\nm
-------\rpentzwx

((((((((((((((((((((((((( Files Created from 2007-11-11 to 2007-12-11 )))))))))))))))))))))))))))))))
.

2007-12-11 03:19 . 07-12-11 03:19 16,384	--a----t-	C:\WINNT\system32\Perflib_Perfdata_56c.dat
2007-11-30 01:06 . 07-11-30 01:06 1,188,375	--a------	C:\WINNT\system32\libeay32.dll
2007-11-30 01:06 . 07-11-30 01:06 741,632	--a------	C:\WINNT\system32\camuoydo.dat
2007-11-30 01:06 . 07-11-30 01:06 246,545	--a------	C:\WINNT\system32\libssl32.dll
2007-11-30 01:06 . 07-12-10 15:22 119,552	--a------	C:\WINNT\system32\uyzfbwdz.dat
2007-11-30 01:06 . 07-12-10 15:22 42,240	--a------	C:\WINNT\system32\kgupcoln.dat
2007-11-30 01:06 . 07-12-01 01:15 36,096	--a------	C:\WINNT\system32\zkprjwwq.dat
2007-11-30 01:06 . 07-11-30 01:06 35,072	--a------	C:\WINNT\system32\wkirvrvp.dat
2007-11-30 00:48 . 02-12-12 00:14 83,456	--a------	C:\WINNT\system32\encapik.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 07:52	---------	d-----w	C:\Documents and Settings\hope1\Application Data\dvdcss
2007-11-23 06:33	---------	d-----w	C:\Documents and Settings\hope1\Application Data\WeatherBug
2007-01-12 02:36	14,208	-c--a-w	C:\Documents and Settings\hope1\Application Data\GDIPFONTCACHEV1.DAT
2004-06-26 20:06	271	---h--w	C:\Program Files\desktop.ini
2004-06-26 20:06	21,952	-c-h--w	C:\Program Files\folder.htt
1999-12-07 12:00	32,528	-c--a-w	C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02DFA0EF-6C7B-458B-A7E4-C5F8EBD274F3}]
02-12-12 00:14 83456	--a------	C:\WINNT\system32\encapik.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [04-12-08 12:50 ]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [04-09-09 17:35 ]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [06-08-20 17:40 ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-07-28 19:03 ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [07-06-21 14:06 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [03-11-12 21:12 C:\WINNT\system32\tp4serv.exe]
"Synchronization Manager"="mobsync.exe" [03-06-19 06:05 C:\WINNT\system32\mobsync.exe]
"SoundFusion"="RunDll32 cwcprops.cpl" []
"PRPCMonitor"="PRPCUI.exe" [00-01-06 02:00 C:\WINNT\system32\prpcui.exe]
"BMMGAG"="RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" []
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" []
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [04-02-04 19:36 ]
"Promon.exe"="Promon.exe" [01-08-09 03:59 C:\WINNT\system32\PROMon.exe]
"LTWinModem1"="ltmsg.exe" [01-04-02 20:38 C:\WINNT\system32\ltmsg.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04-06-27 04:03 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-10-25 18:58 ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [05-01-12 14:54 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 ]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [01-07-09 00:50 ]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 06:05 ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{3B7DF09E-0047-47B7-9413-971A0D33BAC3}\_18be6784.exe [2004-11-22 12:21:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-05-23 14:14:33]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 04-05-18 21:21 94208 C:\WINNT\system32\QConGina.dll

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 03:41:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-11 10:00:00 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 19:00:00 C:\WINNT\Tasks\At10.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 20:00:00 C:\WINNT\Tasks\At11.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 21:00:00 C:\WINNT\Tasks\At12.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 22:00:00 C:\WINNT\Tasks\At13.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-30 23:00:00 C:\WINNT\Tasks\At14.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-30 00:00:00 C:\WINNT\Tasks\At15.job"
"2007-12-01 01:00:00 C:\WINNT\Tasks\At16.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-11 02:00:00 C:\WINNT\Tasks\At17.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-11 03:00:00 C:\WINNT\Tasks\At18.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-11 04:00:00 C:\WINNT\Tasks\At19.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-11 11:00:00 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-11 05:00:00 C:\WINNT\Tasks\At20.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-01 06:00:00 C:\WINNT\Tasks\At21.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-11 07:00:01 C:\WINNT\Tasks\At22.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-11 08:00:00 C:\WINNT\Tasks\At23.job"
"2007-12-11 09:00:00 C:\WINNT\Tasks\At24.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-12-11 12:00:00 C:\WINNT\Tasks\At3.job"
"2007-12-11 13:00:00 C:\WINNT\Tasks\At4.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 14:00:01 C:\WINNT\Tasks\At5.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 15:00:03 C:\WINNT\Tasks\At6.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 16:00:00 C:\WINNT\Tasks\At7.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 17:00:00 C:\WINNT\Tasks\At8.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 18:00:00 C:\WINNT\Tasks\At9.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2004-06-26 21:04:11 C:\WINNT\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 03:20:58
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-11 3:26:06 - machine was rebooted
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 4:13:27 AM, on 12/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: (no name) - {02DFA0EF-6C7B-458B-A7E4-C5F8EBD274F3} - C:\WINNT\system32\encapik.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
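
A triage script for the two kinds of log posted in this thread, added here as an example and not a tool from the thread or from the HijackThis/ComboFix authors: it flags the entries the helper's CFScript later removed (nameless BHOs in system32, the Winlogon Notify entry 'ghqaycwl' pointing at docpropg.dll, and the batch of At*.job tasks all running one executable) from a constructed subset of the 12/10 HijackThis log and the ComboFix scheduled-tasks block above. The heuristics (name/DLL mismatch, three or more At jobs sharing a system32 target) are my own thresholds, not HijackThis or ComboFix rules.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed subset of the HijackThis log posted above (not the full log).
HJT_LOG = r"""
O2 - BHO: (no name) - {02DFA0EF-6C7B-458B-A7E4-C5F8EBD274F3} - C:\WINNT\system32\encapik.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {F6497561-2DB5-4B29-9D8B-3121E1FC0065} - c:\winnt\system32\docpropg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ghqaycwl - C:\WINNT\SYSTEM32\docpropg.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
"""

# Constructed subset of the ComboFix "Contents of the 'Scheduled Tasks' folder" block.
COMBOFIX_TASKS = r"""
"2007-11-30 03:41:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-11 10:00:00 C:\WINNT\Tasks\At1.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-29 19:00:00 C:\WINNT\Tasks\At10.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2007-11-30 00:00:00 C:\WINNT\Tasks\At15.job"
"2007-12-11 11:00:00 C:\WINNT\Tasks\At2.job"
- C:\WINNT\system32\7FJ88yxQ.exe
"2004-06-26 21:04:11 C:\WINNT\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
JOB_RE = re.compile(r'^"(?P<when>[\d-]+ [\d:]+) (?P<job>.+\.job)"$')


def basename(path: str) -> str:
    """Lower-cased final path component (HJT mixes case freely)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage_hjt(log: str) -> List[str]:
    """Flag nameless BHOs in system32 and Winlogon Notify entries whose
    subkey name does not match the DLL they load (cross-referenced)."""
    findings: List[str] = []
    nameless_bhos = set()
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m:
            if m.group("name") == "(no name)" and in_system32(m.group("path")):
                dll = basename(m.group("path"))
                nameless_bhos.add(dll)
                findings.append(f"O2 nameless BHO in system32: {dll}")
            continue
        m = O20_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            dll = basename(path)
            # Legitimate entries (QConGina -> QConGina.dll) name themselves after the DLL.
            if in_system32(path) and name.lower() != dll.rsplit(".", 1)[0]:
                why = "name does not match DLL"
                if dll in nameless_bhos:
                    why += "; same DLL is a nameless BHO"
                findings.append(f"O20 suspicious Winlogon Notify '{name}' -> {dll} ({why})")
    return findings


def parse_tasks(block: str) -> Dict[str, str]:
    """Map job file name -> command; jobs ComboFix lists without a command map to ''."""
    jobs: Dict[str, str] = {}
    current = None
    for line in block.splitlines():
        m = JOB_RE.match(line)
        if m:
            current = basename(m.group("job"))
            jobs[current] = ""
        elif line.startswith("- ") and current:
            jobs[current] = line[2:].strip()
    return jobs


def triage_tasks(block: str, min_jobs: int = 3) -> List[str]:
    """Flag one system32 executable launched by many At*.job tasks (hourly persistence)."""
    jobs = parse_tasks(block)
    by_target = defaultdict(list)
    for job, cmd in jobs.items():
        if cmd:
            by_target[cmd.lower()].append(job)
    findings: List[str] = []
    for target, names in by_target.items():
        at_jobs = [n for n in names if re.fullmatch(r"at\d+\.job", n)]
        if len(at_jobs) >= min_jobs and in_system32(target):
            findings.append(f"{len(at_jobs)} At*.job tasks run {target}")
    empty = sorted(j for j, c in jobs.items() if not c and j.startswith("at"))
    if empty:
        findings.append(f"At*.job tasks with no command shown: {', '.join(empty)}")
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(HJT_LOG) + triage_tasks(COMBOFIX_TASKS):
        print(finding)
```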


----------



## sjpritch25 (Sep 8, 2005)

Download the attached file CFScript.txt to your *Desktop*

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at *"C:\ComboFix.txt"*. In your next reply, please include the ComboFix log and a fresh HIjackthis log.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

*Note:* Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!

=================================

Please perform a scan with *Kaspersky Webscan Online Virus Scanner*

1. Read the Requirements and Privacy statement, then select "*Accept*".
2. A new window will appear prompting you to install an ActiveX component from Kaspersky - "*Do you want to install this software*?".
3. Click "*Yes*" or select "*Install*" to download the ActiveX controls that allow ActiveScan to run.
4. When the download is complete it will say ready, click "*Next*".
5. Click "*Scan Settings*" and check the option to use the *Extended Database* (if available, otherwise Standard).
6. Click "*Scan Options*" and select both "*Scan Archives*" and "*Scan Mail Bases*".
7. Click "*OK*".
8. Under "*Select a target to scan*", click on "*My Computer*".
9. When the scan is complete choose to save the results as "*Save as Text*" named kaspersky.txt to your desktop and post them in your next reply.

Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for the _Free Online Virus Scanner_. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps *here* and reboot afterwards if your system does not reboot automatically, or it will show '_Kaspersky Online Scanner license key was not found!_'


----------



## blue shepherd (Jul 8, 2007)

CFScript.txt does not appear to be attached or have a link..

am i missing something?


----------



## sjpritch25 (Sep 8, 2005)

It's at the bottom under *Attached files*.


----------



## blue shepherd (Jul 8, 2007)

duh. found it, thanks.

internet explorer is back -- i ran kaspersky in it because it wouldn't scan in netscape.

here are the newest logs:

----------------------------------------------------------------------------------------------------

ComboFix 07-12-10.1 - hope1 12/11/2007 16:46:52.2 - NTFSx86
Running from: C:\Documents and Settings\hope1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\hope1\Desktop\cfscript.txt

FILE
C:\WINNT\system32\7FJ88yxQ.exe
C:\WINNT\system32\camuoydo.dat
C:\WINNT\system32\encapik.dll
C:\WINNT\system32\kgupcoln.dat
C:\WINNT\system32\libeay32.dll
C:\WINNT\system32\libssl32.dll
C:\WINNT\system32\uyzfbwdz.dat
C:\WINNT\system32\wkirvrvp.dat
C:\WINNT\system32\zkprjwwq.dat
C:\WINNT\Tasks\At1.job
C:\WINNT\Tasks\At10.job
C:\WINNT\Tasks\At11.job
C:\WINNT\Tasks\At12.job
C:\WINNT\Tasks\At13.job
C:\WINNT\Tasks\At14.job
C:\WINNT\Tasks\At15.job
C:\WINNT\Tasks\At16.job
C:\WINNT\Tasks\At17.job
C:\WINNT\Tasks\At18.job
C:\WINNT\Tasks\At19.job
C:\WINNT\Tasks\At2.job
C:\WINNT\Tasks\At20.job
C:\WINNT\Tasks\At21.job
C:\WINNT\Tasks\At22.job
C:\WINNT\Tasks\At23.job
C:\WINNT\Tasks\At24.job
C:\WINNT\Tasks\At3.job
C:\WINNT\Tasks\At4.job
C:\WINNT\Tasks\At5.job
C:\WINNT\Tasks\At6.job
C:\WINNT\Tasks\At7.job
C:\WINNT\Tasks\At8.job
C:\WINNT\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\camuoydo.dat
C:\WINNT\system32\encapik.dll
C:\WINNT\system32\kgupcoln.dat
C:\WINNT\system32\libeay32.dll
C:\WINNT\system32\libssl32.dll
C:\WINNT\system32\uyzfbwdz.dat
C:\WINNT\system32\wkirvrvp.dat
C:\WINNT\system32\zkprjwwq.dat
C:\WINNT\Tasks\At1.job
C:\WINNT\Tasks\At10.job
C:\WINNT\Tasks\At11.job
C:\WINNT\Tasks\At12.job
C:\WINNT\Tasks\At13.job
C:\WINNT\Tasks\At14.job
C:\WINNT\Tasks\At15.job
C:\WINNT\Tasks\At16.job
C:\WINNT\Tasks\At17.job
C:\WINNT\Tasks\At18.job
C:\WINNT\Tasks\At19.job
C:\WINNT\Tasks\At2.job
C:\WINNT\Tasks\At20.job
C:\WINNT\Tasks\At21.job
C:\WINNT\Tasks\At22.job
C:\WINNT\Tasks\At23.job
C:\WINNT\Tasks\At24.job
C:\WINNT\Tasks\At3.job
C:\WINNT\Tasks\At4.job
C:\WINNT\Tasks\At5.job
C:\WINNT\Tasks\At6.job
C:\WINNT\Tasks\At7.job
C:\WINNT\Tasks\At8.job
C:\WINNT\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.

2007-12-11 16:47 . 12/11/07 04:47p	16,384	--a----t-	C:\WINNT\system32\Perflib_Perfdata_414.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-01 07:52	---------	d-----w	C:\Documents and Settings\hope1\Application Data\dvdcss
2007-11-23 06:33	---------	d-----w	C:\Documents and Settings\hope1\Application Data\WeatherBug
2007-01-12 02:36	14,208	-c--a-w	C:\Documents and Settings\hope1\Application Data\GDIPFONTCACHEV1.DAT
2004-06-26 20:06	271	---h--w	C:\Program Files\desktop.ini
2004-06-26 20:06	21,952	-c-h--w	C:\Program Files\folder.htt
1999-12-07 12:00	32,528	-c--a-w	C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [12/08/04 12:50p]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [09/09/04 05:35p]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [08/20/06 05:40p]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/28/07 07:03p]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/07 02:06p]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [11/12/03 09:12p C:\WINNT\system32\tp4serv.exe]
"Synchronization Manager"="mobsync.exe" [06/19/03 06:05a C:\WINNT\system32\mobsync.exe]
"SoundFusion"="RunDll32 cwcprops.cpl" []
"PRPCMonitor"="PRPCUI.exe" [01/06/00 02:00a C:\WINNT\system32\prpcui.exe]
"BMMGAG"="RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" []
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" []
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [02/04/04 07:36p]
"Promon.exe"="Promon.exe" [08/09/01 03:59a C:\WINNT\system32\PROMon.exe]
"LTWinModem1"="ltmsg.exe" [04/02/01 08:38p C:\WINNT\system32\ltmsg.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/27/04 04:03a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/06 06:58p]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/05 02:54p]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/06 09:36a]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/01 12:50a]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 06:05a]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{3B7DF09E-0047-47B7-9413-971A0D33BAC3}\_18be6784.exe [2004-11-22 12:21:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-05-23 14:14:33]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 05/18/04 09:21p 94208 C:\WINNT\system32\QConGina.dll

R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R1 ANC;ANC;C:\WINNT\system32\drivers\ANC.SYS
R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"
R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
R2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe
R2 PhilDec;Philips WDM Video Decoder;C:\WINNT\system32\DRIVERS\PhilDec.sys
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys
R3 ati2mtai;ati2mtai;C:\WINNT\system32\DRIVERS\ati2mtai.sys
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINNT\system32\CBTNDIS5.SYS
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\system32\drivers\NMSCFG.SYS
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINNT\system32\DRIVERS\odysseyIM4.sys
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys
S3 cwcspud3;Crystal SoundFusion(tm) SPuD3 Driver;C:\WINNT\system32\drivers\cwcspud3.sys
S3 ISLNDIS5;ISLNDIS5 Protocol Driver;\??\C:\PROGRA~1\MICROS~4\ISLNDIS5.SYS
S3 MSW;Microsoft Broadband Networking Driver;C:\WINNT\system32\DRIVERS\MSWNDS50.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 03:41:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-06-26 21:04:11 C:\WINNT\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 16:52:02
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 12/11/2007 16:52:59
C:\ComboFix2.txt ... 12/11/07 03:26a
.
--- E O F ---
------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:31:13 AM, on 12/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

---------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 12, 2007 12:30:27 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/12/2007
Kaspersky Anti-Virus database records: 479464
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 50436
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 03:15:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Default User\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Application Data\Aim\eixirblr\al0hah0pe\cert8.db	Object is locked	skipped
C:\Documents and Settings\hope1\Application Data\Aim\eixirblr\al0hah0pe\key3.db	Object is locked	skipped
C:\Documents and Settings\hope1\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG	Object is locked	skipped
C:\Documents and Settings\hope1\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\History\History.IE5\MSHist012007121120071212\index.dat	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Temp\hpodvd09.log	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Temp\~DF12F8.tmp	Object is locked	skipped
C:\Documents and Settings\hope1\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\hope1\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\hope1\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log	Object is locked	skipped
C:\qoobox\Quarantine\C\WINNT\system32\encapik.dll.vir	Infected: Trojan-Downloader.Win32.Delf.dbo	skipped
C:\qoobox\Quarantine\catchme2007-12-11_ 32003.77.zip/kprof	Infected: Trojan-Proxy.Win32.Wopla.ag	skipped
C:\qoobox\Quarantine\catchme2007-12-11_ 32003.77.zip/koos.exe	Infected: Trojan-Proxy.Win32.Wopla.ag	skipped
C:\qoobox\Quarantine\catchme2007-12-11_ 32003.77.zip/poof	Infected: Trojan-Proxy.Win32.Wopla.ag	skipped
C:\qoobox\Quarantine\catchme2007-12-11_ 32003.77.zip	ZIP: infected - 3	skipped
C:\WINNT\CSC\00000001	Object is locked	skipped
C:\WINNT\Debug\ipsecpa.log	Object is locked	skipped
C:\WINNT\Debug\oakley.log	Object is locked	skipped
C:\WINNT\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINNT\SchedLgU.Txt	Object is locked	skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb	Object is locked	skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log	Object is locked	skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb	Object is locked	skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINNT\Sti_Trace.log	Object is locked	skipped
C:\WINNT\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINNT\system32\config\default	Object is locked	skipped
C:\WINNT\system32\config\default.LOG	Object is locked	skipped
C:\WINNT\system32\config\SAM	Object is locked	skipped
C:\WINNT\system32\config\SAM.LOG	Object is locked	skipped
C:\WINNT\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINNT\system32\config\SECURITY	Object is locked	skipped
C:\WINNT\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINNT\system32\config\software	Object is locked	skipped
C:\WINNT\system32\config\software.LOG	Object is locked	skipped
C:\WINNT\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINNT\system32\config\system	Object is locked	skipped
C:\WINNT\system32\config\SYSTEM.ALT	Object is locked	skipped
C:\WINNT\system32\Perflib_Perfdata_414.dat	Object is locked	skipped
C:\WINNT\WindowsUpdate.log	Object is locked	skipped

Scan process completed.
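Two things in the logs above are worth pulling out automatically when triaging a machine like this: the run of numbered At*.job scheduled tasks that ComboFix removed (two dozen jobs created together by at.exe is a persistence pattern, not admin housekeeping), and the fact that every "Infected:" hit in the Kaspersky report sits under C:\qoobox\Quarantine, i.e. the detections are ComboFix's already-contained copies rather than live files. The script below is an added example, not part of this thread or of either tool; the sample lines are constructed from the log excerpts in the post (one live-infection line is invented and labelled as such), and the burst threshold is an assumption.

```python
"""Triage helpers for ComboFix file lists and Kaspersky Online Scanner reports.

Added example: not from the thread or from ComboFix/Kaspersky. Sample lines are
constructed from the log excerpts posted above, except where marked.
"""
import re
from collections import Counter

# Constructed sample: a slice of the ComboFix "FILE" section from the post.
COMBOFIX_SAMPLE = "\n".join([
    "FILE",
    "C:\\WINNT\\system32\\7FJ88yxQ.exe",
    "C:\\WINNT\\system32\\encapik.dll",
    "C:\\WINNT\\Tasks\\At1.job",
    "C:\\WINNT\\Tasks\\At10.job",
    "C:\\WINNT\\Tasks\\At2.job",
    "C:\\WINNT\\Tasks\\At3.job",
    "C:\\WINNT\\Tasks\\At4.job",
    "C:\\WINNT\\Tasks\\At5.job",
    ".",
])

# Constructed sample: tab-separated Kaspersky result lines from the post, plus
# one invented "live" infection line (not in the post) as a negative case.
KASPERSKY_SAMPLE = "\n".join([
    "C:\\Documents and Settings\\hope1\\NTUSER.DAT\tObject is locked\tskipped",
    "C:\\WINNT\\system32\\config\\SAM\tObject is locked\tskipped",
    "C:\\qoobox\\Quarantine\\C\\WINNT\\system32\\encapik.dll.vir"
    "\tInfected: Trojan-Downloader.Win32.Delf.dbo\tskipped",
    "C:\\qoobox\\Quarantine\\catchme2007-12-11_ 32003.77.zip/koos.exe"
    "\tInfected: Trojan-Proxy.Win32.Wopla.ag\tskipped",
    "C:\\qoobox\\Quarantine\\catchme2007-12-11_ 32003.77.zip\tZIP: infected - 3\tskipped",
    # Invented line (constructed, not from the post): an infection outside quarantine.
    "C:\\WINNT\\system32\\example_live.dll\tInfected: Example.Constructed.Name\tskipped",
])

AT_JOB_RE = re.compile(r"\\Tasks\\At(\d+)\.job$", re.IGNORECASE)
QUARANTINE_RE = re.compile(r"^[A-Z]:\\qoobox\\Quarantine\\", re.IGNORECASE)
ARCHIVE_SUMMARY_RE = re.compile(r"^\w+: infected - \d+$")


def at_job_numbers(combofix_text):
    """Return the sorted numeric suffixes of At<N>.job entries in a ComboFix file list."""
    nums = []
    for line in combofix_text.splitlines():
        m = AT_JOB_RE.search(line.strip())
        if m:
            nums.append(int(m.group(1)))
    return sorted(nums)


def is_at_job_burst(combofix_text, threshold=5):
    """Flag a run of at.exe-created jobs.

    The threshold is an assumption: one or two At jobs may be an admin's doing;
    a numbered run created together, as in the post, is a persistence pattern.
    """
    return len(at_job_numbers(combofix_text)) >= threshold


def triage_kaspersky(report_text):
    """Split a Kaspersky report into locked-file noise, archive summary lines,
    and real detections, separating quarantined copies from live files."""
    result = {"locked": 0, "archive_summaries": 0,
              "quarantined": [], "live": [], "by_name": Counter()}
    for line in report_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:          # header, blank and statistics lines
            continue
        path, status, _action = parts
        if status.startswith("Object is locked"):
            result["locked"] += 1
        elif status.startswith("Infected: "):
            name = status[len("Infected: "):]
            result["by_name"][name] += 1
            bucket = "quarantined" if QUARANTINE_RE.match(path) else "live"
            result[bucket].append((path, name))
        elif ARCHIVE_SUMMARY_RE.match(status):
            result["archive_summaries"] += 1   # per-archive total, already counted per member
    return result


if __name__ == "__main__":
    print("At jobs:", at_job_numbers(COMBOFIX_SAMPLE),
          "burst" if is_at_job_burst(COMBOFIX_SAMPLE) else "no burst")
    r = triage_kaspersky(KASPERSKY_SAMPLE)
    print(f"locked (noise): {r['locked']}, quarantined: {len(r['quarantined'])}, "
          f"live: {len(r['live'])}, archives: {r['archive_summaries']}")
    for path, name in r["live"]:
        print("LIVE:", name, path)
```

The "live" bucket is the one that matters for follow-up: a detection under the quarantine folder is already neutralised and only needs the quarantine purged, while anything outside it is still on disk and should be dealt with before the machine is declared clean.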


----------



## sjpritch25 (Sep 8, 2005)

How is everything running???


----------



## blue shepherd (Jul 8, 2007)

everything seems to be running well. thanks again for all your help!

am i officially "clean"? 

should i move forward with internet security software?

what do you recommend?

and why is internet explorer so dangerous?

-hope.


----------



## sjpritch25 (Sep 8, 2005)

The reason it's not safe is that Microsoft added some more security in IE 6 Service Pack 2, but it's only available in Windows XP. IE 6 SP1 is full of exploits and vulnerabilities; these exploits will not be patched because it's such an old OS. You can keep Windows 2000, but my recommendation is to run Firefox, unless you know the site is safe.

Let's finish up.

Go to *Start*---> *Run*---> Type *ComboFix /u* and press enter. This command will uninstall Firefox and all of its components.


----------



## blue shepherd (Jul 8, 2007)

which internet security would you recommend?

here's the latest:

ComboFix 07-12-10.1 - hope1 12/13/2007 21:01:11.3 - NTFSx86
Running from: C:\Documents and Settings\hope1\Desktop\ComboFix.exe
Command switches used :: / u
.

((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-11 17:03 . 12/11/07 05:03p d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-11 16:47 . 12/11/07 04:47p	16,384	--a----t-	C:\WINNT\system32\Perflib_Perfdata_414.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-14 01:23	---------	d-----w	C:\Documents and Settings\hope1\Application Data\WeatherBug
2007-12-01 07:52	---------	d-----w	C:\Documents and Settings\hope1\Application Data\dvdcss
2007-01-12 02:36	14,208	-c--a-w	C:\Documents and Settings\hope1\Application Data\GDIPFONTCACHEV1.DAT
2004-06-26 20:06	271	---h--w	C:\Program Files\desktop.ini
2004-06-26 20:06	21,952	-c-h--w	C:\Program Files\folder.htt
1999-12-07 12:00	32,528	-c--a-w	C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( [email protected] 2007-12-11_ 3.23.54.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-05-17 05:34:48	213,048	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2005-05-24 22:27:16	213,048	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
- 2006-03-20 23:17:24	65,536	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-30 01:47:20	94,208	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
- 2006-03-20 23:17:20	798,720	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-08-30 01:49:54	950,272	----a-w	C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [12/08/04 12:50p]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [09/09/04 05:35p]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [08/20/06 05:40p]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/28/07 07:03p]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/07 02:06p]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4serv.exe" [11/12/03 09:12p C:\WINNT\system32\tp4serv.exe]
"Synchronization Manager"="mobsync.exe" [06/19/03 06:05a C:\WINNT\system32\mobsync.exe]
"SoundFusion"="RunDll32 cwcprops.cpl" []
"PRPCMonitor"="PRPCUI.exe" [01/06/00 02:00a C:\WINNT\system32\prpcui.exe]
"BMMGAG"="RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" []
"BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" []
"BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [02/04/04 07:36p]
"Promon.exe"="Promon.exe" [08/09/01 03:59a C:\WINNT\system32\PROMon.exe]
"LTWinModem1"="ltmsg.exe" [04/02/01 08:38p C:\WINNT\system32\ltmsg.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/27/04 04:03a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/25/06 06:58p]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [01/12/05 02:54p]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/30/06 09:36a]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [07/09/01 12:50a]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 06:05a]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]
Microsoft Broadband Networking.lnk - C:\WINNT\Installer\{3B7DF09E-0047-47B7-9413-971A0D33BAC3}\_18be6784.exe [2004-11-22 12:21:52]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-12 19:01:04]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2007-05-23 14:14:33]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 05/18/04 09:21p 94208 C:\WINNT\system32\QConGina.dll

R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R1 ANC;ANC;C:\WINNT\system32\drivers\ANC.SYS
R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\avsynmgr.exe"
R2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
R2 NMSSvc;Intel(R) NMS;C:\WINNT\System32\NMSSvc.exe
R2 PhilDec;Philips WDM Video Decoder;C:\WINNT\system32\DRIVERS\PhilDec.sys
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys
R3 ati2mtai;ati2mtai;C:\WINNT\system32\DRIVERS\ati2mtai.sys
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINNT\system32\CBTNDIS5.SYS
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\system32\drivers\NMSCFG.SYS
R3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINNT\system32\DRIVERS\odysseyIM4.sys
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys
S3 cwcspud3;Crystal SoundFusion(tm) SPuD3 Driver;C:\WINNT\system32\drivers\cwcspud3.sys
S3 ISLNDIS5;ISLNDIS5 Protocol Driver;\??\C:\PROGRA~1\MICROS~4\ISLNDIS5.SYS
S3 MSW;Microsoft Broadband Networking Driver;C:\WINNT\system32\DRIVERS\MSWNDS50.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 03:41:00 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2004-06-26 21:04:11 C:\WINNT\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 21:05:08
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully 
hidden files: 0

**************************************************************************
.
Completion time: 12/13/2007 21:06:28
C:\ComboFix2.txt ... 12/11/07 04:53p
C:\ComboFix3.txt ... 12/11/07 03:26a
.
--- E O F ---


----------



## sjpritch25 (Sep 8, 2005)

Why did you post another combofix log??? Did you follow my instructions? I had you uninstall combofix. Please follow those instructions. 


Is your McAfee subscription up to date or has it expired???


----------



## blue shepherd (Jul 8, 2007)

um...

i thought i did follow your instructions:

Go to Start---> Run---> Type ComboFix /u and press enter

that's what i did, and it ran another scan so i sent you the log.

what did i miss?

and i think i just have an anti-virus program with mcafee.
what subscription should i get?


----------



## sjpritch25 (Sep 8, 2005)

This command should not run ComboFix; it should remove it. Make sure you type this one in correctly: ComboFix /u. If you type just ComboFix, it will run a scan.


----------



## blue shepherd (Jul 8, 2007)

okay! it worked this time and uninstalled. i think i had an extra space between the slash and the letter "u" last time..


----------



## sjpritch25 (Sep 8, 2005)

Everything looks good.

Now that your system is clean you should *SET A NEW RESTORE POINT* *to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection*. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools cannot access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll back" in case there is a future problem.

To *SET A NEW RESTORE POINT*:
1. Go to *Start* > *Programs* > *Accessories* > *System Tools* and click "*System Restore*".
2. Choose the radio button marked "*Create a Restore Point*" on the first screen then click "*Next*". Give the R.P. a name then click "*Create*". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to *Start* > *Run* and type: *Cleanmgr*
4. Click "*OK*".
5. Click the "*More Options*" Tab.
6. Click "*Clean Up*" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
*How to Create a Restore Point*.
*How to use Cleanmgr*.

======================================

Here is some useful information on keeping your computer clean:
Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
Here are two great Preventive programs:
SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure to check for updates twice a month.
IESpyads adds a long list of bad sites to your Restricted sites in *Internet Explorer* and protects against drive-by downloads.

Surf Safe with McAfee's SiteAdvisor. SiteAdvisor will work with *Internet Explorer* and *Mozilla Firefox*. SiteAdvisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
Red for *Warning*
Yellow for *Use Caution*
Green for *Safe*
Grey for *Unknown*

Here are the links to install SiteAdvisor in Internet Explorer and Firefox.

Anti-Spyware Programs I Recommend:
Free Anti-Spyware Programs

Lavasoft's Ad-Aware SE Personal
Windows Defender

For Even More Information On Securing Your Computer read *Tony Klein's* So How Did I Get Infected In The First Place


----------



## blue shepherd (Jul 8, 2007)

hope your holidays were happy, sjpritch25..

per your last response, i tried doing this:

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".

there is no "System Restore" on my System Tools menu -- 
my only options are:

Back Up
Character Map
Disk Cleanup
Disk Defragmenter
Getting Started
Scheduled Tasks
System Information

i can't seem to find anywhere to "Create a New Restore Point"..

and it looks like i'm infected again already. on start up i get a McAfee VShield window that pops up with an infected file name:

C:\WINNT\msdtcsw32.exe
Virus Name: BackDOor-DLY.dldr

i delete delete delete until finally it says the file cannot be deleted.

i couldn't connect to the internet at all.

my brother and sister are home from college and nobody's laptops could connect to the wireless router to get online, only the desktop that is wired into the router.

is it possible for a virus on my laptop to affect other laptops accessing the same wireless router??? my father is freaking out on me!!! yikes!!

then we reconnected the main house laptop after a week of dining room table dinners, and all the laptops are working again. but i still have to follow through with my own issues. so here i am again.

here's a current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:40:54 AM, on 12/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\tp4serv.exe
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\system32\Promon.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\hope1\Application Data\Mozilla\Profiles\default\9xb62u08.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ViewSonic Explorer V5.3] C:\WINNT\msdtcsw32.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: QConGina - C:\WINNT\SYSTEM32\QConGina.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


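An added example, not from the thread and not part of HijackThis itself, of how a responder might triage O4 entries in a log like the one above: it parses the "Running processes" block and the O4 lines, flags any autostart whose target is an unexpected .exe sitting directly in the Windows root (as C:\WINNT\msdtcsw32.exe does), and records whether that executable was also listed as running. The sample log lines are constructed, and the short allowlist of programs Windows keeps in its root directory is an assumption.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the log quoted above.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\Explorer.EXE
C:\\Program Files\\Hijackthis\\HijackThis.exe

O4 - HKLM\\..\\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKCU\\..\\Run: [ViewSonic Explorer V5.3] C:\\WINNT\\msdtcsw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office10\\OSA.EXE
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
# An .exe directly in the Windows root (C:\WINNT\foo.exe), not in a subdirectory.
WINROOT_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+\.exe$", re.I)
# Assumed allowlist of programs Windows itself keeps in its root directory.
KNOWN_IN_ROOT = {"explorer.exe", "notepad.exe", "regedit.exe", "winhlp32.exe"}


def exe_from_command(command):
    """Return the executable part of an O4 command line, without arguments."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, e.g. "C:\...\realsched.exe" -osboot
        return command[1:command.find('"', 1)]
    m = re.match(r"^(.*?\.exe)(\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def parse_hjt(text):
    """Split an HJT log into (lowercased running-process paths, O4 entries)."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs:
            in_procs = bool(line.strip())  # the block ends at the first blank line
            if in_procs:
                running.add(line.strip().lower())
        elif (m := RUN_RE.match(line)):
            entries.append((m.group(1), m.group(2), exe_from_command(m.group(3))))
        elif (m := STARTUP_RE.match(line)):
            entries.append(("Global Startup", m.group(1), exe_from_command(m.group(2))))
    return running, entries


def flag_winroot_autostarts(text):
    """Flag O4 targets that are unexpected .exe files in the Windows root."""
    running, entries = parse_hjt(text)
    findings = []
    for hive, name, exe in entries:
        if WINROOT_RE.match(exe) and exe.rsplit("\\", 1)[-1].lower() not in KNOWN_IN_ROOT:
            findings.append({"hive": hive, "name": name, "path": exe,
                             "running": exe.lower() in running})  # seen in process list?
    return findings
```

A "running" value of False for a flagged autostart, as here, is consistent with the on-access scanner blocking the file at logon rather than the entry being harmless; the Run key still needs to go.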
----------



## sjpritch25 (Sep 8, 2005)

Is McAfee still finding that file or was it deleted? How do you have your Wireless set up?? Is it encrypted?? What kind of router (name brand)??


----------



## blue shepherd (Jul 8, 2007)

my dad rebooted the main house laptop today to "investigate" and nobody has been able to connect to the internet via the router all day. 

the desktop pc is wired to the router and that has been working for the most part, with occasional internet crashes, particularly amazon.com.

mcafee is still finding the virus on my laptop. i can not delete it.

we have a linksys wireless-g broadband router 2.4 GHz 802.11g with speedbooster. 

model # WRT 54 GS. 

i don't want to curse the router, but i have to say, that is where my correspondence with you began, when we installed this new router. i will try and bless the router so that it will work properly again and bring us the wonderful internet connection we all love and desire.

and you are being very patient and helpful and i appreciate that greatly.

i do not think the router is encrypted, since my next door neighbors have been accessing it for their internet connection since they started construction on their basement.

like i said, the pc has a direct connection to the router.

the main house laptop and my laptop have external linksys - g wireless notebook cards, and my brother and sister who are home from college have newer laptops with built-in wireless cards, and can generally pick up any signal available. everyone is having trouble this time around.


----------

