Computer Juice forums: Virus, Spyware & Security
Iexplore.exe & Java & IE 6 Compatibility
  #1  
Old 20th May 2008, 10:13
Full Member
Posts: 69
 
Hi,

I was wondering if someone can help me get my PC working right again?

I picked up a bunch of virii that changed settings in my PC. My Kaspersky Internet Security did not pick them up when I got them but detected them after the fact.

When they ( KIS) "fixed" my Virtumonde, Con Hook, Trojan Dialer, Trojan Downloader and other virii my System Volume Information folder was deleted. So now I can't do a sys restore in XP. The virii seem to have been deleted by KIS but I'm afraid there are residual effects left in my PC.

I have numerous IEXPLORE.EXE files along with an IEXPLORER.EXE file in my program files folder for IE 6.

I try to D/L a JAVA patch, which is not working correctly, and I get a box that says my IE is running in compatibility mode - I do not think it is because when I get that tab it is greyed out. That could be a spoof IE folder??

I think my registry has been modified - I think the virii lived in my now defunct system volume folder.

I also got a warning from my ISP that an e-mail I sent has "phishing" in it. I sent a letter to a tech from Kaspersky and it came back with a message from my ISP. I'm not sure I believe it! It also had a message path that did not match my ISP's.

So what is going on with this PC? What a nightmare!

So there are a few problems I'm encountering. Also, is someone still looking at my actions on this PC?

I did a sys info file for Kaspersky but they never got back to me. Are they afraid of that "phishing" e-mail - if in fact it IS real? I e-mailed my friends and they said the e-mail I sent was fine.

I could post a sys info file but it is much much larger than a HijackThis file. I don't have HijackThis anyway.

What can a novice like me do???

Thanks for looking at my post!
actionlover

  #2  
Old 20th May 2008, 10:16
Moderator
Posts: 7,556
 
Start here > http://www.computer-juice.com/forums...-posting-7476/

  #3  
Old 20th May 2008, 20:06
Full Member
Posts: 69
 
Hi Evil,

I was hoping you'd be the one to help me and I'm only at step six and already I see a nice change in the way things are running in my PC.

I'm going to resume in the morning and I'll let you know how it's going - with the logs and all.

I love your organized and concise way of directing us neophytes to better PC health. You are amazing!

I was on another tech forum site and the guy told me to give up and buy another computer. Thanks to you I have hope.

I'm anxious to see if we can rid my pc of the nasties I ingested. I did something dumb and I know better or so I thought I did. I took a chance and boy am I sorry I did.

The bright side is I'm getting to learn how to do some basic troubleshooting things on a computer. Again, thanks for sharing your knowledge!

Be talking to you soon,
actionlover
  #4  
Old 20th May 2008, 20:12
Moderator
Posts: 7,556
 
No problem, glad things are looking up.

Hopefully once the logs are posted there won't be many steps left to do. We will get it one way or another though so no worries there.

  #5  
Old 20th May 2008, 21:07
Full Member
Posts: 69
 
Hi Evil,

I decided to plod on with this. I did everything you told me to do.

Previously when asking Kaspersky what to do and checking other tech forums I've done some other things a few days ago.

I did a safe mode scan - that did not turn up anything. That Malwarebytes thing you turned me on to found a bunch today. I guess you can see this stuff from the log file. I had already done a SUPERAntiSpyware scan a few days ago but today it turned up another virus or two that were missed the other day (?)

I'm assuming that you can see where the virii lived by the log files. I'm not sure I can tell you where they lived. I do have an event log and module log from Kaspersky. I made those up a few days ago on my own. I just copied and pasted the stuff that was under my "events" and "modules" tabs in KIS to a notepad file. Do you need to see that?

Here they are:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 05/20/2008 at 10:52 PM
Application Version : 4.1.1046
Core Rules Database Version : 3465
Trace Rules Database Version: 1456
Scan type : Complete Scan
Total Scan Time : 01:07:25
Memory items scanned : 324
Memory threats detected : 0
Registry items scanned : 6274
Registry threats detected : 0
File items scanned : 17946
File threats detected : 11
Adware.Tracking Cookie
C:\Documents and Settings\John\Cookies\john@tribalfusion[2].txt
C:\Documents and Settings\John\Cookies\john@ads.pointroll[1].txt
C:\Documents and Settings\John\Cookies\john@atdmt[2].txt
C:\Documents and Settings\John\Cookies\john@insightexpressai[1].txt
C:\Documents and Settings\Bonnie\Cookies\bonnie@statcounter[1].txt
C:\Documents and Settings\Johnny\Cookies\johnny@adserver[1].txt
C:\Documents and Settings\Johnny\Cookies\johnny@atdmt[1].txt
C:\Documents and Settings\Johnny\Cookies\johnny@advertising[2].txt
C:\Documents and Settings\Johnny\Cookies\johnny@insightexpressai[1].txt
Trojan.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\IPWRPVYV.DLL
C:\WINDOWS\SYSTEM32\UWLEMAPO.DLL


Malwarebytes' Anti-Malware 1.12
Database version: 772
Scan type: Quick Scan
Objects scanned: 45740
Time elapsed: 22 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\beqllqxt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\txqllqeb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hiribqcx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xcqbirih.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opnmLFxY.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YxFLmnpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YxFLmnpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\suyeultd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dtlueyus.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BSZIP.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Johnny\g2mdlhlpx.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:35 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\sniper.exe\HTJ\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {b2a847ab-43d7-d7fa-ee84-b4b3dd576148} - {841675dd-3b4b-48ee-af7d-7d34ba748a2b} - (no file)
O2 - BHO: (no name) - {CB46BE9E-D967-4AAE-B5C2-A18DEFF0E41E} - (no file)
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: FLV Getter - C:\Program Files\FlvGetter\FlvGetter.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) -
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - https://www.auctionplayer.com/member...eUploader3.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnoNddC - nnnoNddC.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.cartoonbrew.com/archives/...odernlogob.jpg
--
End of file - 6581 bytes


I have the event log from KIS that I made the other day in a notepad file. It is real big so I won't post it unless you need to see it. The history of the infection and all the events including the PID hijacks are listed but like I said it is real big.

I also made a module log file from KIS and that tells of the woes of what my PC has been enduring.

I'll let it up to you if you want to see those homemade log files.

Hope to hear from you when you have the time!

actionlover
  #6  
Old 20th May 2008, 21:21
Moderator
Posts: 7,556
 
I shouldn't need the other logs. Those scans got rid of plenty but there is still more left to deal with. We're getting there though...

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
  • O2 - BHO: {b2a847ab-43d7-d7fa-ee84-b4b3dd576148} - {841675dd-3b4b-48ee-af7d-7d34ba748a2b} - (no file)
  • O2 - BHO: (no name) - {CB46BE9E-D967-4AAE-B5C2-A18DEFF0E41E} - (no file)
  • O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - (no file)
  • O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
  • O20 - Winlogon Notify: nnnoNddC - nnnoNddC.dll (file missing)
Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post.
----------

Now run a new Hijackthis scan and post that log along with the SDFix log.

----------

Did you set this desktop yourself? It's OK if you did, just need to know because sometimes it is done by malware.

O24 - Desktop Component 0: (no name) - http://www.cartoonbrew.com/archives/...odernlogob.jpg
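The selection rule the moderator applied above (BHO, toolbar and Winlogon Notify entries whose DLL is gone are leftovers worth ticking), plus the follow-up check of comparing the log before the fix with the one posted in reply #7, as an added Python example that is not part of the original thread or of HijackThis itself. The sample logs are excerpts of the two HijackThis logs in this thread; the R1 Search Bar line was the moderator's own judgement call and is not reproduced by the rule.

```python
"""HijackThis (v2.0.2) log triage, following the moderator's reasoning in this thread.

Two defender-side checks:
  flag_orphans()    - O2/O3/O20 entries whose target is "(no file)" / "(file missing)".
                      These are dangling registry references left behind after the DLL
                      was removed (here: Vundo leftovers) and are safe to "Fix checked".
  entries_removed() - diff a before/after log to confirm which entries the fix removed.
Sample logs are excerpted from the two HijackThis logs posted in this thread.
"""
import re

# Every HijackThis finding is "<section> - <body>", e.g. "O2 - BHO: ..." or "R1 - HKCU\...".
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# BHOs (O2), toolbars (O3) and Winlogon Notify hooks (O20). A dangling O23 service shows
# the same marker but is a different kind of object; the thread left the one here alone.
ORPHAN_SECTIONS = {"O2", "O3", "O20"}

BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {b2a847ab-43d7-d7fa-ee84-b4b3dd576148} - {841675dd-3b4b-48ee-af7d-7d34ba748a2b} - (no file)
O2 - BHO: (no name) - {CB46BE9E-D967-4AAE-B5C2-A18DEFF0E41E} - (no file)
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - (no file)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnoNddC - nnnoNddC.dll (file missing)
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
--
End of file - 6581 bytes
"""

AFTER_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
--
End of file - 6983 bytes
"""


def parse_entries(log_text):
    """Return (section, body) for every finding line; headers and footers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_orphans(log_text):
    """Entries the orphan rule would tick: orphan-prone section plus a missing target."""
    return [f"{sec} - {body}" for sec, body in parse_entries(log_text)
            if sec in ORPHAN_SECTIONS and any(mk in body for mk in ORPHAN_MARKERS)]


def entries_removed(before_text, after_text):
    """Findings present in the first log but absent from the second (the verification step)."""
    after = {f"{s} - {b}" for s, b in parse_entries(after_text)}
    return [f"{s} - {b}" for s, b in parse_entries(before_text) if f"{s} - {b}" not in after]


def still_present(checked, after_text):
    """Which of the entries that were ticked for fixing survived into the new log."""
    after = {f"{s} - {b}" for s, b in parse_entries(after_text)}
    return [e for e in checked if e in after]


if __name__ == "__main__":
    for e in flag_orphans(BEFORE_LOG):
        print("tick for Fix checked:", e)
    for e in entries_removed(BEFORE_LOG, AFTER_LOG):
        print("gone after the fix:", e)
```

Run against the thread's own logs, the diff shows the five orphan entries gone but the myway Search Bar line still present in the second log, which is exactly the kind of detail a second HijackThis scan is posted to catch.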

  #7  
Old 20th May 2008, 22:42
Full Member
Posts: 69
 
Hi Evil,

It's 1:16 AM E.S.T. and I'm wondering if you are still around?

Here are the latest scans:

SDFix: Version 1.184
Run by Administrator on Wed 05/21/2008 at 12:48 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting

Checking Files :
No Trojan Files Found



Removing Temp Files
ADS Check :


Final Check :
catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 01:03:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :


Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Johnny\\Desktop\\Soulseek.exe"="C:\\Documents and Settings\\Johnny\\Desktop\\Soulseek.exe:*:Enabled:SoulSeek"
"C:\\Program Files\\Auction Submit\\AuctionSubmit3.exe"="C:\\Program Files\\Auction Submit\\AuctionSubmit3.exe:*:Enabled:AuctionSubmit3"
"C:\\Program Files\\FrostWire\\FrostWire.exe"="C:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 9 Jan 2008 48 ..SH. --- "C:\WINDOWS\SBE3E6D49.tmp"
Wed 6 Jul 2005 1,060,864 A..H. --- "C:\Program Files\FlvGetter\libeay32.dll"
Tue 16 Mar 2004 898,048 A..H. --- "C:\Program Files\FlvGetter\libiconv2.dll"
Fri 6 May 2005 103,424 A..H. --- "C:\Program Files\FlvGetter\libintl3.dll"
Wed 6 Jul 2005 200,704 A..H. --- "C:\Program Files\FlvGetter\ssleay32.dll"
Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"
Mon 19 May 2008 56 ..SHR --- "C:\WINDOWS\system32\483654BAD7.sys"
Mon 19 May 2008 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 11 May 2008 294 ..SH. --- "C:\WINDOWS\system32\mliwirhq.tmp"
Fri 30 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 16 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Mon 20 Aug 2001 65,536 ...H. --- "C:\Program Files\EA Games\Firaxis Games\Sid Meiers SimGolf\go_ez.exe"
Mon 20 Aug 2001 577,536 ...H. --- "C:\Program Files\EA Games\Firaxis Games\Sid Meiers SimGolf\Sid Meier's SimGolf_EZ.exe"
Fri 14 Dec 2007 30,633,999 A..H. --- "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\BITA5.tmp"
Tue 4 Apr 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bonnie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bonnie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bonnie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Bonnie\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Mon 9 Apr 2007 8 A..H. --- "C:\Documents and Settings\Gabby\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Gabby\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 12 Apr 2007 8 A..H. --- "C:\Documents and Settings\Gabby\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 18 Apr 2007 8 A..H. --- "C:\Documents and Settings\Gabby\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:41 AM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\sniper.exe\HTJ\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: FLV Getter - C:\Program Files\FlvGetter\FlvGetter.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) -
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/tes...enXInstall.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolor.com/ClarkActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4BFD075D-C36E-4F28-BB0A-5D472795197A} (PowerLoader Class) - http://www.powerchallenge.com/applet/PowerLoader.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - https://www.auctionplayer.com/member...eUploader3.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O20 - AppInit_DLLs: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GearSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.cartoonbrew.com/archives/...odernlogob.jpg
--
End of file - 6983 bytes

I'm not crazy about those bittorrent files that were found in the first scan. That is where my problems began. I'll never ever try that again!! Will they cause any more harm??


I have gotten a bunch of desktop icons over the past few days trying to run diagnostics on this PC. Normally I only have 10 icons or so running. I guess I should delete a bunch after this process is done?

I have no idea what that cartoon thing is?? I did not even notice it on there. How do I get rid of that? It must be disguised because I don't see any "cartoon" related icon on my desktop?? Maybe it's that java icon?? I D/L'd so many programs in the past few days my head is spinnin' ! Should I get rid of the diagnostic tools I D/L'd including the ones you suggested?

Is it time to ask a few more questions? I wanted to ask about the three IE icons in my IE folder. I was told to rename the icon when I was getting that looping thing. I was getting two or three IEXPLORE.EXE processes running in my task manager. When I tried to delete them more showed up. So I was told to rename them. There are three there now. I renamed one and two popped up.

So which one do I leave there? Two are named iexplorer.exe and one is named IEXPLORE.EXE ( without the R ).

Also, Kaspersky deleted one of the virii that lived in my System Information Folder - I hear that's where the system restore points lived. Now my folder is grayed out and is empty. Can I ever use my system restore function again?

Ok - that's about it from me.

My PC is running much smoother now. I think we may have zapped stuff that's been living in this pc for a long time. I don't ever remember it running so fast.

Oooops - one last thing - unless you are not done with me? Can a hacker still see my stuff? I don't keep anything of interest on this thing. I'm not sure they could see or get anything worthwhile off here. There are no financial items on here - really nothing to see.

Let me know what I need to do next - if you are still around that is....

Best,
actionlover
  #8  
Old 20th May 2008, 23:16
Moderator
Posts: 7,556
 
The logs are actually looking much better but with the IE icon problems and system restore not working we need to run a more thorough scan to see what is going on.

We will do some cleanup steps before we finish up and hopefully get things back to the way they were.

I like to say that torrents are the new malware...

----------

Download Combofix by sUBs from one of the below links.
(Try all three if necessary)

Important! Combofix.exe MUST be saved to and ran from the Desktop.
  • Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • Choose Yes to accept the Disclaimers.
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

If needed, see this Combofix tutorial with screenshots that will detail the downloading and running of combofix more thoroughly.

----------

Create An Uninstall List
  • Start HijackThis
  • Click on the Open the Misc Tools section
  • Click on the Open Uninstall Manager button.
  • Click on the Save list button and specify where you would like to save this file and click Save.
    • When you press Save button a notepad will open with the contents of that file.
  • Copy and paste that list in your reply.

----------

Next post add
Combofix log
Uninstall list

  #9  
Old 20th May 2008, 23:33
Full Member
Posts: 69
 
Evil,

I'm not sure how to disable script blocking. I don't think I have any other real time protection running. I turned off Kaspersky and tore down the firewall in Kaspersky and Windows.

How do I disable script blocking - whatever that is. I'm a newbie to the 10th power.

actionlover
  #10  
Old 20th May 2008, 23:37
Moderator
Posts: 7,556
 
As long as you have turned off what you can everything should be fine. If Kaspersky stops combofix let me know and we will try running it another way.