
Virus: MemScan:Trojan.Downloader.Mohbpork.A

Discussion in 'Malware and Virus Removal Archive' started by Dcmurray, 2006/11/09.

  1. 2006/11/09, Dcmurray (Thread Starter)
    Hi! It's my first time here and I'm hoping this will help. I use Freedom antivirus (through my internet supplier) but I also use BitDefender. When I scan with BitDefender it always picks up this virus and sends it to quarantine, but when I scan again it will continually pick it up. Some shortcuts have mysteriously been removed from my desktop, often links won't work on web pages, and generally the computer is just not performing as expected. Extremely slow on startup, very slow when connecting to the internet, lots of freeze-ups and many, many programs not responding. Can you help? Thanks, Dana
     
  2. 2006/11/09, TeMerc (Inactive Alumni)
    Hello and welcome to WindowsBBS Forums.

    Here is how we like to begin our analysis of your pc:

    For starters, if you do not have them yet, please DL and run AdAware & Spybot Search & Destroy. AdAware and Spybot Search & Destroy are 2 of the most trusted apps in the security area. They are both free, complement each other nicely, and do not use a lot of resources. They can be found here:

    Spybot Search & Destroy v.1.4
    AdAware SE Free v1.06r

    With AdAware and Spybot: DL, follow the install instructions, check for updates, then scan, repair/remove/quarantine anything found. Reboot before next scan with whichever app is next. The reason for running these apps, is to clean up some of the other 'crapware' on your pc, which, in turn, will make deciphering your HJT log, easier.

    Then we use HijackThis v1.99.1 (zip).
    DL the zip file to your desktop, then create a new folder on your C: drive called 'HJT' or 'HijackThis' and unzip the files into it. When you run HijackThis.exe from the C:\HJT folder and use "Fix checked", it will create a backup of the modifications, easily accessible if a restore is necessary.

    Run the program, and press Scan. You will notice the Scan button will turn into a "Save Log" button. Save the log and Post that log onto this topic. DO NOT DELETE or modify anything yet, as some of it is needed to keep your system in proper working order.
     


  4. 2006/11/09, Dcmurray (Thread Starter)
    HijackThis log attached; hope I did everything right.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:29:43 PM, on 11/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\lg_fwupdate\fwupdate.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe "
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142097753734
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us14/n.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4004005C-6A51-46E6-B143-D00612DC5610}: NameServer = 85.255.115.98,85.255.112.80
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF557216-E0A6-4C2A-A647-CCA870042E7D}: NameServer = 85.255.115.98,85.255.112.80
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A72C86-879D-4423-B4DC-E2BB220FDFDE}: NameServer = 85.255.115.98,85.255.112.80
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
     
  5. 2006/11/09, TeMerc (Inactive Alumni)
    I'd like to see some more info off your machine before we continue.

    Please download SilentRunners from here

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see.
     
  6. 2006/11/09, Dcmurray (Thread Starter)
    Silent Runners log

    Please find attached the Silent Runners log as requested.

    Thank you!!


    "Silent Runners.vbs ", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "PowerBar" = "(empty string)" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IntelAudioStudio" = " "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT" [ "Intel Corporation"]
    "IAAnotif" = "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [ "Intel Corporation"]
    "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" [ "Ahead Software Gmbh"]
    "igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" [ "Intel Corporation"]
    "igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" [ "Intel Corporation"]
    "igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" [ "Intel Corporation"]
    "SigmatelSysTrayApp" = "sttray.exe" [file not found]
    "RemoteControl" = " "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" " [ "Cyberlink Corp."]
    "InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" [ "Nero AG"]
    "LGODDFU" = " "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun" [null data]
    "HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ "Hewlett-Packard Development Company, L.P."]
    "Motive SmartBridge" = "C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe" [ "Motive Communications, Inc."]
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [ "Sun Microsystems, Inc."]
    "TkBellExe" = " "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [ "RealNetworks, Inc."]
    "Freedom" = "C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" [ "Zero-Knowledge Systems Inc."]
    "BDMCon" = " "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg" [ "SOFTWIN S.R.L."]
    "BDAgent" = " "C:\Program Files\Softwin\BitDefender10\bdagent.exe" " [ "SOFTWIN S.R.L."]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax "
    \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
    {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider "
    \StubPath = "rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class "
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
    {3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO "
    -> {HKLM...CLSID} = "PopKill Class "
    \InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\pkR.dll" [ "Zero-Knowledge Systems Inc."]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [ "Safer Networking Limited"]
    {56071E0D-C61B-11D3-B41C-00E02927A304}\(Default) = "Form Filler BHO "
    -> {HKLM...CLSID} = "ZKBho Class "
    \InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll" [ "Zero-Knowledge Systems Inc."]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension "
    -> {HKLM...CLSID} = "Display Panning CPL Extension "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" [ "Hilgraeve, Inc."]
    "{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW "
    -> {HKLM...CLSID} = "Shell Extension for CDRW "
    \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" [ "Nero AG"]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes "
    -> {HKLM...CLSID} = "iTunes "
    \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" [file not found]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player "
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class "
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [ "RealNetworks, Inc."]
    "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8 "
    -> {HKLM...CLSID} = "BDMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender10\bdshelxt.dll" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5} "
    -> {HKLM...CLSID} = "WPDShServiceObj Class "
    \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    <<!>> "AppInit_DLLs" = "sockspy.dll" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    <<!>> "System" = "csnbo.exe" [null data]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxdev.dll" [ "Intel Corporation"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B} "
    -> {HKLM...CLSID} = "BDMenu Class "
    \InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender10\bdshelxt.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp "


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\system32\sspipes.scr" [MS]


    Startup items in "Owner" & "All Users" startup folders:
    -------------------------------------------------------

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" [ "Hewlett-Packard Development Company, L.P."]
    "Net Assistant" -> shortcut to: "C:\Program Files\Aliant\Net Assistant\bin\matcli.exe -boot" [ "Motive Communications, Inc."]


    Enabled Scheduled Tasks:
    ------------------------

    "Ad-Aware SE Personal" -> launches: "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" [ "Lavasoft Sweden"]
    "AVG Free Control Center" -> launches: "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [file not found]
    "CCleaner" -> launches: "C:\PROGRA~1\CCleaner\ccleaner.exe" [ "Piriform Ltd"]
    "CleanUp!" -> launches: "C:\PROGRA~1\CleanUp!\Cleanup.exe" [ "Steven R. Gould"]
    "Spybot - Search & Destroy" -> launches: "C:\PROGRA~1\SPYBOT~1\SpybotSD.exe" [ "Safer Networking Limited"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "
    -> {HKCU...CLSID} = "Java Plug-in "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" [ "Sun Microsystems, Inc."]

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8 "
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Windows Messenger "
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    BitDefender Communicator, XCOMM, " "C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" [ "Softwin"]
    BitDefender Desktop Update Service, LIVESRV, " "C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service" [ "SOFTWIN S.R.L."]
    BitDefender Scan Server, bdss, " "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
    BitDefender Virus Shield, VSSERV, " "C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service" [ "SOFTWIN S.R.L."]
    DvpApi, dvpapi, " "C:\Program Files\Common Files\Command Software\dvpapi.exe" " [ "Command Software Systems, Inc."]
    InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" [ "Nero AG"]
    Intel(R) Matrix Storage Event Monitor, IAANTMon, "C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe" [ "Intel Corporation"]
    SigmaTel Audio Service, STacSV, "C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe" [ "SigmaTel, Inc."]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" [ "Hewlett Packard"]
    Language Monitor\Driver = "hpz3l054.dll" [ "Hewlett-Packard Company"]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points, use the -supp parameter or answer "No" at the
    first message box and "Yes" at the second message box.
    ---------- (total run time: 69 seconds, including 17 seconds for message boxes)
     
  7. 2006/11/09, TeMerc (Inactive Alumni)
    Ok, thanks for running that tool. It showed a file which was not present in the HJT log.


    Below you will find my results and recommendations from your HijackThis! log file analysis. Please read ALL instructions carefully BEFORE proceeding.

    Download combofix.exe. Save it to your desktop

    Do not use it yet, we will shortly.


    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It cannot be installed on the desktop.

    You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and use "Fix checked", it will create a backup of the modifications, easily accessible if a restore is necessary.


    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\System32\csnbo.exe

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


    Do not reboot yet.

    Run HijackThis and look over the following entries I have listed, check the boxes next to them, and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.




    O17 - HKLM\System\CCS\Services\Tcpip\..\{4004005C-6A51-46E6-B143-D00612DC5610}: NameServer = 85.255.115.98,85.255.112.80

    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF557216-E0A6-4C2A-A647-CCA870042E7D}: NameServer = 85.255.115.98,85.255.112.80

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A72C86-879D-4423-B4DC-E2BB220FDFDE}: NameServer = 85.255.115.98,85.255.112.80


    Reboot then run ComboFix:
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Once that has run, also please give me a fresh HJT log file.
     
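    The checks made by eye in the analysis above (a static NameServer pair written into every interface's Tcpip key, an O16 ActiveX download from an unfamiliar host, O23 services that HijackThis 1.99.1 reports as "(file missing)" while their processes are plainly running, and the <<!>> launch points in the Silent Runners log) can be applied mechanically to both log formats. The Python below is an added example, not code from the thread or from either tool; its sample lines are constructed from the logs posted above, and the resolver and ActiveX-host allowlists are assumptions an analyst would supply.

```python
"""Triage of HijackThis 1.99.1 and Silent Runners output (added example).

Not code from the thread or from either tool: it re-applies, over sample
lines modelled on the posted logs, the checks the helper made by eye.
The resolver and ActiveX-host allowlists are analyst-supplied assumptions.
"""
import re
from collections import Counter

# Assumed allowlist of hosts an O16 ActiveX download may legitimately come from.
KNOWN_DPF_HOSTS = ("microsoft.com", "bitdefender.com", "trendmicro.com", "gc.ca")

# Constructed sample in HijackThis log format (abridged from the posts above).
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/wuweb_site.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us14/n.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4004005C-6A51-46E6-B143-D00612DC5610}: NameServer = 85.255.115.98,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF557216-E0A6-4C2A-A647-CCA870042E7D}: NameServer = 85.255.115.98,85.255.112.80
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
"""

# Constructed sample in Silent Runners format; <<!>> is the tool's own "suspicious" marker.
SAMPLE_SR = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "sockspy.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "System" = "csnbo.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
"""


def parse_hjt(text):
    """Return (running-process basenames, [(section, body), ...]) from an HJT log."""
    procs, entries = set(), []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            procs.add(line.rsplit("\\", 1)[-1].lower())
    return procs, entries


def triage_hjt(text, expected_resolvers=(), known_hosts=KNOWN_DPF_HOSTS):
    """Return (severity, section, message) findings for the HJT sections that matter here."""
    procs, entries = parse_hjt(text)
    findings, resolver_sets = [], Counter()
    for sec, body in entries:
        if sec == "O17":  # per-interface static DNS servers
            m = re.search(r"NameServer = ([\d.,]+)", body)
            if m and not set(m.group(1).split(",")) <= set(expected_resolvers):
                resolver_sets[m.group(1)] += 1
                findings.append(("high", sec, f"static resolvers {m.group(1)} not in expected set"))
        elif sec == "O16":  # ActiveX control fetched from the web
            m = re.search(r"https?://([^/\s]+)", body)
            host = m.group(1).lower() if m else ""
            if not any(host == h or host.endswith("." + h) for h in known_hosts):
                findings.append(("medium", sec, f"ActiveX download from unlisted host {host}"))
        elif sec == "O23" and "(file missing)" in body:
            m = re.search(r"\\([^\\]+\.exe)", body, re.I)
            exe = m.group(1).lower() if m else ""
            if exe in procs:  # HJT 1.99.1 misreads a quoted ImagePath that carries arguments
                findings.append(("info", sec, f"{exe} reported missing but is running: quoting artefact"))
            else:
                findings.append(("low", sec, f"service binary {exe} absent: orphaned service"))
    for ips, n in resolver_sets.items():
        if n > 1:  # one foreign resolver pair forced onto every interface is the hijack pattern
            findings.append(("high", "O17", f"resolvers {ips} set on {n} interfaces"))
    return findings


def triage_silent_runners(text):
    """Return <<!>> launch points; unsigned or missing binaries rank above vendor-signed ones."""
    findings, key = [], ""
    pat = re.compile(r'<<!>>\s+"?([^"=]+?)"?\s*=\s*"([^"]*)"\s*\[(.*)\]$')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("HK"):
            key = line
        elif line.startswith("<<!>>") and (m := pat.match(line)):
            name, value, signer = m.groups()
            sev = "high" if signer.strip() in ("null data", "file not found") else "low"
            findings.append((sev, key + name, value))
    return findings


if __name__ == "__main__":
    for sev, where, msg in triage_hjt(SAMPLE_HJT) + triage_silent_runners(SAMPLE_SR):
        print(f"[{sev}] {where}: {msg}")
```

    With no expected resolvers given, every static O17 entry is flagged, which is the right default for a home XP box behind an ISP: DNS servers normally arrive by DHCP, and a fixed pair written into each interface's key is the pattern in the log above. The "info" finding on vsserv.exe shows why "(file missing)" on an O23 line should be checked against the running-process list before anything is removed, and the Silent Runners ranking puts the unsigned AppInit_DLLs and Winlogon\System entries ahead of the Intel-signed Winlogon Notify handler the tool also marks.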
  8. 2006/11/10, Dcmurray (Thread Starter)
    Killbox not working

    Hey - Thanks for your help so far!!!!

    I have just downloaded Killbox to the desktop and when I try to run it the following message comes up.

    "Component 'MSCOMCTL.OCX' or one of its dependencies not correctly registered: A file is missing or invalid."

    I have only moved the HJT from the desktop to its own folder in "My Computer" so far and will wait for further instructions.

    Thanks Again!!!
     
  9. 2006/11/10, Dcmurray (Thread Starter)
    Some Changes

    While I was out today, my son downloaded the latest Windows update, which included Explorer 7. Since that happened, when I log on I am now receiving the following message:

    SMARTBRIDGE ALERTS: MOTIVESM.EXE ENTRY POINT NOT FOUND.
    The procedure entry point GetProcessImageFileNameW could not be located in the dynamic link library PSAPI.DLL

    Because of my extremely limited computer know how, I don't know what this means or if the downloads will affect anything you have done so far.

    I thought I would let You know just in case.

    PS. I had a peek at your website and found it very informative so far. Thanks.
     
  10. 2006/11/10, TeMerc (Inactive Alumni)
    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
    See this MS support page
     
  11. 2006/11/11, Dcmurray (Thread Starter)
    OK - Logs as requested

    After the Explorer 7 version was downloaded and after using the links that you provided for me, it was still not working for me and I was unable to connect to the internet. I used System Restore to a point yesterday prior to the update. Please find a HijackThis log which was run immediately after the System Restore.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:37:43 PM, on 11/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\lg_fwupdate\fwupdate.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142097753734
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us14/n.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4004005C-6A51-46E6-B143-D00612DC5610}: NameServer = 85.255.115.98,85.255.112.80
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF557216-E0A6-4C2A-A647-CCA870042E7D}: NameServer = 85.255.115.98,85.255.112.80
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A72C86-879D-4423-B4DC-E2BB220FDFDE}: NameServer = 85.255.115.98,85.255.112.80
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
     
  12. 2006/11/11
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Continued

    I then followed your instructions for Killbox but at the Pending Operations prompt the only option was "OK". There were yes or no options. I clicked OK and continued. Please find the HijackThis log which was run after checking the entries as instructed.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:40:55 PM, on 11/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\lg_fwupdate\fwupdate.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Aliant\Net Assistant\bin\mpbtn.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Aliant\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Net Assistant.lnk = C:\Program Files\Aliant\Net Assistant\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-seg.gc.ca/applets/entrusttruepassapplet-epf.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142097753734
    O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
    O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB77} - http://dinet.info/n/us14/n.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



    Rebooted as instructed and ran Combofix. The log follows.

    Owner - 06-11-11 14:44:29.78 Service Pack 2
    ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Owner\Desktop"

    ((((((((((((((((((((((((((((((( Files Created from 2006-10-11 to 2006-11-11 ))))))))))))))))))))))))))))))))))


    2006-10-29 10:02 325 --a------ C:\WINDOWS\initialize.bat
    2006-10-29 07:36 33,408 --------- C:\WINDOWS\system32\drivers\freedom.sys
    2006-10-22 10:26 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-11-11 14:46 -------- d-------- C:\Program Files\Common Files\Command Software
    2006-11-11 14:43 -------- d-------- C:\Program Files\lg_fwupdate
    2006-11-11 11:36 -------- d-------- C:\Program Files\Microsoft Games
    2006-11-11 11:35 -------- d-------- C:\Program Files\Internet Explorer
    2006-11-11 11:35 -------- d-------- C:\Program Files\Common Files\PestPatrol
    2006-11-09 11:24 -------- d-------- C:\Program Files\Lavasoft
    2006-11-09 11:24 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
    2006-11-08 17:34 -------- d-------- C:\Program Files\QuickTime
    2006-11-08 17:33 -------- d-------- C:\Program Files\Hard Truck 18 Wheels
    2006-11-07 19:32 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-11-06 10:58 -------- d-------- C:\Program Files\directx
    2006-11-05 19:47 -------- d-------- C:\Documents and Settings\Owner\Application Data\Bitdefender
    2006-11-05 19:42 -------- d-------- C:\Program Files\Softwin
    2006-11-05 19:42 -------- d-------- C:\Program Files\Common Files\Softwin
    2006-11-03 12:44 -------- d-------- C:\Program Files\Common Files
    2006-11-03 10:27 241 --a------ C:\Program Files\setuplog.txt
    2006-11-01 23:16 -------- d-------- C:\Program Files\Real
    2006-10-29 11:43 -------- d-------- C:\Program Files\LimeWire
    2006-10-29 09:01 -------- d-------- C:\Documents and Settings\Owner\Application Data\Image Zone Express
    2006-10-29 07:38 -------- d-------- C:\Documents and Settings\Owner\Application Data\Zero Knowledge
    2006-10-29 07:36 -------- d-------- C:\Program Files\Zero Knowledge
    2006-10-15 07:47 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
    2006-10-14 23:52 -------- d-------- C:\Program Files\ATS2
    2006-10-14 23:48 -------- d-------- C:\Documents and Settings\Owner\Application Data\Comodo
    2006-10-14 22:59 -------- d-------- C:\Program Files\Trustix
    2006-10-13 07:33 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-10-05 13:16 -------- d-------- C:\Program Files\Windows Media Player
    2006-10-05 13:16 -------- d-------- C:\Program Files\Windows Media Connect 2
    2006-10-01 17:35 -------- d-------- C:\Program Files\Ahead
    2006-09-30 21:20 -------- d-------- C:\Documents and Settings\Owner\Application Data\CyberLink
    2006-09-29 17:39 -------- d-------- C:\Program Files\fsupport
    2006-09-24 20:01 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
    2006-09-24 19:57 -------- d-------- C:\Program Files\Common Files\xing shared
    2006-09-24 19:57 -------- d-------- C:\Program Files\Common Files\Real
    2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
    2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
    2006-08-24 21:42 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
    2006-08-24 21:42 8704 --a------ C:\WINDOWS\system32\uwdf.exe
    2006-08-24 21:30 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
    2006-08-24 21:30 990208 --a------ C:\WINDOWS\system32\drmv2clt.dll
    2006-08-24 21:30 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
    2006-08-24 21:30 8337920 --a------ C:\WINDOWS\system32\wmploc.dll
    2006-08-24 21:30 790016 --------- C:\WINDOWS\system32\WMVSENCD.dll
    2006-08-24 21:30 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
    2006-08-24 21:30 7168 --a------ C:\WINDOWS\system32\asferror.dll
    2006-08-24 21:30 656896 --------- C:\WINDOWS\system32\WMVXENCD.dll
    2006-08-24 21:30 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
    2006-08-24 21:30 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
    2006-08-24 21:30 611840 --------- C:\WINDOWS\system32\wmpmde.dll
    2006-08-24 21:30 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
    2006-08-24 21:30 537600 --a------ C:\WINDOWS\system32\blackbox.dll
    2006-08-24 21:30 532992 --------- C:\WINDOWS\system32\wmdrmsdk.dll
    2006-08-24 21:30 428032 --a------ C:\WINDOWS\system32\wmdrmdev.dll
    2006-08-24 21:30 414208 --a------ C:\WINDOWS\system32\msscp.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
    2006-08-24 21:30 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
    2006-08-24 21:30 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
    2006-08-24 21:30 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
    2006-08-24 21:30 349184 --a------ C:\WINDOWS\system32\wpdsp.dll
    2006-08-24 21:30 347648 --a------ C:\WINDOWS\system32\wmdrmnet.dll
    2006-08-24 21:30 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
    2006-08-24 21:30 320512 --a------ C:\WINDOWS\system32\mswmdm.dll
    2006-08-24 21:30 316928 --------- C:\WINDOWS\system32\MP4SDECD.dll
    2006-08-24 21:30 314368 --a------ C:\WINDOWS\system32\wmpdxm.dll
    2006-08-24 21:30 305152 --------- C:\WINDOWS\system32\MSDelta.dll
    2006-08-24 21:30 295424 --------- C:\WINDOWS\system32\wmpeffects.dll
    2006-08-24 21:30 284160 --a------ C:\WINDOWS\system32\portabledeviceapi.dll
    2006-08-24 21:30 276480 --a------ C:\WINDOWS\system32\audiodev.dll
    2006-08-24 21:30 27648 --a------ C:\WINDOWS\system32\mspmsnsv.dll
    2006-08-24 21:30 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
    2006-08-24 21:30 2589184 --------- C:\WINDOWS\system32\WpdShext.dll
    2006-08-24 21:30 258560 --------- C:\WINDOWS\system32\MP43DECD.dll
    2006-08-24 21:30 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
    2006-08-24 21:30 242176 --a------ C:\WINDOWS\system32\wmpasf.dll
    2006-08-24 21:30 228352 --a------ C:\WINDOWS\system32\cewmdm.dll
    2006-08-24 21:30 227328 --a------ C:\WINDOWS\system32\wmerror.dll
    2006-08-24 21:30 222208 --a------ C:\WINDOWS\system32\WMASF.dll
    2006-08-24 21:30 211968 --------- C:\WINDOWS\system32\MFPLAT.dll
    2006-08-24 21:30 210432 --a------ C:\WINDOWS\system32\qasf.dll
    2006-08-24 21:30 204800 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
    2006-08-24 21:30 198144 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
    2006-08-24 21:30 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
    2006-08-24 21:30 175104 --a------ C:\WINDOWS\system32\mspmsp.dll
    2006-08-24 21:30 166912 --a------ C:\WINDOWS\system32\portabledevicetypes.dll
    2006-08-24 21:30 1660416 --a------ C:\WINDOWS\system32\wmpencen.dll
    2006-08-24 21:30 157184 --a------ C:\WINDOWS\system32\wmidx.dll
    2006-08-24 21:30 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
    2006-08-24 21:30 1539584 --------- C:\WINDOWS\system32\WMVDECOD.dll
    2006-08-24 21:30 1532416 --------- C:\WINDOWS\system32\WMVENCOD.dll
    2006-08-24 21:30 1392128 --------- C:\WINDOWS\system32\WMVSDECD.dll
    2006-08-24 21:30 133120 --a------ C:\WINDOWS\system32\wpdshserviceobj.dll
    2006-08-24 21:30 1327616 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
    2006-08-24 21:30 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
    2006-08-24 21:30 130048 --------- C:\WINDOWS\system32\wmpps.dll
    2006-08-24 21:30 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
    2006-08-24 21:30 1118208 --a------ C:\WINDOWS\system32\WMADMOE.dll
    2006-08-24 21:30 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
    2006-08-24 19:31 100864 --a------ C:\WINDOWS\system32\logagent.exe
    2006-08-24 19:27 249344 --------- C:\WINDOWS\system32\drmupgds.exe
    2006-08-24 19:26 95288 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
    2006-08-24 19:26 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
    2006-08-24 18:19 316416 --------- C:\WINDOWS\system32\WUDFx.dll
    2006-08-24 18:19 145920 --------- C:\WINDOWS\system32\WudfHost.exe
    2006-08-24 18:18 56320 --------- C:\WINDOWS\system32\WudfSvc.dll
    2006-08-24 18:18 168448 --------- C:\WINDOWS\system32\WudfPlatform.dll
    2006-08-22 16:08 77824 --a------ C:\WINDOWS\system32\xcomm.dll
    2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
    2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
    2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
    2006-08-11 19:14 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2006-08-08 11:33 774144 --a------ C:\Program Files\RngInterstitial.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "PowerBar"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IntelAudioStudio"="\"C:\\Program Files\\Intel Audio Studio\\IntelAudioStudio.exe\" BOOT"
    "IAAnotif"="C:\\Program Files\\Intel\\Intel Matrix Storage Manager\\iaanotif.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "SigmatelSysTrayApp"="sttray.exe"
    "RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
    "InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
    "LGODDFU"="\"C:\\Program Files\\lg_fwupdate\\fwupdate.exe\" blrun"
    "HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "Motive SmartBridge"="C:\\PROGRA~1\\Aliant\\NETASS~1\\SMARTB~1\\MotiveSB.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "Freedom"="C:\\Program Files\\Zero Knowledge\\Freedom\\Freedom.exe"
    "BDMCon"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdmcon.exe\" /reg"
    "BDAgent"="\"C:\\Program Files\\Softwin\\BitDefender10\\bdagent.exe\""

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,e2,02,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,9c,00,00,00,00,00,00,00,64,03,00,00,e2,02,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



    ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    backup-20061111-143940-673
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A72C86-879D-4423-B4DC-E2BB220FDFDE}: NameServer = 85.255.115.98,85.255.112.80
    backup-20061111-143940-519
    O17 - HKLM\System\CCS\Services\Tcpip\..\{CF557216-E0A6-4C2A-A647-CCA870042E7D}: NameServer = 85.255.115.98,85.255.112.80
    backup-20061111-143940-665
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4004005C-6A51-46E6-B143-D00612DC5610}: NameServer = 85.255.115.98,85.255.112.80

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Ad-Aware SE Personal.job
    C:\WINDOWS\tasks\AVG Free Control Center.job
    C:\WINDOWS\tasks\CCleaner.job
    C:\WINDOWS\tasks\CleanUp!.job
    C:\WINDOWS\tasks\Spybot - Search & Destroy.job

    Completion time: 06-11-11 14:47:11.87
    C:\ComboFix.txt ... 06-11-11 14:47


    FYI - I reran Freedom antispyware prior to the above and it found 757 entries. These files also consistently show up when I run this program. These are the applications that always show up. I don't know if it is any help to you but I thought I would let you have a look anyways.

    MidAddle Application 11/9/2006 7:25:01 PM
    WinNuker 0.2 Application 11/9/2006 7:25:01 PM
    2o7.net Tracking cookie 11/10/2006 1:19:40 PM
    2o7.net Tracking cookie 11/10/2006 2:03:44 PM
    2o7.net Tracking cookie 11/11/2006 12:37:02 PM
    Downloader.WinAntiSpyware2006 Application 11/11/2006 1:08:34 PM
    Media Pass Application 11/11/2006 1:08:34 PM
    (There were over 700 files of this today.)

    Again, Thank you for all of your help so far.
     
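    The three O17 NameServer entries that HijackThis backed up above are the kind of thing a helper checks first, because a statically configured resolver that the owner did not choose answers every DNS lookup on that adapter. The following is an added example, not code from this thread or from HijackThis: it parses HijackThis-format log text, flags O17 entries whose servers are not on an allow-list, and confirms from the later log that the flagged entries are gone. The two log excerpts are constructed from the entries posted above; the allow-list of trusted resolvers is an assumption (the thread does not name the ISP's servers).

```python
"""Check HijackThis logs for statically configured DNS servers (O17 entries)
and confirm, from a later log, that flagged entries were removed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts built from the entries posted in this thread: the log
# before the O17 lines were fixed, and the one posted after the fix.
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{4004005C-6A51-46E6-B143-D00612DC5610}: NameServer = 85.255.115.98,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF557216-E0A6-4C2A-A647-CCA870042E7D}: NameServer = 85.255.115.98,85.255.112.80
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9A72C86-879D-4423-B4DC-E2BB220FDFDE}: NameServer = 85.255.115.98,85.255.112.80
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Assumed allow-list: the resolvers this machine is expected to use (e.g. the
# ISP's). Not from the thread; an administrator fills this in for their network.
TRUSTED_RESOLVERS: Set[str] = {"192.0.2.53", "192.0.2.54"}

# "R0 - ...", "O17 - ..." and so on; the process list and headers do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Body of an O17 line: adapter GUID under Tcpip\Interfaces, then the server list.
O17_RE = re.compile(
    r"HKLM\\System\\CCS\\Services\\Tcpip\\\.\.\\\{(?P<guid>[0-9A-Fa-f-]+)\}:"
    r"\s*NameServer\s*=\s*(?P<servers>[0-9.,\s]+)$"
)


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section, body) pairs, skipping
    everything that is not an R/O entry (headers, process list, blanks)."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def nameserver_entries(log: str) -> Dict[str, List[str]]:
    """Map each adapter GUID in the O17 entries to its configured DNS servers."""
    result: Dict[str, List[str]] = {}
    for section, body in parse_hjt(log):
        if section != "O17":
            continue
        m = O17_RE.match(body)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            result[m.group("guid").upper()] = servers
    return result


def unexpected_nameservers(log: str, trusted: Set[str]) -> Dict[str, List[str]]:
    """Return the O17 entries whose DNS servers are not all on the allow-list."""
    return {
        guid: servers
        for guid, servers in nameserver_entries(log).items()
        if any(ip not in trusted for ip in servers)
    }


def fix_confirmed(before: str, after: str, trusted: Set[str]) -> bool:
    """True when `before` had flagged adapters and `after` has none left,
    i.e. the fix removed every unexpected resolver and introduced no new one."""
    flagged_before = set(unexpected_nameservers(before, trusted))
    flagged_after = set(unexpected_nameservers(after, trusted))
    return bool(flagged_before) and not flagged_after


if __name__ == "__main__":
    for guid, servers in unexpected_nameservers(BEFORE_LOG, TRUSTED_RESOLVERS).items():
        print(f"adapter {guid}: DNS set to {', '.join(servers)} (not on allow-list)")
    print("fix confirmed:", fix_confirmed(BEFORE_LOG, AFTER_LOG, TRUSTED_RESOLVERS))
```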
  13. 2006/11/11
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Microsoft Support

    After posting the previous logs, I was in contact with Microsoft Support who took control of my computer and redownloaded IE 7.
    The following is a list of changes made:

    Action: Customer installed IE7

    Result: Customer got error message "Procedure entry point GetProcessImageFileNameW could not be located in the dynamic link library psapi.dll"

    Cause: Motive Smart Bridge

    Resolution: Renamed psapi.dll to psapi.old and added registry values

    HKCU\software\Microsoft\Internet Explorer\Main\RunOnceHasShown, RunOnceComplete

    I'm unsure if any of these changes affect what you are trying to help me with, so as the changes come up, I will keep you updated.

    Thank You
     
    Last edited: 2006/11/11
  14. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Ok, the HJT log and ComboFix logs appear to be ok.

    Can you please give me the file paths the Freedom software found these infections, or are they registry points?

    Cookies of any sort can be omitted from any logs\findings as they do not pose a threat. They are merely text files.
     
  15. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Trojan

    I tried to find the paths with Freedom but the only information that I can find is basically what I gave to you already. Unless I just ain't looking in the right place. Please see the last post, I found the files!

    The other problem that I keep coming up against is this Trojan that keeps showing up on my system. Only BitDefender finds it but is there a way that I can format Freedom to stop this from even getting this far? I have included the Bit Defender log which shows a lot more info than the Freedom log.


    My trial version of Bit Defender expires today, although the free scan is still available and works to remove the Trojan files. Is it possible that I have a file that is creating this Trojan or does it always have to enter through the internet?

    Another problem that continues is more often than not, when I click on a link, it does nothing. So I have to right click and copy shortcut.

    //-----------------------------------------------------------------
    //
    // Product BitDefender Antivirus Plus v10
    // Product 10.0
    //
    // Created on: 07/11/2006 19:11:19
    //
    //-----------------------------------------------------------------


    Virus Statistics

    Scan path : C:\
    Folders : 4637
    Files : 174323
    Memory processes scanned : 43
    Archives : 1541
    Runtime packers : 6225
    Identified viruses : 1
    Infected files : 17
    Memory processes infected : 0
    Suspect files : 0
    Warnings : 0
    Disinfected files : 0
    Deleted files : 0
    Moved files : 17
    I/O errors : 580
    Scan time : 00:33:54
    Scan speed (files/sec) : 85

    Spyware Statistics

    Registry keys scanned : 1601
    Registry keys infected : 0
    Cookies scanned : 1
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0


    Virus definitions : 334933
    Scan plugins : 15
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options

    Detection
    [X] Scan boot sectors
    [X] Memory Processes
    [X] Scan archives
    [X] Scan runtime packers
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Move to quarantine
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [X] Move to quarantine
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1162941079.log

    Spyware scan options

    [X] Scan for riskware
    [ ] Skip dial and applications from scan
    [X] Registry keys
    [X] Cookies


    Summary:

    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0145307.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0145307.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0145307.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0145329.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0145329.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0145329.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0146329.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0146329.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0146329.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0147329.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0147329.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0147329.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148329.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148329.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148329.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148343.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148343.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148343.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148354.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148354.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148354.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148362.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148362.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP183\A0148362.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0149362.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0149362.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0149362.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0150362.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0150362.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0150362.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0151362.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0151362.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0151362.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0151373.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0151373.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0151373.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152373.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152373.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152373.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152385.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152385.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152385.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152394.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152394.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152394.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152402.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152402.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0152402.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0153402.exe Infected: MemScan:Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0153402.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP184\A0153402.exe Moved


    Some problems that I am still having are a lot of "Not Responding" prompts; Outlook Express is the main issue there - often Outlook cannot connect. Although, it isn't just Outlook. When I tried to run Spybot yesterday, it ran for over 2 hours and only 1100 files were scanned within that time. The mouse was extremely jumpy while Spybot was open, but when I closed it, the mouse went back to normal.

    I also use "CleanUp". Normally, this will run extremely fast, but now it runs sporadically, although it still gets the job done.

    So, in short, my system is running much better, but it still isn't all the way there yet.

    I soooo appreciate your help. Thank you.
     
    Last edited: 2006/11/12
  16. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    More Trojans

    I have just rescanned with Bit Defender. Please find below the results again!


    //-----------------------------------------------------------------
    //
    // Product BitDefender Antivirus Plus v10
    // Product 10.0
    //
    // Created on: 12/11/2006 10:59:53
    //
    //-----------------------------------------------------------------


    Virus Statistics

    Scan path : C:\
    Folders : 4618
    Files : 155454
    Memory processes scanned : 41
    Archives : 1662
    Runtime packers : 6068
    Identified viruses : 1
    Infected files : 32
    Memory processes infected : 0
    Suspect files : 0
    Warnings : 0
    Disinfected files : 0
    Deleted files : 0
    Moved files : 32
    I/O errors : 582
    Scan time : 00:29:45
    Scan speed (files/sec) : 87

    Spyware Statistics

    Registry keys scanned : 1603
    Registry keys infected : 0
    Cookies scanned : 1
    Cookies infected : 0
    Spyware files infected : 0
    Spyware threats detected : 0


    Virus definitions : 340320
    Scan plugins : 15
    Archive plugins : 41
    Unpack plugins : 6
    Mail plugins : 6
    System plugins : 5

    Virus scan options

    Detection
    [X] Scan boot sectors
    [X] Memory Processes
    [X] Scan archives
    [X] Scan runtime packers
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Move to quarantine
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [X] Move to quarantine
    [ ] Prompt user

    Virus scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1163343593.log

    Spyware scan options

    [X] Scan for riskware
    [ ] Skip dial and applications from scan
    [X] Registry keys
    [X] Cookies


    Summary:

    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0153616.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0153616.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0153616.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0154614.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0154614.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0154614.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0154687.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0154687.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0154687.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0155687.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0155687.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP187\A0155687.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155709.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155709.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155709.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155717.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155717.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155717.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155726.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155726.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155726.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155759.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155759.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155759.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155943.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155943.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155943.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155949.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155949.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155949.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155971.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155971.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155971.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155990.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155990.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP188\A0155990.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156125.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156125.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156125.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156140.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156140.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156140.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156149.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156149.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP189\A0156149.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156328.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156328.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156328.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156344.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156344.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156344.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156353.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156353.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP193\A0156353.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156658.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156658.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156658.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156671.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156671.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156671.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156685.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156685.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156685.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156692.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156692.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0156692.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0157692.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0157692.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0157692.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0157711.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0157711.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0157711.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0158710.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0158710.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0158710.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0158719.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0158719.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP194\A0158719.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0159125.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0159125.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0159125.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0159138.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0159138.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0159138.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160138.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160138.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160138.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160146.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160146.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160146.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160272.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160272.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160272.exe Moved
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160281.exe Infected: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160281.exe Disinfection failed
    C:\System Volume Information\_restore{C001A1DE-38DC-465B-9124-4D2BDAF3E31D}\RP200\A0160281.exe Moved


    PLSE HELP!!!!
     
  17. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    OK Found Them!!!

    I found the files for the spyware infecting the computer. Again 757 files.

    MidAddle
    C:\Documents and Settings\Owner\Local Settings\Temp\~DF8CC8.tmp

    MediaPass
    C:\WINDOWS\ie7\reg00002 and continuing to reg01006, although there are a few missing, such as reg00003.

    Downloader.WinAntiSpyware2006
    C:\Program Files\Red Storm Entertainment\Tom Clancy's Rainbow Six\data\character\M15\GTS1_arm.RSB

    I hope this helps.

    Thank You
     
    Last edited: 2006/11/12
  18. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, every single one of those findings from the BD scan is not a threat. They are in your System Restore folder. All you need to do is turn off System Restore, reboot, then turn System Restore on again:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives".
    5. Click Apply, and then click OK.



    These, in temp files or folders, are easily deleted and in this case are more of a generic or heuristic detection. To fix:
    Download Atribune's ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Tick the following boxes:
      • Windows Temp
      • Current User Temp
      • All User Temp
      • Cookies
      • Temporary Internet Files
      • History
      • Prefetch
      • Java Cache
    • Click the Empty Selected button.
    Do not empty your recycle bin unless you're 100% certain there is nothing there you may want to recover.
    I can't find much on this, but I doubt it's actually an infection. What app is saying these are Media Pass?

    To correct it, delete the entire ie7 folder; I have no idea what it is for, and Google serves up only one instance of it.

    This is a false positive. I imagine if you delete that file, your game may not work.
     
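    As an added illustration of the point made above (this is example code written for this page, not BitDefender's or the forum's own), a small Python script that reads a BitDefender v10 deep-scan log in the format posted in this thread and reports, per detection, whether the file sits inside a System Restore point (`System Volume Information\_restore{...}\RPnnn`) or somewhere live on the disk, and cross-checks the Summary block against the "Infected files" / "Moved files" counters in the header. The sample log is constructed for the example; its GUID, file names and the one non-restore-point path are placeholders.

    ```python
    """Classify BitDefender v10 deep-scan detections by location.

    Added example for this thread (not BitDefender code). The sample log below is
    constructed to match the posted format; GUID and file names are placeholders.
    """
    import re

    # Summary lines come in three shapes: "<path> Infected: <name>",
    # "<path> Disinfection failed" and "<path> Moved" (also Deleted/Disinfected).
    SUMMARY_RE = re.compile(
        r"^(?P<path>.+?) (?P<status>Infected: (?P<name>\S+)|Disinfection failed"
        r"|Moved|Deleted|Disinfected)$"
    )
    # Header counters such as "Infected files : 17" (non-numeric values are skipped).
    STAT_RE = re.compile(r"^(?P<key>[A-Za-z/ ()]+?) : (?P<value>\S+)$")
    # Windows XP System Restore keeps copies of changed files under this path.
    RESTORE_RE = re.compile(
        r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE
    )


    def parse_log(text):
        """Return (header stats, {path: {'name': ..., 'actions': [...]}})."""
        stats, detections, in_summary = {}, {}, False
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line == "Summary:":
                in_summary = True
                continue
            if not in_summary:
                m = STAT_RE.match(line)
                if m and m.group("value").isdigit():
                    stats[m.group("key").strip()] = int(m.group("value"))
                continue
            m = SUMMARY_RE.match(line)
            if not m:
                continue
            entry = detections.setdefault(m.group("path"), {"name": None, "actions": []})
            if m.group("name"):
                entry["name"] = m.group("name")
            else:
                entry["actions"].append(m.group("status"))
        return stats, detections


    def classify(detections):
        """Group detections into restore-point copies vs. live files; count quarantined."""
        report = {"restore_points": {}, "live": [], "quarantined": 0}
        for path, entry in detections.items():
            rp = RESTORE_RE.search(path)
            if rp:
                report["restore_points"].setdefault(rp.group(1), []).append(path)
            else:
                report["live"].append(path)
            if "Moved" in entry["actions"]:  # second action in the posted config
                report["quarantined"] += 1
        return report


    def consistent_with_stats(stats, detections, report):
        """Header counters should agree with what the Summary block lists."""
        return (stats.get("Infected files") == len(detections)
                and stats.get("Moved files") == report["quarantined"])


    # Constructed sample in the posted format (placeholder GUID and file names).
    RP = r"C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}"
    SAMPLE_LOG = "\n".join([
        "Virus Statistics", "", "Files : 12", "Identified viruses : 1",
        "Infected files : 4", "Disinfected files : 0", "Moved files : 4",
        "Scan time : 00:00:05", "", "Summary:", "",
    ] + [
        RP + rel + suffix
        for rel in (r"\RP183\A0000001.exe", r"\RP183\A0000002.exe", r"\RP184\A0000003.exe")
        for suffix in (" Infected: MemScan:Trojan.Downloader.Mohbpork.A",
                       " Disinfection failed", " Moved")
    ] + [  # one constructed detection outside any restore point
        r"C:\Documents and Settings\Owner\Local Settings\Temp\sample.exe"
        + s for s in (" Infected: MemScan:Trojan.Downloader.Mohbpork.A", " Moved")
    ])

    if __name__ == "__main__":
        stats, found = parse_log(SAMPLE_LOG)
        rep = classify(found)
        for rp, paths in sorted(rep["restore_points"].items()):
            print(f"{rp}: {len(paths)} restore-point copies (clear by cycling System Restore)")
        for p in rep["live"]:
            print(f"LIVE: {p}")
        print("header counters consistent:", consistent_with_stats(stats, found, rep))
    ```

    Detections under RPnnn disappear once System Restore is turned off and on again, as the post describes; anything that lands in the LIVE list is what still needs attention.
    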
  19. 2006/11/12
    Dcmurray

    Dcmurray Well-Known Member Thread Starter

    Joined:
    2006/11/09
    Messages:
    322
    Likes Received:
    0
    Freedom Security is showing this as Media Pass.

    Further to my previous posts, can anything be done to repair the other problems that I am having?

    I reset system restore as instructed. I don't know how to find the IE 7 folder that you have mentioned.

    I had previously set the System Restore when this trojan first showed up, as instructed by the BitDefender online chat people, but it continues. It doesn't pose a problem?

    Thanks Again
     
  20. 2006/11/12
    indmusic

    indmusic Well-Known Member

    Joined:
    2002/10/23
    Messages:
    143
    Likes Received:
    3
    Hi TeMerc
    I see the user has/had Wareout infection
    I wonder if anything else may be hiding
    It may be wise to run Lonny's FixWareout tool just to be on the safe side
    Just my 2 cents :)

    P.S. I see Husker01 is having redirections from Wareout also
    I believe FixWareout works on 98 systems too
     
  21. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, the ie7 file is located on your c drive:
    C:\ie7<<<--right here

    Insofar as the other problems related to IE7, haven't those been addressed?

    And when you say you previously 'set system restore' during chat with BD support, do you mean you essentially did what I told you, or something else?

    Let me know what problems still exist, excluding anything to do with anything found in System Restore or IE7, which you got the solution for from MS.
    Where are you seeing indications of Wareout in this log, have I overlooked something?
     