
Solved Backdoor.SdBot.gen and WinAntispyware2008 Problems

Discussion in 'Malware and Virus Removal Archive' started by mc89, 2009/04/08.

Thread Status:
Not open for further replies.
  1. 2009/04/08
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    [Resolved] Backdoor.SdBot.gen and WinAntispyware2008 Problems

    I have PeoplePc dial-up service and I use their Internet Security Pack. My PC is infected with the Backdoor.SdBot.gen and WindowsAntispyware2008. The Security Pack catches the Malware and deletes it, but it comes right back after reboot. I scanned with Malwarebytes' Anti-Malware and Stinger by McAfee but neither program caught the problems. My operating system is Windows XP Home Edition and I use IE6.
     
    Last edited: 2009/04/08
    mc89,
    #1
  2. 2009/04/08
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Welcome to WindowsBBS :)

    There is an announcement at the head of the forum .....

    *** READ THIS BEFORE POSTING IN THIS FORUM ***

    Please read and post the logs requested in this thread.
     


  4. 2009/04/08
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    dds.txt

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by Compaq_Owner at 21:54:08.71 on Tue 04/07/2009
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.209 [GMT -6:00]

    AV: Authentium Antivirus *On-access scanning enabled* (Updated)
    AV: PeoplePC Antivirus *On-access scanning enabled* (Updated)
    FW: PeoplePC Firewall *disabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\UpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\PeoplePC\ISP7230\Browser\Bartshel.exe
    C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ppc_isp2.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\ADS\ADSService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\PeoplePC\ISP7230\Browser\PPShared.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\PeoplePC\ISP7230\Browser\Bartshel.exe
    C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://msn.com/
    uSearch Page = hxxp://www.google.com
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
    uSearch Bar = hxxp://home.peoplepc.com/search
    mDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Page = hxxp://www.google.com
    mStart Page = hxxp://www.google.com
    uInternet Connection Wizard,ShellNext = hxxp://www.symantecstore.com/promo=44984
    uInternet Settings,ProxyServer = http=localhost:8080
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com
    mSearchAssistant = hxxp://home.peoplepc.com/search
    BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\people~1\PRPL_I~1.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
    TB: {A8FB8EB3-183B-4598-924D-86F0E5E37085} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
    mRun: [KBD] c:\hp\kbd\KBD.EXE
    mRun: [Bart Station] c:\program files\peoplepc\isp7230\bin\PPCOLink.exe -STATION
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [RCSystemTray] c:\program files\max registry cleaner\MaxRCSystemTray.exe
    mRun: [RCAutoLiveUpdate] c:\program files\max registry cleaner\MaxLURC.exe -AUTO
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [PeoplePC Internet Security Pack] "c:\program files\peoplepc\peoplepc internet security pack\bin\ppc_isp2.exe" /tray
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    mExplorerRun: [JsQRNcyITJ] c:\docume~1\compaq~1\locals~1\temp\wJQs.exe
    StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
    StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\6750491\program\Compaq Connections.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: Refresh Pa&ge with Full Quality - c:\program files\peoplepc accelerated\pac-page.html
    IE: Refresh Pi&cture with Full Quality - c:\program files\peoplepc accelerated\pac-image.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    TCP: {151DAF64-54CF-4C69-9B0D-B956AA7053C2} = 209.244.0.3 209.244.0.4
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: igfxcui - igfxsrvc.dll
    Notify: WRNotifier - WRLogonNTF.dll
    AppInit_DLLs: karna.dat
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ============= SERVICES / DRIVERS ===============

    R0 GRFILTER;CS NDIS Driver;c:\windows\system32\drivers\GRFilter.sys [2006-11-10 22584]
    R2 GRTdiMon;GR TDI Mon;c:\windows\system32\drivers\GRTdiMon.sys [2006-11-10 42040]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\drivers\ADSFilter.sys [2006-11-20 56728]
    R3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);c:\windows\system32\drivers\ADSMonitor.sys [2006-11-20 35352]
    S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;c:\program files\peoplepc\peoplepc internet security pack\sana\driver\platform_xp\SafeConnectDriver.sys [2007-4-26 151832]
    S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;c:\program files\peoplepc\peoplepc internet security pack\sana\driver\platform_xp\SafeConnectFilter.sys [2007-4-26 31000]
    S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;c:\program files\peoplepc\peoplepc internet security pack\sana\driver\platform_xp\SafeConnectShim.sys [2006-10-16 38632]

    =============== Created Last 30 ================

    2009-04-05 01:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-04-05 01:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-05 01:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-03-31 03:43 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Windows Search
    2009-03-31 03:33 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Windows Desktop Search
    2009-03-31 03:32 <DIR> --d----- c:\windows\system32\GroupPolicy
    2009-03-31 03:32 <DIR> --d----- c:\program files\Windows Desktop Search
    2009-03-31 03:30 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
    2009-03-31 03:30 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
    2009-03-31 03:30 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
    2009-03-15 13:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy

    ==================== Find3M ====================

    2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-01-12 03:45 73,728 a------- c:\windows\system32\RtNicProp32.dll
    2008-03-17 16:01 2,045 ac------ c:\program files\Deploy.log
    2007-01-21 21:28 28,672 a------- c:\documents and settings\compaq_owner\atwbxdet.dll
    2004-11-03 16:25 2,238 ac------ c:\program files\common files\emini.ico

    ============= FINISH: 21:56:08.20 ===============
     
    mc89,
    #3
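    As an added triage example (not code from this thread, from DDS or from ComboFix), the script below reads the Pseudo HJT section of a DDS log and flags the persistence points visible in the log above: the IE proxy pointed at localhost:8080, the ExplorerRun entry launching from the temp folder, and the non-empty AppInit_DLLs value. The sample input is a constructed excerpt of that log; the suspect-directory list and the severity labels are my assumptions.

```python
"""Triage the "Pseudo HJT Report" section of a DDS log for persistence points.

Added example: this is not code from the thread, from DDS, or from ComboFix.
It reads the autostart lines DDS prints (Run keys, Internet Settings, toolbar
registrations, AppInit_DLLs) and flags the ones that let an infection return
after every reboot. The directory list and severities are assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample input: an excerpt of the DDS log posted in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://msn.com/
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = <local>
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
mExplorerRun: [JsQRNcyITJ] c:\docume~1\compaq~1\locals~1\temp\wJQs.exe
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: karna.dat
"""

# Locations a legitimate autostart entry should never be launched from (assumed list).
SUSPECT_DIRS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp", "\\recycler\\")

# DDS prefixes: u = HKCU, m = HKLM, d = default user; ExplorerRun = Policies\Explorer\Run.
_RUN_RE = re.compile(r"^(?P<kind>[A-Za-z]*Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

Finding = Tuple[str, str, str]  # (severity, log line, reason)


def executable_path(cmd: str) -> str:
    """Return the lower-cased program path from a Run command line, dropping quotes and arguments."""
    cmd = cmd.strip().strip('"').lower()
    idx = cmd.find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ")[0]


def triage(log_text: str) -> List[Finding]:
    """Scan DDS autostart lines and return the entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue

        # 1. A browser proxy pointing at the local machine means some local
        #    process is sitting between IE and the network.
        if low.startswith(("uinternet settings,proxyserver", "minternet settings,proxyserver")):
            value = line.split("=", 1)[1].strip().lower()
            if "localhost" in value or "127.0.0.1" in value:
                findings.append(("HIGH", line, "browser proxy redirected to the local machine"))
            continue

        # 2. AppInit_DLLs is loaded into every process that links user32.dll;
        #    on a home XP box it should be empty.
        if low.startswith("appinit_dlls:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("HIGH", line, "AppInit_DLLs loads %s into every GUI process" % value))
            continue

        # 3. Run keys: flag anything launched from a temp/recycler directory,
        #    and note bare file names that resolve through the search path.
        m = _RUN_RE.match(line)
        if m:
            path = executable_path(m.group("cmd"))
            if any(d in path for d in SUSPECT_DIRS):
                findings.append(("HIGH", line, "autostart launched from a temporary directory"))
            elif "\\" not in path:
                findings.append(("LOW", line, "unqualified path, resolved via search order"))
            continue

        # 4. Orphaned toolbar / explorer-bar CLSIDs are leftovers, not active threats.
        if low.startswith(("tb:", "eb:")) and low.endswith("no file"):
            findings.append(("LOW", line, "orphaned toolbar/explorer-bar registration"))
    return findings


def severities(findings: List[Finding]) -> dict:
    """Count findings per severity so the triage result can be read at a glance."""
    counts: dict = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, line, why in triage(SAMPLE_LOG):
        print("%-6s %s\n       -> %s" % (sev, line, why))
```

Run against a full dds.txt, the HIGH findings are the entries to hand to the analyst first; the LOW ones are usually vendor leftovers but are cheap to verify.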
  5. 2009/04/08
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    attach.txt

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/18/2004 10:50:03 PM
    System Uptime: 4/7/2009 8:15:44 PM (1 hours ago)

    Motherboard: ASUSTek Computer INC. | | Govii
    Processor: Intel(R) Celeron(R) CPU 2.93GHz | PGA 478 | 2933/133mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 75 GiB total, 64.23 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 4/7/2009 4:43:29 PM - System Checkpoint

    ==== Installed Programs ======================


    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0.5
    Agere Systems PCI Soft Modem
    Authentium AntiVirus SDK - 2
    Authentium FW SDK
    Clean My Registry v4.6
    Compaq Connections
    Easy Internet Sign-up
    eMini-Master Pivot Calculator & Price Projections 1.11
    Enhanced Multimedia Keyboard Solution
    Forexgrail
    FXCM Trading Station
    FXDD - MetaTrader 4.00
    GoToMeeting/GoToWebinar 3.0.0.198
    Help and Support Additions
    High Definition Audio Driver Package - KB835221
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    HP Deskjet 3840
    HP Update
    HpSdpAppCoreApp
    HPSSupply
    Intel(R) Extreme Graphics Driver
    Internet Security Pack
    Internet Security Pack - Partial Install
    InterVideo WinDVD Player
    iTunes
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_07
    Java(TM) 6 Update 10
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 6
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Macromedia Shockwave Player
    Malwarebytes' Anti-Malware
    Max Registry Cleaner
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Excel 97
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Standard Edition 2003
    Microsoft Plus! Dancer LE
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Works 7.0
    Microsoft WSE 2.0 SP3 Runtime
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    PeoplePC Common Authentication
    PeoplePC Internet Security Pack
    PeoplePC Online
    PeoplePC Simple Switch
    Primate Software 1 Tech Support by rt-help.com 2006.0.1.0
    Profinacci Calculator 1.0
    PS2
    Python 2.2 combined Win32 extensions
    Python 2.2.1
    QuickTime
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Shop for HP Supplies
    Sonic RecordNow!
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebEx
    WebFldrs XP
    Windows Defender
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Search 4.0
    Windows XP Service Pack 3
    Xerox WC470cx Printer Driver
    ZeroDay
    ZSoft Uninstaller 2.4.1

    ==== Event Viewer Messages From Past Week ========

    4/4/2009 9:46:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments " " in order to run the server: {000C101C-0000-0000-C000-000000000046}
    4/4/2009 9:46:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service dvpapi with arguments "-Service" in order to run the server: {07D393E6-BB61-4063-8B5F-9C3E734D2FEC}
    4/4/2009 9:46:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Beep Fips IPSec MRxSmb NetBIOS NetBT NetworkX RasAcd Rdbss Tcpip
    4/4/2009 9:46:01 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/4/2009 9:46:01 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    4/4/2009 9:46:01 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/4/2009 9:46:01 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBT service which failed to start because of the following error: A device attached to the system is not functioning.
    4/4/2009 9:45:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/4/2009 9:45:08 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    4/4/2009 9:42:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
    4/4/2009 9:42:51 PM, error: Service Control Manager [7022] - The dvpapi service hung on starting.
    4/3/2009 4:06:03 PM, error: Service Control Manager [7023] - The dvpapi service terminated with the following error: The class is configured to run as a security id different from the caller
    4/2/2009 3:56:14 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\CandleWorks\FXTS2\MFC80.DLL. Reference error message: The operation completed successfully. .
    4/2/2009 3:56:14 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
    4/2/2009 3:56:14 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
    4/1/2009 3:46:41 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    4/6/2009 2:52:43 AM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    4/7/2009 4:30:44 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service MSIServer with arguments " " in order to run the server: {000C101C-0000-0000-C000-000000000046}
    4/7/2009 4:30:49 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Installer service to connect.
    4/7/2009 4:30:49 PM, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================
     
    mc89,
    #4
  6. 2009/04/08
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    1 of 2 Activity logs from Security Software Scan

    Start Scan Session: 4/4/2009 10:03:16 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 3/31/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/2/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    End Scan Session: 4/4/2009 10:06:05 PM
    =======================================================================

    =======================================================================
    Start Scan Session: 4/5/2009 1:08:14 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 3/31/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/2/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\interface\{71a2702e-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\interface\{71a27031-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\clsid\{71a27032-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\clsid\{71a27034-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\interface\{71a27033-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Scan Detected: GlamCookie
    C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@glam[1].txt

    Spyware Scan Detected: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\typelib\{71a2702d-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_CLASSES_ROOT\clsid\{71a27034-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_CLASSES_ROOT\interface\{71a2702e-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_CLASSES_ROOT\clsid\{71a2702f-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_CLASSES_ROOT\clsid\{71a27032-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_CLASSES_ROOT\interface\{71a27031-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_CLASSES_ROOT\typelib\{71a2702d-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\clsid\{71a2702f-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_CLASSES_ROOT\interface\{71a27033-c7d8-11d2-bef8-525400dfb47a}

    Spyware Scan Detected: EAntispy
    HKEY_CLASSES_ROOT\interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}

    End Scan Session: 4/5/2009 1:09:42 AM
    =======================================================================

    Spyware Deleted: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\interface\{71a2702e-c7d8-11d2-bef8-525400dfb47a}

    Spyware Deleted: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\clsid\{71a2702f-c7d8-11d2-bef8-525400dfb47a}

    Spyware Deleted: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\clsid\{71a27032-c7d8-11d2-bef8-525400dfb47a}

    Spyware Deleted: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\clsid\{71a27034-c7d8-11d2-bef8-525400dfb47a}

    Spyware Deleted: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\interface\{71a27031-c7d8-11d2-bef8-525400dfb47a}

    Spyware Deleted: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}

    Spyware Deleted: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\interface\{71a27033-c7d8-11d2-bef8-525400dfb47a}

    Spyware Deleted: EAntispy
    HKEY_LOCAL_MACHINE\software\classes\typelib\{71a2702d-c7d8-11d2-bef8-525400dfb47a}

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Quarantined: EAntispy
    HKEY_CLASSES_ROOT\clsid\{71a27034-c7d8-11d2-bef8-525400dfb47a}

    Spyware Quarantined: EAntispy
    HKEY_CLASSES_ROOT\interface\{71a2702e-c7d8-11d2-bef8-525400dfb47a}

    Spyware Quarantined: EAntispy
    HKEY_CLASSES_ROOT\clsid\{71a2702f-c7d8-11d2-bef8-525400dfb47a}

    Spyware Quarantined: EAntispy
    HKEY_CLASSES_ROOT\clsid\{71a27032-c7d8-11d2-bef8-525400dfb47a}

    Spyware Quarantined: EAntispy
    HKEY_CLASSES_ROOT\interface\{71a27036-c7d8-11d2-bef8-525400dfb47a}

    Spyware Quarantined: EAntispy
    HKEY_CLASSES_ROOT\typelib\{71a2702d-c7d8-11d2-bef8-525400dfb47a}

    Spyware Quarantined: EAntispy
    HKEY_CLASSES_ROOT\interface\{71a27031-c7d8-11d2-bef8-525400dfb47a}

    Spyware Quarantined: EAntispy
    HKEY_CLASSES_ROOT\interface\{71a27033-c7d8-11d2-bef8-525400dfb47a}
     
    mc89,
    #5
  7. 2009/04/08
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    2 of 2 Activity Logs from Security Software Scan

    Start Scan Session: 4/7/2009 4:41:22 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/7/2009 4:42:49 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Active Spyware Scan Detected: Backdoor.SdBot.gen [4/7/2009 8:46:40 PM]
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
    Action Taken: Quarantined

    Active Spyware Scan Detected: WinAntiSpyware [4/7/2009 8:50:10 PM]
    HKEY_LOCAL_MACHINE\software\antivirus
    Action Taken: Quarantined

    =======================================================================
    Start Scan Session: 4/7/2009 10:20:49 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/7/2009 10:22:07 PM
    =======================================================================
     
    mc89,
    #6
  8. 2009/04/08
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  9. 2009/04/08
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    Thank you. I will check back later.
     
    mc89,
    #8
  10. 2009/04/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  11. 2009/04/08
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    Thank You

    Hi, Juliet

    I will follow your instructions and post the results when finished.
     
  12. 2009/04/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal.
     
  13. 2009/04/08
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    Sorry for the delay

    I am able to turn off the Windows Firewall and the Anti Virus Software, but I cannot figure out how to turn off the Authentium Firewall inside Windows XP before running ComboFix. Could you advise me on how to do this?
     
  14. 2009/04/09
    mc89

    mc89 Inactive Thread Starter

    Joined:
    2009/01/10
    Messages:
    22
    Likes Received:
    0
    ComboFix.exe Results

    ComboFix 09-04-04.01 - Compaq_Owner 2009-04-09 1:48:11.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.182 [GMT -6:00]
    Running from: c:\documents and settings\Compaq_Owner\Desktop\Combo-Fix.exe
    AV: Authentium Antivirus *On-access scanning enabled* (Updated)
    AV: PeoplePC Antivirus *On-access scanning enabled* (Updated)
    FW: PeoplePC Firewall *disabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\recycler\autoran.inf
    c:\recycler\sys.ini
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\system\

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
    .

    2009-04-08 23:03 . 2009-04-09 01:47 <DIR> d-------- C:\ComboFix
    2009-04-08 23:03 . 2009-04-08 23:03 389,120 --a------ c:\windows\system32\CF32201.exe
    2009-04-05 01:48 . 2009-04-05 01:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-04-05 01:48 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-05 01:48 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-31 03:43 . 2009-03-31 03:43 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Windows Search
    2009-03-31 03:33 . 2009-03-31 03:33 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Windows Desktop Search
    2009-03-31 03:32 . 2009-03-31 03:32 <DIR> d-------- c:\windows\system32\GroupPolicy
    2009-03-31 03:32 . 2009-03-31 03:32 <DIR> d-------- c:\program files\Windows Desktop Search
    2009-03-31 03:30 . 2008-03-07 11:02 192,000 -----c--- c:\windows\system32\dllcache\offfilt.dll
    2009-03-31 03:30 . 2008-03-07 11:02 98,304 -----c--- c:\windows\system32\dllcache\nlhtml.dll
    2009-03-31 03:30 . 2008-03-07 11:02 29,696 -----c--- c:\windows\system32\dllcache\mimefilt.dll
    2009-03-15 13:31 . 2009-03-16 04:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-05 10:44 --------- d-----w c:\program files\Smart PC Solutions
    2009-04-05 10:44 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Smart PC Solutions
    2009-03-28 07:37 --------- d-----w c:\program files\FXDD - MetaTrader 4
    2009-03-16 23:50 --------- d-----w c:\program files\Max Registry Cleaner
    2009-03-16 10:51 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-23 11:54 --------- d-----w c:\program files\CandleWorks
    2009-02-22 08:48 --------- d-----w c:\program files\LSI SoftModem
    2009-02-21 08:55 --------- d-----w c:\program files\PeoplePC
    2009-02-13 12:59 --------- d-----w c:\program files\Alwil Software
    2009-02-10 04:26 --------- d-----w c:\program files\Windows Live Safety Center
    2008-03-17 22:01 2,045 -c--a-w c:\program files\Deploy.log
    2007-01-22 03:28 28,672 ----a-w c:\documents and settings\Compaq_Owner\atwbxdet.dll
    2004-11-03 22:25 2,238 -c--a-w c:\program files\Common Files\emini.ico
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "MSMSGS"= "c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"= "c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
    "IgfxTray"= "c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
    "HotKeysCmds"= "c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
    "SunJavaUpdateSched"= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-11 136600]
    "HPDJ Taskbar Utility"= "c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
    "KBD"= "c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "Bart Station"= "c:\program files\PeoplePC\ISP7230\BIN\PPCOLink.exe" [2008-05-27 25944]
    "Recguard"= "c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "RCSystemTray"= "c:\program files\Max Registry Cleaner\MaxRCSystemTray.exe" [2009-02-23 925568]
    "RCAutoLiveUpdate"= "c:\program files\Max Registry Cleaner\MaxLURC.exe" [2009-02-23 946048]
    "iTunesHelper"= "c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
    "PeoplePC Internet Security Pack"= "c:\program files\PeoplePC\PeoplePC Internet Security Pack\bin\ppc_isp2.exe" [2007-10-26 46568]
    "AGRSMMSG"= "AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-04 111376]
    Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-12-04 51984]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
    Compaq Connections.lnk - c:\program files\Compaq Connections\6750491\Program\Compaq Connections.exe [2004-08-09 16423]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\SMINST\\INSTALL_APP.EXE"=
    "c:\\hp\\support\\HPSysInfo.exe"=
    "c:\\Program Files\\CandleWorks\\FXTS2\\FXTSpp.exe"=
    "c:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"=
    "c:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\wkscal.exe"=
    "c:\\Program Files\\Microsoft Works\\msworks.exe"=
    "c:\\Program Files\\Microsoft Works\\wkssb.exe"=
    "c:\\Program Files\\Online Services\\MSN90\\LaunchMsn.exe"=
    "c:\\Program Files\\Outlook Express\\msimn.exe"=
    "c:\\Program Files\\PC-Doctor for Windows\\Pcdrw32.exe"=
    "c:\\Program Files\\QuickTime\\PictureViewer.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimeUpdater.exe"=
    "c:\\Program Files\\Outlook Express\\wab.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Forexgrail\\ForexGrail.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 GRFILTER;CS NDIS Driver;c:\windows\system32\drivers\GRFilter.sys [2006-11-10 22584]
    R2 GRTdiMon;GR TDI Mon;c:\windows\system32\drivers\GRTdiMon.sys [2006-11-10 42040]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    R3 ADSFilter;ADSFilter - (Aluria Filter Driver);c:\windows\system32\drivers\ADSFilter.sys [2006-11-20 56728]
    R3 ADSMonitor;ADSMonitor - (EarthLink Monitor Driver);c:\windows\system32\drivers\ADSMonitor.sys [2006-11-20 35352]
    S3 EarthLinkSafeConnectDriver;EarthLinkSafeConnectDriver;c:\program files\PeoplePC\PeoplePC Internet Security Pack\Sana\Driver\platform_XP\SafeConnectDriver.sys [2007-04-26 151832]
    S3 EarthLinkSafeConnectFilter;EarthLinkSafeConnectFilter;c:\program files\PeoplePC\PeoplePC Internet Security Pack\Sana\Driver\platform_XP\SafeConnectFilter.sys [2007-04-26 31000]
    S3 EarthLinkSafeConnectShim;EarthLinkSafeConnectShim;c:\program files\PeoplePC\PeoplePC Internet Security Pack\Sana\Driver\platform_XP\SafeConnectShim.sys [2006-10-16 38632]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-09 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Explorer_Run-JsQRNcyITJ - c:\docume~1\COMPAQ~1\LOCALS~1\Temp\wJQs.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://msn.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
    mStart Page = hxxp://www.google.com
    uInternet Connection Wizard,ShellNext = hxxp://www.symantecstore.com/promo=44984
    uInternet Settings,ProxyOverride = <local>
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-09 01:54:52
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\windows\system32\Crypserv.exe
    c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
    c:\program files\PeoplePC\PeoplePC Internet Security Pack\bin\UpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\searchindexer.exe
    c:\program files\Common Files\ADS\ADSService.exe
    c:\program files\PeoplePC\ISP7230\Browser\BartShel.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\progra~1\PeoplePC\ISP7230\Browser\PPShared.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-09 1:59:19 - machine was rebooted [Compaq_Owner]
    ComboFix-quarantined-files.txt 2009-04-09 07:59:13

    Pre-Run: 69,246,779,392 bytes free
    Post-Run: 69,171,191,808 bytes free

    164 --- E O F --- 2009-03-13 10:56:42
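    Added example (not part of the thread, and not a ComboFix feature). Among the dozens of loading points in the log above, the lines that matter are the orphaned HKLM Explorer\Run value JsQRNcyITJ pointing at an executable in the user's Local Settings\Temp, the autoran.inf and sys.ini dropped in c:\recycler, and the firewall policy (EnableFirewall = 0, 3389/TCP globally open). The script below ranks entries of this log format by a few location and naming heuristics so that such lines float to the top. The weights and the random-name test are my assumptions; the sample log is a constructed excerpt of the log above in the same layout.

```python
"""Rank the loading points and firewall policy in a ComboFix-style log.

Added triage helper, not part of the thread or of ComboFix. The score only
orders what to look at first; it never proves an entry is malicious.
"""
import re
from dataclasses import dataclass, field

# Places a legitimate autorun target almost never lives (matched lower-case).
SUSPICIOUS_DIRS = {
    "temp directory": r"\\temp\\",
    "recycle bin": r"^[a-z]:\\recycler\\",
    "application data": r"\\application data\\",
}
SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]+)"')
ORPHAN = re.compile(r"^(?P<hive>HK[A-Z]+)-(?P<key>\w+)-(?P<name>\S+)\s+-\s+(?P<path>.+)$")
FIREWALL_OFF = re.compile(r'^"EnableFirewall\s*"\s*=\s*0\b')
OPEN_PORT = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))\s*"\s*=')
BARE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    kind: str                 # autorun | orphan | deleted | firewall | open-port
    detail: str
    score: int = 0
    reasons: list = field(default_factory=list)


def looks_random(name):
    """Mixed-case alphabetic value name with almost no vowels, e.g. JsQRNcyITJ."""
    if len(name) < 8 or not name.isalpha() or name.islower() or name.isupper():
        return False
    return sum(c in "aeiouAEIOU" for c in name) / len(name) < 0.15


def score_path(path, name=""):
    """Assumed weights: 3 for a bad location, 1 each for the weaker signals."""
    score, reasons, low = 0, [], path.lower()
    for label, pattern in SUSPICIOUS_DIRS.items():
        if re.search(pattern, low):
            score, reasons = score + 3, reasons + [f"target in {label}"]
    if re.search(r"~\d\\", low):           # 8.3 short names, as droppers write them
        score, reasons = score + 1, reasons + ["8.3 short path"]
    if looks_random(name):
        score, reasons = score + 1, reasons + ["random-looking value name"]
    return score, reasons


def triage(lines):
    """Return Findings sorted by descending score."""
    findings, section = [], ""
    for raw in lines:
        line = raw.strip()
        if line.startswith("((("):          # ComboFix block header
            section = "deletions" if "Other Deletions" in line else "other"
        elif (m := SECTION.match(line)):    # registry key header
            section = m.group("key").lower()
        elif section == "deletions" and BARE_PATH.match(line):
            s, r = score_path(line)
            if s:
                findings.append(Finding("deleted", line, s, r))
        elif (m := ORPHAN.match(line)):     # value ComboFix removed as orphaned
            s, r = score_path(m.group("path"), m.group("name"))
            r.append(f"orphan under {m.group('hive')}\\{m.group('key')} (removed)")
            findings.append(Finding("orphan", m.group("path"), s + 1, r))
        elif "firewallpolicy" in section:
            if FIREWALL_OFF.match(line):
                findings.append(Finding("firewall", "standard profile", 3, ["Windows Firewall disabled"]))
            elif (m := OPEN_PORT.match(line)) and "globallyopenports" in section:
                findings.append(Finding("open-port", m.group("port"), 2, ["open to every network"]))
        elif (m := RUN_ENTRY.match(line)) and "\\run" in section:
            name = m.group("name").strip()
            s, r = score_path(m.group("path"), name)
            if s:
                findings.append(Finding("autorun", f"{name} -> {m.group('path')}", s, r))
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed excerpt of the ComboFix log posted above, in the same layout.
SAMPLE_LOG = r"""
((((((((((( Other Deletions )))))))))))
c:\recycler\autoran.inf
c:\recycler\sys.ini
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"= "c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
HKLM-Explorer_Run-JsQRNcyITJ - c:\docume~1\COMPAQ~1\LOCALS~1\Temp\wJQs.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.score}] {f.kind:9} {f.detail}  <- {'; '.join(f.reasons)}")
```

    Run against the excerpt, the orphaned Temp\wJQs.exe entry comes out on top (score 6), the recycler files and the disabled firewall follow, and the legitimate DWQueuedReporting entry only scores 1 for its 8.3 path, which is the point: the ranking separates one real indicator from the noise without pretending the low-scoring entries are proven clean.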
     
  15. 2009/04/09
    mc89 (Inactive Thread Starter)
    Hijackthis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:35:59 AM, on 4/9/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\UpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\PeoplePC\ISP7230\Browser\Bartshel.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\PeoplePC\ISP7230\Browser\PPShared.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantecstore.com/promo=44984
    O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP7230\BIN\PPCOLink.exe -STATION
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
    O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLURC.exe -AUTO
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PeoplePC Internet Security Pack] "C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ppc_isp2.exe" /tray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\Sana\Bin\SanaAgent.exe
    O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\UpdateService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe

    --
    End of file - 6758 bytes
     
  16. 2009/04/09
    Juliet (Well-Known Member)
    Welcome back

    That took out a few items.


    Please download ATF Cleaner by Atribune from here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================



    NEXT**
    I'd like you to run this next online scan to check for remnants or anything that might be hidden.
    The scan below can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display whether your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with the IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.


    How's the computer now?
     
  17. 2009/04/09
    mc89 (Inactive Thread Starter)
    Hi, Juliet

    After running ComboFix my computer is working better. The WinAntiSpyware still shows up when I run my anti-virus software though. I will now run the next set of programs that you listed and then post the results. I imagine they will get rid of the rest of the problems.

    Thanks for your help.
     
  18. 2009/04/09
    Juliet (Well-Known Member)
    Where it finds WinAntiSpyware is the question.

    Post the other logs when you can.
     
  19. 2009/04/10
    mc89 (Inactive Thread Starter)
    Scan Results

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, April 10, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, April 10, 2009 04:54:15
    Records in database: 2030107
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan statistics:
    Files scanned: 59521
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 00:58:53

    No malware has been detected. The scan area is clean.

    The selected area was scanned.
     
  20. 2009/04/10
    mc89 (Inactive Thread Starter)
    Hijackthis 2nd Scan

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:45:28 AM, on 4/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\UpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\PeoplePC\ISP7230\Browser\Bartshel.exe
    C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\PROGRA~1\PeoplePC\ISP7230\Browser\PPShared.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\PeoplePC\ISP7230\Browser\Bartshel.exe
    C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Documents and Settings\Compaq_Owner\Desktop\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantecstore.com/promo=44984
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP7230\BIN\PPCOLink.exe -STATION
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
    O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLURC.exe -AUTO
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PeoplePC Internet Security Pack] "C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ppc_isp2.exe" /tray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{151DAF64-54CF-4C69-9B0D-B956AA7053C2}: NameServer = 209.244.0.3 209.244.0.4
    O17 - HKLM\System\CS1\Services\Tcpip\..\{151DAF64-54CF-4C69-9B0D-B956AA7053C2}: NameServer = 209.244.0.3 209.244.0.4
    O23 - Service: ADSService - Aluria Software, a division of EarthLink, Inc. - C:\Program Files\Common Files\ADS\ADSService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: EarthLinkSafeConnectAgent - Unknown owner - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\Sana\Bin\SanaAgent.exe
    O23 - Service: ELNK Update Service (ELNKUpdateService) - EarthLink, Inc. - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\UpdateService.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe

    --
    End of file - 7517 bytes
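    Added example (not part of the thread and not HijackThis output). Comparing two HJT logs by eye misses small additions; this second log contains an R1 ProxyServer = http=localhost:8080 entry, two O8 context-menu items and two O17 NameServer entries that the first log did not have. The same log shows PeoplePC Accelerated running, which plausibly accounts for the local proxy and the O8 items, but a new proxy or DNS setting is exactly the kind of change to confirm rather than assume (on XP, netstat -ano shows which process owns port 8080). The script below parses the registry-backed O/R lines of two logs, diffs them and pulls out proxy and DNS changes. The trusted_dns allow-list is an assumed parameter; the sample logs are constructed excerpts of the two logs posted above.

```python
"""Diff the registry-backed entries of two HijackThis logs.

Added example, not HijackThis output and not from the thread. Process lists
are skipped (they change every boot); O/R lines are where persistence and
browser/network redirection show up.
"""
import re

ENTRY = re.compile(r"^(?P<type>[OR]\d+) - (?P<body>.+)$")


def parse(log):
    """Map 'type - key' -> value for each O/R line of an HJT log."""
    entries = {}
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        if m.group("type") == "O4" and "] " in body:   # O4 - HKLM\..\Run: [name] command
            key, value = body.split("] ", 1)
            key += "]"
        elif " = " in body:                              # R0/R1/O17: setting = value
            key, value = body.split(" = ", 1)
        elif " - " in body:                              # O2/O8/O9/O23: name - details
            key, value = body.split(" - ", 1)
        else:
            key, value = body, ""
        entries[f"{m.group('type')} - {key}"] = value.strip()
    return entries


def diff(old, new):
    """Entries present only in new, only in old, or with a different value."""
    added = {k: v for k, v in new.items() if k not in old}
    removed = {k: v for k, v in old.items() if k not in new}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def review(added, changed, trusted_dns=()):
    """Pull new or altered proxy and DNS settings out of a diff.

    trusted_dns is an assumed allow-list (e.g. the ISP's resolvers); anything
    else is reported so the reader can check who owns it.
    """
    current = dict(added)
    current.update({k: new for k, (_, new) in changed.items()})
    proxies, dns = [], set()
    for key, value in current.items():
        if key.endswith(",ProxyServer"):
            proxies.append(value)
        elif ": NameServer" in key:
            dns.update(s for s in value.split() if s not in trusted_dns)
    return {"proxy": proxies, "dns": sorted(dns)}


# Constructed excerpts of the two HJT logs posted above (same line format).
LOG_A = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\PEOPLE~1\PRPL_I~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ProtectionService - EarthLink, Inc. - C:\Program Files\PeoplePC\PeoplePC Internet Security Pack\bin\ProtectionService.exe
"""
LOG_B = LOG_A + r"""
C:\Program Files\PeoplePC Accelerated\PeoplePC.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{151DAF64-54CF-4C69-9B0D-B956AA7053C2}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{151DAF64-54CF-4C69-9B0D-B956AA7053C2}: NameServer = 209.244.0.3 209.244.0.4
"""

if __name__ == "__main__":
    added, removed, changed = diff(parse(LOG_A), parse(LOG_B))
    for k, v in added.items():
        print("+", k, "=", v)
    print(review(added, changed))
```

    With an empty allow-list the review reports the localhost:8080 proxy and both 209.244.0.x resolvers; pass the ISP's resolvers as trusted_dns and only the proxy remains. Keying on the entry name rather than the whole line is what makes the diff stable across reboots, where paths and process lists shift but persistence points do not.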
     
  21. 2009/04/10
    mc89 (Inactive Thread Starter)
    Anti-Virus Scan Activity Log

    My Anti-Virus Software found the Backdoor.SdBot.gen and WinAntiSpyware again after the Kscan. Here is the Activity Log.

    Start Scan Session: 4/7/2009 4:41:22 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/7/2009 4:42:49 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Active Spyware Scan Detected: Backdoor.SdBot.gen [4/7/2009 8:46:40 PM]
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
    Action Taken: Quarantined

    Active Spyware Scan Detected: WinAntiSpyware [4/7/2009 8:50:10 PM]
    HKEY_LOCAL_MACHINE\software\antivirus
    Action Taken: Quarantined

    =======================================================================
    Start Scan Session: 4/7/2009 10:20:49 PM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/7/2009 10:22:07 PM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/8/2009 5:52:27 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/8/2009 5:54:21 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/9/2009 2:46:04 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/9/2009 2:48:26 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    =======================================================================
    Start Scan Session: 4/9/2009 6:10:26 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Floppy Boot-Sector Scan

    Begin Registry Scan:

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/9/2009 6:12:00 AM
    =======================================================================

    Active Spyware Scan Detected: WinAntiSpyware [4/9/2009 6:38:43 AM]
    HKEY_LOCAL_MACHINE\software\antivirus
    Action Taken: Quarantined

    =======================================================================
    Start Scan Session: 4/10/2009 12:55:46 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    Begin Service Scan:

    Begin Master Boot-Record Scan

    Begin Registry Scan:

    Begin Floppy Boot-Sector Scan

    Begin Cookie Scan:

    Begin File Scan:

    Spyware Scan Detected: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    Spyware Scan Detected: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    End Scan Session: 4/10/2009 1:14:34 AM
    =======================================================================

    Spyware Quarantined: WinAntiSpyware
    HKEY_LOCAL_MACHINE\software\antivirus

    Spyware Quarantined: Backdoor.SdBot.gen
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe

    =======================================================================
    Start Scan Session: 4/10/2009 1:27:17 AM
    ISP Version: 3.1.1.26819
    Spyware Engine: 2.3.09
    Spyware Definition: 4/3/2009
    Virus Engine: 4.321.35
    Virus Definition: 4/3/2009

    Begin Memory Scan:

    End Scan Session: 4/10/2009 1:27:38 AM
    =======================================================================
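A small parser for the activity-log layout shown in the post above, added here as an example (it is not the poster's software or log): it reads the detection and quarantine events and flags any item that is detected again after it was already quarantined, which is exactly the pattern the thread is dealing with. The sample log is constructed to mirror the format, and an item re-detected at the same Run key after quarantine means the quarantine removed only the symptom and something re-creates the entry.

```python
import re
# Constructed sample in the layout of the activity log above (not the full log).
SAMPLE_LOG = r"""
Start Scan Session: 4/7/2009 4:41:22 PM
Spyware Scan Detected: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
End Scan Session: 4/7/2009 4:42:49 PM
Spyware Quarantined: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
Active Spyware Scan Detected: Backdoor.SdBot.gen [4/7/2009 8:46:40 PM]
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
Action Taken: Quarantined
Start Scan Session: 4/10/2009 12:55:46 AM
Spyware Scan Detected: Backdoor.SdBot.gen
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ctfmon.exe
Spyware Scan Detected: WinAntiSpyware
HKEY_LOCAL_MACHINE\software\antivirus
End Scan Session: 4/10/2009 1:14:34 AM
"""

# Matches "Spyware Scan Detected: X", "Active Spyware Scan Detected: X [time]"
# and "Spyware Quarantined: X"; the next line names the registry key or file.
EVENT_RE = re.compile(r"^(?:Active )?Spyware (Scan Detected|Quarantined): (\S+)")

def parse_events(log_text):
    """Ordered (kind, threat, location) tuples; kind is 'detected' or 'quarantined'."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    events = []
    for i, line in enumerate(lines):
        m = EVENT_RE.match(line)
        if m:
            kind = "detected" if m.group(1) == "Scan Detected" else "quarantined"
            location = lines[i + 1].lower() if i + 1 < len(lines) else ""
            events.append((kind, m.group(2), location))
        elif line == "Action Taken: Quarantined" and events:
            # the on-access scanner quarantines the item detected just above
            events.append(("quarantined",) + events[-1][1:])
    return events

def recurring_after_quarantine(events):
    """(threat, location) -> times detected again after an earlier quarantine.
    Any entry means quarantine removed a symptom and something re-creates it."""
    quarantined, recurrences = set(), {}
    for kind, threat, location in events:
        key = (threat, location)
        if kind == "quarantined":
            quarantined.add(key)
        elif key in quarantined:
            recurrences[key] = recurrences.get(key, 0) + 1
    return recurrences
```

Run on the poster's full log, the result would list both WinAntiSpyware and Backdoor.SdBot.gen as recurring, pointing at the Run key and the HKLM\software\antivirus key as the places to watch after each reboot.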
     