
Hopefully I Got Everything...

Discussion in 'Malware and Virus Removal Archive' started by ajheiks, 2007/02/26.

  1. 2007/02/26
    ajheiks

    ajheiks Inactive Thread Starter

    Joined:
    2007/02/26
    Messages:
    10
    Likes Received:
    0
    Hi guys,

    I am actually a friend of psiegel81 and he was telling me about the great job you guys have been doing, so I figured I'd run a quick question by you.

    I just recently had a pretty nasty trojan, everything seems to be running smoothly now, but I just wanted to make sure I got everything.

    Here's my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:08:40 PM, on 2/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programs\Plug Ins\Net Tools\AVG Anti-Spyware 7.5\guard.exe
    C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgamsvr.exe
    C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgupsvc.exe
    C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\sstray.exe
    C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgcc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Programs\Plug Ins\Net Tools\ZoneAlarm\zlclient.exe
    C:\Programs\Plug Ins\Net Tools\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Games\Valve\Steam\Steam.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10MT1.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Programs\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://verizon.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programs\Plug Ins\Acrobat Reader 7.0.5\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programs\Plug Ins\Net Tools\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs\Plug Ins\Net Tools\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\Plug Ins\Net Tools\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130714456108
    O20 - Winlogon Notify: WBSrv - C:\Programs\PLUGIN~1\WINDOW~1\wbsrv.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - C:\WINDOWS\system32\higehsg.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programs\Plug Ins\Net Tools\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgemc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    I am currently running ZoneAlarm for a Software Firewall and AVG:AS/AV, although I am looking for a new AS since my free trial of AVG:AS has just expired.

    Any help would be greatly appreciated.

    Thanks,
    Aaron
     
  2. 2007/02/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ajheiks
    Welcome to WindowsBBS.

    We need to do a couple things here.

    Please download SmitfraudFix (by S!Ri) to your Desktop.

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


    Please post the log here.
    Geri
     

  4. 2007/02/26
    ajheiks
    SmitFraudFix v2.144

    Scan done at 20:40:51.62, Mon 02/26/2007
    Run from C:\Documents and Settings\Aaron J Heiks\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aaron J Heiks


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Aaron J Heiks\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\AARONJ~1\FAVORI~1

    C:\DOCUME~1\AARONJ~1\FAVORI~1\Online Security Test.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{2016a466-91a2-43c6-97d8-2fd380f065ef}"="eitheror"

    [HKEY_CLASSES_ROOT\CLSID\{2016a466-91a2-43c6-97d8-2fd380f065ef}\InProcServer32]
    @="C:\WINDOWS\system32\higehsg.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2016a466-91a2-43c6-97d8-2fd380f065ef}\InProcServer32]
    @="C:\WINDOWS\system32\higehsg.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="wbsys.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  5. 2007/02/26
    Geri
    Hi ajheiks

    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, double-click on SmitfraudFix.exe
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non-infected computer will remove your Desktop background.

    Please post the report and a new HJT log.
    Thanks
    Geri
     
  6. 2007/02/26
    ajheiks
    SmitFraudFix v2.144

    Scan done at 21:20:16.84, Mon 02/26/2007
    Run from C:\Documents and Settings\Aaron J Heiks\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{2016a466-91a2-43c6-97d8-2fd380f065ef}"="eitheror"

    [HKEY_CLASSES_ROOT\CLSID\{2016a466-91a2-43c6-97d8-2fd380f065ef}\InProcServer32]
    @="C:\WINDOWS\system32\higehsg.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2016a466-91a2-43c6-97d8-2fd380f065ef}\InProcServer32]
    @="C:\WINDOWS\system32\higehsg.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\DOCUME~1\AARONJ~1\FAVORI~1\Online Security Test.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End




    Logfile of HijackThis v1.99.1
    Scan saved at 9:30:51 PM, on 2/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgamsvr.exe
    C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgupsvc.exe
    C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgemc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\sstray.exe
    C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgcc.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Programs\Plug Ins\Net Tools\ZoneAlarm\zlclient.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programs\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programs\Plug Ins\Acrobat Reader 7.0.5\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [AVG7_CC] C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programs\Plug Ins\Net Tools\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programs\Plug Ins\Net Tools\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programs\Plug Ins\Net Tools\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130714456108
    O20 - Winlogon Notify: WBSrv - C:\Programs\PLUGIN~1\WINDOW~1\wbsrv.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programs\Plug Ins\Net Tools\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Programs\PLUGIN~1\NETTOO~1\AVG7~1.1\avgemc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
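An added example, not code from the thread or from HijackThis itself: a small script that diffs the pre- and post-SmitfraudFix HJT logs posted above and flags the entries a helper would review (registrations whose file is missing, and O20/O21 logon-time components not on a known list). The allowlist of known components is an assumption built only from the legitimate entries visible in this thread; the log excerpts are abridged to their entry lines.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed, abridged excerpts of the two HijackThis logs posted in this thread:
# the first before SmitfraudFix ran, the second after it. Only entry lines are kept.
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programs\Plug Ins\Acrobat Reader 7.0.5\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O20 - Winlogon Notify: WBSrv - C:\Programs\PLUGIN~1\WINDOW~1\wbsrv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - C:\WINDOWS\system32\higehsg.dll (file missing)
"""

HJT_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programs\Plug Ins\Acrobat Reader 7.0.5\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: WBSrv - C:\Programs\PLUGIN~1\WINDOW~1\wbsrv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O21 - SSODL: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING = "(file missing)"
# Logon-time load points: Winlogon Notify packages (O20) and ShellServiceObjectDelayLoad (O21).
LOGON_LOAD_POINTS = {"O20", "O21"}
# Assumed allowlist built only from the legitimate O20/O21 entries in this thread's logs;
# a real triage would consult a maintained, vetted list instead.
KNOWN_LOGON_COMPONENTS = {"WgaLogon", "WPDShServiceObj"}


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def diff_hjt(before: str, after: str) -> Dict[str, List[str]]:
    """Entries present only in the earlier log ("removed") or only in the later one ("added")."""
    b: Set[str] = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a: Set[str] = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def component_name(body: str) -> str:
    """'Winlogon Notify: WBSrv - <path>' -> 'WBSrv'; 'SSODL: eitheror - {clsid} - <path>' -> 'eitheror'."""
    return body.split(":", 1)[1].split(" - ", 1)[0].strip()


def flag_entries(text: str) -> List[Tuple[str, str, List[str]]]:
    """Entries a reviewer should look at, each with the reasons it was flagged."""
    flagged = []
    for section, body in parse_hjt(text):
        reasons = []
        if body.endswith(MISSING):
            # A registration whose file is gone: either a leftover of a removed program
            # or an infection component that was deleted but never deregistered.
            reasons.append("registered file is missing")
        if section in LOGON_LOAD_POINTS and component_name(body) not in KNOWN_LOGON_COMPONENTS:
            reasons.append("unrecognised logon-time component")
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for kind, lines in diff_hjt(HJT_BEFORE, HJT_AFTER).items():
        for line in lines:
            print(f"{kind}: {line}")
    for section, body, reasons in flag_entries(HJT_AFTER):
        print(f"REVIEW {section}: {body}  [{'; '.join(reasons)}]")
```

The diff shows exactly what the fix removed (the R0 start page, the "Protection Bar" toolbar and the "eitheror" SSODL entry), while the orphaned WBSrv notify registration is still flagged in the post-fix log for a human to decide on.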
     
  7. 2007/02/26
    Geri
    Hi ajheiks

    OK, good. We got rid of the Smitfraud infection.
    You can delete that tool. There will be newer versions if ever needed again anyway.

    Can you tell me what trojan you got rid of and the file path, if you remember?

    I think it would be a good idea to get an on-line scan to make sure everything is gone.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

    Also, your Java is somewhat out of date; we will fix that later.

    Please post the Panda log here.

    Geri
     
  8. 2007/02/26
    ajheiks
    I wish I could remember the name of the trojan I had. I do remember that it had my anti-spyware and anti-virus going nuts, as well as an extremely annoying icon in the systray that said I was infected and that I should download their anti-spyware software to heal my PC. I thought that I had everything clean, but at this point I am less than convinced.


    Here's the Panda log:


    Incident Status Location

    Adware:adware/surfaccuracy Not disinfected Windows Registry
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-10.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-11.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-13.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-14.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-30.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-31.txt[.azjmp.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-33.txt[.xiti.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-37.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-9.txt[.azjmp.com/]
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies.txt[.ccbill.com/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies.txt[.adultfriendfinder.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies.txt[.apmebf.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies.txt[.go.com/]
    Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies.txt[.tucows.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies.txt[.xiti.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@2o7[2].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@adrevolver[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@advertising[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@atwola[1].txt
    Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@ct.360i[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@doubleclick[2].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[2].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[3].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@questionmarket[2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Aaron J Heiks\Desktop\CleanUp!\SmitfraudFix\Process.exe
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Local Settings\Temp\Cookies\aaron j heiks@atwola[1].txt
    Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041
    Virus:mIRC/Gen Disinfected C:\Programs\mIRC\hix\aliases.ini
    Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\Programs\mIRC\hix\moo.dll
    Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\Programs\mIRC\hix\scripts\systeminfo\moo.dll
    Adware:Adware/VideoActiveXObject Not disinfected C:\RECYCLER\S-1-5-21-329068152-1547161642-839522115-1003\Dc574.exe
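An added example, not code from the thread or from Panda: a triage script for the ActiveScan report format above ("Incident Status Location"), which separates tracking-cookie noise and already-disinfected items from the leftovers that still need action. The expected-tool allowlist (SmitfraudFix's process.exe, which the helper noted is flagged as a RiskTool) is an assumption, and the report excerpt is an abridged, constructed subset of the lines posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed, abridged excerpt of the Panda ActiveScan report posted above. Each
# line is "<Incident> <Status> <Location>" with Status "Disinfected" or "Not disinfected".
PANDA_REPORT = r"""
Incident Status Location

Adware:adware/surfaccuracy Not disinfected Windows Registry
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-10.txt[.azjmp.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@doubleclick[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Aaron J Heiks\Desktop\CleanUp!\SmitfraudFix\Process.exe
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041
Virus:mIRC/Gen Disinfected C:\Programs\mIRC\hix\aliases.ini
Adware:Adware/VideoActiveXObject Not disinfected C:\RECYCLER\S-1-5-21-329068152-1547161642-839522115-1003\Dc574.exe
"""

# Incident names may themselves contain spaces ("Potentially unwanted tool:..."),
# so the status keyword is what anchors the split, not whitespace.
LINE_RE = re.compile(r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$")

# Assumed allowlist of detections expected on this machine: process.exe ships with
# SmitfraudFix and is reported as a RiskTool by several scanners (see the helper's note).
EXPECTED_TOOLS = (r"\SmitfraudFix\Process.exe",)


@dataclass
class Finding:
    incident: str
    status: str
    location: str

    @property
    def is_tracking_cookie(self) -> bool:
        return self.incident.startswith("Spyware:Cookie/")

    @property
    def where(self) -> str:
        """Rough location bucket that decides which kind of cleanup applies."""
        if self.location == "Windows Registry":
            return "registry"
        if self.location.upper().startswith(r"C:\RECYCLER"):
            return "recycle_bin"
        return "file"


def parse_panda(report: str) -> List[Finding]:
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["incident"], m["status"], m["location"]))
    return findings


def triage(report: str) -> Dict[str, List[Finding]]:
    """Sort findings into buckets so the real leftovers are not buried in cookie noise."""
    buckets: Dict[str, List[Finding]] = {
        "tracking_cookies": [], "disinfected": [], "expected_tool": [], "needs_action": []}
    for f in parse_panda(report):
        if f.is_tracking_cookie:
            buckets["tracking_cookies"].append(f)       # browser cookie clean-up, not an infection
        elif f.status == "Disinfected":
            buckets["disinfected"].append(f)            # scanner already handled it
        elif any(f.location.endswith(t) for t in EXPECTED_TOOLS):
            buckets["expected_tool"].append(f)          # known, expected detection
        else:
            buckets["needs_action"].append(f)
    return buckets


if __name__ == "__main__":
    for name, items in triage(PANDA_REPORT).items():
        print(f"{name}: {len(items)}")
        if name == "needs_action":
            for f in items:
                print(f"  [{f.where}] {f.incident} -> {f.location}")
```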
     
  9. 2007/02/26
    ajheiks
    Well, I found most of that log to be an easy fix since most were just cookies. I have deleted my cookies and cleared my temp internet files in IE and FF2.

    I've since deleted Process.exe.

    But I don't know what it doesn't like about mIRC\hix. I suppose I could take that off my system since I no longer use it.

    Running AVG now, then Panda again later; I will post an updated log when I am done.
     
  10. 2007/02/26
    Geri
    Hi ajheiks

    I see you have AVG Anti-spyware.
    Please run it at the settings given. Skip the download part.

    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Please post the AVG log.

    I would also like to see an uninstall list. Here is how to do this.

    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)
    Click Save, copy and paste the results in your next post.

    In case you are wondering, I don't like these. I'm hoping AVG will get rid of them.
    surfaccuracy
    ISTBar

    Thanks
    Geri
     
  11. 2007/02/26
    Geri
    Hi
    You can remove it if you like, but it is not necessary.

    Geri
     
  12. 2007/02/27
    ajheiks
    Ok, I ran AVG Anti-Spyware in safe mode and here's the report.

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:14:15 PM 2/27/2007

    + Scan result:



    C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.


    ::Report end


    ==================================================

    Then I ran Panda's ActiveScan again as a second check to see what was left, here's that report.


    Incident Status Location

    Adware:adware/surfaccuracy Not disinfected Windows Registry
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-10.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-11.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-13.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-14.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-30.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-31.txt[.azjmp.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-33.txt[.xiti.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-37.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-9.txt[.azjmp.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@advertising[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@atwola[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@doubleclick[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Local Settings\Temp\Cookies\aaron j heiks@atwola[1].txt
    Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041


    ==================================================

    As you can see surfaccuracy and ISTBar are still there.
    And here's the HJT Uninstall List you requested.


    ABBYY FineReader 5.0 Sprint Plus
    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player 9 ActiveX
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 7.0.7
    Adobe Stock Photos 1.0
    AIM 6.0
    AOL Instant Messenger
    ArcSoft Software Suite
    AutoCAD 2000
    AV Voice Changer Software 4.0
    AVG Anti-Spyware 7.5
    AVG Free Edition
    BitTorrent 4.2.0
    Cook'n with Betty Crocker
    Descent 3
    DivX
    DivX Player
    EPSON CardMonitor
    EPSON Copy Utility
    EPSON ES CX6400 Manual
    EPSON Photo Print
    EPSON PhotoStarter3.0
    EPSON Printer Software
    EPSON Scan
    EPSON Smart Panel
    ESPN RunTime
    Fraps
    GameSpy Arcade
    Google Earth
    GTK+ 2.4.1 runtime environment
    Half-Life(R) 2
    HijackThis 1.99.1
    HLSW v1.0.0.39
    Hotfix for Windows XP (KB926239)
    InCD (ahead software)
    iTunes
    J2SE Runtime Environment 5.0 Update 5
    Kali II
    Kquery4 (remove only)
    LimeWire 4.12.6
    Macromedia Shockwave Player
    MAIET entertainment - Gunz
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Halo
    Microsoft Office 97, Professional Edition
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    mIRC
    Mozilla Firefox (1.5.0.8)
    Mozilla Firefox (2.0.0.2)
    Mozilla Thunderbird (1.5)
    MSN Music Assistant
    MSXML 4.0 SP2 Parser and SDK
    Musicmatch® Jukebox
    Need for Speed Underground 2
    Nero - Burning Rom
    NVIDIA Drivers
    NVIDIA nForce Utilities
    NVIDIA Windows 2000/XP nForce Drivers
    ObjectDock
    Oscar's Renamer 1.0
    Panda ActiveScan
    Pivot Stickfigure Animator
    PokerStars
    PokerStars.net
    Quake 4 (TM) SDK (remove only)
    Quake 4(TM)
    Quake II Demo
    QuickTime
    RealPlayer
    ResChanger XP
    SaTstrat (remove only)
    ScanToWeb
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB925486)
    Silkroad
    SmartFTP Client 2.0
    SmartFTP Client 2.0 Setup Files (remove only)
    SolidWorks 2000
    SoulSeek Client 156c
    Speed
    Steam(TM)
    Surf Accuracy
    System Alert Popup
    TDK Digital MixMaster
    TeamSpeak 2 RC2
    The GIMP 2.0.2
    UltraVNC v1.0.1
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Ventrilo Client
    Verizon Online
    Verizon Yahoo! Applications
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WildTangent Web Driver
    WinAce Archiver
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinRAR archiver
    Xfire (remove only)
    ZoneAlarm


    Thanks again for your help,
    Aaron
     
  13. 2007/02/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ajheiks

    Surf Accuracy is in your Add/Remove Programs list.
    Did you install it?

    It can be uninstalled from there if you want it uninstalled.

    Please download Spybot Search & Destroy and AdAware.

    Follow all the instructions on this website to run a scan with both of these programs.

    Reboot your computer after the scans.

    Then please run and post a new Panda scan.

    Thanks
    Geri
     
  14. 2007/02/28
    ajheiks

    ajheiks Inactive Thread Starter

    Joined:
    2007/02/26
    Messages:
    10
    Likes Received:
    0
    I have no idea where the Surf Accuracy came from, especially since the date on it in my Add/Remove was from 2005. Anyway, I removed it, ran SpyBot and AdAware, and here's what's left:



    Incident Status Location

    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-10.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-11.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-13.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-14.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-30.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-31.txt[.azjmp.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-33.txt[.xiti.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-37.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-9.txt[.azjmp.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@2o7[1].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@advertising[1].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@atwola[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@doubleclick[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Local Settings\Temp\Cookies\aaron j heiks@atwola[1].txt
    Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041
     
  15. 2007/02/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ajheiks

    Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete this folder (if present):

    C:\Program Files\Common Files\Totem Shared <<<This folder

    After that, reboot.

    Then please run and post a new Panda scan.

    Geri
     
  16. 2007/03/03
    ajheiks

    ajheiks Inactive Thread Starter

    Joined:
    2007/02/26
    Messages:
    10
    Likes Received:
    0
    Incident Status Location

    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-10.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-11.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-13.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-14.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-30.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-31.txt[.azjmp.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-33.txt[.xiti.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-37.txt[.azjmp.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-9.txt[.azjmp.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@advertising[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@atwola[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@doubleclick[2].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Local Settings\Temp\Cookies\aaron j heiks@atwola[1].txt
     
  17. 2007/03/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi ajheiks

    OK, good. Other than cookies it was clean.
    I would download ATF to delete cookies and other temp files. There is a link posted below for ATF.

    If you are not having any more problems then you're good to go.
    If you are then post another HJT log.


    You need to update your Java, here is how...

    Updating Java and Clearing Cache
    1. Go to Start > Control Panel and double-click the Java icon (coffee cup) in the Control Panel.
    2. It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    3. If you are unable to update you can manually update by going here:
    4. After the reboot, go back into the Control Panel and double-click the Java Icon.
    5. Under Temporary Internet Files, click the Delete Files button.
    6. There are three options in the window to clear the cache. Leave ALL 3 checked:

      • Downloaded Applets
      • Downloaded Applications
      • Other Files
    7. Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    8. Click OK to leave the Java Control Panel.

    Then delete the older version in add/remove.

    We have just a few more things to do, mostly maintenance and then our recommendations:

    Delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

    5. IE-SpyAd - puts over 23,000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
      The MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    6. Install WinPatrol to prevent unknown applications from being inserted into startup on your machine.

      Now just because you have security apps installed, they are useless unless updated regularly.

    7. Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    8. ATF Cleaner by Atribune.
      This program is for XP and Windows 2000 only. It cleans out temporary files and all the garbage you collect while surfing the web.

    9. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

    10. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
    11. Trillian or Miranda-IM - These are malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

    Surf Safely
    Geri
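The call Geri makes above, that only tracking cookies remain and nothing on disk or in the registry, is the triage step a helper repeats for every report in a thread like this. The Python below is an added example for this thread, not a tool the posters used and not part of Panda ActiveScan: it parses the "Incident Status Location" lines in the format pasted above, separates cookie hits (Firefox `cookies-N.txt[domain]` entries and IE `Cookies\*.txt` files) from registry and on-disk file hits, and compares two reports to show which non-cookie findings went away. The embedded sample reports reuse lines copied from the reports in posts 12 and 16; the regular expressions, and the assumption that the only status values are "Disinfected" and "Not disinfected", are mine.

```python
"""Triage Panda ActiveScan 'Incident Status Location' lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input, constructed from lines copied out of the reports posted in this
# thread: REPORT_BEFORE mixes the post-12 registry/DLL hits with cookie hits,
# REPORT_AFTER is a subset of the post-16 report (cookies only).
REPORT_BEFORE = r"""
Incident Status Location

Adware:adware/surfaccuracy Not disinfected Windows Registry
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-10.txt[.azjmp.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-33.txt[.xiti.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@doubleclick[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Local Settings\Temp\Cookies\aaron j heiks@atwola[1].txt
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\WindowsEx.dll.041
"""

REPORT_AFTER = r"""
Incident Status Location

Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-10.txt[.azjmp.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Aaron J Heiks\Application Data\Mozilla\Firefox\Profiles\rkpxk3ot.default\cookies-33.txt[.xiti.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@doubleclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Aaron J Heiks\Cookies\aaron j heiks@go[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron J Heiks\Local Settings\Temp\Cookies\aaron j heiks@atwola[1].txt
"""

# One report line: "<Kind>:<Name> <Status> <Location>". Assumption: the status is
# either "Not disinfected" or "Disinfected" (the only values seen in this thread).
INCIDENT_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)
# Firefox cookie store entry: ...\cookies-N.txt[.domain/]  (Panda appends the domain)
FIREFOX_COOKIE_RE = re.compile(r"\\cookies-\d+\.txt\[\.?(?P<domain>[^\]/]+)/?\]$", re.I)
# IE per-user cookie file: ...\Cookies\<user>@<domain>[N].txt
IE_COOKIE_RE = re.compile(r"\\Cookies\\[^\\]*@(?P<domain>[^\[\]\\]+)\[\d+\]\.txt$", re.I)


def cookie_domain(location: str) -> Optional[str]:
    """Return the tracking domain if the location is a browser cookie, else None."""
    for pattern in (FIREFOX_COOKIE_RE, IE_COOKIE_RE):
        m = pattern.search(location)
        if m:
            return m.group("domain").lower()
    return None


@dataclass(frozen=True)
class Incident:
    kind: str       # "Spyware", "Adware", ...
    name: str       # detection name, e.g. "Cookie/Azjmp"
    status: str
    location: str

    @property
    def category(self) -> str:
        """'cookie', 'registry' or 'file': what remediation the hit actually needs."""
        if self.location.strip().lower() == "windows registry":
            return "registry"
        if cookie_domain(self.location) is not None:
            return "cookie"
        return "file"


def parse_report(text: str) -> List[Incident]:
    """Parse pasted report text; header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Incident Status Location"):
            continue
        m = INCIDENT_RE.match(line)
        if m:
            incidents.append(Incident(**m.groupdict()))
    return incidents


def summarize(incidents: List[Incident]) -> dict:
    """Counts per category plus the non-cookie hits that are still not disinfected."""
    counts = {"cookie": 0, "registry": 0, "file": 0}
    for inc in incidents:
        counts[inc.category] += 1
    remaining = [i for i in incidents if i.category != "cookie" and i.status != "Disinfected"]
    domains = sorted({cookie_domain(i.location) for i in incidents if i.category == "cookie"})
    return {"counts": counts, "cookie_domains": domains,
            "only_cookies": not remaining, "remaining": remaining}


def resolved_between(before: List[Incident], after: List[Incident]) -> List[Incident]:
    """Non-cookie findings present in the earlier report and absent from the later one."""
    later = {i.location.lower() for i in after}
    return [i for i in before if i.category != "cookie" and i.location.lower() not in later]


if __name__ == "__main__":
    before, after = parse_report(REPORT_BEFORE), parse_report(REPORT_AFTER)
    for label, report in (("before", before), ("after", after)):
        s = summarize(report)
        print(label, s["counts"], "only cookies left:", s["only_cookies"])
        for inc in s["remaining"]:
            print("  still present:", inc.name, "->", inc.location)
    print("resolved:", [i.name for i in resolved_between(before, after)])
```

The location, not the detection name, drives the classification: a "Cookie/..." label alone says nothing about where the data sits, while a path under `Cookies\` or a `cookies-N.txt[domain]` entry tells you clearing the browser's cookie store is the whole fix, and anything else (here the registry key and the `.dll.041` under `Totem Shared`) needs the hands-on removal the thread walked through.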
     
