
http ://xysearch.biz/?wmid=3301 will not go away

Discussion in 'Malware and Virus Removal Archive' started by wolfy810, 2004/11/17.

Thread Status:
Not open for further replies.
  1. 2004/11/23
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    RAV and HJT logs

    Thanks Newt,

    RAV list

    Scan started at 11/23/2004 10:23:28 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\177B1H4E\connect[1]->(GZip)->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C9QV8PAR\updall1m[1].exe - TrojanDownloader:Win32/Agent.AB -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CLAZWHEB\stc[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPSNEDCL\KeyActivexTest[1].ocx - TrojanDownloader:Win32/Small.GZ -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QX1IFA5G\TRACK[1].CHM->/track.htm->(SCRIPT0001)->(EncScript) - JS/Psyme.gen* -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\U5RW9GBA\HelperInstaller[1].exe - TrojanDropper:Win32/Delf -> Infected
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W9YJ27G1\IdleUI[1].dll - TrojanSpy:Win32/Idly.C -> Infected
    C:\WINDOWS\Downloaded Program Files\file1.exe - TrojanDownloader:Win32/Nex.B -> Infected
    C:\WINDOWS\Downloaded Program Files\ISTactivex.dll - TrojanDownloader:Win32/IstBar.FZ -> Infected

    Scanned
    ============================
    Objects: 55883
    Directories: 4376
    Archives: 6894
    Size(Kb): -282812
    Infected files: 9

    Found
    ============================
    Viruses found: 8
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 99


    HJT

    Logfile of HijackThis v1.98.2
    Scan saved at 11:29:20 PM, on 11/23/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\SYSTEM32\msvcmm32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Free Downloads Accelerator\fdaagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp99.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe /WNDSTART /Tray
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0d\aoltray.exe
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    How am I looking?

    wolfy
     
  2. 2004/11/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The HijackThis log looks good, except that it appears you have used msconfig to disable some startups. Not knowing what those items are, I would recommend you recheck everything and reboot, then post a new log.

    There should only be a couple of items in that TIF folder, so I recommend you start deleting like 10 at a time till you find the Content.IE5 folder. The RAV scan shows it is there. Delete everything except that folder and desktop.ini, in addition to everything inside the content.IE5 folder.

    Did you delete everything inside of C:\Windows\Downloaded program Files folder?
     


  4. 2004/11/24
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    New log and other details...

    The HijackThis log looks good, except that it appears you have used msconfig to disable some startups. Not knowing what those items are, I would recommend you recheck everything and reboot, then post a new log.

    -I rebooted with normal startup, so hopefully that problem was fixed; I can't tell.

    There should only be a couple of items in that TIF folder, so I recommend you start deleting like 10 at a time till you find the Content.IE5 folder. The RAV scan shows it is there. Delete everything except that folder and desktop.ini, in addition to everything inside the content.IE5 folder.

    -I am looking in my "Owner" TIF folder, I rearranged the files in order by name and couldn't find Content.IE5 or desktop.ini there. I do have Content.IE5 in the "Administrator" TIF but that is the only thing there. I keep deleting all the files in that (Content IE5) folder but they always come back. Why don't I have Content.IE5 in the Owner folder and what should I do about this?

    Did you delete everything inside of C:\Windows\Downloaded program Files folder?

    -Yes, there are two items there now, one is the ActiveX needed for RAV and the other is Shockwave Flash, should I delete them?


    HJT Log:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:04:39 PM, on 11/24/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe
    C:\Program Files\Sonique\sqstart.exe
    C:\WINDOWS\SYSTEM32\msvcmm32.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Free Downloads Accelerator\fdaagent.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp99.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [M3Tray] C:\Program Files\Movielink\MovielinkManager\Movielink Manager.exe /WNDSTART /Tray
    O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0d\aoltray.exe
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
     
    Last edited: 2004/11/24
  5. 2004/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Delete everything in the owner TIF folder, empty the recycle bin and do another RAV scan.

    Nothing new that's bad in the HJT log. Feel free to again disable those same items in msconfig.
     
  6. 2004/11/24
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    Disable which items?

    Which items can I disable in msconfig?

    Also - I deleted all files in TIF (owner) and there's already a bunch more just from browsing a few minutes, mainly just to this forum. Is this a problem?

    I tried to use killbox on:
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\177B1H4E\connect[1]->(GZip)->(OBJECT0000) - HTML/CodeBaseExec* - Never mind, I copied this whole thing instead of just the file name on my original effort; it didn't come up on the new RAV scan, which I will post when it's finished.

    I rebooted and ran RAV again and it is still there. I see that there is a Content.IE5 folder for owner but I can't find it. What is going on?

    wolfy
     
    Last edited: 2004/11/24
  7. 2004/11/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    wolfy810 HI

    The content.ie5 folder is hidden; you can still look in there if you like.

    Go to Start, Run, and copy-paste this in, then hit OK.
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5

    Or right click on the Start button, choose Explore in the context menu,
    then navigate to and look in content.ie5

    Just clear IE's cache with Internet Options; it does the same thing.
    Clear Internet Explorer's cache
    1. In Control Panel, open Internet Options.
    2. Click the General tab, and then under Temporary Internet files, click Delete Files.
    3. In the Delete Files dialog box, click to select the Delete all offline content check box.
    4. Wait for the hourglass to disappear.
    5. Click OK.

    Have Hijackthis fix this item
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    reboot then delete that folder
     
  8. 2004/11/25
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    Thanks all!

    I think everything is OK. Here is one final (hopefully) HJT log. Let me know if this looks good.

    -Question: Why does my TIF get so full and is it a problem that I should/can fix?

    Logfile of HijackThis v1.98.2
    Scan saved at 12:52:43 AM, on 11/26/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\support.com\bin\tgcmd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Program Files\Sonique\sqstart.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Free Downloads Accelerator\fdaagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: IE 4.x-6.x BHO for Free Downloads Accelerator - {98DE779A-2364-4293-AB71-2B97C61C4640} - C:\PROGRA~1\FREEDO~1\fdahlp99.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0d\aoltray.exe
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
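The helpers in this thread compare the HijackThis logs by eye, post to post. As an added example (not code from the thread or from HijackThis itself), the Python below parses HijackThis R/O result lines and diffs two logs; the sample logs are built from lines copied out of the first (11/23) and last (11/26) logs posted above, trimmed to the entries that differ. It keeps the "(file missing)" flag and splits at the CLSID so a path such as "Spybot - Search & Destroy" is not cut at its own " - ".

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Entry(NamedTuple):
    kind: str              # "R0", "O2", "O4", ...
    name: str              # BHO/toolbar/Run value name (registry value for R lines)
    clsid: Optional[str]   # {GUID} when the line carries one
    target: str            # file path, URL or registry data
    file_missing: bool     # HijackThis appended "(file missing)"


_LINE = re.compile(r"^(R\d|O\d+) - (.*)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_MISSING = "(file missing)"


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for one HijackThis result line, or None for other text."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group(1), m.group(2)
    missing = rest.endswith(_MISSING)
    if missing:
        rest = rest[: -len(_MISSING)].strip()
    cm = _CLSID.search(rest)
    clsid = cm.group(0) if cm else None
    if kind == "O4":
        # 'HKLM\..\Run: [name] command'  or  'Startup: name.lnk = path'
        m4 = (re.match(r"[^:]+: \[(.+?)\] (.+)$", rest)
              or re.match(r"[^:]+: (.+?) = (.+)$", rest))
        if m4:
            return Entry(kind, m4.group(1), clsid, m4.group(2).strip(), missing)
    if cm:
        # 'BHO: name - {CLSID} - path'  or  'DPF: {CLSID} (name) - url'.
        # Split at the CLSID rather than at " - ": a path such as
        # 'Spybot - Search & Destroy' contains the separator itself.
        name = rest[: cm.start()].split(": ", 1)[-1].strip(" -")
        tail = rest[cm.end():].strip(" -")
        if tail.startswith("("):
            name, _, tail = tail[1:].partition(") - ")
        return Entry(kind, name or "(no name)", clsid, tail.strip(), missing)
    sep = " = " if " = " in rest else ": "   # R0/R1 'key,value = data'; O12 'Plugin for x: path'
    name, _, target = rest.partition(sep)
    return Entry(kind, name.strip(), clsid, target.strip(), missing)


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def _key(e: Entry):
    return (e.kind, e.name.lower(), e.target.lower())


def diff_logs(old: str, new: str) -> Dict[str, List[Entry]]:
    """Entries that appear in only one of two logs, in log order."""
    o = {_key(e): e for e in parse_log(old)}
    n = {_key(e): e for e in parse_log(new)}
    return {"removed": [e for k, e in o.items() if k not in n],
            "added": [e for k, e in n.items() if k not in o]}


def missing_files(text: str) -> List[Entry]:
    """Entries whose file HijackThis could not find (dead registrations)."""
    return [e for e in parse_log(text) if e.file_missing]


# Constructed from the logs posted in this thread, trimmed to the lines that
# differ between the first (11/23) and the last (11/26) scan.
FIRST_LOG = r"""Logfile of HijackThis v1.98.2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""
LAST_LOG = r"""Logfile of HijackThis v1.98.2
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

if __name__ == "__main__":
    changes = diff_logs(FIRST_LOG, LAST_LOG)
    for label in ("removed", "added"):
        for e in changes[label]:
            print(f"{label:8} {e.kind} {e.name!r} -> {e.target}")
```

Run against the two full logs in this thread, the diff shows exactly the startup items the helpers asked to be fixed or re-enabled (the msconfig entry, the Freedom and AdDestroyer autostarts) and the LiveUpdate notifier that appeared later.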
     
  9. 2004/11/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. :) I assume this means you came up with a clean RAV scan? If so, re-enable system restore. I also recommend you open Spybot and check for updates. Then click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click IE tweaks and at least lock the HOSTS file.
    Then download and install IESpyad.

    That will give you some added layers of protection against unwanted parasites.


    TIFs pile up very quickly. It will help to open Internet options, click TIFs settings button, and set the disk space used for TIFs down to about 50 MB. Then click the privacy tab, then advanced button. Check the box to override cookie handling, check to allow first party, block third party and always allow session.
     
  10. 2004/11/26
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    RAV Scan not clean

    I just did a RAV scan and found this (again):

    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPSNEDCL\stc[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected

    I found that file and deleted it but I already killed it once and it came back. Is there anything I can do about that? Here is the rest of the scan:

    Scan started at 11/26/2004 12:24:42 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QPSNEDCL\stc[1].htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\RECYCLER\S-1-5-21-400550780-1943663836-840360825-1003\Dc20.htm->(OBJECT0000) - HTML/CodeBaseExec* -> Infected
    C:\WINDOWS\Downloaded Program Files\file1.exe - TrojanDownloader:Win32/Nex.B -> Infected
    C:\WINDOWS\Downloaded Program Files\ISTactivex.dll - TrojanDownloader:Win32/IstBar.FZ -> Infected

    Scanned
    ============================
    Objects: 53499
    Directories: 4399
    Archives: 6866
    Size(Kb): -344807
    Infected files: 4

    Found
    ============================
    Viruses found: 3
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 96

    Thanks again,

    wolfy
     
  11. 2004/11/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi wolfy810

    If you uncheck autoclean at the RAV online scan, then there will be an option to have it delete what it finds. Normally always try fix or repair first, though; in this case they are not Windows files, so there is no need to attempt a repair.
    Understand?
     
  12. 2004/11/26
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    I have been doing all of my RAV scans w/ the Autoclean unchecked. I ran one again and I can't find the option to delete what it finds. Is this option available before or after the scan and where can I find it because I didn't see it at either time.

    wolfy810
     
  13. 2004/11/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Mind trying another ?

    I know they are time consuming but well worth the time.

    BitDefender AntiVirus Free Scan, check all boxes except [ ] auto clean!!,
    then have it delete the file if it cannot clean/repair/cure it,
    turn off any PopupBlockers before accessing the site:
    http://www.bitdefender.com/scan/licence.php

    Copy their reports back here please.
     
  14. 2004/11/27
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    Error message at that site

    I went to that site and got this error message:

    Failed to load interface -- You must have administrative rights on this computer; you also must have the Internet Explorer security settings to the Medium level.

    I checked my security settings and it looks like it is set at medium. Why would I not have admin. rights? I had this same error message one time when I went to the RAV site but it was because I erased the ActiveX control needed there. Is this a possibility?

    I will be more than happy to try more resources. Thanks

    wolfy
     
  15. 2004/11/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That infected file in the content.IE5 folder is the same file, but is now in a different subfolder. It's coming from a site you are visiting. Are you still unable to see the content.IE5 folder for the owner account? Are you able to find that stc[1].htm file in TIFs? If you can, double click on it to see if it takes you anywhere, or if you'd rather, you can send it to me and I will check it out. Let me know before doing the following and I can give you my addy.

    I would like you to boot to safe mode, then uncheck the /safeboot box in msconfig. Do not allow restart. Then open Killbox and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\Downloaded Program Files\file1.exe

    Don't click any of the buttons though; instead click on the Action menu and choose "Delete on Reboot". On the next screen, PendingFileRenameOperations, click File on the menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". Click cancel on the Reboot Needed popup, then OK to the next. Leave that window open and paste this filename and path into the first window.

    C:\WINDOWS\Downloaded Program Files\ISTactivex.dll

    Click action, delete on reboot, add & process, this time allowing reboot.

    Now delete everything in the owner TIF folder and run the RAV scan again.
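The PendingFileRenameOperations screen Killbox shows is the registry queue Windows processes at the next boot, which is why a locked ActiveX file can be removed this way. As an added example (not Killbox's code), the Python below decodes and builds that REG_MULTI_SZ value; the sample value is constructed from the two file names named above plus an invented rename entry. Reviewing the decoded queue before allowing the reboot also shows whether anything else has staged a file there, which is the check a responder wants.

```python
from typing import List, NamedTuple, Optional

# Added example, not Killbox's code. Windows keeps the reboot-time file queue
# as a REG_MULTI_SZ named PendingFileRenameOperations under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The strings come in
# (source, destination) pairs: an empty destination means "delete", a "!"
# prefix on the destination means "replace an existing file", and paths carry
# the NT "\??\" prefix.
NT_PREFIX = "\\??\\"


class PendingOp(NamedTuple):
    source: str
    destination: Optional[str]   # None: the file is deleted at next boot
    replace_existing: bool       # destination carried the "!" prefix


def decode_multi_sz(raw: bytes) -> List[str]:
    """Decode raw REG_MULTI_SZ bytes: UTF-16LE strings, each NUL-terminated,
    with one extra NUL closing the list."""
    text = raw.decode("utf-16-le")
    if text in ("", "\0", "\0\0"):
        return []
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    # Remove only the list terminator. A delete entry ends the value with
    # three NULs (empty destination + terminator); rstrip("\0") would eat that
    # empty string and shift every later pair, so keep it.
    return text[:-1].split("\0")[:-1]


def encode_multi_sz(values: List[str]) -> bytes:
    """Inverse of decode_multi_sz."""
    return ("".join(v + "\0" for v in values) + "\0").encode("utf-16-le")


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(values: List[str]) -> List[PendingOp]:
    """Pair up the MULTI_SZ strings into queued operations."""
    if len(values) % 2:
        raise ValueError("queue must hold (source, destination) pairs")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        if dst == "":
            ops.append(PendingOp(_strip_nt(src), None, False))
        else:
            ops.append(PendingOp(_strip_nt(src), _strip_nt(dst.lstrip("!")),
                                 dst.startswith("!")))
    return ops


def queue_delete_on_reboot(paths: List[str]) -> List[str]:
    """MULTI_SZ strings that delete each path at next boot (what Killbox's
    "Delete on Reboot" / "Add File" appends to the queue)."""
    values: List[str] = []
    for p in paths:
        values += [NT_PREFIX + p, ""]
    return values


def pending_deletes(raw: bytes) -> List[str]:
    """Paths queued for deletion in a raw registry value: the list a responder
    reviews before allowing the reboot."""
    return [op.source for op in decode_pending_ops(decode_multi_sz(raw))
            if op.destination is None]


# Constructed sample: the two files this post asks Killbox to remove, plus an
# invented rename entry of the kind an installer leaves for an in-use file.
SAMPLE_VALUES = queue_delete_on_reboot([
    r"C:\WINDOWS\Downloaded Program Files\file1.exe",
    r"C:\WINDOWS\Downloaded Program Files\ISTactivex.dll",
]) + [NT_PREFIX + r"C:\WINDOWS\Temp\example.tmp",
      "!" + NT_PREFIX + r"C:\WINDOWS\example.dll"]
SAMPLE_RAW = encode_multi_sz(SAMPLE_VALUES)

if __name__ == "__main__":
    for op in decode_pending_ops(decode_multi_sz(SAMPLE_RAW)):
        print(op)
```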
     
  16. 2004/11/28
    wolfy810

    wolfy810 Inactive Thread Starter

    Joined:
    2004/11/18
    Messages:
    23
    Likes Received:
    0
    Clean RAV scan

    My RAV scan came back clean but unfortunately I had already erased the stc[1].exe file. You taught me well and I had actually done that before I got your message. All is good for now but I will keep my eyes peeled for that file to come back and I will check it out.

    Also, my Owner folder is hidden but I can access it by searching for it. I am going to go back to your (Noah) last posting and do those few things that you told me to do once I got a clean RAV scan. I'm sure you will be hearing from me again soon.

    Thanks,

    wolfy810
     
  17. 2004/11/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Good to hear you're all cleaned up. Glad I could help and thanks for posting back. :)
     