

HijackThis log


6 replies to this topic

#1 OFFLINE   Trifith

    Newbie

  • Members
  • 5 posts

Posted 19 November 2006 - 02:47 AM

Appreciate your time

Logfile of HijackThis v1.99.1
Scan saved at 9:41:52 PM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\program files\microsoft office\Office10\msoffice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lorrie\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133603113737
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 19 November 2006 - 05:39 AM

Hi Trifith, Welcome to the forum

Looks Good, just a couple of entries to fix

Run Hijack This and choose Do A System Scan then place a check next to these entries

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)

Close all open browser and other windows except for Hijack This and press the Fix Checked button

To make sure there aren't any malware problems please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back the Kaspersky report if it detects any infected items

Regards

Andy

#3 OFFLINE   Trifith


Posted 19 November 2006 - 07:45 PM

My Kaspersky log

*KASPERSKY ONLINE SCANNER REPORT*
Sunday, November 19, 2006 2:42:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2
(Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/11/2006
Kaspersky Anti-Virus database records: 242919

*Scan Settings*
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
*Scan Target* My Computer
A:\
C:\
D:\
*Scan Statistics*
Total number of scanned objects 86232
Number of viruses found 2
Number of infected objects 6 / 0
Number of suspicious objects 0
Duration of the scan process 01:18:47


*Infected Object Name* *Virus Name* *Last Action*
C:\Documents and Settings\Jean\Local Settings\Application
Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/25 Dec
2005 00:28 from eBay:eBay: security update.rtf Infected:
Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Jean\Local Settings\Application
Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items/29 Dec
2005 06:23 from eBay:eBay Inc 0nline - Details Confirmati.rtf Infected:
Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Jean\Local Settings\Application
Data\Microsoft\Outlook\Outlook.pst Mail MS Mail: infected - 2 skipped
C:\Documents and Settings\Lorrie\Application
Data\Mozilla\Profiles\default\22wffngm.slt\Mail\mail.charter-2.net\Inbox/[From
"PayPal" ][Date Mon, 05 Dec 2005 01:38:50 +0300]/UNNAMED/html Infected:
Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Lorrie\Application
Data\Mozilla\Profiles\default\22wffngm.slt\Mail\mail.charter-2.net\Inbox/[From
"PayPal" ][Date Mon, 05 Dec 2005 01:38:50 +0300]/UNNAMED Infected:
Trojan-Spy.HTML.Paylap.ev skipped
C:\Documents and Settings\Lorrie\Application
Data\Mozilla\Profiles\default\22wffngm.slt\Mail\mail.charter-2.net\Inbox
Mail Berkeley mbox: infected - 2 skipped
*Scan process completed.*

#4 OFFLINE   Trifith


Posted 19 November 2006 - 07:58 PM

Also, I have uninstalled all yahoo and aol related software, can the lines marked with a XXXX be safely removed?


Logfile of HijackThis v1.99.1
Scan saved at 2:53:23 PM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\program files\microsoft office\Office10\msoffice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lorrie\Desktop\Hijackthis\HijackThis.exe

XXXX R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
XXXX R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
XXXX O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
XXXX O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
XXXX O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133603113737
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

#5 OFFLINE   AndyManchesta


Posted 19 November 2006 - 08:21 PM

Hi Trifith

XXXX R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
XXXX R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/


These are IE settings and are fine to fix or leave in place depending on whether you want Yahoo to be your homepage. You can fix them if you didn't want the Default_Page and IE Start Page to be Yahoo, but you could also change the homepage by going to Tools on the top bar of IE and clicking Internet Options, then change the Homepage and click Apply and OK.

XXXX O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html

XXXX O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

This is an added Menu Item/Button in IE so if the software has been removed it's fine to fix it

XXXX O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

Related to Yahoo Messenger, again can be fixed without causing any problems,


The Kaspersky report looks OK; it's showing infected items in mail accounts which can be removed, but no active malware problems.

Mozilla Inbox:

C:\Documents and Settings\Lorrie\Application
Data\Mozilla\Profiles\default\22wffngm.slt\Mail\mail.charter-2.net\Inbox
/[From
"PayPal" ][Date Mon, 05 Dec 2005 01:38:50 +0300]/UNNAMED/html Infected:
Trojan-Spy.HTML.Paylap.ev skipped


Outlook Deleted Items:

C:\Documents and Settings\Jean\Local Settings\Application
Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items
/25 Dec
2005 00:28 from eBay:eBay: security update.rtf Infected:
Trojan-Spy.HTML.Bayfraud.hn skipped

C:\Documents and Settings\Jean\Local Settings\Application
Data\Microsoft\Outlook\Outlook.pst/Personal Folders/Deleted Items
/29 Dec
2005 06:23 from eBay:eBay Inc 0nline - Details Confirmati.rtf Infected:
Trojan-Spy.HTML.Bayfraud.hn skipped

They have been there since December last year so cannot cause you problems but should be removed if possible. I tend to use Hotmail accounts for all my emails to prevent having them or attachments saved on my own system, so I cannot give detailed instructions for removing them, but other members here may be able to offer suggestions if you have problems.

Apart from that the log and Kaspersky report looks fine

Cheers

Andy
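As an added example (not part of the original thread or of HijackThis itself), the triage done by hand in the replies above can be sketched as a small parser: it splits each log entry into its section code and CLSID, attaches the section meaning the replies give, and flags entries whose target is `(no file)`, the trait shared by the two entries selected for fixing in post #2. Treating `(no file)` as the selection criterion is an assumption, and the sample log is a constructed excerpt of lines copied from this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Section meanings as worded in the log lines and replies on this page.
SECTION_LABELS = {
    "R0": "Internet Explorer setting (Start Page)",
    "R1": "Internet Explorer setting (Default_Page_URL)",
    "R3": "URLSearchHook",
    "O2": "BHO (Browser Helper Object)",
    "O4": "Startup entry (Run key or Startup folder)",
    "O8": "Extra IE context menu item",
    "O9": "Extra IE button or Tools menu item",
    "O16": "DPF (downloaded ActiveX control)",
    "O20": "Winlogon Notify",
    "O23": "Service",
}

# An entry line is "<code> - <body>"; the poster in this thread also
# prefixed some lines with "XXXX" to ask about them.
ENTRY_RE = re.compile(r"^(XXXX\s+)?(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str             # section code, e.g. "O2"
    label: str            # human-readable meaning of the section
    body: str             # everything after "<code> - "
    clsid: Optional[str]  # first CLSID in the body, if any
    orphaned: bool        # True when the target is reported as "(no file)"
    user_marked: bool     # True when the poster prefixed the line with XXXX


def parse_log(text: str) -> List[Entry]:
    """Return the R/F/N/O entries of a HijackThis log, skipping the header
    and the 'Running processes' list (neither matches ENTRY_RE)."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        marked, code, body = m.groups()
        clsid = CLSID_RE.search(body)
        entries.append(Entry(
            code=code,
            label=SECTION_LABELS.get(code, "section not discussed on this page"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            orphaned=body.rstrip().endswith("(no file)"),
            user_marked=bool(marked),
        ))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries that point at a file that no longer exists."""
    return [e for e in entries if e.orphaned]


# Constructed sample: a short excerpt of lines copied from the logs above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
XXXX O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        flags = []
        if e.orphaned:
            flags.append("ORPHANED")
        if e.user_marked:
            flags.append("asked about by poster")
        print(f"{e.code:<4} {e.label:<45} {e.clsid or '-':<40} {', '.join(flags)}")
```

An orphaned flag only says the referenced file is gone; whether an entry with a live target is wanted still needs the per-entry judgement given in the replies.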

#6 OFFLINE   Trifith


Posted 19 November 2006 - 08:31 PM

AndyManchesta, on Nov 19 2006, 03:21 PM, said:


They have been there since December last year so cannot cause you problems but should be removed if possible. I tend to use Hotmail accounts for all my emails to prevent having them or attachments saved on my own system, so I cannot give detailed instructions for removing them, but other members here may be able to offer suggestions if you have problems.



Okay, so I'll have the old emails deleted. Thanks for all the help.

#7 OFFLINE   AndyManchesta


Posted 19 November 2006 - 08:34 PM

You're welcome,

Let us know if you have any problems

All The Best

Andy