Hi;
A year later and I'm back again! I've done everything in the read-me thread; I had a problem getting the ESET Online Scanner to work initially, so I ended up running it last. Anyway, I've definitely got some junk in the system; here are the various logs.
TIA!

Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 2

10/8/2008 1:02:43 PM
mbam-log-2008-10-08 (13-00-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 71126
Time elapsed: 24 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> No action taken.

Files Infected:
C:\WINDOWS\SYSTEM32\cmgnfvgq.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\qgvfngmc.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\SYSTEM32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\syszzgi.exe (Trojan.Downloader) -> No action taken.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3504 (20081008)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5b1c0690855abd4b9160e7e4a825995f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-08 06:21:21
# local_time=2008-10-08 02:21:21 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=168242
# found=11
# scan_time=2239
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 34B586CD8A90EB7C3FEB903536273453
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 709BD684517978153E9EE748AE59B597
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application 2D00B720E1A9DB15AA8AB7A714B4B7CA
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10065.qit.vir Win32/Adware.SecToolbar application B10D673132E1C32BA8E10F40CC8CD69E
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10066.qit.vir Win32/Adware.SecToolbar application 3E88C51A0D79BA693B179819E1A54A99
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10067.qit.vir Win32/Adware.SecToolbar application E75648BD7393EBCA36F292DBD9B5EBD2
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10335.qit.vir Win32/Adware.SecToolbar application 0F6BE2ACDA0DDEBD6D4B4EF17BA9078D
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10336.qit.vir Win32/Adware.SecToolbar application 396EFAA8CE7535CEA4301709FED8BC00
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10337.qit.vir Win32/Adware.Virtumonde application 9A7EF09167A6F4433681B94351509043
C:\WINDOWS\trest.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\winaux.drv probably a variant of Win32/TrojanDownloader.Agent trojan A166B3484FFD23371AD02BA0A8A0C3B5


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:26:15 PM, on 10/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\e-Range\erange.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\TeeTime King\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119297776359
O16 - DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} (IO Control) - http://192.168.1.20/io.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB07B57-C951-4728-B12C-1D83890FE591}: NameServer = 151.197.0.38,199.45.32.28
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5182 bytes
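
As an added example (not a tool from this thread or from any of the scanners), the Python script below does the first pass a helper makes on the three logs above: it parses the MBAM detection lines and flags every one marked "No action taken", reads the ESET header (remove_checked tells you whether the scan was allowed to delete anything) and hit lines, and separates hits that sit inside another tool's quarantine folder (the C:\qoobox\Quarantine entries, i.e. ComboFix leftovers) from files that are actually live on the system. The two log excerpts are constructed from lines on this page; the "Quarantined and deleted successfully" action text and the rule that an ESET verdict starts with "probably", "a variant of" or a platform prefix such as "Win32/" are assumptions made so the paths, which contain spaces, can be split from the verdicts.

```python
"""Triage the MBAM and ESET Online Scanner log formats posted in this thread.
Added example, not a tool from the thread.  Excerpts are constructed from lines
on the page; the verdict-prefix rule and the MBAM removal text are assumptions."""
import re

MBAM_LOG = """\
Malwarebytes' Anti-Malware 1.28
Database version: 1244

Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\aldd (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\affltid (Malware.Trace) -> No action taken.

Files Infected:
C:\\WINDOWS\\SYSTEM32\\cmgnfvgq.dll (Trojan.Vundo.H) -> No action taken.
C:\\syszzgi.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

ESET_LOG = """\
# version=4
# remove_checked=false
# unwanted_checked=true
# scanned=168242
# found=3
C:\\qoobox\\Quarantine\\C\\Documents and Settings\\Administrator\\Desktop\\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application 34B586CD8A90EB7C3FEB903536273453
C:\\WINDOWS\\trest.exe probably unknown NewHeur_PE virus 00000000000000000000000000000000
C:\\WINDOWS\\SYSTEM32\\winaux.drv probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) A166B3484FFD23371AD02BA0A8A0C3B5
"""

# "<item> (<family>) -> <action>."   e.g. "C:\foo.exe (Trojan.Vundo) -> No action taken."
MBAM_HIT = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

# "<path> <verdict> [(<action>)] <md5>".  Paths may contain spaces, so the verdict is
# anchored on how ESET names it (assumption): "probably ...", "a variant of ..." or a
# platform prefix such as "Win32/".  Backslashes and parentheses never appear in it.
ESET_HIT = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<verdict>(?:probably |a variant of |[A-Za-z0-9]+/)[^()\\]*?)"
    r"(?: \((?P<action>[^)]*)\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\quarantine\\")


def parse_mbam(text):
    """Detections as dicts {section, item, family, action}, section by section."""
    hits, section = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("Infected:"):       # "Files Infected:" (no count) opens a section
            section = line[:-1]
        elif not line:                        # a blank line closes it
            section = None
        elif section:
            m = MBAM_HIT.match(line)
            if m:
                hits.append({"section": section, **m.groupdict()})
    return hits


def mbam_unresolved(text):
    """Detections the user left in place: the log says 'No action taken'."""
    return [h for h in parse_mbam(text) if h["action"].startswith("No action taken")]


def parse_eset(text):
    """(header dict from the '# key=value' lines, list of hit dicts)."""
    header, hits = {}, []
    for line in text.splitlines():
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key] = value
        else:
            m = ESET_HIT.match(line)
            if m:
                hits.append(m.groupdict())
    return header, hits


def eset_live_hits(hits):
    """Drop hits inside another tool's quarantine folder; the rest are live files."""
    return [h for h in hits
            if not any(q in h["path"].lower() for q in QUARANTINE_MARKERS)]


def triage(mbam_text, eset_text):
    """The summary a helper wants before answering a log post."""
    header, eset_hits = parse_eset(eset_text)
    unresolved = mbam_unresolved(mbam_text)
    live = eset_live_hits(eset_hits)
    return {
        "mbam_unresolved": [h["item"] for h in unresolved],
        "eset_removal_enabled": header.get("remove_checked") == "true",
        "eset_found_matches": int(header.get("found", 0)) == len(eset_hits),
        "eset_live": [(h["path"], h["action"] or "not removed") for h in live],
        "action_needed": bool(unresolved) or any(h["action"] is None for h in live),
    }
```

Run against the excerpts, triage() reports three MBAM items still in place, removal disabled in the ESET run (remove_checked=false), and two live files (trest.exe never acted on, winaux.drv deleted), which is exactly the gap Judy's first reply points at: both scans were run in report-only mode.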

Hi 73firebird,

AHEM.... I do not see an active antivirus program running on the machine; where is it?
Also, your Java program is woefully out of date. The current version is version 6 update 7.

You need to first UPDATE MBA-M and then run the MBA-M scan again and have it REMOVE everything found.
Reboot the computer and run the ESET Scanner again and have it fix or remove everything found.
Reboot the computer.
Then run a new HJT scan and post back here with all three logs.
Judy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:32 PM, on 10/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\e-Range\erange.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\TeeTime King\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119297776359
O16 - DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} (IO Control) - http://192.168.1.20/io.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB07B57-C951-4728-B12C-1D83890FE591}: NameServer = 151.197.0.38,199.45.32.28
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 5079 bytes

Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 2

10/9/2008 2:52:49 PM
mbam-log-2008-10-09 (14-52-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72803
Time elapsed: 47 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3507 (20081009)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=5b1c0690855abd4b9160e7e4a825995f
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-09 07:05:46
# local_time=2008-10-09 03:05:46 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=188833
# found=11
# scan_time=3372
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10065.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10066.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10067.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10335.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10336.qit.vir Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\qoobox\Quarantine\C\Documents and Settings\TeeTime King\Application Data\AntiSpywareBot\Quarantine\11-11-2007-15-49-08\10337.qit.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\trest.exe probably unknown NewHeur_PE virus (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\SYSTEM32\winaux.drv probably a variant of Win32/TrojanDownloader.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:57 PM, on 10/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\EloSrvce.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\EloDkMon.exe
C:\WINDOWS\system32\EloTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\TeeTime King\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119297776359
O16 - DPF: {9F3B4DE4-AA29-11D1-A3D9-FDA4E35D1D25} (IO Control) - http://192.168.1.20/io.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDB07B57-C951-4728-B12C-1D83890FE591}: NameServer = 151.197.0.38,199.45.32.28
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 4951 bytes

Hi;
I am running Windows Firewall and antivirus (posting this from another computer). The only ESET log I can post is 2 replies above; it starts with "version=4". In the program files for ESET, each time I run it it seems to overwrite the previous Notepad log file. I can't use Microsoft Updates; they crash the TeeTime software, which is vital to me. The software supplier specifically pointed out to turn off updates to avoid crashing the program. I did update the Java.

Hi;
I am running Windows Firewall and antivirus (posting this from another computer). The only ESET log I can post is 2 replies above; it starts with "version=4". In the program files for ESET, each time I run it it seems to overwrite the previous Notepad log file. I can't use Microsoft Updates; they crash the TeeTime software, which is vital to me. The software supplier specifically pointed out to turn off updates to avoid crashing the program. I did update the Java.

Do you mean you are using Windows Live OneCare?
Honestly, I am a bit confused here. Turning off Windows Auto Update is ok, but that doesn't mean you shouldn't update; it should be done manually, which is very easy to do. Many people do this. If you are not doing ANY Microsoft Updates then this would mean that Windows Live OneCare, if that is what you are using, is not up to date either, I would think, so your antivirus protection is out of date and therefore you would not be protected against new viruses that turn up nearly every day. One key to each and every security program is keeping it updated; if you don't do that then why even have it on the computer?
I have no clue as to what this TeeTime software is you are talking about, but I really have never heard of being told NOT to do the Microsoft Updates. In fact I have not heard of a program which prohibits Microsoft Updates. Windows is your operating system; that is what runs the computer and it is vital to all other software running on the computer. But if it is out of date then eventually other programs will probably not run correctly either, because sooner or later they would not be able to update either, since the old Windows files would be incompatible with possible new updates for other software.
Take a look at the infected files removed.... many of them were first located in this TeeTime folder to begin with; what does that tell you?
As far as the ESET scanner overwriting the previous Notepad file, it WOULD overwrite it because it is a new scan, so the information would be new.
The other thing: many of these were located in C:\qoobox\Quarantine,
telling me that ComboFix was run on the machine at some time. WHEN? You have made no mention of running ComboFix.
Also you state that

am running windows firewall and antivirus (posting this from another computer)

I don't understand why, and it also makes me wonder: is the HJT scan actually a scan done ON the infected computer? OR do you mean you are having these problems but they prohibit you from posting from the infected computer? OR is the HJT scan not a scan done on the infected computer but one which was done on the computer you are posting from? If the latter is the case then that HJT scan means nothing, because it would only show the computer where the scan was done, not the computer where the infection is located.
You said in your original post you are back again after a year. I was not here a year ago so that wouldn't give me information, plus what happened a year ago wouldn't apply, generally, to what is happening now, unless the problem was not fixed a year ago.
Can you please clarify all this for me? I really hesitate offering any possible solutions since I don't feel I have all the needed information.
Judy

Hi Judy;
Sorry to confuse you. Only the previous post was from the home computer, like now. All the logs are from the infected one. The TeeTime is point of sale and online reservation software that runs off of the Internet Exploder browser. It utilizes pop-ups. If I could, I'd use Firefox on that particular machine like I do on everything else. The software will not run on updated versions of Windows XP. They've never resolved this issue after three years. If I update Windows, the whole kit and kaboodle goes kablooey. (Can you tell I'm not a techie? lolorz.) Last year, crunchie IIRC helped me out when I got the security 7.1 toolbar nasty in it. That was a heck of a job to get rid of, which is why you see ComboFix installed. This machine is only used for the TeeTime, and also the e-Range program you see, plus some limited printshop and Notepad use. No one is supposed to use it for internet access; however, I have teenagers helping me out and sure enough, I look at the history and they've been on it.

No one is supposed to use it for internet access; however, I have teenagers helping me out and sure enough, I look at the history and they've been on it.

Then you should call them on it. Since this is a business machine this could very well damage your business. When you are going to other, NECESSARY sites for the business on an infected computer there is a possibility of spreading these infections to others. This would definitely damage your business because there is a chance others could trace these infections back to your machine.
One free program can offer some help to you, and I would never run a computer without it, that is SpywareBlaster. It is FREE, it DOES NOT run in the background but it DOES protect the computer against the following;
ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
All you need to do is download it, install it and update it and then enable all the protection. Update it at least weekly and then enable the new items on the update.

You also should set your Internet Explorer security settings higher; you will have to experiment with that to be certain that your business necessities are not blocked, but that shouldn't take you long to figure out the proper higher setting. Also you need to set Internet Explorer to accept 1st party cookies and block all 3rd party cookies.
http://support.microsoft.com/kb/283185

One thing you can also do, you say you can tell by the history what sites these kids are surfing to...check daily and block each one they have visited each day. Sooner or later the only ones left which can be viewed will only be those you need for your business. It may be tedious but it is a way to make their surfing very difficult.
http://www.microsoft.com/windows/ie/ie6/using/howto/security/settings.mspx

Now you also said

internet exploder browser. it utilizes pop-ups.

You can also block pop-ups with IE and also set which sites will allow pop-ups and which sites will block pop-ups.
http://www.microsoft.com/WindowsXP/using/web/sp2_popupblocker.mspx

Also, you say you would prefer to use Firefox, as do I... is the reason you cannot that this Teetime software MUST be used with IE? Because Firefox can also be set to allow pop-ups from specific sites and block them from others.

Votes + Comments
excellent and prompt assistance!
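
As an added example of the "check the history and block each site they visited" advice in the reply above (not code from the thread or from Microsoft), the script below turns a list of history URLs into a regedit 5.00 file that assigns each host to Internet Explorer's Restricted sites zone (zone id 4, where IE disables ActiveX and active scripting by default) through HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, while leaving the hosts the business needs alone. The URLs and hostnames are constructed; the two-label registrable-domain rule is a simplification that does not special-case public suffixes such as co.uk, and IP-literal hosts are skipped because IE keeps those under ZoneMap\Ranges rather than Domains.

```python
"""Turn browser-history URLs into a .reg file that puts each host in Internet
Explorer's Restricted sites zone.  Added example, not code from the thread;
the history below is constructed."""
import ipaddress
from urllib.parse import urlparse

ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
RESTRICTED_ZONE = 4   # IE zone ids: 0 local, 1 intranet, 2 trusted, 3 internet, 4 restricted

# Constructed sample of URLs as pulled from the IE history (not real data).
HISTORY = [
    "http://www.example-games.net/flash/",
    "http://example-games.net/",
    "http://videos.example-social.org/watch?v=1",
    "http://booking.teetime-example.com/login",   # business site, must stay reachable
    "http://192.168.1.20/io.cab",                 # IP literals live in ZoneMap\Ranges
]
BUSINESS_HOSTS = frozenset({"booking.teetime-example.com"})


def hosts_from_history(urls, keep=frozenset()):
    """Distinct hostnames seen in the history, minus the ones the business needs."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname or ""
        if not host or host in keep:
            continue
        try:
            ipaddress.ip_address(host)      # IP hosts use ZoneMap\Ranges; out of scope here
            continue
        except ValueError:
            pass
        hosts.add(host)
    return sorted(hosts)


def zone_key(host):
    """Registry key for a host: Domains\\<domain>[\\<subdomain prefix>].

    Assumption: the registrable domain is the last two labels; public suffixes
    such as co.uk are not special-cased."""
    labels = host.split(".")
    domain, prefix = ".".join(labels[-2:]), ".".join(labels[:-2])
    return ZONEMAP + "\\" + domain + ("\\" + prefix if prefix else "")


def restricted_sites_reg(hosts):
    """Text of a regedit 5.00 file assigning every host to the Restricted zone.

    A bare domain entry already covers its subdomains, so www.example.com is
    dropped when example.com is in the list."""
    bare = {h for h in hosts if h.count(".") == 1}
    lines = ["Windows Registry Editor Version 5.00", ""]
    for host in hosts:
        labels = host.split(".")
        if len(labels) > 2 and ".".join(labels[-2:]) in bare:
            continue
        lines += ["[" + zone_key(host) + "]", '"*"=dword:%08x' % RESTRICTED_ZONE, ""]
    return "\r\n".join(lines)      # regedit wants CRLF line endings


if __name__ == "__main__":
    print(restricted_sites_reg(hosts_from_history(HISTORY, BUSINESS_HOSTS)))
```

Save the output as restricted.reg and import it on the POS machine with regedit /s restricted.reg; the hosts then appear under Tools > Internet Options > Security > Restricted sites > Sites, where they can be reviewed or taken out again. Feeding it yesterday's history each day does the "block each one they have visited" loop without retyping hostnames.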
Hi
Thanks again. Yes, I must use IE. I actually thought I did have my security settings higher. My bad. I'll give SpywareBlaster a go. I have SpyNoMore, SUPERAntiSpyware and Spyware Doctor. Is the blaster better than any/all of these? I do try to run them periodically. Meantime, should I run HJT or ESET again and post the logs? It has improved, but it's still a bit laggy on loading. (It's not a very "fast" machine to start with; it just functions primarily as a high tech cash register.)

First of all, I would remove Spynomore all together. It was, at one time, listed as a Rogue application because of excessive False Positives, among other things. It has been removed from that list but that does not mean it is a good program now and personally it is not one I would recommend. Uninstall it is my advice.

Is SpywareBlaster better? (Please note the spelling: it is all one word with S & B in caps. There are some rogue applications out there using similar names, but the spelling is different. Be certain you get the correct one from Javacool Software.)

Honestly, I would say yes. Remember, SpywareBlaster does not do any scanning or removal; it is a protection program. SpywareBlaster "inoculates" your Internet Explorer browser against the installation of unwanted spyware and adware from the internet. For your situation especially, it is a MUST HAVE.
SUPERAntiSpyware and Spyware Doctor are both excellent programs, though I don't know whether you are using the FREE or Paid versions. Both versions of each are excellent; the paid versions of each just offer an "extra" but really are not required to purchase to be sufficient. Continue to update them daily and scan with them daily if you feel it is necessary. Remember, the FREE trial version of Spyware Doctor will protect and can be used for scanning but does not remove; in order to do so with it, you must purchase the Spyware Doctor license.
SUPERAntiSpyware Free Edition will detect and remove thousands of spyware items, but it does not include real-time blocking or scheduled scanning. So, if you are using the FREE edition, you don't need it running in the background all the time because it offers no protection, but you should scan and remove with it. So regardless of whether you are using Free or Paid versions of each, keep them both. If you are using Free versions of both, then use the Spyware Doctor real-time monitoring and turn off the SUPERAntiSpyware monitoring. If you are using Paid versions of both, only use one of them for real-time monitoring. I am only saying this because you say the machine is old and generally slow. Having both doing the monitoring would definitely slow the machine and occasionally can allow something to slip by because they could "fight against" each other. If you are using Paid versions, scan and remove with both regardless, because each will look for slightly different things.
I know I posted links for I.E. security settings before, but here are some laid out by PhilliePhan, somebody whose recommendations I swear by:

Tighten your Active X Security Settings if you are using Internet Explorer.

To do this, Open IE and Click Tools > Internet Options > Security > Internet (Globe Icon) > Click Default Level and APPLY.

NEXT, Click the Custom Level Button and adjust the settings as follows (some settings will already be properly set):

* SET Download signed ActiveX controls to Prompt

* SET Download unsigned ActiveX controls to Disable

* SET Initialize and script ActiveX controls not marked as safe to Disable

* SET Installation of desktop items to Prompt

* SET Launching programs and files in an IFRAME to Prompt

* SET Navigate sub-frames across different domains to Prompt

After changing these settings as noted, please Click OK. If you are prompted to save the settings, click YES.
Finally, click APPLY and OK to finalize these settings.

Replace Microsoft Java Virtual Machine with SUN JVM or Update your existing Java!

Uninstalling the MS Java VM

If you already have Sun Java (and you probably do), it is important that you be sure that your Java is UPDATED to the latest version! You should do that on a regular basis here ---> http://www.java.com/en/download/manual.jsp
Also note that, before updating your Sun Java, you MUST remove ALL older versions that may be on your machine or you will still be vulnerable to some exploits/weaknesses such as VUNDO, which may target and force execution on older runtime environments.
-- Do this by going into Add or Remove Programs and removing any versions that differ from the current version listed at the Java site. They may look similar to the following, though not necessarily with these exact version numbers:

Java 2 Runtime Environment SE v1.4.2.06
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2

The current version number of Sun Java is version 6 update 7. This is as of this writing, October 13, 2008, so check often for updates. When a new one is released, first download the new version to the desktop and choose Offline install. Then UNINSTALL the old version via Add/Remove. Once that is uninstalled, install the newest version.

it just functions primarily as a high tech cash register

Because of this, in order to protect yourself and your customers you need to keep that security "beefed up".
Use an antivirus real-time scanner, a firewall, ONE real-time antispy program PLUS SpywareBlaster. Keep your temp files emptied out (I recommend either ATF-Cleaner or CCleaner), scan very often with the AV program and your antispy programs, and keep the kids off the internet; if it is hard to do that, just do all you can to make their surfing at work difficult and un-enjoyable.
Judy

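As an added example that is not part of the thread, here is a read-only PowerShell audit covering both of Judy's procedures above: it compares the IE Internet zone against the six ActiveX settings she lists and enumerates the Java runtimes shown in Add/Remove Programs so stale versions can be spotted. It assumes the Zones\3 registry layout and the 0/1/3 = Enable/Prompt/Disable encoding documented in Microsoft KB 182569; the function names are my own.

```powershell
# Added example, not from the thread: audit the IE Internet zone (Zone 3) against the
# ActiveX settings listed above and enumerate installed Java runtimes. Assumes the
# Zones\3 registry layout and 0/1/3 = Enable/Prompt/Disable encoding from KB 182569.
# Read-only: it reports drift, it does not change anything.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Recommended values from the post, in the order the post lists them.
$Expected = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

function Test-IeInternetZone {
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($e in $Expected) {
        $actual = $zone.($e.Id)
        # A missing value means IE still uses its built-in default for that action.
        if ($null -eq $actual) { $actualLabel = 'not set' }
        elseif ($Labels.ContainsKey([int]$actual)) { $actualLabel = $Labels[[int]$actual] }
        else { $actualLabel = "raw value $actual" }
        New-Object PSObject -Property @{
            Setting  = $e.Name
            Expected = $Labels[$e.Want]
            Actual   = $actualLabel
            OK       = ($actual -eq $e.Want)
        }
    }
}

function Get-InstalledJava {
    # Add/Remove Programs entries live under the Uninstall key; Sun runtimes carry display
    # names like "J2SE Runtime Environment 5.0 Update 9" or "Java(TM) 6 Update 7".
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

Test-IeInternetZone | Select-Object Setting, Expected, Actual, OK | Format-Table -AutoSize
Write-Host "`nInstalled Java runtimes (remove every version except the current one):"
Get-InstalledJava | Format-Table -AutoSize
```

Any row reporting OK = False is a setting still looser than the list above; a second Java row means an old runtime is still installed alongside the current one.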

I did remove--or at least attempted to--Spynomore. It would not appear in my Add/Remove list, so I went to the C drive and deleted its folder. It still shows in the Start menu list, but only the uninstall icon. Using that when I first tried it did nothing. Cute.

In regards to the security settings, I followed your advice. However, for the ActiveX controls, I have to keep them enabled, otherwise my receipt printer will not work. I did try them set as you indicated, but then got a print communications error, so I had to put them back to enabled. I recall having the point of sale software tech specifically instruct me to set them that way a year or two ago. I've updated the Java --v6 10-- now, and got rid of all the old versions, and updated and run my antivirus programs, which uncovered a bunch of junk. I also ran ATF Cleaner, which unfortunately wiped my cookie with my password for this site. (I'm posting from home at the moment and just reset my password so I can log in at work again. That was a "Doh!" moment )))

I've run the malware and Windows Malicious Software Removal Tool a few times, and both of those keep coming up clean.

When I am able, are there any logs you'd like to see? The machine is much improved.


If you feel it is running well then I think you are ok. If you have other problems feel free to check back in.
Judy
