clrblue 0 Newbie Poster

Here are my most recent AVG Scan Reports:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:03:41 AM 6/5/2007
+ Scan result:

C:\System Volume Information\_restore{2DBD88E4-3651-48B7-8D90-44802103146C}\RP175\A0056816.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{2DBD88E4-3651-48B7-8D90-44802103146C}\RP179\A0059271.dll -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\xxyayax.dll.bad -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@3.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@4.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@trafic[1].txt -> TrackingCookie.Trafic : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\WINDOWS\system32\dvbbctgf.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{2DBD88E4-3651-48B7-8D90-44802103146C}\RP175\A0054765.exe -> Trojan.Dialer.qn : Cleaned.
C:\System Volume Information\_restore{2DBD88E4-3651-48B7-8D90-44802103146C}\RP175\A0056817.dll -> Trojan.Dialer.qn : Cleaned.
C:\System Volume Information\_restore{2DBD88E4-3651-48B7-8D90-44802103146C}\RP175\A0054769.exe -> Worm.Agent.bj : Cleaned.

::Report end

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:17:33 AM 6/5/2007
+ Scan result:

C:\Documents and Settings\Charisma\Cookies\charisma@4.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\System Volume Information\_restore{2DBD88E4-3651-48B7-8D90-44802103146C}\RP181\A0059484.exe -> Trojan.Agent.anr : Cleaned.

::Report end

clrblue 0 Newbie Poster

Custom box with:

  • Pentium 4 3.2 GHz
  • 1 GB RAM
  • Soundblaster Audigy 2 ZS Gamer
  • ATI Radeon X1300 w/ 512 MB
  • ASUS board
  • DSL (DLink wireless router)

clrblue 0 Newbie Poster

I caught Virtumonde a few days ago, and ran the VundoFix, but still it lingers. Also, it appears I have more infestations... one particularly keeps killing my Trend Micro PC-Cillin Internet Security and rendering it useless. I have run Spybot, AVG Anti-Spyware, VundoFix, and SmitfraudFix. I still have a New.NET variant, too, because there is a strange entry in my Winsock... but I've run the WinsockFix several times and it is not fixing it. Spybot is not finding the infection. It's all very frustrating. My system is running at half speed and I am more than a little frustrated. Please help if you can! I have posted my latest HijackThis scan below:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:05:17 AM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\analyzev2.exe
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

clrblue 0 Newbie Poster

Removed the Spydawn infection; here is the log afterwards:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:25:19 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\HJT\analyze2.exe
C:\HJT\analyze3.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

clrblue 0 Newbie Poster

Here's the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:10:51 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] …

clrblue 0 Newbie Poster

...the very weird thing is that now you can go back in and enable that setting, and everything will still be alright. It is handy to have those enabled; why it has effects like that is beyond me, have used the switch to fix other stuff. Too weird.

Actually, that's the thing that makes me think something is still on my system causing this problem. Because when I re-enable it, I lose the File Explorer tools again... No My Computer, no My Documents, and so on. But as soon as I disable it again and restart IE, again, no problem.

clrblue 0 Newbie Poster

So I came down with a sudden problem today on my laptop. Whenever I tried to open My Computer, My Documents, Search for Files and Folders, Control Panel, or anything requiring Windows File Explorer, the screen would flash to the wallpaper, then all the icons would come back.
That was it. Nothing else would happen. I ran a full AVG Anti-Malware, with nothing found. I ran my McAfee Virus tool... nothing there either. I tried making a new profile... same problem. I restarted repeatedly. I tried running System File Checker... found no Windows files out of whack. I tried restoring from a Restore Point... not a single restore point worked.
Finally, after tons of searching, I found the solution. I had to go into Internet Explorer > Internet Options > Advanced and disable "Enable third-party browser extensions*", then restart the browser. That was it!
So my question is this... WHY did that fix it? AND is there something in my log causing this?? I am posting my HijackThis log here:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:02:53 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
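Two things in this thread invite a mechanical check rather than eyeballing: the AVG reports in the first post, where most hits sit under System Volume Information, and the question in the last post about whether something in the HijackThis log explains why disabling third-party browser extensions (which is what switches BHOs off) made Explorer work again. The script below is an added example written for this page; it is not the poster's code and not part of HijackThis or AVG. Its sample lines are trimmed copies of the logs posted above, and the two BHO heuristics and the location buckets are this example's own assumptions, not vendor logic.

```python
"""Triage helpers for HijackThis and AVG Anti-Spyware report lines (added example)."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# "O2 - BHO: <display name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
# AVG Anti-Spyware: "<path> -> <classification> : <action>."
AVG_RE = re.compile(r"^(?P<path>.+?) -> (?P<klass>[^:]+?) : (?P<action>[^.]+)\.$")
ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")  # R0/O2/O4... section lines end the process list


def parse_hjt(lines):
    """Split a HijackThis log into running processes, BHO entries and Run entries."""
    report = {"processes": [], "bhos": [], "run": []}
    in_procs = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and not ENTRY_RE.match(line):
            report["processes"].append(line)
            continue
        in_procs = False
        m = BHO_RE.match(line)
        if m:
            report["bhos"].append({"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
            continue
        m = RUN_RE.match(line)
        if m:
            report["run"].append({"hive": m["hive"], "label": m["label"], "command": m["cmd"]})
    return report


def suspicious_bhos(report):
    """Return (clsid, path, reasons) for BHOs worth a closer look.

    Heuristics (this example's assumptions, not an authoritative rule): a BHO
    registered without a display name, and a BHO whose directory also hosts
    running processes (a loader DLL shipped with helper EXEs). Legitimate
    toolbars can trip the second one, so it is a prompt to look, not a verdict."""
    proc_dirs = Counter(str(PureWindowsPath(p).parent).lower() for p in report["processes"])
    findings = []
    for bho in report["bhos"]:
        reasons = []
        if bho["name"].strip().lower() == "(no name)":
            reasons.append("registered without a display name")
        n = proc_dirs.get(str(PureWindowsPath(bho["path"]).parent).lower(), 0)
        if n:
            reasons.append(f"{n} running process(es) launched from the same directory")
        if reasons:
            findings.append((bho["clsid"], bho["path"], reasons))
    return findings


def classify_avg(lines):
    """Bucket AVG detections by where the file lived.

    Hits under System Volume Information are copies frozen in System Restore
    points: not active, but restoring to such a point brings the infection back.
    The 'live' bucket is what was actually on the running system."""
    buckets = defaultdict(list)
    for raw in lines:
        m = AVG_RE.match(raw.strip())
        if not m:
            continue
        low = m["path"].lower()
        if "\\system volume information\\_restore" in low:
            where = "restore-point"
        elif "\\cookies\\" in low:
            where = "cookie"
        elif "\\vundofix backups\\" in low:
            where = "tool-backup"
        else:
            where = "live"
        buckets[where].append((m["path"], m["klass"], m["action"]))
    return dict(buckets)


# Sample input: trimmed copies of the logs posted in this thread.
SAMPLE_HJT = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Video ActiveX Access\imsmain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Video ActiveX Access\imsmn.exe
C:\Program Files\Video ActiveX Access\iesmin.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Video ActiveX Access\iesplg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
"""

SAMPLE_AVG = r"""
C:\System Volume Information\_restore{2DBD88E4-3651-48B7-8D90-44802103146C}\RP175\A0056816.dll -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\xxyayax.dll.bad -> Adware.Virtumonde : Cleaned.
C:\Documents and Settings\Charisma\Cookies\charisma@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\WINDOWS\system32\dvbbctgf.exe -> Trojan.Agent.anr : Cleaned.
C:\System Volume Information\_restore{2DBD88E4-3651-48B7-8D90-44802103146C}\RP175\A0054769.exe -> Worm.Agent.bj : Cleaned.
"""

if __name__ == "__main__":
    for clsid, path, reasons in suspicious_bhos(parse_hjt(SAMPLE_HJT.splitlines())):
        print(f"{clsid} {path}\n  - " + "\n  - ".join(reasons))
    for where, hits in classify_avg(SAMPLE_AVG.splitlines()).items():
        print(f"{where}: {len(hits)} detection(s)")
```

On the sample log only the nameless BHO is flagged, and it is flagged twice: no display name, and four running processes launched from the same directory. A BHO is exactly what the "Enable third-party browser extensions" switch turns off, which is consistent with the symptom disappearing when it is disabled and returning when it is re-enabled. On the AVG side, the restore-point bucket explains why the same Virtumonde components keep turning up across reports: each System Restore point holds its own copy, and a restore to one of those points reintroduces the files, so cleanup guides have you purge restore points once the live system is clean.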