referred by GR@ph<"S"

Started by irishsupplyguy, October 17, 2005, 02:05:56 PM


Rawe

Hi.. I'm a bit stuck. Do you have any more info to provide? I asked for help with your problem, we'll see if someone knows something which helps.
Hi there, stranger!


irishsupplyguy

Good morning Rawe:
I guess you could tell from my Kaspersky scan I have the following 4 viruses:
Trojan-Down...WIN32.Agent.td
Trojan.WIN32.Agent.bi
Trojan-Down...WIN32.Agent.bc
Exploit.HTML.Mht
3 of them are on my C drive and one is on my E drive, although I don't know which is where.
I will post a new HJT log with this post. If there is anything else I can do let me know. Sorry to be such a problem. I appreciate your efforts.

Logfile of HijackThis v1.99.1
Scan saved at 11:36:29 AM, on 11/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXALPSWX.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXALJSWX.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://c:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://c:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://c:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130265368093
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A4542EE-4F48-45FF-94D0-1B433FED1E0F}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


SpyDie

Just to recap here, what current problems are you having?

As to the KAV scan, when you turned off (and back on again) System Restore, it purged its folder (which is where KAV reported the multiple viruses).

Open HijackThis, click 'Config', then 'Misc Tools'. Hit "Open ADS Spy". Hit Scan. Once it's finished, hit Save log and save it somewhere you can easily access (like the Desktop for example).

Locate and open that saved log, post it here.

Also, click Start > Control Panel > Internet Options > click that 'Settings' button under 'Temporary Internet Files'.  Post what it says for "Current location".

One more thing, do you know this file?

C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

If not, could you locate it, right-click on it and hit 'Properties'. If it has a 'Version' tab, please post all that it says on that tab. If it hasn't got that tab, don't worry. Just exit out of that window.

Beta. Software undergoes beta testing shortly before it's released. Beta is Latin for 'still doesn't work.'

Rawe

Thanks for the help SpyDie..

I believe WRLogonNTF.dll is a part of SpySweeper: http://castlecops.com/o20list-117.html


SpyDie

Quote from: Rawe on November 01, 2005, 07:40:19 PM
Thanks for the help SpyDie..

I believe WRLogonNTF.dll is a part of SpySweeper: http://castlecops.com/o20list-117.html

Thanks ;)

In which case, irishsupplyguy, forget what I said about WRLogonNTF.dll.

irishsupplyguy

Hello SpyDie:
Sorry to be such a problem.

Current Location=
C:\Documents and settings\Administrator\Local Settings\Temporary Internet Files\

WRLogon.dll= File version 2.0.5.402   Description= SpySweeper SDK

These are my current problems:

When I reboot or shut down I get an error message pop-up that reads: "USRprbda.exe - DLL initialization failed". The body reads: "The application failed to initialize because a window station is shutting down." In the background there are 2 End Task pop-ups. One says "NetZeroUpclientwnd", the second says "zcom_ad". After those close the computer shuts down.

When I log off NetZero I get an about:blank button on the bottom left of my taskbar next to the Start button. When I click on it nothing happens. I go to End Task to turn it off.

When I send a job to the printer nothing happens. When I reboot, all jobs in the print queue then print.

Hope this may help solve this mystery. Thank you for your time and expertise. HJTADS log attached.



C:\WINDOWS\aolback.exe.lnk : aotqsb  (35353 bytes)
C:\WINDOWS\clock.avi : btdbqx  (13581 bytes)
C:\WINDOWS\control(2).ini : munoti  (197756 bytes)
C:\WINDOWS\control(3).ini : munoti  (197756 bytes)
C:\WINDOWS\control(4).ini : munoti  (197756 bytes)
C:\WINDOWS\ftrcl.dat : kfxtx  (86593 bytes)
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt : btzsmv  (11801 bytes)
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt : jeyrgg  (0 bytes)
C:\WINDOWS\SchedLgU.Txt : izyqvv  (86593 bytes)
C:\WINDOWS\setupapi.old : barwpx  (11801 bytes)
C:\WINDOWS\Soap Bubbles.bmp : uyuygr  (35353 bytes)
C:\WINDOWS\uytnx.dat : ypeshb  (11801 bytes)
C:\WINDOWS\vbaddin.ini : vpoljn  (197756 bytes)
C:\WINDOWS\WindowsUpdate.log : sbjjle  (86593 bytes)
C:\WINDOWS\_default.pif : ayragx  (0 bytes)
C:\WINDOWS\_default.pif : bkuvyw  (13581 bytes)
C:\WINDOWS\_default.pif : hykuc  (0 bytes)
C:\WINDOWS\_default.pif : ixynmn  (0 bytes)
C:\WINDOWS\_default.pif : lmffvq  (3567 bytes)
C:\WINDOWS\_default.pif : mkymzs  (197756 bytes)
C:\WINDOWS\_default.pif : pmpywo  (11801 bytes)
C:\WINDOWS\_default.pif : pwgikk  (0 bytes)
C:\WINDOWS\_default.pif : tlnaag  (197756 bytes)
C:\WINDOWS\_default.pif : ujgzfh  (13581 bytes)
C:\WINDOWS\_default.pif : xlrrcu  (3567 bytes)





winchester73

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

SpyDie

Also, would you be prepared to reinstall the NetZero software?

For now, try this:

Run a scan with HijackThis and check these two items:

O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"


Click 'Fix Checked' and reboot (restart) the computer.

This won't remove NetZero but will remove it from loading at bootup for now.

Now, once you're back into Windows I want you to try loading NetZero again and shutting off/logging off the computer as you normally would - if the popups reappear, the NetZero software would need to be reinstalled.

Also, as to ADS Spy, run that scan again and once it is finished check all the ones that are there, and click 'Remove Selected'.


irishsupplyguy

Good afternoon SpyDie:

Followed your instructions and also completely uninstalled NetZero; it's been a pain ever since I got it.
Did a reboot and all pop-ups are gone. My computer is behaving a little better. After I rebooted I ran a Kaspersky online scan and it still found 3 of the 4 Trojans. A log of the scan is posted with this message. Thank you for your help!!



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 02, 2005 12:11:35
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update:  2/11/2005
Kaspersky Anti-Virus database records: 148232
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\

Scan Statistics:
   Total number of scanned objects: 50860
   Number of viruses found: 3
   Number of infected objects: 8
   Number of suspicious objects: 0
   Duration of the scan process: 1965 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0001511.pif:pmpywo:$DATA   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0001513.old:barwpx:$DATA   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0001517.lnk:aotqsb:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netpf32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netsf.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\system32\crtu32.exe   Infected: Trojan.Win32.Agent.bi
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm   Infected: Exploit.HTML.Mht

Scan process completed.
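Read together, the ADS Spy log and the KAV report above show how the two tools describe the same thing: ADS Spy lists each alternate data stream as "host file : stream name (size)", while KAV names a detection inside a stream as "host file:stream:$DATA". The same stream names (pmpywo, barwpx, aotqsb) appear in both, which is how you tell which of the streams ADS Spy found are the ones the scanner actually flagged. The Python script below is an added example, not part of the thread and not code from HijackThis or Kaspersky; it parses constructed samples in both formats (the restore-point GUID is a placeholder), correlates stream names between them, and groups streams by size, since one payload written under several random stream names shows up as several streams of identical size.

```python
import re
from collections import defaultdict

# Constructed sample in the line shape ADS Spy (HijackThis > Misc Tools) writes:
# "<host file> : <stream name>  (<size> bytes)". Not the thread's full log.
ADS_SPY_LOG = r"""
C:\WINDOWS\aolback.exe.lnk : aotqsb  (35353 bytes)
C:\WINDOWS\setupapi.old : barwpx  (11801 bytes)
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt : jeyrgg  (0 bytes)
C:\WINDOWS\_default.pif : pmpywo  (11801 bytes)
C:\WINDOWS\_default.pif : ayragx  (0 bytes)
C:\WINDOWS\vbaddin.ini : vpoljn  (197756 bytes)
C:\WINDOWS\control(2).ini : munoti  (197756 bytes)
""".strip()

# Constructed sample of the "Infected Object Name - Virus Name" lines of a
# Kaspersky On-line Scanner report. The restore-point GUID is a placeholder.
# A detection inside a stream is written <host file>:<stream>:$DATA.
KAV_REPORT = r"""
C:\System Volume Information\_restore{RP-GUID-PLACEHOLDER}\RP5\A0001511.pif:pmpywo:$DATA   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{RP-GUID-PLACEHOLDER}\RP5\A0001513.old:barwpx:$DATA   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{RP-GUID-PLACEHOLDER}\RP5\A0001517.lnk:aotqsb:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe   Infected: Trojan.Win32.Agent.bi
""".strip()

ADS_LINE = re.compile(r"^(?P<path>.+?) : (?P<stream>\S+)\s+\((?P<size>\d+) bytes\)$")
KAV_LINE = re.compile(r"^(?P<obj>.+?)\s{2,}Infected: (?P<name>\S+)$")
STREAM_SUFFIX = ":$DATA"


def parse_ads_spy(text):
    """Return one dict per ADS Spy line: host path, stream name, stream size."""
    entries = []
    for line in text.splitlines():
        m = ADS_LINE.match(line.strip())
        if m:
            entries.append({"path": m["path"], "stream": m["stream"],
                            "size": int(m["size"])})
    return entries


def parse_kav(text):
    """Return one dict per KAV detection; 'stream' is None for a plain file."""
    entries = []
    for line in text.splitlines():
        m = KAV_LINE.match(line.strip())
        if not m:
            continue
        obj, stream = m["obj"], None
        if obj.endswith(STREAM_SUFFIX):
            # "C:\dir\file.pif:pmpywo:$DATA" -> host "C:\dir\file.pif", stream "pmpywo".
            # rsplit on the last colon leaves the drive-letter colon intact.
            obj, stream = obj[:-len(STREAM_SUFFIX)].rsplit(":", 1)
        entries.append({"path": obj, "stream": stream, "detection": m["name"]})
    return entries


def correlate(ads_entries, kav_entries):
    """Map each ADS Spy stream name that KAV also flagged to KAV's detection name."""
    flagged = {e["stream"]: e["detection"] for e in kav_entries if e["stream"]}
    return {e["stream"]: flagged[e["stream"]]
            for e in ads_entries if e["stream"] in flagged}


def size_clusters(ads_entries):
    """Group non-empty streams by byte size; a size shared by several streams
    usually means one payload was copied under several random names."""
    by_size = defaultdict(list)
    for e in ads_entries:
        if e["size"] > 0:
            by_size[e["size"]].append((e["path"], e["stream"]))
    return {size: items for size, items in by_size.items() if len(items) > 1}


if __name__ == "__main__":
    ads = parse_ads_spy(ADS_SPY_LOG)
    kav = parse_kav(KAV_REPORT)
    for stream, name in sorted(correlate(ads, kav).items()):
        print(f"stream {stream}: flagged by KAV as {name}")
    for size, items in sorted(size_clusters(ads).items()):
        print(f"{size} bytes shared by {len(items)} streams: {items}")
```

On the sample above, three stream names (aotqsb, barwpx, pmpywo) come back as KAV-flagged, and the size grouping pairs setupapi.old:barwpx with _default.pif:pmpywo at 11801 bytes and vbaddin.ini:vpoljn with control(2).ini:munoti at 197756 bytes. That is the pattern behind SpyDie's advice to remove every stream ADS Spy lists rather than only the ones a scanner has named: the unflagged streams of the same size are almost certainly copies of the same payloads.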


SpyDie

All the popups? That is great news.


http://www.landzdown.com/rem.bat

Download that file please, and run it. It'll remove some of the files KAV is reporting.

As to the ones in System Restore;

Again we need to disable and then re-enable System Restore. Disable it:

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" check box.
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".

Restart the computer.

Once back into Windows, re-enable it:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".

Once done, re-post a new fresh HijackThis log & a new KAV online scan log.

irishsupplyguy

Good morning SpyDie:
Followed your excellent instructions and it looks like we're down to one Trojan. Attached are a fresh HJT log and KAV scan. Thank you for your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:10:06 AM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://c:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130265368093
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, November 03, 2005 09:52:22
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update:  3/11/2005
Kaspersky Anti-Virus database records: 148412
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\

Scan Statistics:
   Total number of scanned objects: 46013
   Number of viruses found: 1
   Number of infected objects: 1
   Number of suspicious objects: 0
   Duration of the scan process: 1740 sec

Infected Object Name - Virus Name
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm   Infected: Exploit.HTML.Mht

Scan process completed.

SpyDie

Brilliant :)

That one is still there. It currently is doing no harm, it is in the temporary internet files of Internet Explorer. It is simply where Internet Explorer downloads files from the websites you visit (e.g images & text) so it will load faster next time.

I see you have downloaded CCleaner. Could you possibly please run that? When you load it up, it should be on the 'Cleaner' tab already, if not click it. Hit "Run Cleaner'. I am not totally sure if CCleaner (or Cleanup!) clears out multiple drives, but we will see.

Go & Scan again with KAV afterwards, see if it still reports the same thing.

irishsupplyguy

SpyDie you are the man!!
Updated CCleaner and ran it. Ran a new KAV scan (attached). My computer seems to be running fine. If you feel we are done you can close this issue as everything seems to be O.K. I really appreciate your time and effort.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, November 03, 2005 13:06:30
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update:  3/11/2005
Kaspersky Anti-Virus database records: 148434
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\

Scan Statistics:
   Total number of scanned objects: 46143
   Number of viruses found: 1
   Number of infected objects: 1
   Number of suspicious objects: 0
   Duration of the scan process: 1767 sec

Infected Object Name - Virus Name
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm   Infected: Exploit.HTML.Mht

Scan process completed.

Corrine

Hi!  I'll let Spy Die give you the all clear.  However, before you go anywhere, take a few minutes to check out "So how did I get infected in the first place?" © Tony Klein.  There is a lot of helpful information there.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

SpyDie

Please do look at that topic Corrine linked to :)

Looks like CCleaner never did clean it out...

Download KillBox from here please;

http://www.atribune.org/downloads/KillBox.exe

Launch it, and copy/paste this filepath into the box that says "Full Path of File to Delete"

E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\

The word "Directory" should appear underneath it in blue writing. This confirms that the folder is present.

Click the button with the red circle with a white cross in it. Click Yes to the prompt.

That should be the end of that & everything is clean. Go and visit that topic Corrine linked to :) It has tons of information about preventing this from ever happening again and more.

Glad to hear you got it sorted. :)