Problem with Symantec LiveUpdate

  1. #1
    poof (Newbie)

    Problem with Symantec LiveUpdate

    Hi,
    I'm hoping someone can help me with this.

    When I run "Liveupdate", I get a message saying:

    "LU1814: LiveUpdate could not retrieve the catalog file of available Symantec product and component updates. Please verify that you are able to connect to the Internet and run LiveUpdate again."

    Just before this happened, I got 3 threats:
    1- "Trojan.Abwiz.F" (filename "Down_1~1.exe")
    2- "Trojan.Abwiz.F" (filename "Down.exe")
    3- "Downloader" (filename "X_1_~1.HTM")
    Symantec said that it deleted these files successfully. Immediately after these threats I ran Liveupdate and got the above "LU1814" error.

    I know Symantec has a removal tool, but since this problem started, I can no longer connect to their website. I think one of these viruses has blocked me from connecting.

    I would really appreciate if someone could help me with this problem.
    I don't know what to do.

    Thanks in advance.


  2. #2
    VopThis (Senior Member, Canada)
    'LiveUpdate' issues can often be very difficult to resolve satisfactorily, even more so when compromised by malware.


    Your best option may be to try a System Restore point (if available) to a date before any known problems or before you started performing any recent fixes.

    Click on Start>All Programs>Accessories>System Tools>System Restore.

    Check "Restore my computer to an earlier date" > Click Next.

    Choose the date before you performed any recent fixes and click Next and Next again.

    Once rebooted, please try your Internet connection and post a revised HJT log. Do not uninstall anything.




    Perform the following READ FIRST Procedures found here (the absence of symptoms does not guarantee that your PC is clean):
    http://www.d-a-l.com/help/showthread.php?t=32403

  3. #3
    poof (Newbie)
    Hi,

    Thank you very much for responding to my post. I was beginning to think no one could help me.

    Unfortunately, System Restore will only allow me to restore to yesterday, Oct. 7. But my problem occurred Oct. 4 or 5; I'm not 100% sure. So, I DID NOT restore anything.
    I hope you can still help me!

    Anyhow, here is my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:14:57 AM, on 10/8/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab46479.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab42858.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://209.226.48.74:81/activex/AMC.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab40641.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: pasksa - C:\WINDOWS\SYSTEM32\pasksa.dll
    O20 - Winlogon Notify: xartcd5 - C:\WINDOWS\SYSTEM32\xartcd5.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PowerPCB License Server - Unknown owner - C:\padspwr\Security\License_Management\lmgrd.exe (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    Thanks again,
    Hope to hear from you soon
    Poof

  4. #4
    VopThis (Senior Member, Canada)
    You have a very serious and resistant rootkit-based infection. It may never be completely cleanable of all issues (such as the LiveUpdate problem) that have been left behind:

    http://www.bleepingcomputer.com/star...ksa-16004.html
    Only the following infection components are OBSERVABLE from the HJT log:
    O20 - Winlogon Notify: pasksa - C:\WINDOWS\SYSTEM32\pasksa.dll
    O20 - Winlogon Notify: xartcd5 - C:\WINDOWS\SYSTEM32\xartcd5.dll

    This infection could use your PC to send mass mail using SMTP protocols. It creates multiple copies of the malicious infection on your PC, installs other malicious programs, connects with 3rd-party computer systems and forwards data via the internet, and hijacks other processes.


    If this was my PC, I would backup all critical user files and do a clean re-install.



    However, the 'CounterSpy' tool may be able to remove most of this infection. Note the extensive 'File Traces' list, which may or may not be complete at any given point in time:

    http://research.sunbelt-software.com...threatid=44159


    You can download the 15 day trial version of Counterspy.

    Run the tool and if it makes a log/report post it back here also. It is easily uninstalled once done if you want.

    http://www.sunbelt-software.com/CounterSpy-Download.cfm
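    The O20 lines called out above are the kind of entry a log reviewer pulls out by hand. As an added example (not code from this thread, from HijackThis or from Symantec), the script below does that triage over HJT log lines: it flags Winlogon Notify handlers that are not on an allowlist and services with no recorded publisher or a missing binary. The allowlist of handler names is an assumption for illustration; the sample lines are copied from the log posted in this thread.

```python
import re
from dataclasses import dataclass

# Winlogon Notify handlers one would expect on a Windows XP box running
# Symantec AntiVirus. ASSUMED allowlist for this example only; a real
# triage would also verify each DLL's publisher signature and hash.
KNOWN_NOTIFY_HANDLERS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "navlogon",
}

# HijackThis line shapes for the two sections we care about.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$"
)

# Sample lines taken from the HJT log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: pasksa - C:\WINDOWS\SYSTEM32\pasksa.dll
O20 - Winlogon Notify: xartcd5 - C:\WINDOWS\SYSTEM32\xartcd5.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PowerPCB License Server - Unknown owner - C:\padspwr\Security\License_Management\lmgrd.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # "O20" or "O23"
    name: str     # handler name or service display name
    path: str     # path as printed in the log
    reason: str   # why the line was flagged


def triage_hjt_log(text: str) -> list[Finding]:
    """Return the O20/O23 entries a reviewer should look at first."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()

        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe at every logon,
            # so an unrecognised handler is a high-value lead.
            if m["name"].lower() not in KNOWN_NOTIFY_HANDLERS:
                findings.append(Finding(
                    "O20", m["name"], m["path"],
                    "Winlogon Notify handler not on allowlist; "
                    "loads into winlogon.exe at logon",
                ))
            continue

        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["owner"].lower() == "unknown owner":
                reasons.append("no publisher recorded; verify the binary manually")
            if "(file missing)" in m["path"].lower():
                reasons.append("service points at a binary that no longer exists")
            if reasons:
                findings.append(Finding(
                    "O23", m["display"], m["path"], "; ".join(reasons)
                ))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {f.path}\n    -> {f.reason}")
```

On the sample lines this reports pasksa and xartcd5 (the two entries named in the post above) plus the two services with no recorded publisher, while NavLogon and the Symantec services pass.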

  5. #5
    poof (Newbie)
    Hi,
    Thanks again for responding.

    My problem sounds pretty serious.
    I downloaded and ran CounterSpy as you recommended. It found 11 threats including the ones you mentioned. CounterSpy removed some threats and Quarantined some others. Should I remove the quarantined threats?

    Also, "LiveUpdate" is still not functioning, and I still cannot connect to Symantec's website.

    Here is the CounterSpy log:


    Spyware Scan Details
    Start Date: 10/9/2006 7:12:06 AM
    End Date: 10/9/2006 8:12:19 AM
    Total Time: 1 hrs 13 secs

    Detected spyware

    Messenger Plus! Adware Bundler more information...
    Details: Messenger Plus! is a add-on for MSN Messenger. Messenger Plus! installs an OPTIONAL adware called C2Media which is also known as LOP.com.
    Status: Ignored

    Infected files detected
    c:\documents and settings\carol and robert\my documents\my chat logs\jameslovaghy@msn.com.txt


    eDonkey2000 P2P Program more information...
    Details: eDonkey2000 is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
    Status: Ignored

    Infected files detected
    c:\documents and settings\carol and robert\my documents\edonkey2000 downloads\2_crack[1].cd-virtual_cover_creator_v2.1.zip
    c:\documents and settings\carol and robert\my documents\edonkey2000 downloads\dvd region+css free 5.9.6.5 + serial-number.zip
    c:\program files\edonkey2000\5.html
    c:\program files\edonkey2000\78.html
    c:\program files\edonkey2000\blacklist.txt
    c:\program files\edonkey2000\contact.dat
    c:\program files\edonkey2000\def.html
    c:\program files\edonkey2000\edonkey2000.exe
    c:\program files\edonkey2000\friend.met
    c:\program files\edonkey2000\friend.met.bak
    c:\program files\edonkey2000\keyring.dat
    c:\program files\edonkey2000\keyring.dat.bak
    c:\program files\edonkey2000\known.met
    c:\program files\edonkey2000\known.met.bak
    c:\program files\edonkey2000\layout.xml
    c:\program files\edonkey2000\log.txt
    c:\program files\edonkey2000\media.xml
    c:\program files\edonkey2000\pref.xml
    c:\program files\edonkey2000\reg.jpg
    c:\program files\edonkey2000\server.met
    c:\program files\edonkey2000\server.met.bak
    c:\program files\edonkey2000\share.dat
    c:\program files\edonkey2000\share.dat.bak
    c:\program files\edonkey2000\svr-blacklist.txt
    c:\program files\edonkey2000\uninstall_edonkey2000.exe
    c:\program files\edonkey2000\uploadq.dat
    c:\program files\edonkey2000\plugins\boost_thread-vc6-mt-1_31.dll
    c:\program files\edonkey2000\plugins\btplugin.dll
    c:\program files\edonkey2000\plugins\btplugin.ini
    c:\program files\edonkey2000\plugins\easypreview.dll
    c:\program files\edonkey2000\plugins\easypreview.txt
    c:\program files\edonkey2000\plugins\ed2kie.dll
    c:\program files\edonkey2000\plugins\httpprotocol.dll
    c:\program files\edonkey2000\plugins\jpcplugin.ini
    c:\program files\edonkey2000\plugins\jpcplugin5.dll
    c:\program files\edonkey2000\plugins\launchmyapp.dll
    c:\program files\edonkey2000\plugins\launchmyapp.ini
    c:\program files\edonkey2000\plugins\leeme_esp.rtf
    c:\program files\edonkey2000\plugins\lesemich_ger.rtf
    c:\program files\edonkey2000\plugins\lma readme.txt
    c:\program files\edonkey2000\plugins\readme_eng.rtf
    c:\program files\edonkey2000\plugins\unrar.dll
    c:\program files\edonkey2000\plugins\_libtorrent_bsd_licence.txt
    c:\program files\edonkey2000\skins\default\add2keyring-dis.png
    c:\program files\edonkey2000\skins\default\add2keyring-down.png
    c:\program files\edonkey2000\skins\default\add2keyring-hover.png
    c:\program files\edonkey2000\skins\default\add2keyring-up.png
    c:\program files\edonkey2000\skins\default\arrow-down.png
    c:\program files\edonkey2000\skins\default\arrow-up.png
    c:\program files\edonkey2000\skins\default\background.png
    c:\program files\edonkey2000\skins\default\console-big-down.png
    c:\program files\edonkey2000\skins\default\console-big-hover.png
    c:\program files\edonkey2000\skins\default\console-big-up.png
    c:\program files\edonkey2000\skins\default\console-small-down.png
    c:\program files\edonkey2000\skins\default\console-small-hover.png
    c:\program files\edonkey2000\skins\default\console-small-up.png
    c:\program files\edonkey2000\skins\default\download-dis.png
    c:\program files\edonkey2000\skins\default\download-down.png
    c:\program files\edonkey2000\skins\default\download-hover.png
    c:\program files\edonkey2000\skins\default\download-up.png
    c:\program files\edonkey2000\skins\default\ed2k-connect.png
    c:\program files\edonkey2000\skins\default\ed2k-connected.png
    c:\program files\edonkey2000\skins\default\ed2k-connecting.png
    c:\program files\edonkey2000\skins\default\ed2k-disconnect.png
    c:\program files\edonkey2000\skins\default\ed2k-disconnected.png
    c:\program files\edonkey2000\skins\default\exclaim.png
    c:\program files\edonkey2000\skins\default\folder-closed-both.png
    c:\program files\edonkey2000\skins\default\folder-closed-childshared.png
    c:\program files\edonkey2000\skins\default\folder-closed-shared.png
    c:\program files\edonkey2000\skins\default\folder-closed-unshared.png
    c:\program files\edonkey2000\skins\default\folder-go-up-level.png
    c:\program files\edonkey2000\skins\default\folder-open-both.png
    c:\program files\edonkey2000\skins\default\folder-open-childshared.png
    c:\program files\edonkey2000\skins\default\folder-open-shared.png
    c:\program files\edonkey2000\skins\default\folder-open-unshared.png
    c:\program files\edonkey2000\skins\default\folder-refresh.png
    c:\program files\edonkey2000\skins\default\generatecatalog-dis.png
    c:\program files\edonkey2000\skins\default\generatecatalog-down.png
    c:\program files\edonkey2000\skins\default\generatecatalog-hover.png
    c:\program files\edonkey2000\skins\default\generatecatalog-up.png
    c:\program files\edonkey2000\skins\default\launch-dis.png
    c:\program files\edonkey2000\skins\default\launch-down.png
    c:\program files\edonkey2000\skins\default\launch-hover.png
    c:\program files\edonkey2000\skins\default\launch-up.png
    c:\program files\edonkey2000\skins\default\little-back.png
    c:\program files\edonkey2000\skins\default\main-help-down.png
    c:\program files\edonkey2000\skins\default\main-help-hover.png
    c:\program files\edonkey2000\skins\default\main-help-up.png
    c:\program files\edonkey2000\skins\default\main-options-down.png
    c:\program files\edonkey2000\skins\default\main-options-hover.png
    c:\program files\edonkey2000\skins\default\main-options-up.png
    c:\program files\edonkey2000\skins\default\main-register-down.png
    c:\program files\edonkey2000\skins\default\main-register-hover.png
    c:\program files\edonkey2000\skins\default\main-register-up.png
    c:\program files\edonkey2000\skins\default\managekeyring-dis.png
    c:\program files\edonkey2000\skins\default\managekeyring-down.png
    c:\program files\edonkey2000\skins\default\managekeyring-hover.png
    c:\program files\edonkey2000\skins\default\managekeyring-up.png
    c:\program files\edonkey2000\skins\default\mediaplayer.png
    c:\program files\edonkey2000\skins\default\moreres-dis.png
    c:\program files\edonkey2000\skins\default\moreres-down.png
    c:\program files\edonkey2000\skins\default\moreres-hover.png
    c:\program files\edonkey2000\skins\default\moreres-up.png
    c:\program files\edonkey2000\skins\default\on-connect.png
    c:\program files\edonkey2000\skins\default\on-connected.png
    c:\program files\edonkey2000\skins\default\on-connecting.mng
    c:\program files\edonkey2000\skins\default\on-connecting.png
    c:\program files\edonkey2000\skins\default\on-disconnect.png
    c:\program files\edonkey2000\skins\default\on-disconnected.png
    c:\program files\edonkey2000\skins\default\options-down.png
    c:\program files\edonkey2000\skins\default\options-hover.png
    c:\program files\edonkey2000\skins\default\options-up.png
    c:\program files\edonkey2000\skins\default\preview.png
    c:\program files\edonkey2000\skins\default\refresh-dis.png
    c:\program files\edonkey2000\skins\default\refresh-down.png
    c:\program files\edonkey2000\skins\default\refresh-hover.png
    c:\program files\edonkey2000\skins\default\refresh-up.png
    c:\program files\edonkey2000\skins\default\remove-dis.png
    c:\program files\edonkey2000\skins\default\remove-down.png
    c:\program files\edonkey2000\skins\default\remove-hover.png
    c:\program files\edonkey2000\skins\default\remove-up.png
    c:\program files\edonkey2000\skins\default\search-dis.png
    c:\program files\edonkey2000\skins\default\search-down.png
    c:\program files\edonkey2000\skins\default\search-hover.png
    c:\program files\edonkey2000\skins\default\search-up.png
    c:\program files\edonkey2000\skins\default\searching.mng
    c:\program files\edonkey2000\skins\default\share-dis.png
    c:\program files\edonkey2000\skins\default\share-down.png
    c:\program files\edonkey2000\skins\default\share-hover.png
    c:\program files\edonkey2000\skins\default\share-up.png
    c:\program files\edonkey2000\skins\default\tab-catalogs-down.png
    c:\program files\edonkey2000\skins\default\tab-catalogs-hover.png
    c:\program files\edonkey2000\skins\default\tab-catalogs-up.png
    c:\program files\edonkey2000\skins\default\tab-friends-down.png
    c:\program files\edonkey2000\skins\default\tab-friends-hover.png
    c:\program files\edonkey2000\skins\default\tab-friends-up.png
    c:\program files\edonkey2000\skins\default\tab-home-down.png
    c:\program files\edonkey2000\skins\default\tab-home-hover.png
    c:\program files\edonkey2000\skins\default\tab-home-up.png
    c:\program files\edonkey2000\skins\default\tab-media-down.png
    c:\program files\edonkey2000\skins\default\tab-media-hover.png
    c:\program files\edonkey2000\skins\default\tab-media-up.png
    c:\program files\edonkey2000\skins\default\tab-search-down.png
    c:\program files\edonkey2000\skins\default\tab-search-hover.png
    c:\program files\edonkey2000\skins\default\tab-search-up.png
    c:\program files\edonkey2000\skins\default\tab-servers-down.png
    c:\program files\edonkey2000\skins\default\tab-servers-hover.png
    c:\program files\edonkey2000\skins\default\tab-servers-up.png
    c:\program files\edonkey2000\skins\default\tab-shared-down.png
    c:\program files\edonkey2000\skins\default\tab-shared-hover.png
    c:\program files\edonkey2000\skins\default\tab-shared-up.png
    c:\program files\edonkey2000\skins\default\tab-stats-down.png
    c:\program files\edonkey2000\skins\default\tab-stats-hover.png
    c:\program files\edonkey2000\skins\default\tab-stats-up.png
    c:\program files\edonkey2000\skins\default\tab-transfers-down.png
    c:\program files\edonkey2000\skins\default\tab-transfers-hover.png
    c:\program files\edonkey2000\skins\default\tab-transfers-up.png
    c:\program files\edonkey2000\skins\default\ui.xml
    c:\program files\edonkey2000\skins\default\unshare-dis.png
    c:\program files\edonkey2000\skins\default\unshare-down.png
    c:\program files\edonkey2000\skins\default\unshare-hover.png
    c:\program files\edonkey2000\skins\default\unshare-up.png
    c:\program files\edonkey2000\skins\default\x-down.png
    c:\program files\edonkey2000\skins\default\x-hover.png
    c:\program files\edonkey2000\skins\default\x-up.png
    c:\program files\edonkey2000\temp\- guns n' roses - live and let die.mp3\1.part.met
    c:\program files\edonkey2000\temp\- guns n' roses - live and let die.mp3\1.part.met.bak
    c:\program files\edonkey2000\temp\01-everything zen.mp3\1.1.part
    c:\program files\edonkey2000\temp\01-everything zen.mp3\1.part.met
    c:\program files\edonkey2000\temp\01-everything zen.mp3\1.part.met.bak
    c:\program files\edonkey2000\temp\bush-no sex in your violence.mp3\1.part.met
    c:\program files\edonkey2000\temp\bush-no sex in your violence.mp3\1.part.met.bak
    c:\program files\edonkey2000\temp\bush_everything zen.mp3\1.part.met
    c:\program files\edonkey2000\temp\bush_everything zen.mp3\1.part.met.bak
    c:\program files\edonkey2000\temp\don't mess with temp files!!!!!.txt
    c:\program files\edonkey2000\temp\nothingface - make your own bones.mp3\1.part.met
    c:\program files\edonkey2000\temp\nothingface - make your own bones.mp3\1.part.met.bak
    c:\program files\edonkey2000\temp\ted nugent (as the amboy dukes) - journey to the center of the mind.mp3\1.part.met
    c:\program files\edonkey2000\temp\ted nugent (as the amboy dukes) - journey to the center of the mind.mp3\1.part.met.bak
    c:\program files\edonkey2000\temp\the logo creator v4.1 + all logos pack + all bonus logo + serials.zip\1.10.part
    c:\program files\edonkey2000\temp\the logo creator v4.1 + all logos pack + all bonus logo + serials.zip\1.43.part
    c:\program files\edonkey2000\temp\the logo creator v4.1 + all logos pack + all bonus logo + serials.zip\1.part.met
    c:\program files\edonkey2000\temp\the logo creator v4.1 + all logos pack + all bonus logo + serials.zip\1.part.met.bak

    Infected registry entries detected
    HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}
    HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 C:\Program Files\eDonkey2000\plugins\ed2kie.dll
    HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\InProcServer32 ThreadingModel Both
    HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\ProgID eD2KDownloadManager.object.1
    HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\TypeLib {379919F2-1612-45B7-B9F4-773F6D5214F5}
    HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620}\VersionIndependentProgID eD2KDownloadManager.object
    HKEY_CLASSES_ROOT\CLSID\{320154BB-D666-48F6-990E-172B32954620} eD2K downloadManager object
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 DisplayName eDonkey2000
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 UninstallString "C:\Program Files\eDonkey2000\uninstall_eDonkey2000.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 DisplayIcon "C:\Program Files\eDonkey2000\eDonkey2000.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 NoModify 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\eDonkey2000 NoRepair 1


    DesktopScam Trojan Downloader more information...
    Details: DesktopScam is a trojan that is downloaded with rogue security applicatons in order to frighten the affected user into purchasing the rogue program.
    Status: Quarantined

    Infected files detected
    c:\documents and settings\all users\start menu\security troubleshooting.url
    c:\documents and settings\all users\start menu\online security guide.url

    Infected registry entries detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{686a161d-5bd1-4999-8832-6393f41e564c}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{686a161d-5bd1-4999-8832-6393f41e564c}


    Haxdoor.Fam Backdoor more information...
    Details: Haxdoor.Fam is a group of backdoor trojans that allow a remote attacker to gain access and control the computer. Haxdoor is also used to download additional malware.
    Status: Quarantined

    Infected files detected
    c:\windows\system32\pasksa.dll
    c:\windows\system32\p79bsksb.sys

    Infected registry entries detected
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pasksa
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pasksa DllName pasksa.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pasksa Startup pasksaope
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pasksa Impersonate 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pasksa Asynchronous 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pasksa MaxWait 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pasksa 2sksid D4B15D6451C7769164D4
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb\Security Security
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb\Enum 0 Root\LEGACY_P79BSKSB\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb\Enum Count 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb\Enum NextInstance 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb Type 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb Start 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb ErrorControl 0
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb ImagePath \??\C:\WINDOWS\System32\p79bsksb.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p79bsksb DisplayName USB p79bsksb


    Overnet Adware Bundler more information...
    Details: Overnet/eDonkey is a file sharing application that bundles third party adware and spyware with the free version.
    Status: Ignored

    Infected files detected
    C:\Program Files\eDonkey2000\Plugins\ed2kie.dll


    Trojan-Downloader.BAT.Ftp.ab Trojan Downloader more information...
    Status: Quarantined

    Infected files detected
    C:\Smitfraudfix\SmitfraudFix\Reboot.exe


    SpywareQuake Rogue Security Program more information...
    Details: SpywareQuake is a purported anti-spyware application to scan for and remove spyware from users' computers.
    Status: Quarantined

    Infected registry entries detected
    HKEY_CLASSES_ROOT\TypeLib\{5CB9686D-CC21-4927-B904-D91D4479F4BD}
    HKEY_CLASSES_ROOT\TypeLib\{5CB9686D-CC21-4927-B904-D91D4479F4BD}\1.0\0\win32 C:\Program Files\SpywareQuake.com\Spyware-Quake.exe
    HKEY_CLASSES_ROOT\TypeLib\{5CB9686D-CC21-4927-B904-D91D4479F4BD}\1.0\FLAGS 0
    HKEY_CLASSES_ROOT\TypeLib\{5CB9686D-CC21-4927-B904-D91D4479F4BD}\1.0\HELPDIR C:\Program Files\SpywareQuake.com\
    HKEY_CLASSES_ROOT\TypeLib\{5CB9686D-CC21-4927-B904-D91D4479F4BD}\1.0 AVG 1.0 Type Library


    Cookie: ATDMT.com Cookie (General) more information...
    Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
    Status: Deleted

    Infected cookies detected
    c:\documents and settings\carol and robert\cookies\carol and robert@atdmt[2].txt


    Cookie: DoubleClick Cookie (General) more information...
    Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
    Status: Deleted

    Infected cookies detected
    c:\documents and settings\carol and robert\cookies\carol and robert@doubleclick[1].txt


    Cookie: TribalFusion.com Cookie (General) more information...
    Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
    Status: Deleted

    Infected cookies detected
    c:\documents and settings\carol and robert\cookies\carol and robert@tribalfusion[1].txt


    Cookie: Adserver.com Cookie (General) more information...
    Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count
    Status: Deleted

    Infected cookies detected
    c:\documents and settings\carol and robert\cookies\carol and robert@z1.adserver[1].txt





    Here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:54:42 AM, on 10/9/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\CounterSpy.exe
    C:\hijackthis\June 17 2006\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab46479.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab42858.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://209.226.48.74:81/activex/AMC.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab40641.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: xartcd5 - C:\WINDOWS\SYSTEM32\xartcd5.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PowerPCB License Server - Unknown owner - C:\padspwr\Security\License_Management\lmgrd.exe (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


    Thanks again for your help,
    Poof

  6. #6
    VopThis is offline Senior Member (Canada)
    Should I remove the quarantined threats?
    Like any quarantine area, it is best to leave them for a few days and if you don't miss any of those items, clean them out then.

    Also "liveUpdate" is still not functioning, and I still can not connect to Symantec's website.
    It is quite possible that the 'liveupdate' will never be the same again. I, myself, and some of my clients have had to manually update the definitions in the interim until we moved on to some other AV product (I chose NOD32 - www.eset.com). An uninstall and reinstall often does not help since the interference may be coming from potentially remaining separate entries not directly related to Symantec.


    I note that you were using eDonkey. The use of such P2P download sites can often result in the mess that got created (particularly by attempting to use 'cracks'). A clean re-install may still be your best option to consider.



    You may want to print out the following instructions or copy to a file on your desktop.

    Download and install AVG Anti-Spyware 7.5 (formerly known as Ewido anti-spyware 4.0 - uninstall any previous version first).
    • Click the Download BUTTON. On the next page click the Download now BUTTON.
    • Save and then install (Run) from the save location.
    • Open/Run ewido anti-spyware
    • Wait a few moments and Ewido should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:

    • Click on the Update now LINK at the top of the window
      • Click on the Start update button
      • Wait for the update to download and install
      • This is very important to get the LATEST updates
    • Click on the Status ICON
    • Under "Your computers Security"
      Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
    • Click on the Scanner ICON at the top of the window
    • Click on the Settings tab then select Recommended Actions and choose Quarantine
    • When updating has finished, close Ewido.

    We will be using this tool in a later step.





    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O20 - Winlogon Notify: xartcd5 - C:\WINDOWS\SYSTEM32\xartcd5.dll

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



    Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

    Go to Start > Run and type: CLEANMGR.EXE and hit enter.
    When prompted select the C: drive and click ok.
    Check the boxes for:
    • Temporary Internet Files
    • Downloaded Program Files
    • Recycle Bin
    • Temporary Files
    Click OK or Enter


    ***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FILES:

    C:\WINDOWS\SYSTEM32\xartcd5.dll





    Close ALL open Windows / Programs / Folders. Please start Ewido, and run a full scan:
    • Click on the default Status ICON and select the Scan now LINK.

      OR

    • Click on the Scanner ICON . Select the Scan TAB.

      • Select Complete System Scan. Ewido will now begin to scan your system.

    • If Ewido finds anything it will list them in the Preview WINDOW:
      • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
      • Select Apply all actions at the bottom of the window (and the items found will be quarantined – and recoverable, if any items are needed back).

    • When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
    • Copy and paste the EWIDO scan results into your next post.
    • Close Ewido.




    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

  7. #7
    poof is offline Newbie
    Hi,

    Sorry it took so long to reply, I've been very busy lately.

    I downloaded, installed and updated AVG Anti-Spyware (Ewido) as you requested.
    Immediately after updating, a window popped up saying:

    Malware found
    Name: Logger.Goldun.lv
    Location: C:\WINDOWS\System32\xartcd5.dll
    Risk: High

    Then it asked me, “How would you like to proceed?”
    I chose, “Clean and move to quarantine (recommended)”

    I clicked “OK” but the window came back immediately. I tried several times but the window kept coming back. I could not close this pop up window.

    Then I scanned with HijackThis.
    The item that read:
    O20 - Winlogon Notify: xartcd5 - C:\WINDOWS\SYSTEM32\xartcd5.dll

    now read:
    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)

    I put a check next to it anyways and clicked “Fix Checked”.
    I hope I did right.

    I followed all the remaining instructions and everything seems to be back to normal.
    I can now connect to all the websites that I couldn't connect to before (including Symantec).
    And Symantec LiveUpdate is working again.
    I hope my computer is finally clean.

    Anyhow, here are the reports you requested:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:41:43 AM 10/12/2006

    + Scan result:



    C:\System Volume Information\_restore{B0D58583-74E7-492E-9B34-93CC645309A7}\RP335\A0036586.sys -> Backdoor.Haxdoor.kx : Cleaned with backup (quarantined).
    C:\Documents and Settings\321Studios\uninstall.exe -> Dropper.Agent.aea : Cleaned with backup (quarantined).
    C:\Documents and Settings\Carol and Robert\My Documents\dvdx\dvdxc4038.zip/setup.exe -> Dropper.Agent.aea : Cleaned with backup (quarantined).
    C:\Documents and Settings\Carol and Robert\My Documents\dvdx\dvdxc4038\setup.exe -> Dropper.Agent.aea : Cleaned with backup (quarantined).
    C:\Exe\Platinum 4\setup.exe -> Dropper.Agent.aea : Cleaned with backup (quarantined).
    C:\Program Files\321Studios\uninstall.exe -> Dropper.Agent.aea : Cleaned with backup (quarantined).
    C:\Program Files\DVDXCOPY\uninstall.exe -> Dropper.Agent.aea : Cleaned with backup (quarantined).
    C:\RECYCLER\S-1-5-21-854245398-1580818891-1343024091-1003\Dc1\DVDXCopy Platinum 4.0.3.8\platinum4038crack.zip/setup.exe -> Dropper.Agent.aea : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0D58583-74E7-492E-9B34-93CC645309A7}\RP336\A0036605.dll -> Logger.Goldun.lv : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\xartcd7.sys -> Logger.Goldun.lv : Cleaned with backup (quarantined).
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@dowjones.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@overture[1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
    C:\WINDOWS\system32\adir.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).


    ::Report end





    Logfile of HijackThis v1.99.1
    Scan saved at 3:24:42 PM, on 10/12/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\USRshutA.exe
    C:\WINDOWS\SYSTEM32\USRmlnkA.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\June 17 2006\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab46479.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab42858.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://209.226.48.74:81/activex/AMC.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab40641.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PowerPCB License Server - Unknown owner - C:\padspwr\Security\License_Management\lmgrd.exe (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



    Note that item:
    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
    is still there. Is this a problem?

    Also, how can I remove all these threats from quarantine, in CounterSpy and AVG?
    I would also like to uninstall CounterSpy seeing that it's only a trial version. Is this ok?
    And one last thing. Can I keep AVG and Symantec installed and running at the same time or should I uninstall AVG?

    Thank you very much for helping me.
    I hope to hear from you soon.
    Poof

  8. #8
    VopThis is offline Senior Member (Canada)
    Can I keep AVG and Symantec installed and running at the same time or should I uninstall AVG?
    No - that will likely create problems and conflicts. Only keep one real-time AV tool running to avoid performance and other problems.


    I would also like to uninstall CounterSpy seeing that it's only a trial version. Is this ok?
    You might want to keep it for the remainder of the trial period. Your choice.


    Also, how can I remove all these threats from quarantine, in CounterSpy and AVG?
    Navigate your way thru each package where you should find a quarantine area for each that can be cleared. Otherwise, they should be gone when you uninstall (Add/Remove) those applications.



    Suggest you re-run AVG Anti-Spyware and HijackThis in SAFE MODE (tapping F8 key while rebooting) in case something has eluded removal and then perhaps another more successful attempt to remove the final elusive HJT entry (probably more clutter than a current issue).
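The triage above (pick the O20 Winlogon Notify line to fix, then decide whether the leftover "(file missing)" entry still matters) can be done mechanically over a HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses the Rn/Fn/Onn entry lines of a v1.99.1 log, flags entries whose target file is gone (orphaned registrations left after a removal), Winlogon Notify DLLs that are not on a known-good allowlist, and O23 services with no publisher. The sample log lines are constructed from entries quoted in this thread, and the one-item allowlist (NavLogon.dll) is an assumption standing in for a real baseline.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines in the HijackThis v1.99.1 log format, built
# from the kinds of entries quoted in this thread (O4 run keys, O20 Winlogon
# Notify DLLs, O23 services). Header and process-list lines are included to
# show that the parser skips them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PowerPCB License Server - Unknown owner - C:\padspwr\Security\License_Management\lmgrd.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
"""

# Winlogon Notify DLLs treated as expected. This allowlist is an assumption for
# the example (NavLogon.dll is the Symantec entry present in the thread's logs);
# in practice it would come from a known-good baseline of the machine.
KNOWN_NOTIFY_DLLS = {"navlogon.dll"}

# Entry lines look like "O20 - Winlogon Notify: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2})\s+-\s+(.*)$")


@dataclass
class Entry:
    section: str   # "O4", "O20", "O23", ...
    body: str      # text after the "O20 - " prefix


@dataclass
class Finding:
    entry: Entry
    reason: str    # "orphan", "unknown-notify-dll" or "unknown-owner"


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the Rn/Fn/Onn entries; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def notify_dll(body: str) -> str:
    """'Winlogon Notify: xartcd5 - xartcd5.dll (file missing)' -> 'xartcd5.dll'."""
    _, _, target = body.partition(" - ")
    target = target.replace("(file missing)", "").strip()
    return target.rsplit("\\", 1)[-1].lower()


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            # The registry registration survived but its target is gone: a
            # leftover from a removal or an uninstall, not running code.
            findings.append(Finding(e, "orphan"))
        if e.section == "O20" and notify_dll(e.body) not in KNOWN_NOTIFY_DLLS:
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon, a
            # well-known persistence point, so anything off-baseline gets a look.
            findings.append(Finding(e, "unknown-notify-dll"))
        if e.section == "O23" and "Unknown owner" in e.body:
            # A service with no publisher is not necessarily bad, but it has
            # no vendor to vouch for it and deserves a manual check.
            findings.append(Finding(e, "unknown-owner"))
    return findings


def reasons_for(findings: List[Finding], needle: str) -> List[str]:
    """Sorted reasons attached to entries whose body contains `needle`."""
    return sorted(f.reason for f in findings if needle in f.entry.body)


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.reason:20} {f.entry.section} - {f.entry.body}")
```

Run as a script it prints one line per finding: the xartcd5 entry is reported both as an orphan and as an unrecognised Notify DLL, the PowerPCB service as an orphan with no publisher, and ScsiAccess only for its missing publisher, while the NavLogon and LiveUpdate lines produce nothing. The "orphan" category is exactly the state poof's second log shows for xartcd5: the DLL was already quarantined, so what HijackThis still lists is only the dangling registration.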

  9. #9
    poof is offline Newbie
    Hi,

    Here are the new reports as you requested.


    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:29:58 PM 10/14/2006

    + Scan result:



    C:\System Volume Information\_restore{B0D58583-74E7-492E-9B34-93CC645309A7}\RP336\A0036623.sys -> Logger.Goldun.lv : Cleaned with backup (quarantined).
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@dowjones.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@ads.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@adservices6.enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@ehg-craniuminc.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Carol and Robert\Cookies\carol and robert@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
    C:\System Volume Information\_restore{B0D58583-74E7-492E-9B34-93CC645309A7}\RP336\A0036624.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).


    ::Report end



    Logfile of HijackThis v1.99.1
    Scan saved at 6:31:43 PM, on 10/14/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\hijackthis\June 17 2006\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Pro\Copernic.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Pro\Translate.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab46479.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab32846.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
    O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames...l.cab42858.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab41227.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://209.226.48.74:81/activex/AMC.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames...n.cab40641.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PowerPCB License Server - Unknown owner - C:\padspwr\Security\License_Management\lmgrd.exe (file missing)
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe





    Looks like I may still have some problems.
    I am especially concerned about Logger.Goldun.lv and Worm.Banwarum.f in the AVG report. When I scanned with CounterSpy on Oct. 8th, it created a system restore. I think these threats are in that restore.
    Is there some way to delete that System restore?
    Can those threats still hurt my computer?
    Is it safe to use the internet? For example, can I do my banking on the internet?
    Or, should I not use the internet at all and disconnect my modem?

    Sorry for all the questions, I would just like to be very sure that everything is ok before I enter any passwords on the internet.

    Thanks again for all your help.
    Poof
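
    Added example (not from the thread or from HijackThis): a short Python triage pass over lines like those in the log above, using the helper's own first-pass heuristics (orphaned "(file missing)" / "(no file)" entries, an O20 Winlogon Notify DLL given as a bare filename, an O16 ActiveX download served from a bare IP); the sample lines are copied from the posted log.

```python
"""Triage HijackThis (HJT) log entries.

Added example, not part of the original thread or of HijackThis itself.
Each HJT line starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24)
followed by " - " and the entry body. The checks below are the helper's
own first-pass heuristics, not an official HJT rule set.
"""
import re

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://209.226.48.74:81/activex/AMC.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# http(s)://<dotted quad>[:port]/... : a download served straight from an IP
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.IGNORECASE)


def parse_entry(line):
    """Split one HJT line into (section code, body); None for non-entry lines."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return None
    return match.group("section"), match.group("body")


def triage(line):
    """Return the reasons an entry deserves a second look (empty list = nothing notable)."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: the referenced file no longer exists "
                       "(typically a leftover after removal, still worth cleaning up)")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        # Winlogon Notify DLLs load into winlogon.exe at logon; a bare filename
        # with no directory is unusual for a legitimate notification package.
        target = body.split(" - ", 1)[-1]
        if "\\" not in target:
            reasons.append("Winlogon Notify DLL listed as a bare filename without a path")
    if section == "O16" and BARE_IP_URL.search(body):
        reasons.append("ActiveX download (DPF) served from a bare IP address instead of a hostname")
    return reasons


def triage_log(text):
    """Map each notable entry (stripped line) to its list of reasons."""
    findings = {}
    for line in text.splitlines():
        reasons = triage(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings
```

    Run `triage_log(SAMPLE_LOG)` to see the four entries flagged; the xartcd5 Winlogon Notify line collects two reasons, which is why it stands out among the leftovers.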

  • #10
    VopThis is offline Senior Member (Canada)
    It is not always possible to get 100% clean with complete certainty. Your current concerns could be well worthy of some caution.

    You still have a remnant that refuses to go which may suggest unknown potential reinfection components still present:
    O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)

    Infected restore points are often not an immediate problem unless something causes them to be triggered. Suggest you re-run AVG AS for the next several days to monitor if those items are still showing up in your restore points:
    C:\System Volume Information\_restore{B0D58583-74E7-492E-9B34-93CC645309A7}\RP336\A0036623.sys -> Logger.Goldun.lv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B0D58583-74E7-492E-9B34-93CC645309A7}\RP336\A0036624.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).



    To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.



    ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that MAY have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

    PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account. Accordingly and of further note; it can be very unsafe to run with admin rights on any PC that you browse the Internet with.


    (Windows XP)
    FOLDER LOCATION: c:\System Volume Information\_restore….
    To Turn OFF System Restore.
    1. Click the Start button.
    2. Right-click My Computer, and then click Properties.
    3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
    4. Click Apply.

    REBOOT.

    To Turn ON System Restore.
    1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
    2. Create new System Restore points.


    (Windows ME)
    FOLDER LOCATION: c:\_RESTORE\TEMP\….
    See the following link for instructions:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam




    To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:
    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
      http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
      http://www.microsoft.com/windows/ie/default.asp
      • http://www.securityfocus.com/news/11273
        If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.

    2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
      AVG: http://free.grisoft.com/doc/1
      Avast: http://www.avast.com/eng/avast_4_home.html

    3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
      Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
      Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
      Microsoft Windows Defender beta 2: http://www.download.com/Microsoft-Wi...ml?tag=lst-0-1

    4. Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
      Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
      *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
      Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

      It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.

    5. Consider using an alternate free browser for general web surfing but you must use IE for Windows updates. The use of Firefox (or similar alternate) mitigates the many types of malware that are now possible when using IE ActiveX based components.
      Mozilla Firefox: http://www.mozilla.org/products/firefox/

    6. Consider increasing your browser security by using these programs:
      SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
      SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known-bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
    7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
      • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
      • Next select ‘Open host file manager’ button.
      • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
      • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

        EXCERPT:
        #start of lines added by WinHelp2002
        # [Misc A - Z]
        127.0.0.1 phpadsnew.abac.com
        127.0.0.1 a.abnad.net
        127.0.0.1 e.abnad.net
        127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
        .
        .
        .
        #end of lines added by WinHelp2002




    *Remember just like your primary anti-virus software, it is important to:
    • Keep all of these programs up-to-date (using auto-updates where possible), and
    • Use them on a regular (minimum weekly) basis.




    REALITY CHECK:
    • Who else uses your PC? What are the potential risks created by multiple (potentially loose cannon) users and why?
    • What about bad luck, simple mistakes, and bad browsing choices (SEE: www.siteadvisor.com and their BLOG)?
    • SEE: The Dangers of Popularity (for Popular SEARCH TERMS):
      http://blog.siteadvisor.com/2006/08/...pularity.shtml
      The correlation of search term popularity and search term riskiness illustrates how malicious activity tends to follow and exploit consumer behavior. Users demand "free," and bad actors flock to fill corresponding search results with their deceptive offerings. All too often, users don't realize the detrimental consequences of these sites until their systems crash from spyware or their inboxes become choked with spam.


    ABOVE ALL, it is most imperative that users exercise "safe surfing" habits such as banning or at least verifying email attachments (with scanning tools) before opening, and by not executing programs unless obtained from a trusted (or researched) source, etc.



    In general, always research any unfamiliar links or products that you might want to access or download. In particular, the SiteAdvisor site and other links listed in my signature have continued to make a significant difference to my clients’ PC health due to better-informed browsing habits and choices. Peer-to-Peer and FREE download sites add a level of risk that many should seriously take into account and adjust their behavior accordingly.

    Additionally, TEMPORARY files are both a significant source of clutter and potential hiding places for MALWARE content. Clean out those areas periodically - at least weekly.
    Last edited by VopThis; 15-10-2006 at 02:58 PM.
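
    Added example (not from the thread, the MVPS file, or any tool mentioned): Python that performs the append-or-replace step from item 7 above, merging block-list lines into an existing HOSTS file while keeping the current entries and refusing anything that is not a loopback sinkhole; both file contents are constructed samples, and the `10.0.0.5` line is included deliberately to show the rejection path.

```python
"""Append MVPS-style block-list entries to an existing HOSTS file.

Added example, not part of the original thread or of the MVPS file.
It keeps every existing entry, skips comments and the trailing "#[...]"
annotations, adds each new name once, and rejects any line that would
point a name at a non-loopback address, so a copy-and-paste mistake
cannot silently redirect a real site.
"""
import ipaddress

# Constructed sample: the HOSTS file already on the machine.
EXISTING_HOSTS = """\
# existing entries (constructed sample)
127.0.0.1       localhost
"""

# Constructed sample in the layout of the excerpt quoted above; the
# 10.0.0.5 line is deliberately wrong (non-loopback) to exercise rejection.
BLOCKLIST_EXCERPT = """\
#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 e.abnad.net
127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
127.0.0.1 localhost
10.0.0.5 www.example-bank.invalid
#end of lines added by WinHelp2002
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True only for a loopback address (127.x) or the unspecified 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def merge_hosts(existing_text, blocklist_text):
    """Return (merged_text, added_pairs, rejected_pairs)."""
    known = {name for _, name in parse_hosts(existing_text)}
    added, rejected = [], []
    for ip, name in parse_hosts(blocklist_text):
        if not is_sinkhole(ip):
            rejected.append((ip, name))   # would redirect a real host
        elif name not in known:
            known.add(name)
            added.append((ip, name))
    merged = existing_text.rstrip("\n") + "\n"
    if added:
        merged += "\n# block-list entries appended\n"
        merged += "".join(f"{ip} {name}\n" for ip, name in added)
    return merged, added, rejected
```

    Running the merge a second time on its own output adds nothing, so the step can be repeated safely each time the block list is refreshed.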
