
Thread: Help with HJT Log(Resolved)

  1. #11
    Join Date
    Aug 2007
    Posts
    27
    I had a problem getting the Kaspersky e-mail protection to work. It would just fail every time I tried to activate it. It did discover worms and trojans as I mentioned in my original post. I deleted Kaspersky. I then tried to install NOD32 but the installation did not completely go through, so it was not working properly. I had trouble deleting it using Add-Remove (Control Panel), but I was finally able to delete all the NOD32 (or at least, I think so). I have now installed AntiVir and was able to update the files. I ran SpyBot and am posting a pdf. I also ran Ad-aware and found some tracking cookies. Also ran AVG and am attaching a log file.

    I ran RegistriFix and found 53 items which I "fixed". I can not follow the link from your "tools and tips" post for Microsoft Windows Defender or Spyware Blaster.

  2. #12
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    You know this adding and removing anti-virus programs is not helping anything. I haven't a clue as to what was found, what was done, nothing. Your spybot s & d log shows nothing but cookies but you didn't apply a fix with it.

    RegistriFix? What the heck is this program? Where in the world did you get it?
    Who told you to do a registry fix? What registry fixes were done?
    You shouldn't be doing registry fixes until we can say absolutely, for certain that they SHOULD be done. That is a last step, not something which should be done in the middle of working on a problem like this.
    Messing with the registry is not going to correct the problem you are having. You are assuming this is caused by malware, your logs really show nothing....the ones I have seen. I have NOT seen that Kaspersky log that you say removed and fixed various trojans.

    Your Windows Security Center is disabled. Why?
    Your AVG log file is blank.
    Each and every virus, trojan you say that Kaspersky removed came from opening an infected email. Some of these files should NOT have been deleted but should have been disinfected, quarantined. The computer rebooted and the program run again. After that then the quarantine should have been emptied. All of this should have been done while the computer was totally disconnected from the internet, this means the plug should have been pulled...is this what you did?
    We needed to know EXACTLY where these files were located, what files they may have created and the location of those...did you get those names?
    If you are not going to follow the instructions EXACTLY as given then we cannot help you and you have not done this. Restore points should not have been deleted until ALL problems were solved. That is very plain in Step 1 given here
    You will need to flush your restore points AFTER the fixing process has been completed to ensure that no malware is preserved.
    This thread also states if you cannot use Windows Defender then Spybot is just fine.

    What you are doing is trying one step, if it doesn't work then you leap to another rather than posting that you cannot complete a step. This won't work, this won't solve your problem. You are not even giving anyone here a chance to offer a solution or offer another option, you are leaping ahead to something else and it will not solve your problem.

    Have you tried flushing the browser caches?
    Firefox 2.x:

    1. From the "Tools" menu, select "Options...".
    2. Click on the "Privacy" Category and then click on "Clear now" at the bottom right.
    3. Click on both "Cache" and "Browsing History". If prompted, confirm by clicking "OK" on the pop-up.
    4. Click on "OK" to close the "Options" window.
    Close the browser.

    Internet Explorer 5-7+:
    1. From the "Tools" menu, select "(Internet) Options".
    2. On the "General" tab in the "Temporary Internet Files" section, click on "Delete Files" and then click "Okay" on the confirmation pop-up.
    3. Click "Okay" to close the "Internet Options" window.
    Close the browser.

    Now try each again.

  3. #13
    Join Date
    Aug 2007
    Posts
    27
    I apologize for not following your instructions. It's a sign of desperation which I will control. Henceforth I will follow your instructions.

    I deleted the temp internet files in IE 7 and the cache and browsing history in Firefox as you indicated. Twice.

    I ran AVG and have posted the log file. I also included the log file from RegistryFix. I know I jumped the gun. It won't happen again.

    I will run Kaspersky on-line version overnight and post the log tomorrow evening.

    ZoneAlarm firewall is picking up myftp.exe trying to access the internet, which I blocked. I read that this may be worm_sdbot.ayp. I did not delete it but I found it in two places: in C:\program files\disc and c:\windows\prefetch. I have a wireless network with one other computer. The one with the problem is the main computer.

    I await your reply and will post Kaspersky log tomorrow.

    thanks a million

    gln

  4. #14
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok gln,
    Take a deep breath, and we can begin again. You are correct in your findings about the file that Zone Alarm blocked. BUT it also could be a legitimate legal file. Since it was found in the C:\Program Files\DISC\ it could very well be a part of that program, which as you well know is a "Drop and Play" gaming program. Not being a gamer myself I am not certain exactly what that is, but I do know this file could be part of that and NOT a worm or trojan.

    But to be safe BEFORE you run the Kaspersky online scan I would like you to do the following:

    1. Download SDFix and save it to your Desktop.
    2. Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    3. Reboot into Safe Mode:
    Using the F8 Method
    Restart your computer.
    When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    Select the option for Safe Mode using the arrow keys.
    Then press enter on your keyboard to boot into Safe Mode.

    4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
    Type Y to begin the cleanup process.

    It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    Press any Key and it will restart the PC.

    When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

    Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

    Finally paste the contents of the Report.txt back here as soon as you complete it.

    Now rest assured, if no trojans are found then the program will NOT change anything. The report will read no trojans found.
    IF this file IS found to be worm_sdbot.ayp then it will remove it and any repair registry entries it may have made also.

    I also have gone through your list of Registry fixes and it appears to me the fixes made were to those registry entries associated with all those anti-virus programs and Spyware Doctor. Don't get rid of the backups just yet, keep them until we can be sure the computer will run without problems.
    Do that SDFix and post the log for me OK?
    Judy

  5. #15
    Join Date
    Aug 2007
    Posts
    27
    Unable to load the web site for SDFix with IE 7 or Firefox. Is there an alternate site?

  6. #16
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    There is no website; this is an actual link for the program itself. A box should come up asking where you wish to save the file.

  7. #17
    Join Date
    Aug 2007
    Posts
    27
    Whatever it is, when I click the link on your message I get this message after a few minutes:

    "Internet Explorer cannot display the webpage

    Most likely causes:
    You are not connected to the Internet.
    The website is encountering problems.
    There might be a typing error in the address.

    What you can try:
    Check your Internet connection. Try visiting another website to make sure you are connected.

    Retype the address.

    Go back to the previous page.

    More information

    This problem can be caused by a variety of issues, including:

    Internet connectivity has been lost.
    The website is temporarily unavailable.
    The Domain Name Server (DNS) is not reachable.
    The Domain Name Server (DNS) does not have a listing for the website's domain.
    If this is an HTTPS (secure) address, click tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.

    For offline users

    You can still view subscribed feeds and some recently viewed webpages.
    To view subscribed feeds

    Click the Favorites Center button, click Feeds, and then click the feed you want to view.

    To view recently visited webpages (might not work on all pages)

    Click Tools, and then click Work Offline.
    Click the Favorites Center button, click History, and then click the page you want to view."


    When I click on your link, my browser behaves the same way it does when I try to load the web pages that gave me the problem in the first place, like microsoft.com, weather.com, etc.

  8. #18
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Try clicking on the attached.

  9. #19
    Join Date
    Aug 2007
    Posts
    27
    I was able to install SDFix from the file you sent me. However, upon installation, my anti-virus (AntiVir) detected the following virus: heur/exploit/html, which I quarantined. Also, when the program was running in safe mode, I received the following message:

    c:\program files\symantech\s32evnt1.dll. An installable virtual device driver failed dll initialization. Choose 'close' to terminate the application. I chose 'Ignore' instead and SDFix ran as you indicated.

    Here is the log from the SDFix run:


    SDFix: Version 1.98

    Run by HP_Administrator on Wed 08/15/2007 at 10:08 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\PROGRA~1\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found




    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
    "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
    "C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files:
    ---------------


    Files with Hidden Attributes:


    Finished


    I await your next instructions.
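
An added example, not part of the original thread and not SDFix's own code: a Python parser for the "Authorized Application Key Export" section of a report like the one in post #19, listing enabled Windows Firewall exceptions that deserve a second look. The trusted install roots, the `watchlist` parameter (here the file name ZoneAlarm blocked in post #13) and the last sample entry are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Sample in the report's export format. The first three entries are copied from
# the log in post #19 (forum line-wrap spaces removed); the last is constructed.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe:*:Enabled:example"
'''

SECTION_RE = re.compile(
    r"^\[.*\\firewallpolicy\\(\w+)\\authorizedapplications\\list\]$", re.I)
ENTRY_RE = re.compile(r'^"(.+)"="(.+)"$')
# Assumption: locations treated as expected install roots on this XP machine.
TRUSTED_ROOTS = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


@dataclass
class Rule:
    profile: str    # standardprofile or domainprofile
    key_path: str   # registry value name (the executable path)
    path: str       # path field inside the value data
    scope: str      # "*" means any remote address
    enabled: bool
    name: str


def parse_export(text):
    """Parse 'path:scope:status:name' entries under each firewall profile."""
    rules, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            profile = m.group(1).lower()
            continue
        m = ENTRY_RE.match(line)
        if not m or profile is None:
            continue
        # .reg exports double every backslash; undo that before comparing.
        key, value = (s.replace("\\\\", "\\") for s in m.groups())
        parts = value.rsplit(":", 3)  # split from the right: the path has "C:"
        if len(parts) != 4:
            continue
        path, scope, status, name = parts
        rules.append(Rule(profile, key, path, scope,
                          status.lower() == "enabled", name))
    return rules


def review(rules, watchlist=()):
    """Return (profile, path, reasons) for enabled exceptions worth checking."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        low, reasons = r.path.lower(), []
        if r.key_path.lower() != low:
            reasons.append("value name and path differ")
        if not low.startswith(TRUSTED_ROOTS):
            reasons.append("outside expected install roots")
        if low.rsplit("\\", 1)[-1] in watch:
            reasons.append("file name on watchlist")
        if reasons:
            findings.append((r.profile, r.path, reasons))
    return findings


if __name__ == "__main__":
    for profile, path, reasons in review(parse_export(SAMPLE_EXPORT), ["myftp.exe"]):
        print(f"[{profile}] {path}: {', '.join(reasons)}")
```
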

  10. #20
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Now see if you can get that Kaspersky online scan
