
Thread: hjt log

  1. #41
    Join Date
    Aug 2006
    Posts
    578


    Don't forget the logs from the other tools Judy mentioned!
    (Smitfiles.txt, WinPFind, etc. . . )

    HJT still shows remnants those tools should have removed.
    It looks like portions of many baddies have been removed from your compy through all of your scanning efforts. However, we need the Logs from the specific and specialized tools Judy listed in order to see what exactly remains on your machine.

    Best luck
    PP

  2. #42
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Can you tell me why you didn't have AVG remove the items found? Granted, they are tracking cookies, not awful items, but why, for heaven's sake, leave them on the computer? Get rid of them and then complete the steps given to you in post #37. One of the things we are trying to remove here is the remnants of Spyware Quake.
    You must follow all the steps given in post #37.

    Whoops PP didn't see you there!

  3. #43
    Join Date
    Nov 2006
    Posts
    29
    Although I have run WinPFind in both Safe Mode and Normal Mode with nothing else running, it says that it is Not Responding. I know it said that it will seem like it is not responding, but I let it run for at least 7 hours in Safe Mode and it still wasn't responding. Can you please give me more specific instructions on how I should run WinPFind (i.e. should I be online while running in normal mode, should I be in Safe Mode...)?


    smitRem © log file
    version 3.2

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    "IE"="6.0000"
    The current date is: Sat 11/18/2006
    The current time is: 19:03:22.37

    Running from
    C:\Documents and Settings\john\Desktop\smitRem

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Pre-run SharedTask Export

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    "cinnamomum"="{93ac7c30-3878-4eaa-9420-7977285df5b1}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Appinitdll check ........ Thank you Grinler!

    dumphive.exe (C)2000-2004 Markus Stephany
    REGEDIT4

    [Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    XP Firewall allowed access

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\WINNT\\system32\\mqsvc.exe"="C:\\WINNT\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Disabled:Kazaa"
    "C:\\Program Files\\LimeWire\\LimeWire 4.1.5 Pro\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.1.5 Pro\\LimeWire.exe:*:Enabled:LimeWire: The most advanced file sharing program on the planet."
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key


    WinHound.com key not present!


    checking for drsmartload2 key


    drsmartload2 key not present!

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    SpywareStrike uninstaller NOT present
    AlfaCleaner uninstaller NOT present
    SpyFalcon uninstaller NOT present
    SpywareQuake uninstaller NOT present
    SpywareSheriff uninstaller NOT present
    Trust Cleaner uninstaller NOT present
    SpyHeal uninstaller NOT present
    VirusBurst uninstaller NOT present
    BraveSentry uninstaller NOT present
    AntiVermins uninstaller NOT present
    VirusBursters uninstaller NOT present

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~

    amcompat.tlb
    nscompat.tlb
    logfiles


    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 768 'explorer.exe'
    Killing PID 768 'explorer.exe'

    Starting registry repairs

    Registry repairs complete

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    SharedTask Export after registry fix

    (GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
    Copyright(C) 2006 BleepingComputer.com

    Registry Pseudo-Format Mode (Not a valid reg file):

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
    @="%SystemRoot%\system32\browseui.dll"


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Deleting files

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~



    ~~~ Wininet.dll ~~~

    CLEAN!


    ROGUESCANFIX LOGFILE


    Export SharedTaskScheduler key
    ------------------------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



    Export SSODL key
    ----------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"


    Incident Status Location

    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt[.com.com/]
    Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt[.kinghost.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt[.statcounter.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt[.maxserving.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\john\Cookies\john@ad.yieldmanager[1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\john\Cookies\john@searchportal.information[1].txt
    Adware:adware/pacimedia Not disinfected C:\Documents and Settings\john\Desktop\Click to Find and Fix Errors.url
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\john\Desktop\smitRem\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\john\Desktop\smitRem.exe[smitRem/Process.exe]
    Potentially unwanted tool:application/sysprotect Not disinfected C:\Documents and Settings\john\Desktop\SysProtect.lnk
    Adware:Adware/SystemDoctor Not disinfected C:\WINNT\system32\components\flx6.dll
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINNT\system32\process.exe
    Spyware:spyware/adclicker Not disinfected C:\WINNT\usta33.ini

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:24:36 AM 11/20/2006

    + Scan result:



    :mozilla.102:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.103:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\john\Cookies\john@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
    :mozilla.169:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.201:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
    :mozilla.202:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
    :mozilla.209:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
    :mozilla.210:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
    :mozilla.87:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wakoakcjmfp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wgkycgcjebo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wjk4aidzwcp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wjk4kidzobo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wjliqnajwgo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wjloohazmcq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wjmienazkfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wjmiqhcpeap.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\john\Cookies\john@e-2dj6wjmyaic5ekp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.42:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
    C:\Documents and Settings\john\Cookies\john@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.18:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    C:\Documents and Settings\john\Cookies\john@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
    :mozilla.38:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
    :mozilla.39:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Sexcounter : Cleaned.
    :mozilla.131:C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\i8s65z5h.Martin\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\john\Cookies\john@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end

  4. #44
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    WPFind definitely shouldn't take 7 hours to run unless you have a humongous hard drive with hundreds of items on it. However, since you do use P2P programs you may very well have hundreds of items on the hard drive. Completely uninstall WPFind, do a file search and get rid of all of it. Then download it again and follow the instructions given for it in post #37.
    Try to run it again in Safe Mode. If it goes longer than 30 minutes to 1 hour then stop the scan and post back here to let us know.

    Can you refresh my memory, because I cannot honestly find anywhere in this thread, and I have read and re-read it numerous times today...exactly what problems were you having when we first began this on November 4th?

  5. #45
    Join Date
    Nov 2006
    Posts
    29

    Problems I had

    When I would shutdown my computer by clicking "turn off," the computer would reboot.

    I had several hijacking tools according to Panda Active Scan.

    I have had SurfSideKick for a long time. It showed up every time I ran SpyBot Search and Destroy.

    If you notice in the original HJT scan I had at least one BHO. I used HJT to fix the BHO. I believe the BHO stopped me from viewing a few common websites such as google, yahoo, craigslist... After following your instructions, I am not able to view these sites again.

    I had trojan Jv.BHO which windows defender detected.

    When attempting to access Ebay or Google, and a whole bunch of other sites, I would get this message:

    The connection has timed out


    The server at ebay.com is taking too long to respond.


    * The site could be temporarily unavailable or too busy. Try again in a few moments.

    * If you are unable to load any pages, check your computer's network connection.

    * If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    I would like to know how I can be better guarded from infections.

  6. #46
    Join Date
    Nov 2006
    Posts
    29
    WinPFind seems to be extremely sensitive on my computer. It still does not complete in under an hour in SAFE MODE with no other applications running.

  7. #47
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Forget about the WPFind for now.
    I have some questions:
    You state:
    When I would shutdown my computer by clicking "turn off," the computer would reboot.
    Why weren't we told this before?
    If you notice in the original HJT scan I had at least one BHO. I used HJT to fix the BHO. I believe the BHO stopped me from viewing a few common websites such as google, yahoo, craigslist... After following your instructions, I am not able to view these sites again
    In your FIRST HJT log posted there were 4 O2 BHO entries:
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll>>>>This one was a legitimate entry
    O2 - BHO: (no name) - {C4A9B596-1E0A-4FEE-AED0-E6934B24B2C9} - C:\WINNT\system32\awtqn.dll (file missing)>>>Trojan Vundo or Vx2
    when coupled with this entry in the log
    O20 - Winlogon Notify: awtqn - C:\WINNT\system32\awtqn.dll (file missing)

    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINNT\system32\xeymi.dll>>>QuickLinks/LinkMaker adware variant
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)>>>QuickLinks/LinkMaker adware variant
    These other three above were NOT legitimate entries.

    Nobody told you to remove the Yahoo BHO. But in your second HJT scan it is gone, so you must have removed it.
    Scan#2
    O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINNT\system32\xeymi.dll (file missing)>>>QuickLinks/LinkMaker adware variant
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)>>>QuickLinks/LinkMaker adware variant

    I believe the BHO stopped me from viewing a few common websites such as google, yahoo, craigslist... After following your instructions, I am not able to view these sites again.
    The instructions given in post #2 were the following:
    go to this LINK
    and follow the instructions there including running the following programs
    your Norton Program
    AdAwareSE + the Vx2 Removal Add-on
    Spybot S & D
    CCleaner
    AVG Anti-Spyware
    Look for and remove 5 malware programs if you could find them; you said you could not find them. I told you to post back with a new HJT log and the AVG log, which you did, though you did not have AVG fix anything.
    At that time I had NOT given you any fixes to be done to the HJT log entries.
    You stated then
    I used HJT to fix the BHO. I believe the BHO stopped me from viewing a few common websites such as google, yahoo, craigslist... After following your instructions, I am not able to view these sites again.
    There was absolutely nothing in those fixes I gave you which would have caused you to not be able to visit these websites. It IS possible their servers were having problems, because the fixes requested should not have caused that type of problem at all.
    Then in post #11 I asked you to go back through and do all of the above again along with fixes to apply to a new HJT scan.
    Again you did not have AVG fix anything and the fixes requested with HJT were not applied.

    The thing is, if fixes are not applied then the computer cannot work properly. Just running a program will not apply the fix; each of these programs requires a scan and THEN a fix.

    I have contacted PP to see if there is some way the WPFind can run and why it is NOT running.
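The reasoning in the post above (an unnamed O2 BHO whose file is missing, paired with an O20 Winlogon Notify entry for the same DLL) can be applied mechanically to an HJT log. The following Python is an added example, not code from the thread, from HijackThis or from any of the tools it lists; the sample log is constructed from the O2/O20 lines quoted in the post, and the flag names are my own.

```python
import re

# Constructed sample: the O2 and O20 lines quoted in post #47, verbatim.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - {C4A9B596-1E0A-4FEE-AED0-E6934B24B2C9} - C:\WINNT\system32\awtqn.dll (file missing)
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINNT\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O20 - Winlogon Notify: awtqn - C:\WINNT\system32\awtqn.dll (file missing)
"""

# HJT line formats as they appear in the post: "O2 - BHO: <name> - {CLSID} - <path>"
# and "O20 - Winlogon Notify: <subkey> - <path>".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")


def dll_name(path):
    """Lower-cased file name from an HJT path, or None for '(no file)'."""
    p = path.replace("(file missing)", "").strip()
    if p == "(no file)":
        return None
    return p.rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    """Split an HJT log into (BHO entries, Winlogon Notify entries)."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            d = m.groupdict()
            d["missing"] = "(file missing)" in d["path"] or d["path"] == "(no file)"
            d["dll"] = dll_name(d["path"])
            bhos.append(d)
            continue
        m = O20_RE.match(line)
        if m:
            d = m.groupdict()
            d["dll"] = dll_name(d["path"])
            notifies.append(d)
    return bhos, notifies


def triage(text):
    """Map each BHO CLSID to the list of reasons it deserves a closer look.

    These are structural flags only (hypothetical names): a named BHO with a
    present file, such as 'Ozbyq Class' above, is not flagged even though the
    helper in the thread recognised it by name."""
    bhos, notifies = parse_hjt(text)
    notify_dlls = {n["dll"] for n in notifies if n["dll"]}
    findings = {}
    for b in bhos:
        reasons = []
        if b["name"] == "(no name)":
            reasons.append("unnamed BHO")
        if b["missing"]:
            reasons.append("file missing")
        if b["dll"] and b["dll"] in notify_dlls:
            reasons.append("same DLL also registered as Winlogon Notify (O20)")
        findings[b["clsid"]] = reasons
    return findings
```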
