system
41
I have opened up the log viewer and it shows
6/20/2007 01:01 System 2032 Sign of WIN32:Agent HZS[Trj] has been found in "C:\SYSTEMVOLUMEINFORMATION_RESTORE{D5341F9C-33FZ-43CF-8BD2-1AE937C9BA1B}\RP208\A0041500.EXE"file.
There are also some listed viruses for 6/19/2007. Should I list those?
system
43
AVG Anti-Spyware - Scan Report
C:_OTMoveIt\MovedFiles\WINDOWS\poolsv.exe → Downloader.VB.aya : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@112.2o7[2].txt → TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@2o7[1].txt → TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.addynamix[1].txt → TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@advertising[1].txt → TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@atdmt[2].txt → TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@bluestreak[1].txt → TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@connextra[2].txt → TrackingCookie.Connextra : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@doubleclick[1].txt → TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@fastclick[1].txt → TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ehg-myspaceinc.hitbox[2].txt → TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@hitbox[2].txt → TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@searchportal.information[1].txt → TrackingCookie.Information : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@mediaplex[2].txt → TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@www.myaffiliateprogram[1].txt → TrackingCookie.Myaffiliateprogram : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@perf.overture[1].txt → TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@ads.pointroll[1].txt → TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@questionmarket[1].txt → TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@realmedia[1].txt → TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@toplist[1].txt → TrackingCookie.Toplist : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@trafficmp[1].txt → TrackingCookie.Trafficmp : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@tribalfusion[2].txt → TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Brenda Mayorga\Cookies\brenda mayorga@zedo[1].txt → TrackingCookie.Zedo : No action taken.
::Report end
system
44
There’s nothing to worry about in the AVG log.
Let's take a quick look at the avast! log from 6/19/07, then we'll finish things up.
EDIT: Please look once more for C:\WINDOWS\system32\kwinlodt.exe. I’m guessing it was removed in one of the later ComboFix runs but without the full log I don’t know for sure. I want it to be gone.
This time, when you open the Explorer window (not Internet Explorer), at the top of the window click Tools > Folder Options > View. Make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked. Then look for the file.
system
45
I have looked again for C:\WINDOWS\system32\kwinlodt.exe and have not been able to find it.
Here is what avast shows:
2007-04-12 13:09 SYSTEM 2012 Sign of “Win32:Adware-gen. [Adw]” has been found in “http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab\UDC6_0001_D19M1908NetInstaller.exe” file.
2007-04-17 15:56 È‘|x…Øá‹ 2020 Function setifaceUpdateFiles() has failed. Return code is 0x0000A410, dwRes is 20000000.
2007-04-17 15:56 È‘|x…Øá‹ 2020 An error has occured while attempting to update. Please check the logs.
2007-04-27 12:41 SYSTEM 2020 Sign of “JS:Feebs family” has been found in “http://www.donwloadxclips.com/viewasia.php” file.
2007-04-30 13:51 SYSTEM 2008 Sign of “Win32:Spyware-gen. [Trj]” has been found in “http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab\USDR6_0001_D19M2108NetInstaller.exe” file.
2007-05-18 14:35 SYSTEM 2024 Sign of “JS:Feebs family” has been found in “http://greatexplorer.net/js/js.js” file.
2007-05-29 13:02 SYSTEM 1828 Sign of “JS:Feebs family” has been found in “http://www.pornmoviesindex.com/index.php?id=4013&style=bordo&out=1” file.
2007-05-30 14:33 SYSTEM 1828 Sign of “JS:Feebs family” has been found in “http://superfastsservers.com/shc2/bg.jpg” file.
2007-05-30 14:33 SYSTEM 1828 Sign of “JS:Feebs family” has been found in “http://superfastsservers.com/shc2/” file.
2007-05-30 14:34 SYSTEM 1828 Sign of “JS:Feebs family” has been found in “C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\UPAJ4TEV\shc2[1].htm” file.
2007-05-30 14:34 SYSTEM 1828 Sign of “JS:Feebs family” has been found in “C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\UPAJ4TEV\shc2[1].htm” file.
2007-05-30 14:34 SYSTEM 1828 Sign of “JS:Feebs family” has been found in “http://superfastsservers.com/shc2/bg.jpg” file.
2007-05-30 14:34 SYSTEM 1828 Sign of “JS:Feebs family” has been found in “http://superfastsservers.com/shc2/bt.jpg” file.
2007-06-01 09:32 SYSTEM 1828 Sign of “Win32:Adware-gen. [Adw]” has been found in “http://drivecleaner.com/.freeware/installdrivecleanerstart.cab\UDC6_0001_D19M1908NetInstaller.exe” file.
2007-06-04 13:53 SYSTEM 1996 Sign of “JS:Feebs family” has been found in “http://fast-info.org/?qq=Bang+bros.com” file.
2007-06-04 13:54 SYSTEM 1996 Sign of “JS:Feebs family” has been found in “C:\Documents and Settings\Antonio Escalante Jr\Local Settings\Temporary Internet Files\Content.IE5\K3PZIMZT\fast-info[1].htm” file.
2007-06-04 13:54 SYSTEM 1996 Sign of “JS:Feebs family” has been found in “http://slil1.info/1.html” file.
2007-06-17 00:21 SYSTEM 2024 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\C3VJUOTD\wr-1-0000077[1].exe[UPX]” file.
2007-06-17 00:27 SYSTEM 2024 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\wr-1-0000077[1].exe[UPX]” file.
2007-06-17 00:38 SYSTEM 2024 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Program Files\poolsv\wr-1-0000077.exe[UPX]” file.
2007-06-17 00:39 SYSTEM 2024 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Program Files\svhost\wr-1-0000077.exe[UPX]” file.
2007-06-17 00:45 SYSTEM 2024 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1549OinAdmin.exe[PECompact]” file.
2007-06-17 00:45 SYSTEM 2024 Sign of “Win32:VB-TGS [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\PKO7T5KT\k11u72[1].exe” file.
2007-06-17 00:46 SYSTEM 2024 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Program Files\svhost\wr-1-0000077.exe[UPX]” file.
2007-06-17 00:46 SYSTEM 2024 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1549OinAdmin.exe[PECompact]” file.
2007-06-17 00:46 SYSTEM 2024 Sign of “Win32:VB-TGS [Trj]” has been found in “C:\Program Files\poolsv\k11u72.exe” file.
2007-06-17 00:46 SYSTEM 2024 Sign of “Win32:VB-TGS [Trj]” has been found in “C:\Program Files\poolsv\k11u72.exe” file.
2007-06-17 00:53 SYSTEM 2024 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\udchqggj.dll” file.
2007-06-17 00:53 SYSTEM 2024 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\udchqggj.dll” file.
2007-06-17 00:53 SYSTEM 2024 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\WINDOWS\system32\udchqggj.dll” file.
2007-06-17 00:53 SYSTEM 2024 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\WINDOWS\system32\udchqggj.dll” file.
2007-06-17 00:58 SYSTEM 2024 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\qlqucbnt.exe” file.
2007-06-17 00:58 SYSTEM 2024 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\qlqucbnt.exe” file.
2007-06-17 00:58 SYSTEM 2024 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\WINDOWS\system32\qlqucbnt.exe” file.
2007-06-17 01:00 SYSTEM 2024 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\WINDOWS\system32\qlqucbnt.exe” file.
2007-06-17 02:08 Brenda Mayorga 2532 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\wr-1-0000077[1].exe[UPX]” file.
2007-06-17 02:14 Brenda Mayorga 2532 Sign of “Win32:VB-TGS [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\PKO7T5KT\k11u72[1].exe” file.
2007-06-17 02:35 Brenda Mayorga 2532 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1549OinAdmin.exe[PECompact]” file.
2007-06-17 03:08 Brenda Mayorga 2532 Sign of “Win32:VB-TGS [Trj]” has been found in “C:\Program Files\poolsv\k11u72.exe” file.
2007-06-17 03:12 Brenda Mayorga 2532 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Program Files\svhost\wr-1-0000077.exe[UPX]” file.
2007-06-17 05:14 Brenda Mayorga 2532 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\WINDOWS\system32\qlqucbnt.exe” file.
2007-06-17 11:17 Brenda Mayorga 2532 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\WINDOWS\system32\udchqggj.dll” file.
2007-06-18 00:18 Brenda Mayorga 2532 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\AXMHGBKX\YazzleBundle-1549[1].exe” file.
2007-06-18 00:55 SYSTEM 2024 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\fojtipub.exe” file.
2007-06-18 00:55 SYSTEM 2024 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\fojtipub.exe” file.
2007-06-18 00:55 SYSTEM 2024 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\WINDOWS\system32\fojtipub.exe” file.
2007-06-18 00:56 SYSTEM 2024 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\WINDOWS\system32\fojtipub.exe” file.
2007-06-18 00:58 SYSTEM 2024 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\dshlbhhh.dll” file.
2007-06-18 00:58 SYSTEM 2024 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\dshlbhhh.dll” file.
Any thoughts on NirCmd?
Hi Mauserme, it is part of ComboFix.
system
47
This is the second part of the avast log that I'm having trouble posting as a reply.
2007-06-18 00:58 SYSTEM 2024 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\WINDOWS\system32\dshlbhhh.dll” file.
2007-06-18 00:58 SYSTEM 2024 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\WINDOWS\system32\dshlbhhh.dll” file.
2007-06-18 02:01 SYSTEM 2024 Sign of “Win32:VB-TGS [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\Y94PKDQ7\snapsnet[1].exe” file.
2007-06-18 02:03 SYSTEM 2024 Sign of “Win32:VB-TGS [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\snapsnet.exe” file.
2007-06-18 02:04 SYSTEM 2024 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\V7QX137P\wr-1-2000219[1].exe[PECompact]” file.
2007-06-18 02:04 SYSTEM 2024 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\wr-1-2000219.exe[PECompact]” file.
2007-06-18 02:05 SYSTEM 2024 Sign of “Win32:VB-TGS [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\snapsnet.exe” file.
2007-06-18 02:05 SYSTEM 2024 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\wr-1-2000219.exe[PECompact]” file.
2007-06-18 02:06 SYSTEM 2024 Sign of “Win32:Agent-GJD [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\tni32.tmp” file.
2007-06-18 06:33 Brenda Mayorga 2532 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Program Files\poolsv\YazzleBundle-1549.exe” file.
2007-06-18 12:21 SYSTEM 2024 Function setifaceUpdatePackages() has failed. Return code is 0x00000003, dwRes is 00000003.
2007-06-18 12:29 SYSTEM 2024 An error has occured while attempting to update. Please check the logs.
2007-06-18 13:33 SYSTEM 2020 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temporary Internet Files\Content.IE5\LBCRWB6D\wr-1-0000077[1].exe[UPX]” file.
2007-06-18 13:36 SYSTEM 2020 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Program Files\svhost\wr-1-0000077.exe[UPX]” file.
2007-06-18 14:00 SYSTEM 2020 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\WINDOWS\system32\dshlbhhh.dll” file.
2007-06-19 00:55 SYSTEM 2020 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\sqxixlhn.dll” file.
2007-06-19 00:56 SYSTEM 2020 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\DOCUME~1\BRENDA~1\LOCALS~1\Temp\dqgubvpq.exe” file.
2007-06-19 01:08 Brenda Mayorga 3604 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temp\dqgubvpq.exe” file.
2007-06-19 02:23 Brenda Mayorga 3604 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Documents and Settings\Brenda Mayorga\Local Settings\Temp\wr-1-2000219.exe[PECompact]” file.
2007-06-19 03:43 Brenda Mayorga 3604 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP207\A0040516.exe” file.
2007-06-19 10:48 Brenda Mayorga 3604 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\System Volume Information_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP208\A0041388.dll” file.
2007-06-19 11:02 Brenda Mayorga 3604 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\WINDOWS\system32\fojtipub.exe” file.
2007-06-20 01:01 SYSTEM 2032 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP208\A0041500.EXE” file.
What do you think we should do next? Thanks again for all the help!
system
49
As far as I can tell your computer is clean at this point. I wanted to see the avast! log to make sure nothing was occurring significantly later than the first ComboFix run, since that cleaned most of the problem files. Even though there is one file slightly after that, I do not see any indication that a downloader is still at work.
Open OTMoveIt again and click the Clean Up button. This will remove the tools we downloaded and the malware backups.
Next, we will get rid of any remaining, possibly infected restore points and create a clean restore point:
Click Start > All Programs > Accessories > System Tools > System Restore. Fill the radio button to Create a Restore Point and click Next. Give the new restore point a name you will recognize if you need to find it (like Clean Point) and click Create.
Now, click Start > All Programs > Accessories > System Tools > Disk Cleanup. Now click the More Options tab, then click Clean Up in the System Restore section and OK.
After that finishes open Internet Explorer and click Tools>Internet Options>Privacy>Advanced. Make sure the option to reject third party cookies is checked (you may need to check Override Automatic Cookie Handling first). Then click OK>OK. This may help with some of the cookies you’ve been getting.
Finally, you should consider installing a third party firewall. Comodo is my favorite but Zone Alarm and PC Tools Firewall are also good (all 3 are free).
http://filehippo.com/download_comodo/
Keep SuperAntiSpyware and AVG Antispyware on your computer and scan with them from time to time. This will help keep you clean. Spyware Blaster is also a good, passive defense against malware.
http://www.javacoolsoftware.com/spywareblaster.html
This is a good time to install it while the computer is clean.
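The check the helper describes above (which avast! detections post-date the cleanup run, and whether they sit in a restore point or browser cache rather than in a live location such as system32), as an added example that is not part of the original thread. The sample lines are copied from the avast! log posted above; the cutoff time is an assumed value, since the thread does not give the time of the first ComboFix run.

```python
import re
from datetime import datetime

# Only detection lines match (update/error lines are skipped); straight or curly quotes accepted.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<user>.+?) (?P<pid>\d+) Sign of '
    r'[“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$')

def classify(path):
    """Where the hit sits: a copy in a restore point or browser cache is stored
    residue of something already seen, not proof that malware is still running."""
    p = path.lower()
    if "system volume information" in p or "_restore{" in p:
        return "restore-point"
    if "temporary internet files" in p:
        return "browser-cache"
    if "\\temp\\" in p:
        return "temp"
    return "live"  # system32, Program Files, and so on

def parse_line(line):
    """One avast! log line -> dict, or None when it is not a detection line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"), "user": m["user"],
            "sig": m["sig"], "path": m["path"], "where": classify(m["path"])}

def detections_after(lines, cutoff):
    """Detections strictly later than cutoff ("YYYY-MM-DD HH:MM"), oldest first."""
    c = datetime.strptime(cutoff, "%Y-%m-%d %H:%M")
    hits = [h for h in map(parse_line, lines) if h and h["ts"] > c]
    return sorted(hits, key=lambda h: h["ts"])

def live_after(lines, cutoff):
    """The subset worth acting on: post-cutoff hits outside restore points and caches."""
    return [h for h in detections_after(lines, cutoff) if h["where"] == "live"]

# Sample input: five lines copied from the avast! log posted in this thread.
SAMPLE_LINES = [
    '2007-06-18 12:29 SYSTEM 2024 An error has occured while attempting to update. Please check the logs.',
    '2007-06-18 13:33 SYSTEM 2020 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\\Documents and Settings\\Brenda Mayorga\\Local Settings\\Temporary Internet Files\\Content.IE5\\LBCRWB6D\\wr-1-0000077[1].exe[UPX]” file.',
    '2007-06-19 01:08 Brenda Mayorga 3604 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\\Documents and Settings\\Brenda Mayorga\\Local Settings\\Temp\\dqgubvpq.exe” file.',
    '2007-06-19 11:02 Brenda Mayorga 3604 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\\WINDOWS\\system32\\fojtipub.exe” file.',
    '2007-06-20 01:01 SYSTEM 2032 Sign of “Win32:Agent-HZS [Trj]” has been found in “C:\\SYSTEM VOLUME INFORMATION_RESTORE{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\\RP208\\A0041500.EXE” file.',
]

if __name__ == "__main__":  # assumed cutoff; the thread does not give the first ComboFix run time
    print(len(live_after(SAMPLE_LINES, "2007-06-19 12:00")), "live hits after cutoff")
```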
system
50
Should I reboot the system before we get rid of any remaining, possibly infected restore points and create a clean restore point? After I clicked on Clean Up it is asking me to reboot the system to finish.
system
51
Yes, if it's asking for a reboot then do that next.
system
52
system
53
You’re welcome.
Let me know if there are any more problems. 