HJT log with 3 files found by trendmicro to be

NoAdware claims to be able to remove PE ADTOMI.A you can download it free from www.noadware.net.
The Trojan you have is a little more difficult, I tracked down the following method of removing TROJ BRDUPDATE.D from a site in Uruguay.
First you need to disable System Restore, otherwise every time you restart your computer XP will helpfully restore the trojan, thanks Microsoft!
Close down all running programs, make sure you are disconnected from the internet and any network you may be connected to.
Right click 'My Computer' click 'Properties' select System Restore tab, click in box marked 'Turn off System Restore on all disks' click 'Apply' and confirm action. Restart computer.
Open Windows Explorer, locate and delete the following file:
c:\windows\system32\e6f1873b.dll.
Open Recycle Bin and delete the file from there.
Now you need to erase some entries in the Registry. Click Start, Run, enter REGEDIT press Enter.I'd recommend backing-up the Registry at this point, click on File-Export and save a copy of the whole Registry to your Desktop, if you have any problems later you can Import it back, if not you can delete it later. ( not all the following will be present but delete those that you find )
In the left panel click through the following HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run when you open the Run folder look in the right panel for this entry and delete {A70FA1D-0195-4a2-934C-DAC0F7C08EB }
Do the same with the following entries:-
HKEY_CLASSES_ROOT\CLSID {E004800a-73c6-4587-b855-98d0ce0c16b1 }
HKEY_CURRENT_USER\Software {70FA1D-0195-4a2-934C-DAC0F7C08EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID {A70FA1D-0195-4a2-934C-DAC0F7C08EB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion erase the folder 'RunWindowsUpdate'
Click File, Exit, to leave regedit.
Restart your computer, and you should be free of this trojan. Don't forget to reinstate System Restore by reversing the change you made at the start. Sorry its so long winded but doing it does'nt take as long as typing it, you may want to print this! I can't say for sure if this will work, but I've not found any other information on removing this.
By the way remember the tip about disabling System Restore whenever you find and need to remove any trojans, or they will just reappear by magic! Hope you get sorted. :wink:

Hi shewolfnm

Please disable your current AV
Click Here and run RAV online scan, Copy and paste back the log into this thread when it has finished,
Be sure and enable your AV when done with the above

OK.
This is what the website scan found:

Scan started at 1/30/2005 3:01:54 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Dawn\Local Settings\Temp\optimize.exe->(UPXW) - TrojanDownloader:Win32/Dyfuca.J -> Infected
C:\WINDOWS\Downloaded Program Files\121373.exe - Tool:PornDialer.BP -> Infected
C:\WINDOWS\Downloaded Program Files\webcamView_plugin.exe - Tool:PornDialer.BP -> Infected

Scanned
============================
Objects: 47671
Directories: 3935
Archives: 3015
Size(Kb): 2087484
Infected files: 3

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 118

_______________________________________

If you now need a new hijak log here it is :
Logfile of HijackThis v1.98.2
Scan saved at 4:06:43 PM, on 1/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\McAfee\McAfee Firewall\CPDCLNT.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\explorer.exe
C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\CHJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.able2know.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\America Online 5.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2717D41-700E-4FC8-A6B9-F3B9367D7D55}: NameServer = 207.69.188.185 207.69.188.186

..

..

..

Hi shewolfnmsorry it took me a bit to get back to you,
Go to Add/Remove programs search for and remove Internet Optimizer
Next reboot to safe mode ( By tapping the F8 key on start up) Make sure you can view all Hidden Files/Folders search for and delete the above files highlighted in BOLD

C:\Documents and Settings\Dawn\Local Settings\Temp\optimize.exe
C:\WINDOWS\Downloaded Program Files\121373.exe
C:\WINDOWS\Downloaded Program Files\webcamView_plugin.exe
Restart your computer,
Run another scan with RAV and post back what it finds please

In add/remove programs I did not find internet optimizer?
So i am just going to do the safemode step in your instructions.


( oh.. no apology necessary Don. I m just thankful for your help. ;-) )

Scan started at 2/4/2005 5:36:28 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\Downloaded Program Files\121373.exe - Tool:PornDialer.BP -> Infected
C:\WINDOWS\Downloaded Program Files\webcamView_plugin.exe - Tool:PornDialer.BP -> Infected

Scanned
============================
Objects: 48363
Directories: 3934
Archives: 3022
Size(Kb): -2061511
Infected files: 2

Found
============================
Viruses found: 1
Suspicious files: 0
Disinfected files: 0
Mail files: 117

Let's try this again,
Download Pocket Killbox from. Here Paste the full file path (C:\WINDOWS\Downloaded Program Files\121373.exe ) in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File C:\WINDOWS\Downloaded Program Files\121373.exe will be deleted on next reboot, Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.
Let us know how you make out

Follow the same steps above and delete
C:\WINDOWS\Downloaded Program Files\webcamView_plugin.exe

After you have deleted both files with killbox,
Run another scan with RAV post back the results please

Hmmmm.... maybe this is the results you were looking for? :-)

Scan started at 2/5/2005 8:54:28 AM

Scanning memory...
Scanning boot sectors...
Scanning files...

Scanned
============================
Objects: 47779
Directories: 3936
Archives: 3023
Size(Kb): 2081179
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 118

Love when that happens
How is it running now ?

Run a scan with Ad-aware and have it fix anything it finds,
Just in case you don't have it,

Download Ad-Aware SE
Use the: "Check for Updates Now" option and download the latest reference files
Use the Start button, and on the next window, select: Perform Full System Scan
Press Next, and let Ad-aware scan the hard drive
When finished, right-click the window with the entries, choose: Select All from the menu, and click Next
Once AdAware has removed the entries, close the program
Restart the computer

I will run that now.
Thankyou yet again for your help. ;-)

Question about killbox-
Is this something I can use on my own with out damaging my computer?
So long as I use the RAV site, and I copy/paste the file location exactly as it is stated in RAV , can I safely delete anything that it may find in the future ?
I am trying to minimize my " oh god help me ' questions .. hehehe
by learning how to take care of this stuff on my own.

Are there any other programs I can d/l and keep on my laptop that are user friendly and may keep me bug/virus free in the future?

You want to be very careful with killbox, I would recommend deleting it,

I enjoy you "please god help me questions"

My usual speach

Download the following programs, For keeping crap off your system to begin with
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
Download Spyware Blaster and SpywareGaurd
Check for updates after you install them, And check weekly as well
Keep Ad-aware and Spybot handy, Check them for updates and run them weekly
Same with your Anti Virus,

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.

Remeber to Check Windows for updates

Probably a good time to create a new restore point See Here Name it clean or something like that,

Hmm.. i will do that.
Thanks for the tips. ;-)

I think from now on, I will start my threads with

" Hey GOD, its me shewolf--- heres my HJT log."
!!!!

thanks a bunch

Your very welcome, and you now I will answer to anything

Such an open ended comment...
you must not be familiar with my raunchy humor... or you would run scared
right



about



now.