Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Zotob Help Needed !

Started by vanrags , Mar 28 2006 07:01 AM

  • Please log in to reply

#1
vanrags
Posted 28 March 2006 - 07:01 AM

vanrags

    New Member

  • Member
  • Pip
  • 7 posts
Hello !

I need help !. I suddenly see a sign on my task bar that turns red with a cross thru it and green like a arrow. Window Defender tells me my computer has been affected by Zolob. I am unable to remove it using Windows Defender, Spybot identifies nothing.

Ad-Aware SE identified 149 threats and removed them, not Zotob. I cna still see the icon on my tray and also tyhe exe files, nvctrl.exe

Help !. how do I remove it ?.

What damage can it do ?. I have my tax papers on my PC. Should I be worried ?.

Thanks
VR
  • 0

Advertisements

#2
vanrags
Posted 28 March 2006 - 07:39 AM

vanrags

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:38:28 AM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\palmOne\AlarmApp.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\PROGRA~1\NORTON~1\NAVW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
F:\My Downloads\HijackThis.exe

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp8983.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar8.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\palmOne\AlarmApp.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar8.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar8.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar8.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar8.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar8.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar8.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gatew...h/weblaunch.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.f...lobal/msc37.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#3
stonangel
Posted 28 March 2006 - 07:57 AM

stonangel

    Visiting Staff

  • Visiting Consultant
  • 429 posts
Hello and welcome to GeeksToGo, vanrags.

I'm currently working on your log and post back a fix shortly.
  • 0

#4
stonangel
Posted 28 March 2006 - 08:27 AM

stonangel

    Visiting Staff

  • Visiting Consultant
  • 429 posts
Hi vanrags,

1. Please download this fix.
Save it to the desktop, extract and double click Fix_Protocol_zones_ranges.reg and allow it to merge with the registry.

2. Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

* Download smitRem.exe ©noahdfear, and save the file to your desktop.

Double-click on the smitRem.exe file to extract it to it's own folder on the desktop.

* Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

* Please read Ewido Setup Instructions
Update the definitions to the newest files. Do NOT run a scan yet.

* Download roguescanfix.exe, and save it to your desktop.
Double click roguescanfix.exe to install it.
Open the roguescanfix folder, and doubleclick run.bat.
Your desktop and icons will disappear and then reappear again, this is normal.
Wait till te message "Completed script execution" appear, then click OK.
Click "Exit" to close BFU.
Click "OK" to start the SpywareQuake/Spyfalcon uninstaller, after that click "uninstall".

* Next, boot into Safe Mode. To do this:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

* Open the smitRem folder on your desktop

Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

* Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

* Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

* Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
* Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#5
vanrags
Posted 29 March 2006 - 10:04 AM

vanrags

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks Oliver !.

I will follow the steps you suggested and get back to you with results !. I am sorry, I did not respond earlier, a bit busy.

Thanks again for your help !.

VR
  • 0

#6
vanrags
Posted 30 March 2006 - 08:23 PM

vanrags

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Oliver,

I completed the procedure that you suggested and I think my PC is now free of any bugs !!!!. I cannot see the flashing sign on my task bar.

Here are the reports:

Activescan Report:

Incident Status Location

Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\dxole32.exe
Spyware:spyware/web3000 Not disinfected C:\WINDOWS\hh.ico
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@atwola[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@go[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@xiti[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\guest@belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Guest\Cookies\guest@go[1].txt
Virus:Exploit/iFrame Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\RISVZ98T\ShowLetter[1].html[~0000003.~]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\smitRem\smitRem\Process.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Vandana\Cookies\vandana@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Vandana\Cookies\vandana@banner[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Vandana\Cookies\vandana@go[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Vandana\Cookies\vandana@xiti[1].txt
Adware:Adware/SecurityError Not disinfected C:\WINDOWS\system32\dxole32.exe
Potentially unwanted tool:Application/Processor Not disinfected F:\My Downloads\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\My Downloads\smitRem\Process.exe

SmitFile Report:


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 03/29/2006
The current time is: 21:31:26.14

Running from
C:\Documents and Settings\Owner\Desktop\smitRem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 892 'explorer.exe'
Killing PID 892 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :whistling:

HijakThis Report:


Logfile of HijackThis v1.99.1
Scan saved at 7:03:15 AM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SM1BG.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\Program Files\palmOne\AlarmApp.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
F:\My Downloads\HijackThis.exe

O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar8.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\palmOne\AlarmApp.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar8.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar8.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar8.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar8.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar8.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar8.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gatew...h/weblaunch.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Ewido Report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:31:55 AM, 3/30/2006
+ Report-Checksum: AC0936B9

+ Scan result:

HKU\S-1-5-21-2443569458-303514184-693340103-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\akhil@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\akhil@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\akhil@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\akhil@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\akhil@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Vandana\Cookies\vandana@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\SpywareQuake -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\SpywareQuake.exe -> Adware.SpywareQuake : Cleaned with backup
C:\Program Files\SpywareQuake\sq.ini -> Adware.SpywareQuake : Cleaned with backup


::Report End

Please let me know if there is anything else I need to do .

And, again, a very big THANKS !!!!!!

VR
  • 0

#7
stonangel
Posted 02 April 2006 - 09:06 AM

stonangel

    Visiting Staff

  • Visiting Consultant
  • 429 posts
Hi vanrags,

Your HijackThis log looks fine :whistling:

1. Please delete the smitRem folder to your desktop.

2. Next please download:

* ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

* Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\SYSTEM32\dxole32.exe
    C:\WINDOWS\hh.ico
    C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\RISVZ98T\ShowLetter[1].html[~0000003.~]
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

3. Run a new Panda online scan and post back the report, please.
  • 0

#8
vanrags
Posted 08 April 2006 - 02:00 PM

vanrags

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Oliver,

Here is the report from the Panda Active scan:

Incident Status Location

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Adware:Adware/SecurityError Not disinfected C:\!KillBox\dxole32.exe
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@atdmt[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@atwola[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@doubleclick[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@go[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Akhil\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Akhil\Cookies\akhil@xiti[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\guest@belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Guest\Cookies\guest@go[1].txt
Virus:Exploit/iFrame Not disinfected C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\RISVZ98T\ShowLetter[1].html[~0000003.~]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Vandana\Cookies\vandana@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Vandana\Cookies\vandana@banner[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Vandana\Cookies\vandana@go[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Vandana\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Vandana\Cookies\vandana@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected F:\My Downloads\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected F:\My Downloads\smitRem\Process.exe


Please let me know if you want me to do somethign more. Thanks !
  • 0

#9
stonangel
Posted 09 April 2006 - 08:09 AM

stonangel

    Visiting Staff

  • Visiting Consultant
  • 429 posts
Hi vanrags,

* Boot into Safe mode by tapping F8 as your computer restarts then delete the following files or folders:

C:\!KillBox
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\RISVZ98T\ShowLetter[1].html[~0000003.~]
F:\My Downloads\smitRem.exe[Process.exe]
F:\My Downloads\smitRem

* Run ATF Cleaner again.

* Empty the recycle bin.

* Restart in normal mode and tell us how the things are running now, please.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP