Changed Desktop and Taskbar [RESOLVED]
Started by
hourfollowshour
, Apr 07 2006 02:00 PM
-
This topic is locked
#16
Posted 20 April 2006 - 05:12 AM
hourfollowshour
- Topic Starter
-
- Member
-
- 19 posts
Member
#17
Posted 25 April 2006 - 08:37 PM
OwNt
-
- Retired Staff
-
- 7,457 posts
Malware Expert
Hello hourfollowshour,
Please post a new Hijackthis log.
Thanks,
OwNt
Please post a new Hijackthis log.
Thanks,
OwNt
#18
Posted 26 April 2006 - 07:14 AM
hourfollowshour
- Topic Starter
-
- Member
-
- 19 posts
Member
here you are:
Logfile of HijackThis v1.99.1
Scan saved at 3:13:19 PM, on 4/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Courtney Tamimie\Desktop\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Courtney Tamimie\Desktop\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirenKit 2006 trial\AVKTray\AVKTray.exe"
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...89/sdcregie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...74/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64B780D-A3CB-441D-B8CA-D841D4CBAC96}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Logfile of HijackThis v1.99.1
Scan saved at 3:13:19 PM, on 4/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Courtney Tamimie\Desktop\utorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Courtney Tamimie\Desktop\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirenKit 2006 trial\AVKTray\AVKTray.exe"
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...89/sdcregie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...74/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64B780D-A3CB-441D-B8CA-D841D4CBAC96}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
#19
Posted 27 April 2006 - 04:44 PM
OwNt
-
- Retired Staff
-
- 7,457 posts
Malware Expert
Hello hourfollowshour,
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Once the computer has rebooted please post one (hopefully) final Hijackthis log.
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
Once the computer has rebooted please post one (hopefully) final Hijackthis log.
#20
Posted 27 April 2006 - 06:21 PM
hourfollowshour
- Topic Starter
-
- Member
-
- 19 posts
Member
here is the hijackthis log, everything is still there, desktop changed and pop ups, i just checked on my task manager my processes running and the two that you instructed me to copy/paste (osaupd.exe and wupdmgr.exe) for killbox are still running as well
thanks
Logfile of HijackThis v1.99.1
Scan saved at 2:20:47 AM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Documents and Settings\Courtney Tamimie\Desktop\hijackthis\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirenKit 2006 trial\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...89/sdcregie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...74/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64B780D-A3CB-441D-B8CA-D841D4CBAC96}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
thanks
Logfile of HijackThis v1.99.1
Scan saved at 2:20:47 AM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Documents and Settings\Courtney Tamimie\Desktop\hijackthis\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirenKit 2006 trial\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...89/sdcregie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...74/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64B780D-A3CB-441D-B8CA-D841D4CBAC96}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
#21
Posted 27 April 2006 - 08:32 PM
OwNt
-
- Retired Staff
-
- 7,457 posts
Malware Expert
Let's try this again using the newer version of the fix...
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by doing the following :
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Please also post a new Hijackthis log.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Please also post a new Hijackthis log.
Edited by OwNt, 27 April 2006 - 08:32 PM.
#22
Posted 28 April 2006 - 04:30 AM
hourfollowshour
- Topic Starter
-
- Member
-
- 19 posts
Member
The processes are still running on my Windows Task Manager, here is the Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:30:01 PM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\COURTN~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirenKit 2006 trial\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...89/sdcregie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...74/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64B780D-A3CB-441D-B8CA-D841D4CBAC96}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Logfile of HijackThis v1.99.1
Scan saved at 12:30:01 PM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\COURTN~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirenKit 2006 trial\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...89/sdcregie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...74/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64B780D-A3CB-441D-B8CA-D841D4CBAC96}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
#23
Posted 28 April 2006 - 11:20 PM
OwNt
-
- Retired Staff
-
- 7,457 posts
Malware Expert
hourfollowshour,
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
- Click Download Now to download the program.
- Install it. Once the program is installed, it will open.
- It will prompt you to update to the latest definitions, click Yes.
- Once the definitions are installed, click Options on the left side.
- Click the Sweep Options tab.
- Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
- Click Sweep Now on the left side.
- Click the Start button.
- When it's done scanning, click the Next button.
- Make sure everything has a check next to it, then click the Next button.
- It will remove all of the items found.
- Click Session Log in the upper right corner, copy everything in that window.
- Click the Summary tab and click Finish.
- Paste the contents of the session log you copied into your next reply along with a fresh Hijackthis log.
#24
Posted 29 April 2006 - 09:56 AM
hourfollowshour
- Topic Starter
-
- Member
-
- 19 posts
Member
here is the log from spy sweeper:
********
12:46 PM: | Start of Session, Saturday, April 29, 2006 |
12:46 PM: Spy Sweeper started
12:46 PM: Sweep initiated using definitions version 668
12:46 PM: Starting Memory Sweep
12:58 PM: Memory Sweep Complete, Elapsed Time: 00:11:36
12:58 PM: Starting Registry Sweep
12:59 PM: Found Adware: ezula ilookup
12:59 PM: HKCR\ezulaagent.webofferhbarobj\ (5 subtraces) (ID = 965767)
12:59 PM: HKCR\ezulaagent.webofferhbarobj.1\ (3 subtraces) (ID = 965773)
12:59 PM: HKCR\webofferbar.webofferbarobj\ (5 subtraces) (ID = 965777)
12:59 PM: HKCR\webofferbar.webofferbarobj.1\ (3 subtraces) (ID = 965783)
12:59 PM: HKCR\clsid\{9ff56d85-db4f-4267-b669-8d05b0bf9a04}\ (13 subtraces) (ID = 965787)
12:59 PM: HKCR\clsid\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (13 subtraces) (ID = 965801)
12:59 PM: HKLM\software\classes\ezulaagent.webofferhbarobj\ (5 subtraces) (ID = 965836)
12:59 PM: HKLM\software\classes\ezulaagent.webofferhbarobj.1\ (3 subtraces) (ID = 965842)
12:59 PM: HKLM\software\classes\webofferbar.webofferbarobj\ (5 subtraces) (ID = 965846)
12:59 PM: HKLM\software\classes\webofferbar.webofferbarobj.1\ (3 subtraces) (ID = 965852)
12:59 PM: HKLM\software\classes\clsid\{9ff56d85-db4f-4267-b669-8d05b0bf9a04}\ (13 subtraces) (ID = 965856)
12:59 PM: HKLM\software\classes\clsid\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (13 subtraces) (ID = 965870)
12:59 PM: Found Trojan Horse: trojan-downloader-balloon
12:59 PM: HKCR\balloon.application\ (3 subtraces) (ID = 1177065)
12:59 PM: HKCR\clsid\{1ca7dbaf-b066-4554-977e-5cebb7fa59c8}\ (7 subtraces) (ID = 1177075)
12:59 PM: HKLM\software\classes\balloon.application\ (3 subtraces) (ID = 1177159)
12:59 PM: HKLM\software\classes\clsid\{1ca7dbaf-b066-4554-977e-5cebb7fa59c8}\ (7 subtraces) (ID = 1177169)
12:59 PM: HKLM\software\classes\clsid\{1ca7dbaf-b066-4554-977e-5cebb7fa59c8}\progid\ (1 subtraces) (ID = 1177175)
12:59 PM: HKU\S-1-5-21-2494977831-1083789369-1335913398-1006\software\microsoft\internet explorer\explorer bars\{9ff56d85-db4f-4267-b669-8d05b0bf9a04}\ (1 subtraces) (ID = 965832)
12:59 PM: HKU\S-1-5-21-2494977831-1083789369-1335913398-1006\software\microsoft\internet explorer\explorer bars\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (1 subtraces) (ID = 965834)
12:59 PM: Registry Sweep Complete, Elapsed Time:00:01:14
12:59 PM: Starting Cookie Sweep
12:59 PM: Found Spy Cookie: 123count cookie
12:59 PM: courtney tamimie@123count[2].txt (ID = 1927)
12:59 PM: Found Spy Cookie: 2o7.net cookie
12:59 PM: courtney tamimie@2o7[1].txt (ID = 1957)
12:59 PM: Found Spy Cookie: yieldmanager cookie
12:59 PM: courtney [email protected][2].txt (ID = 3751)
12:59 PM: Found Spy Cookie: atwola cookie
12:59 PM: courtney [email protected][1].txt (ID = 2256)
12:59 PM: courtney tamimie@atwola[2].txt (ID = 2255)
12:59 PM: courtney [email protected][1].txt (ID = 1958)
12:59 PM: Found Spy Cookie: questionmarket cookie
12:59 PM: courtney tamimie@questionmarket[2].txt (ID = 3217)
12:59 PM: Found Spy Cookie: tacoda cookie
12:59 PM: courtney tamimie@tacoda[1].txt (ID = 6444)
12:59 PM: Found Spy Cookie: valuead cookie
12:59 PM: courtney [email protected][2].txt (ID = 3627)
12:59 PM: Found Spy Cookie: myaffiliateprogram.com cookie
12:59 PM: courtney [email protected][1].txt (ID = 3032)
12:59 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
12:59 PM: Starting File Sweep
1:00 PM: Found Adware: 180search assistant/zango
1:00 PM: c:\program files\search-assistant (ID = -2147480560)
1:00 PM: Found Adware: wild media - statblaster
1:00 PM: c:\program files\media\media (1 subtraces) (ID = -2147480222)
1:00 PM: Found Adware: webhancer
1:00 PM: c:\program files\whinstall (2 subtraces) (ID = -2147480064)
1:01 PM: mfex-1.dat (ID = 258280)
1:02 PM: a0107230.exe (ID = 258280)
1:08 PM: mfex-1.dat (ID = 258280)
1:12 PM: a0107292.exe (ID = 258280)
1:12 PM: a0107269.exe (ID = 258280)
1:13 PM: osaupd.exe (ID = 258280)
1:15 PM: wupdmgr.exe (ID = 258280)
2:26 PM: Found Adware: gator ewallet
2:26 PM: gator.exe (ID = 61383)
2:53 PM: Found Adware: regfreeze fakealert
2:53 PM: security.html (ID = 256093)
2:57 PM: a0107277.exe (ID = 258280)
3:01 PM: a0107285.exe (ID = 258280)
3:02 PM: a0107264.exe (ID = 258280)
3:10 PM: wupdmgr.exe (ID = 258280)
3:10 PM: osaupd.exe (ID = 258280)
3:19 PM: Found Adware: look2me
3:19 PM: p0r4la9q1d.dll (ID = 159)
3:22 PM: whagent.ini (ID = 83826)
3:23 PM: Found Adware: targetsaver
3:23 PM: vocabulary (ID = 78283)
3:23 PM: class-barrel (ID = 78229)
3:23 PM: Found Adware: command
3:23 PM: kz6ywblrtr40p3iquqydtk.vbs (ID = 185675)
3:23 PM: Found Adware: azsearch toolbar
3:23 PM: azesearch.inf (ID = 50329)
3:26 PM: Warning: Invalid file - not a PKZip file
3:26 PM: Warning: Invalid Stream
3:27 PM: File Sweep Complete, Elapsed Time: 02:27:20
3:27 PM: Full Sweep has completed. Elapsed time 02:40:19
3:27 PM: Traces Found: 162
5:48 PM: Removal process initiated
5:48 PM: Quarantining All Traces: 180search assistant/zango
5:48 PM: Quarantining All Traces: look2me
5:48 PM: Quarantining All Traces: azsearch toolbar
5:48 PM: Quarantining All Traces: trojan-downloader-balloon
5:48 PM: Quarantining All Traces: command
5:48 PM: Quarantining All Traces: ezula ilookup
5:49 PM: Quarantining All Traces: regfreeze fakealert
5:49 PM: Quarantining All Traces: targetsaver
5:49 PM: Quarantining All Traces: webhancer
5:49 PM: Quarantining All Traces: wild media - statblaster
5:49 PM: Quarantining All Traces: 123count cookie
5:49 PM: Quarantining All Traces: 2o7.net cookie
5:49 PM: Quarantining All Traces: atwola cookie
5:49 PM: Quarantining All Traces: gator ewallet
5:49 PM: Quarantining All Traces: myaffiliateprogram.com cookie
5:49 PM: Quarantining All Traces: questionmarket cookie
5:49 PM: Quarantining All Traces: tacoda cookie
5:49 PM: Quarantining All Traces: valuead cookie
5:49 PM: Quarantining All Traces: yieldmanager cookie
5:49 PM: Removal process completed. Elapsed time 00:01:21
********
12:46 PM: | Start of Session, Saturday, April 29, 2006 |
12:46 PM: Spy Sweeper started
12:46 PM: Sweep initiated using definitions version 668
12:46 PM: Starting Memory Sweep
12:46 PM: Sweep Canceled
12:46 PM: Memory Sweep Complete, Elapsed Time: 00:00:18
12:46 PM: Traces Found: 0
12:46 PM: | End of Session, Saturday, April 29, 2006 |
********
12:45 PM: | Start of Session, Saturday, April 29, 2006 |
12:45 PM: Spy Sweeper started
12:45 PM: Sweep initiated using definitions version 668
12:45 PM: Starting Memory Sweep
12:45 PM: Sweep Canceled
12:45 PM: Memory Sweep Complete, Elapsed Time: 00:00:17
12:45 PM: Traces Found: 0
12:46 PM: | End of Session, Saturday, April 29, 2006 |
********
12:43 PM: | Start of Session, Saturday, April 29, 2006 |
12:43 PM: Spy Sweeper started
12:44 PM: Your spyware definitions have been updated.
12:45 PM: | End of Session, Saturday, April 29, 2006 |
and here is the fresh HijackThis log:
[size=3]
Logfile of HijackThis v1.99.1
Scan saved at 5:54:59 PM, on 4/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Courtney Tamimie\Desktop\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirenKit 2006 trial\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...89/sdcregie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...74/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64B780D-A3CB-441D-B8CA-D841D4CBAC96}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
i dont see the processes form before running on my task manager, is that good news???
********
12:46 PM: | Start of Session, Saturday, April 29, 2006 |
12:46 PM: Spy Sweeper started
12:46 PM: Sweep initiated using definitions version 668
12:46 PM: Starting Memory Sweep
12:58 PM: Memory Sweep Complete, Elapsed Time: 00:11:36
12:58 PM: Starting Registry Sweep
12:59 PM: Found Adware: ezula ilookup
12:59 PM: HKCR\ezulaagent.webofferhbarobj\ (5 subtraces) (ID = 965767)
12:59 PM: HKCR\ezulaagent.webofferhbarobj.1\ (3 subtraces) (ID = 965773)
12:59 PM: HKCR\webofferbar.webofferbarobj\ (5 subtraces) (ID = 965777)
12:59 PM: HKCR\webofferbar.webofferbarobj.1\ (3 subtraces) (ID = 965783)
12:59 PM: HKCR\clsid\{9ff56d85-db4f-4267-b669-8d05b0bf9a04}\ (13 subtraces) (ID = 965787)
12:59 PM: HKCR\clsid\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (13 subtraces) (ID = 965801)
12:59 PM: HKLM\software\classes\ezulaagent.webofferhbarobj\ (5 subtraces) (ID = 965836)
12:59 PM: HKLM\software\classes\ezulaagent.webofferhbarobj.1\ (3 subtraces) (ID = 965842)
12:59 PM: HKLM\software\classes\webofferbar.webofferbarobj\ (5 subtraces) (ID = 965846)
12:59 PM: HKLM\software\classes\webofferbar.webofferbarobj.1\ (3 subtraces) (ID = 965852)
12:59 PM: HKLM\software\classes\clsid\{9ff56d85-db4f-4267-b669-8d05b0bf9a04}\ (13 subtraces) (ID = 965856)
12:59 PM: HKLM\software\classes\clsid\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (13 subtraces) (ID = 965870)
12:59 PM: Found Trojan Horse: trojan-downloader-balloon
12:59 PM: HKCR\balloon.application\ (3 subtraces) (ID = 1177065)
12:59 PM: HKCR\clsid\{1ca7dbaf-b066-4554-977e-5cebb7fa59c8}\ (7 subtraces) (ID = 1177075)
12:59 PM: HKLM\software\classes\balloon.application\ (3 subtraces) (ID = 1177159)
12:59 PM: HKLM\software\classes\clsid\{1ca7dbaf-b066-4554-977e-5cebb7fa59c8}\ (7 subtraces) (ID = 1177169)
12:59 PM: HKLM\software\classes\clsid\{1ca7dbaf-b066-4554-977e-5cebb7fa59c8}\progid\ (1 subtraces) (ID = 1177175)
12:59 PM: HKU\S-1-5-21-2494977831-1083789369-1335913398-1006\software\microsoft\internet explorer\explorer bars\{9ff56d85-db4f-4267-b669-8d05b0bf9a04}\ (1 subtraces) (ID = 965832)
12:59 PM: HKU\S-1-5-21-2494977831-1083789369-1335913398-1006\software\microsoft\internet explorer\explorer bars\{f7384c48-97b6-45df-a2fa-1d7762d32f9c}\ (1 subtraces) (ID = 965834)
12:59 PM: Registry Sweep Complete, Elapsed Time:00:01:14
12:59 PM: Starting Cookie Sweep
12:59 PM: Found Spy Cookie: 123count cookie
12:59 PM: courtney tamimie@123count[2].txt (ID = 1927)
12:59 PM: Found Spy Cookie: 2o7.net cookie
12:59 PM: courtney tamimie@2o7[1].txt (ID = 1957)
12:59 PM: Found Spy Cookie: yieldmanager cookie
12:59 PM: courtney [email protected][2].txt (ID = 3751)
12:59 PM: Found Spy Cookie: atwola cookie
12:59 PM: courtney [email protected][1].txt (ID = 2256)
12:59 PM: courtney tamimie@atwola[2].txt (ID = 2255)
12:59 PM: courtney [email protected][1].txt (ID = 1958)
12:59 PM: Found Spy Cookie: questionmarket cookie
12:59 PM: courtney tamimie@questionmarket[2].txt (ID = 3217)
12:59 PM: Found Spy Cookie: tacoda cookie
12:59 PM: courtney tamimie@tacoda[1].txt (ID = 6444)
12:59 PM: Found Spy Cookie: valuead cookie
12:59 PM: courtney [email protected][2].txt (ID = 3627)
12:59 PM: Found Spy Cookie: myaffiliateprogram.com cookie
12:59 PM: courtney [email protected][1].txt (ID = 3032)
12:59 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
12:59 PM: Starting File Sweep
1:00 PM: Found Adware: 180search assistant/zango
1:00 PM: c:\program files\search-assistant (ID = -2147480560)
1:00 PM: Found Adware: wild media - statblaster
1:00 PM: c:\program files\media\media (1 subtraces) (ID = -2147480222)
1:00 PM: Found Adware: webhancer
1:00 PM: c:\program files\whinstall (2 subtraces) (ID = -2147480064)
1:01 PM: mfex-1.dat (ID = 258280)
1:02 PM: a0107230.exe (ID = 258280)
1:08 PM: mfex-1.dat (ID = 258280)
1:12 PM: a0107292.exe (ID = 258280)
1:12 PM: a0107269.exe (ID = 258280)
1:13 PM: osaupd.exe (ID = 258280)
1:15 PM: wupdmgr.exe (ID = 258280)
2:26 PM: Found Adware: gator ewallet
2:26 PM: gator.exe (ID = 61383)
2:53 PM: Found Adware: regfreeze fakealert
2:53 PM: security.html (ID = 256093)
2:57 PM: a0107277.exe (ID = 258280)
3:01 PM: a0107285.exe (ID = 258280)
3:02 PM: a0107264.exe (ID = 258280)
3:10 PM: wupdmgr.exe (ID = 258280)
3:10 PM: osaupd.exe (ID = 258280)
3:19 PM: Found Adware: look2me
3:19 PM: p0r4la9q1d.dll (ID = 159)
3:22 PM: whagent.ini (ID = 83826)
3:23 PM: Found Adware: targetsaver
3:23 PM: vocabulary (ID = 78283)
3:23 PM: class-barrel (ID = 78229)
3:23 PM: Found Adware: command
3:23 PM: kz6ywblrtr40p3iquqydtk.vbs (ID = 185675)
3:23 PM: Found Adware: azsearch toolbar
3:23 PM: azesearch.inf (ID = 50329)
3:26 PM: Warning: Invalid file - not a PKZip file
3:26 PM: Warning: Invalid Stream
3:27 PM: File Sweep Complete, Elapsed Time: 02:27:20
3:27 PM: Full Sweep has completed. Elapsed time 02:40:19
3:27 PM: Traces Found: 162
5:48 PM: Removal process initiated
5:48 PM: Quarantining All Traces: 180search assistant/zango
5:48 PM: Quarantining All Traces: look2me
5:48 PM: Quarantining All Traces: azsearch toolbar
5:48 PM: Quarantining All Traces: trojan-downloader-balloon
5:48 PM: Quarantining All Traces: command
5:48 PM: Quarantining All Traces: ezula ilookup
5:49 PM: Quarantining All Traces: regfreeze fakealert
5:49 PM: Quarantining All Traces: targetsaver
5:49 PM: Quarantining All Traces: webhancer
5:49 PM: Quarantining All Traces: wild media - statblaster
5:49 PM: Quarantining All Traces: 123count cookie
5:49 PM: Quarantining All Traces: 2o7.net cookie
5:49 PM: Quarantining All Traces: atwola cookie
5:49 PM: Quarantining All Traces: gator ewallet
5:49 PM: Quarantining All Traces: myaffiliateprogram.com cookie
5:49 PM: Quarantining All Traces: questionmarket cookie
5:49 PM: Quarantining All Traces: tacoda cookie
5:49 PM: Quarantining All Traces: valuead cookie
5:49 PM: Quarantining All Traces: yieldmanager cookie
5:49 PM: Removal process completed. Elapsed time 00:01:21
********
12:46 PM: | Start of Session, Saturday, April 29, 2006 |
12:46 PM: Spy Sweeper started
12:46 PM: Sweep initiated using definitions version 668
12:46 PM: Starting Memory Sweep
12:46 PM: Sweep Canceled
12:46 PM: Memory Sweep Complete, Elapsed Time: 00:00:18
12:46 PM: Traces Found: 0
12:46 PM: | End of Session, Saturday, April 29, 2006 |
********
12:45 PM: | Start of Session, Saturday, April 29, 2006 |
12:45 PM: Spy Sweeper started
12:45 PM: Sweep initiated using definitions version 668
12:45 PM: Starting Memory Sweep
12:45 PM: Sweep Canceled
12:45 PM: Memory Sweep Complete, Elapsed Time: 00:00:17
12:45 PM: Traces Found: 0
12:46 PM: | End of Session, Saturday, April 29, 2006 |
********
12:43 PM: | Start of Session, Saturday, April 29, 2006 |
12:43 PM: Spy Sweeper started
12:44 PM: Your spyware definitions have been updated.
12:45 PM: | End of Session, Saturday, April 29, 2006 |
and here is the fresh HijackThis log:
[size=3]
Logfile of HijackThis v1.99.1
Scan saved at 5:54:59 PM, on 4/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Courtney Tamimie\Desktop\HijackThis.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Program Files\AntiVirenKit 2006 trial\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O15 - Trusted Zone: http://www.kodakgallery.com
O16 - DPF: Yahoo! Backgammon - http://download.game...nts/y/at1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamp...89/sdcregie.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...74/mcinsctl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatro...an/pestscan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F64B780D-A3CB-441D-B8CA-D841D4CBAC96}: NameServer = 4.2.2.2,4.2.2.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
i dont see the processes form before running on my task manager, is that good news???
#25
Posted 29 April 2006 - 11:55 AM
OwNt
-
- Retired Staff
-
- 7,457 posts
Malware Expert
hourfollowshour,
Your Hijackthis log now shows clean!
Are you still having any pop-ups or such?
Your Hijackthis log now shows clean!
Are you still having any pop-ups or such?
#26
Posted 29 April 2006 - 12:25 PM
hourfollowshour
- Topic Starter
-
- Member
-
- 19 posts
Member
As of now.... NO!!! No pop-ups, no changed background, no exclamation points in the taskbar... im so nervous because this has happenned before and then everything came back with a BANG but if youre saying my HijackThis log is clean then all I have to say to you is THANK YOU SO MUCh
what a wonderful service, and for free, cant find that much anymore.
Thanks again, Ill recommend Geeks to Go FOREVER!
what a wonderful service, and for free, cant find that much anymore.
Thanks again, Ill recommend Geeks to Go FOREVER!
#27
Posted 01 May 2006 - 03:23 AM
OwNt
-
- Retired Staff
-
- 7,457 posts
Malware Expert
Hello hourfollowshour,
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
here are some additional utilities that will enhance your safety
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and reenable system restore here:
Managing Windows Millenium System Restore
or
Windows XP System Restore Guide
Reenable system restore with instructions from tutorial above
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
- Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
- Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
- Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
here are some additional utilities that will enhance your safety
- MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
- Google Toolbar <= Get the free google toolbar to help stop pop up windows.
#28
Posted 01 May 2006 - 03:23 AM
OwNt
-
- Retired Staff
-
- 7,457 posts
Malware Expert
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
