
MWSBAR.DLL



#1
Caco


    New Member

  • Member
  • 7 posts
Hi there

I am new to this site, and was just recently introduced to it by a friend of mine who is currently at my house. He always yells at me for not taking care of my computer and insists that I have spyware and maybe more. He is VAGUELY familiar with HijackThis and took a look and told me that I definitely should have the log looked at here.

For a while I was having a window pop up from McAfee telling me that I had a virus, but I couldn't delete it. It was put into a quarantine folder, and it just randomly stopped. Also, my cousin, who is at my house a lot, constantly goes to adult websites and I get a lot of pop-ups from it.

A long time ago my IE stopped working so I just got Firefox....

Oh, and my friend is relatively sure that I have the MyWebSearch spyware or something....

Could someone please take a look at this and tell me what I need to do to get my computer clean?

Here is my HJT log, thanks in advance!


Logfile of HijackThis v1.99.1
Scan saved at 8:36:24 PM, on 7/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Scotty\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINNT\System32\nsk4F7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NI.UERS] "C:\WINNT\Downloaded Program Files\CONFLICT.2\UERSNetInstaller.exe"/BEFOREINSTALL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [*Microsoft Update] wstcl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [alter service] hub132.exe
O4 - HKCU\..\Run: [System32 TCP Manager] systerm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [irssyncd] C:\WINNT\System32\irssyncd.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = ?
O4 - Startup: Z_Start.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk595BMUS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125393029312
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C237A9-D4E1-4E29-8192-6F6077BF82C8}: NameServer = 151.203.0.84 151.197.0.38
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINNT\_sqlexec.exe (file missing)


#2
Flrman1


    Malware Assassin

  • Retired Staff
  • 6,596 posts
Hi Caco

Welcome to GTG! :whistling:

* Click here to download ATF Cleaner by Atribune and save it to your desktop.


* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.
  • Open MS Anti-Spyware and click on Options > Settings.
  • Click on "Realtime Protection" in the left pane.
  • Remove the check by these:
    • Enable the Microsoft Security Agents on startup (recommended)
    • Enable real-time spyware threat protection (recommended)
  • Click "Save"
  • Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
  • Leave it disabled until we are finished here.
* Note: You really should uninstall MS-Antispyware as it is outdated. Microsoft Antispyware is still in beta. The name has been changed to Windows Defender. The beta you have is very much outdated so my best advice here is to uninstall it and if you want to try the new beta of Windows Defender, you can download it later.



* Go to Add/Remove programs and uninstall these:

MyWebSearch.
Viewpoint Toolbar
Viewpoint Media Player
Viewpoint Manager
Zango Toolbar or anything you see with "Zango" in its title.



* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINNT\System32\nsk4F7.dll

O3 - Toolbar: Zango Toolbar - {EA0D26BD-9029-431A-86E0-83152D67828A} - C:\Program Files\Zango Programs\Zango Toolbar\ZangoTB.dll

O4 - HKCU\..\Run: [*Microsoft Update] wstcl.exe

O4 - HKCU\..\Run: [alter service] hub132.exe

O4 - HKCU\..\Run: [System32 TCP Manager] systerm.exe

O4 - HKCU\..\Run: [irssyncd] C:\WINNT\System32\irssyncd.exe

O4 - Startup: MyWebSearch Email Plugin.lnk = ?

O4 - Startup: Z_Start.lnk = ?

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:


    C:\Program Files\Zango Programs

    C:\WINNT\System32\wstcl.exe

    C:\WINNT\System32\hub132.exe

    C:\WINNT\System32\systerm.exe

    C:\WINNT\System32\irssyncd.exe


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.
* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.

Edited by Flrman1, 15 July 2006 - 08:56 PM.


#3
Caco


    New Member

  • Topic Starter
  • Member
  • 7 posts
Wow! My IE is working again :whistling:

I didn't know malware could do that.

When I went to remove the lines instructed using HJT, a window popped up with the following statement:


Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

Please send a report to [email protected], mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard.




Here is the ActiveScan report:


Incident Status Location

Adware:adware/transponder Not disinfected c:\winnt\lastgood\inf\ceres.inf
Adware:adware/ipinsight Not disinfected c:\winnt\lastgood\inf\farmmext.inf
Spyware:spyware/betterinet Not disinfected c:\winnt\lastgood\inf\payload2.inf
Adware:adware/ncase Not disinfected c:\temp\salm.log
Adware:adware/gator Not disinfected c:\winnt\downloaded program files\HDPlugin1101.dll
Adware:adware/qoologic Not disinfected c:\winnt\downloaded program files\installer.exe
Adware:adware/elitebar Not disinfected c:\winnt\downloaded program files\OSD149F.OSD
Dialer:dialer.fjk Not disinfected c:\winnt\downloaded program files\se001.exe
Adware:adware/exact.bargainbuddy Not disinfected c:\winnt\system32\bbchk.exe
Spyware:spyware/safesurf Not disinfected c:\winnt\system32\irsmrcec.dll
Hacktool:hacktool/rootkit.a!cme-96 Not disinfected c:\winnt\system32\rdriv.sys
Adware:adware/dealhelper Not disinfected c:\winnt\dhp2.dll
Adware:adware/downloadware Not disinfected c:\winnt\Digital Signature 20050314.htm
Adware:adware/ieplugin Not disinfected c:\winnt\kwv2.dat
Dialer:dialer.bny Not disinfected c:\winnt\pcconfig.dat
Potentially unwanted tool:application/errorsafe Not disinfected c:\program files\common files\ErrorSafe
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\program files\common files\WinSoftware
Adware:adware/wupd Not disinfected c:\program files\AdTools Service
Adware:adware/searchexe Not disinfected c:\program files\se
Potentially unwanted tool:application/zango Not disinfected c:\program files\Zango
Adware:adware program Not disinfected c:\winnt\system32\cache32dsrf4535dfs
Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Scotty\Favorites\1111
Adware:adware/xupiter Not disinfected C:\Documents and Settings\Scotty\Favorites\Free Stuff
Adware:adware/cws Not disinfected C:\Documents and Settings\Scotty\Favorites\Health
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/beginto Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Spyware:spyware/apropos Not disinfected Windows Registry
Adware:adware/wintools Not disinfected Windows Registry
Adware:adware/webext Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Adware:adware/bigtrafficnet Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/sbsoft Not disinfected Windows Registry
Adware:adware/ist.xxxtoolbar Not disinfected Windows Registry
Spyware:Spyware/SafeSurf Not disinfected C:\!KillBox\irssyncd.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected]eclick[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Friends\Cookies\[email protected][1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
Adware:Adware/WinAD Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\95I7NL8P\Bridge-c139[1].cab
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJ0J9D55\lc[1].exe[re11.REG]
Adware:Adware/WUpd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJ0J9D55\lc[1].exe[update.html]
Adware:Adware/nCase Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJ0J9D55\prompt_ie_win[1].js
Adware:Adware/Beginto Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RWBW08YS\gpstool[1].exe[winbbb.dat]
Adware:Adware/PopupSearches Not disinfected C:\Documents and Settings\Scotty\Desktop\backups\backup-20060716-000430-563.dll

Here is the fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:24 AM, on 7/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scotty\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NI.UERS] "C:\WINNT\Downloaded Program Files\CONFLICT.2\UERSNetInstaller.exe"/BEFOREINSTALL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk595BMUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125393029312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C237A9-D4E1-4E29-8192-6F6077BF82C8}: NameServer = 151.203.0.84 151.197.0.38
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINNT\_sqlexec.exe (file missing)















Here is the other list you requested, the uninstall list:



Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0
AIM Toolbar
AOL Instant Messenger
CardRd81
CCScore
C-Media WDM Audio Driver
CR2
elitemediagroup
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
ESSvpaht
ESSvpot
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPRFO
IRISmon
J2SE Runtime Environment 5.0 Update 6
Kodak EasyShare software
KSU
Logitech QuickCam
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
mIRC
Mozilla Firefox (1.5.0.4)
MSN
MSN Music Assistant
Nero Media Player
Nero OEM
Notifier
Omerta Script v1.0
OpenMG Jukebox
OpenMG Secure Module 3.0.03
OTtBP
OTtBPSDK
Panda ActiveScan
Paradise Poker
QuickTime
RealPlayer
Roll
SFR
SHASTA
SiS 661FX_760_741_M661FX_M760_M741
SiS 900 PCI Fast Ethernet Adapter Driver
SKIN0001
SKINXSDK
Spybot - Search & Destroy 1.4
TimeSync 1.0.0.10
Update for Windows XP (KB898461)
Verizon Online Support Center
VPRINTOL
WildTangent Web Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip
WIRELESS
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar

#4
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Go to Add/Remove programs and uninstall these:

elitemediagroup
J2SE Runtime Environment 5.0 Update 6



* Now go here and install the latest version of Java.


* Run Hijack This again and put a check by this entry. Close ALL windows except HijackThis and click "Fix checked"

R3 - Default URLSearchHook is missing


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    c:\winnt\lastgood\inf\ceres.inf

    c:\winnt\lastgood\inf\farmmext.inf

    c:\winnt\lastgood\inf\payload2.inf

    c:\temp\salm.log

    c:\winnt\downloaded program files\HDPlugin1101.dll

    c:\winnt\downloaded program files\installer.exe

    c:\winnt\downloaded program files\OSD149F.OSD

    c:\winnt\downloaded program files\se001.exe

    c:\winnt\system32\bbchk.exe

    c:\winnt\system32\irsmrcec.dll

    c:\winnt\system32\rdriv.sys

    c:\winnt\dhp2.dll

    c:\winnt\Digital Signature 20050314.htm

    c:\winnt\kwv2.dat

    c:\winnt\pcconfig.dat

    c:\program files\common files\ErrorSafe

    c:\program files\common files\WinSoftware

    c:\program files\AdTools Service

    c:\program files\se

    c:\program files\Zango

    c:\winnt\system32\cache32dsrf4535dfs

    C:\Documents and Settings\Scotty\Favorites\1111

    C:\Documents and Settings\Scotty\Favorites\Free Stuff

    C:\Documents and Settings\Scotty\Favorites\Health


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.
* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
* Restart back into Windows normally now.


* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop, then come back here and attach it to your next reply along with a new Hijack This log.
Note: You have to use Internet Explorer to do the online scan.

#5
Caco

    New Member

  • Topic Starter
  • Member
  • 7 posts
OK, I did as you have requested, but I am slightly confused.

As BitDefender was doing its thing, it said that it had automatically removed certain files, but the main ones that it was taking out were Killbox files.... Should it have done that?


Also, as I was doing that scan, my VirusScan On-Access scan "detected" three new things in the temp folders and moved them all to quarantine files. These are the following file names:

C:\quarantine\tmp0002a887.Vir
C:\Documents and Settings\Scotty\Local Settings\Temp\tmp0000113c\tmp0005a8ff
C:\quarantine\tmp0005a8ff.Vir

It had attempted to automatically clean these files, but could not. It also notes that they were detected as New Poly Win32. I would assume that it was just a part of the scan, but thought I should mention it and let you be the one to determine that :whistling:


fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:19:26 AM, on 7/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Scotty\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NI.UERS] "C:\WINNT\Downloaded Program Files\CONFLICT.2\UERSNetInstaller.exe"/BEFOREINSTALL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk595BMUS
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125393029312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C237A9-D4E1-4E29-8192-6F6077BF82C8}: NameServer = 151.203.0.84 151.197.0.38
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINNT\_sqlexec.exe (file missing)


#6
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
It is fine that the scan deleted the files in the C:\!Killbox folder. Those were merely backups of the bad file we had previously deleted with Killbox.

You are correct that those tmp0005a8ff.Vir etc. files were part of the scan and of no concern.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [NI.UERS] "C:\WINNT\Downloaded Program Files\CONFLICT.2\UERSNetInstaller.exe"/BEFOREINSTALL

O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxmk595BMUS



* Close Hijack This.


* Double-click on Killbox.exe to run it.
  • Put a tick by Delete on Reboot.
  • In the "Full Path of File to Delete" box, copy and paste the following line:

    C:\WINNT\Downloaded Program Files\CONFLICT.2\UERSNetInstaller.exe

  • Click on the button that has the red circle with the X in the middle.
  • It will ask for confirmation to delete the file on next reboot and ask you if you want to reboot now.
  • Click Yes and let the computer reboot.
* After it reboots, run Kaspersky online virus scan here.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from Kaspersky scan

#7
Caco

    New Member

  • Topic Starter
  • Member
  • 7 posts
I removed the entries in HJT, and was going to remove the file on reboot with Killbox, but when the countdown reached zero, a window popped up and said "PendingFileRenameOperations Registry Data has been Removed by External Process"


Not exactly sure whether that meant that the file was renamed or what it means. All I know is the computer didn't reboot, and I tried it again a few times with the same outcome. Should I just continue on to the online scan?

#8
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Restart to safe mode and use Killbox on the file in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste the following line:

    C:\WINNT\Downloaded Program Files\CONFLICT.2\UERSNetInstaller.exe

  • Click on the button that has the red circle with the X in the middle.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Exit the Killbox.

* Restart back into Windows normally now.


* Run Kaspersky online virus scan here.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from Kaspersky scan

#9
Caco

    New Member

  • Topic Starter
  • Member
  • 7 posts
Got that File Doesnt Seem to Exist message,

so I'm moving on to the online scan now

#10
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
:whistling:

#11
Caco

    New Member

  • Topic Starter
  • Member
  • 7 posts
online scan:

KASPERSKY ONLINE SCANNER REPORT
Monday, July 17, 2006 10:50:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/07/2006
Kaspersky Anti-Virus database records: 208003
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 76415
Number of viruses found 39
Number of infected objects 98 / 0
Number of suspicious objects 0
Duration of the scan process 01:29:48

Infected Object Name Virus Name Last Action
C:\!KillBox\dhp2.dll Infected: not-a-virus:AdWare.Win32.DealHelper.j skipped
C:\!KillBox\HDPlugin1101.dll Infected: not-a-virus:AdWare.Win32.Gator.1101 skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20060717_Time-205402937_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20060717_Time-205402937_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_HOME-230FFEEA48.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_HOME-230FFEEA48.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\95I7NL8P\Bridge-c139[1].cab/MediaAccX.dll Infected: not-a-virus:AdWare.Win32.WinAD.ak skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\95I7NL8P\Bridge-c139[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJ0J9D55\lc[1].exe/data.rar/re11.REG Infected: Trojan.WinREG.LowZones.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJ0J9D55\lc[1].exe/data.rar Infected: Trojan.WinREG.LowZones.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FJ0J9D55\lc[1].exe RarSFX: infected - 2 skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RWBW08YS\gpstool[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.d skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RWBW08YS\gpstool[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Scotty\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\cert8.db Object is locked skipped
C:\Documents and Settings\Scotty\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Scotty\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Scotty\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\history.dat Object is locked skipped
C:\Documents and Settings\Scotty\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\key3.db Object is locked skipped
C:\Documents and Settings\Scotty\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\parent.lock Object is locked skipped
C:\Documents and Settings\Scotty\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Scotty\Desktop\Anti-Malware tools... dont touch unless i tell you\backups\backup-20060716-000430-563.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\Documents and Settings\Scotty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Application Data\Mozilla\Firefox\Profiles\u5d3hgow.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\me_11VE4moNEvnhtnu Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\me_79N2APy9fOfq7AP Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\me_RkkehbCONTwzKZO Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\me_tbI5fqikulrYn4m Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\me_vD7aiiYl6AslcEr Object is locked skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\THI13.tmp\farmmext.cab/farmmext.exe Infected: Trojan-Downloader.Win32.Stubby.c skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\THI13.tmp\farmmext.cab CAB: infected - 1 skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\THI2AF7.tmp\ceres.cab/ceres.dll Infected: not-a-virus:AdWare.Win32.BetterInternet skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\THI2AF7.tmp\ceres.cab CAB: infected - 1 skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\THI74A6.tmp\ceres.cab/ceres.dll Infected: not-a-virus:AdWare.Win32.BetterInternet skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\THI74A6.tmp\ceres.cab CAB: infected - 1 skipped
C:\Documents and Settings\Scotty\Local Settings\Temp\ZangoTBInstaller.exe Infected: not-a-virus:AdWare.Win32.Agent.s skipped
C:\Documents and Settings\Scotty\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Scotty\My Documents\download\Omerta.exe/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Documents and Settings\Scotty\My Documents\download\Omerta.exe Inno: infected - 1 skipped
C:\Documents and Settings\Scotty\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Scotty\ntuser.dat.LOG Object is locked skipped
C:\lc.exe/data.rar/re11.REG Infected: Trojan.WinREG.LowZones.a skipped
C:\lc.exe/data.rar Infected: Trojan.WinREG.LowZones.a skipped
C:\lc.exe RarSFX: infected - 2 skipped
C:\lhgfhg.exe/data.rar/re11.REG Infected: Trojan.WinREG.LowZones.a skipped
C:\lhgfhg.exe/data.rar Infected: Trojan.WinREG.LowZones.a skipped
C:\lhgfhg.exe RarSFX: infected - 2 skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.me Object is locked skipped
C:\Program Files\Kodak\Kodak EasyShare software\bin\Catalog\EasyShare.mm Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\BWKDLogs\BWTargetInf.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\L0000006.FCS Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Kodak\KODAK Software Updater\7288971\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\0BBB8025-AB5E-46BE-9751-2D5AF6\BDC64222-552B-4C3F-9757-6993A8 Infected: not-a-virus:AdWare.Win32.180Solutions.q skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\0BBB8025-AB5E-46BE-9751-2D5AF6\BF2DE599-753A-4949-ADCA-7D1E04 Infected: not-a-virus:AdWare.Win32.180Solutions.s skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\0BBB8025-AB5E-46BE-9751-2D5AF6\D4580D05-F265-40EF-9F6D-2C7512 Infected: not-a-virus:AdWare.Win32.WinAD.bv skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\10635C93-8BF0-4C5D-8FB6-9EFC35\F4CF5869-CE96-4205-93FC-10BF95 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\293FA2C5-C89C-4081-82BD-8F0B62\96AE2FE0-127A-4749-A554-66AA1D Infected: not-a-virus:AdWare.Win32.WindowEnhancer skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\7848A2F6-7255-44BE-B388-D694FC\0619E4A9-88A4-44E2-863F-751DAB Infected: Trojan-Dropper.Win32.Agent.abb skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\850D463A-AFEF-4720-A8CC-CFBE2A\1519C05E-172F-486E-AEDB-6BF5CF Infected: not-a-virus:AdWare.Win32.Beginto.d skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\A0A3E332-52EA-451F-884A-EA96A8\D1212E45-D1E5-432F-B7A0-EEFF1A Infected: not-a-virus:AdWare.Win32.180Solutions.q skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\FB7ED2FD-B126-4B5D-BB4D-C6600E\C78578D3-96CF-4739-94C8-B17EB5 Infected: not-a-virus:AdWare.Win32.Beginto.d skipped
C:\Program Files\Omerta Script\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\Program Files\Verizon Online\SupportCenter\log\mpbtn.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\SmartBridge.log Object is locked skipped
C:\quarantine\thnall2c.exe.Vir Object is locked skipped
C:\quarantine\tmp0002a887.Vir Object is locked skipped
C:\quarantine\tmp0005a8ff.Vir Object is locked skipped
C:\sidebDD.exe Infected: not-a-virus:AdWare.Win32.EliteBar.z skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138414.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138416.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138417.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138418.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138419.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138420.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138421.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138422.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138423.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138424.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138425.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138426.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138427.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138428.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138429.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138430.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.s skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138431.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138432.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.m skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138433.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138434.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138435.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.d skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138436.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138437.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138438.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138439.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138440.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138441.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138442.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138443.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138444.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.f skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138445.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138446.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138447.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138448.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138499.dll Infected: not-a-virus:AdWare.Win32.Agent.c skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138500.exe Infected: not-a-virus:AdWare.Win32.180Solutions.an skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138501.dll Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138509.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138510.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138511.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.s skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138512.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP264\A0138514.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP266\A0138650.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.s skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP266\A0138670.dll Infected: not-a-virus:AdWare.Win32.DealHelper.j skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP266\A0138691.exe Infected: not-a-virus:AdWare.Win32.WinAD.z skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP266\A0138693.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP266\A0138694.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP266\A0138696.exe Infected: Trojan-Downloader.Win32.IstBar.gv skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP266\A0138698.exe Infected: not-a-virus:Server-FTP.Win32.SlimFTPd.312b skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP274\change.log Object is locked skipped
C:\WINNT\876057.exe Infected: not-a-virus:AdWare.Win32.Mirar.d skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\justin.exe Infected: not-a-virus:AdWare.Win32.EZula.bn skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B1A7IOT6\0006_regular[1].cab/istactivex.dll Infected: Trojan-Downloader.Win32.IstBar.hg skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B1A7IOT6\0006_regular[1].cab CAB: infected - 1 skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B1A7IOT6\v3cab[1].cab/v3.dll Infected: Trojan-Downloader.Win32.Small.xo skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B1A7IOT6\v3cab[1].cab CAB: infected - 1 skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ZZHQM0IE\js[1].htm Infected: Exploit.HTML.CodeBaseExec skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\irismon.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.a skipped
C:\WINNT\system32\nso397.dll Infected: not-a-virus:AdWare.Win32.EZula.ca skipped
C:\WINNT\system32\unirimon.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l skipped
C:\WINNT\system32\unirimon.exe NSIS: infected - 1 skipped
C:\WINNT\system32\vert\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\WINNT\system32\vert\titlex.exe Infected: not-a-virus:RiskTool.Win32.PsExec.131 skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
Scan process completed.











fresh HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:50 PM, on 7/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\keyhook.exe
C:\WINNT\System32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Scotty\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125393029312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C237A9-D4E1-4E29-8192-6F6077BF82C8}: NameServer = 151.203.0.84 151.197.0.38
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINNT\_sqlexec.exe (file missing)
  • 0

#12
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
I apologize for the delay in response. I had back problems yesterday and just couldn't sit here in front of the computer.


* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\lc.exe

    C:\lhgfhg.exe

    C:\sidebDD.exe

    C:\WINNT\876057.exe

    C:\WINNT\system32\irismon.dll

    C:\WINNT\system32\nso397.dll

    C:\WINNT\system32\unirimon.exe


  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.
* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
* Restart back into Windows normally now.


* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, have it delete anything that it cannot clean.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log and report back what the Housecall scan found.

Also let me know how the computer is running now.

Edited by Flrman1, 19 July 2006 - 03:28 PM.

  • 0
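A scan report in the format posted earlier in this thread can be triaged by where each detection sits: quarantine folders, System Restore points, the browser cache, or a live location on disk. The following is an added example, not part of the original posts; the function names and location labels are hypothetical, and the sample lines are a subset excerpted from the report above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines excerpted from the scan report in this thread.
SAMPLE_REPORT = r"""
C:\Program Files\Microsoft AntiSpyware\Quarantine\7848A2F6-7255-44BE-B388-D694FC\0619E4A9-88A4-44E2-863F-751DAB Infected: Trojan-Dropper.Win32.Agent.abb skipped
C:\quarantine\thnall2c.exe.Vir Object is locked skipped
C:\sidebDD.exe Infected: not-a-virus:AdWare.Win32.EliteBar.z skipped
C:\System Volume Information\_restore{D6A92E18-C346-4AEE-84C3-773DF0BFCC17}\RP266\A0138694.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\irismon.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.a skipped
C:\WINNT\system32\unirimon.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.l skipped
C:\WINNT\system32\unirimon.exe NSIS: infected - 1 skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B1A7IOT6\v3cab[1].cab/v3.dll Infected: Trojan-Downloader.Win32.Small.xo skipped
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B1A7IOT6\v3cab[1].cab CAB: infected - 1 skipped
"""

# One report line is "<path> <status> skipped"; paths may contain spaces,
# so the path is matched lazily up to the first recognised status.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Infected: (?P<verdict>\S+)"            # a detection and its verdict name
    r"|(?P<packer>[A-Z]+): infected - \d+"   # summary line for an archive or installer
    r"|Object is (?P<locked>locked)"         # file in use, not scanned
    r") skipped$"
)


def location(path):
    """Label where a file sits (labels are this example's own, not the scanner's)."""
    p = path.lower()
    if "\\_restore{" in p:
        return "system_restore"
    if "\\quarantine\\" in p:
        return "quarantine"
    if "\\temporary internet files\\" in p:
        return "browser_cache"
    return "live"


def triage(report):
    """Return ({location: {file: [verdicts]}}, [locked paths])."""
    findings = defaultdict(dict)
    locked = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, "Scan process completed.", etc.
        path = m.group("path")
        if m.group("locked"):
            locked.append(path)
            continue
        # "container/member" marks a file inside an archive or installer;
        # the thing on disk is the container, so report that.
        container = path.split("/", 1)[0]
        verdicts = findings[location(container)].setdefault(container, [])
        verdict = m.group("verdict")
        if verdict and verdict not in verdicts:
            verdicts.append(verdict)
    return {loc: dict(files) for loc, files in findings.items()}, locked


if __name__ == "__main__":
    found, locked = triage(SAMPLE_REPORT)
    for loc in ("live", "browser_cache", "system_restore", "quarantine"):
        for path, verdicts in sorted(found.get(loc, {}).items()):
            print(f"{loc:15} {path}  {', '.join(verdicts)}")
    print(f"{len(locked)} locked object(s) were not scanned")
```

Locked objects are reported separately because "Object is locked" only means the scanner could not read the file, not that it is clean or infected.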

#13
Caco

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Well, I got through the scan, and did the Killbox as you requested, but unfortunately, when I got to the page that listed the files infected and what to do with them, I went to clean and/or delete all of them, and the page would no longer work... I am forced to start over. I HAD saved the webpage but now I can't locate it, so I'm unable to show you the results... time to start over, I suppose. What had happened was it began to clean files, and then it went to "preparing" under the status bar. I do not believe any of the files were actually cleaned or deleted.



**update: The Trend Micro site is now not able to scan my computer anymore... it just sits and nothing loads. I attempted it again after a reboot but had the same results. All of the same things were there, so it confirmed my suspicions that there were no files cleaned and/or deleted... maybe there is something else other than an online scan?


I took the time to type out all of the listed objects found. Unfortunately, they did not list the locations or ways of finding the files, and there must be an easier way of doing it anyway.


here is the list. I copied it the way it was listed, and the number after the infection name signifies the number of infections listed.





Detected Malware:

TSPY_DLOADER.DH 1

WORM_GENERIC 1

TROJ_ISTBAR.BJ 1


Detected grayware/spyware:

ADW_MIRAR.B 1

ADW_DHELPER.B 1

ADW_GAIN.D 1

ADW_SAFESURF.D 1

ADW_WINAD.X 1

ADW_SAFESURF.J 1

ADW_BETTERNET.A 2

ADW_ZANGO180.C 1

ADW_SOLU180.Z 2

ADW_ZANGO180.B 1

ADW_WINAD.BC 1

ADW_BARGBUDDY.C 2

ADW_FIXER.A 2

ADW_ADAN.AA 2

ADW_SAFESURF.AC 1

ADWARE_YOUSITEBAR 1

ADWARE_ISTBAR 1

ADWARE_IEPLUGIN 1

ADWARE_GAIN 1

ADWARE_AVENUEMEDIANV 1

FREELOADER_ERRORSAFE 1

ADWARE_ELITEMEDIAGROUP 1

ADWARE_WINAD 1

ADWARE_BEGIN2SEARCH 1

ADWARE_EZULA 1

DIALER_FCI 1

ADWARE_DEALHELPER 1

ADWARE_FUNWEBPRODUCTS 1

ADWARE_EZULA.TRAFFICSECTOR 1

ADWARE_180SOLUTIONS 1

ADWARE_SEARCHEXPLORER 1

ADWARE_APROPOS 1

ADWARE_ABETTERINTERNET 1

ADWARE_ELITEBAR 1

ADWARE_BHOT_MIRAR 1

ADWARE_ADCLICKER 1

ADWARE_180SOLUTIONS.SEARCHASSISTANT 1

ADWARE_BHO_MYSEARCH 1

ADWARE_SHOPATHOME 1

ADWARE_IBIS.WEBSEARCH 1

FREELOADER_WINFIXER 1

ADWARE_DOTCOMBAR 1

ADWARE_BOOKEDSPACE 1

TSPY_SMALL.SN 1

ADWARE_SCBAR 1

ADWARE_SAFESURF 1

HTTP cookies 4



There were also many vulnerabilities mentioned at the bottom, but I honestly didn't feel like typing all of them out... but this is the only way I could get them onto here. The website will not save to my computer, and I am not allowed to copy and paste because it is all in the form of images, rather than text-based.
















Note, I was using IE to do this, and I don't know whether the problem lies within my computer or Trend Micro's website.











new HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:16:46 PM, on 7/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINNT\System32\keyhook.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Scotty\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINNT\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Verizon Online Dialer.lnk = C:\Program Files\Common Files\Verizon Online\ConnMgr\Verizon Online.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125393029312
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9C237A9-D4E1-4E29-8192-6F6077BF82C8}: NameServer = 151.203.0.84 151.197.0.38
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINNT\_sqlexec.exe (file missing)

Edited by Caco, 20 July 2006 - 01:18 PM.

  • 0

#14
Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Go to Start > Run and type in cmd

Click OK

This will open a command shell. In the command window, Copy and Paste the following commands one at a time exactly as they appear below and hit the Enter key after each one:

Copy and paste:

sc stop sqlsrvdaemon

Hit Enter.

Copy and Paste:

sc delete sqlsrvdaemon

Hit Enter.

Type exit to exit the command prompt.

Restart and post a new log.

How is the computer running now?

Edited by Flrman1, 20 July 2006 - 05:39 PM.

  • 0
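The `sc` commands in the post above act on the HijackThis entry `O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINNT\_sqlexec.exe (file missing)`, and the name they pass is the one in parentheses. The following is an added example, not part of the original posts, that pulls such entries out of a HijackThis log; the function names are hypothetical and the sample lines are a subset excerpted from the logs in this thread.

```python
import re

# Constructed sample: a subset of lines excerpted from the HijackThis logs in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: sqlsrvd (sqlsrvdaemon) - Unknown owner - C:\WINNT\_sqlexec.exe (file missing)
"""

# O23 layout as seen in the logs: display name, optional "(service name)",
# owner, image path, optional "(file missing)" marker.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Any section can carry the "(file missing)" marker (O9 does in this thread).
MISSING_RE = re.compile(r"^(?P<section>[A-Z]\d+) - .*\(file missing\)$")


def parse_service(line):
    """Parse one O23 line into a dict, or return None for other lines."""
    m = O23_RE.match(line)
    if not m:
        return None
    reasons = []
    if m.group("owner") == "Unknown owner":
        reasons.append("unknown owner")
    if m.group("missing"):
        reasons.append("file missing")
    return {
        "display": m.group("display"),
        # Assumption: when no parenthesised name is shown, the display name
        # doubles as the service name that sc expects.
        "sc_name": m.group("key") or m.group("display"),
        "owner": m.group("owner"),
        "path": m.group("path"),
        "reasons": reasons,
    }


def review_hjt(log):
    """Return services worth a closer look and every entry whose target is gone."""
    suspect_services, missing_targets = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = MISSING_RE.match(line)
        if m:
            missing_targets.append((m.group("section"), line))
        svc = parse_service(line)
        if svc and svc["reasons"]:
            suspect_services.append(svc)
    return {"suspect_services": suspect_services, "missing_targets": missing_targets}


if __name__ == "__main__":
    result = review_hjt(SAMPLE_HJT)
    for svc in result["suspect_services"]:
        print(f"{svc['sc_name']}: {', '.join(svc['reasons'])} -> {svc['path']}")
    for section, line in result["missing_targets"]:
        print(f"[{section}] target missing: {line}")
```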





