Can't remove spyware (seeing "MediaMotor" and others)


#16 popechild (Member, Topic Starter, 20 posts)
New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:46 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsh1D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SageTV - Frey Technologies, LLC - C:\Program Files\SageTV\SageTV\SageTVService.exe
  • 0



#17 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
The reason that you take the PC offline is so that if anything nasty tries to "phone home" during the removal process, it can't get through.
Stick it back online and run it for 24 hours - including at least one reboot. Once you've given it a bit of a workout, let me have one last HJT log and tell me how it's behaving.
  • 0

#18 popechild (Member, Topic Starter, 20 posts)
Okay, it is definitely better, almost seems clean, but I am still getting occasional popups. I don't seem to be getting multiple popups at a time or redirects anymore. Also, don't know if it matters, but probably 50% or more of the time the popup will be for partypoker.com.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:25:16 PM, on 9/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsh1D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SageTV - Frey Technologies, LLC - C:\Program Files\SageTV\SageTV\SageTVService.exe
  • 0

#19 popechild (Member, Topic Starter, 20 posts)
Also, should I be worried about the line:

O15 - Trusted Zone: *.elitemediagroup.net

I know I've seen that elitemediagroup.net is spyware before...
  • 0

#20 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
If you didn't install these, do the following:

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Remove the following folders:

Folders

C:\Program Files\PartyGaming.Net
C:\Program Files\PartyGaming


As an example:
To delete C:\WINDOWS\system32\foldertogo
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on foldertogo and from the menu that appears, click on 'Delete'


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I usually leave the O15s until last because if the malicious file that did this is still present, it will just do it again. As I think you're about done, do the following:

Download DelDomains.inf from here and save it to your Desktop.
* If you use Firefox, right click the link and from the menu that appears, click on Save Link As... *

Right click on DelDomains.inf and from the menu that appears, click on Install.

* Please Note: If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection *

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run the PC for 48 hours, rebooting at least once, and give it a good workout and then post a fresh HJT log and let me know how it's behaving and we'll take it from there.
  • 0

#21 popechild (Member, Topic Starter, 20 posts)
I didn't remove the PartyPoker references because I installed those intentionally, and it seemed like you were saying they were probably only representative of a threat if I *hadn't* chosen to install them myself.

I did run the .inf you pointed me to, and will keep tabs on the machine for a few more days. Thanks.
  • 0

#22 popechild (Member, Topic Starter, 20 posts)
Well, unfortunately there doesn't seem to be a change after running that last program. I'm still getting rogue popups every 10-15 clicks, and occasionally I get a little Google icon that pops up in the quick start bar saying that something is trying to change my homepage, which I don't allow it to do.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:19:09 PM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsh1D.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SageTV - Frey Technologies, LLC - C:\Program Files\SageTV\SageTV\SageTVService.exe
  • 0
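To make the comparison the helper is doing across the HJT logs in this thread mechanical, here is an added example (my own code, not HijackThis or anything posted in the thread) that parses HJT entry lines, diffs two logs, and flags O15 trusted-zone entries (the Internet Explorer zone-map additions that DelDomains.inf is used to clear) and O23 services whose binary HJT reports as "(file missing)". The two sample logs are constructed excerpts in the thread's own format; as the 9/8 and 9/10 logs above show, the O15 line is the only entry that changes between them.

```python
"""Parse HijackThis v1.99 logs and diff two of them.

Added example for this thread; not part of HijackThis or the forum's tooling.
The sample logs below are constructed excerpts using entry formats that appear
in the thread, trimmed to a handful of lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Entry lines look like "O15 - Trusted Zone: *.example.net" or
# "O23 - Service: Name - Owner - C:\path\svc.exe (file missing)".
# Running-process paths and the header lines do not match this pattern.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str    # section code, e.g. "O15", "O23"
    detail: str  # everything after "O15 - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the entry lines of an HJT log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(old: str, new: str) -> tuple[list[Entry], list[Entry]]:
    """Entries present in `old` but gone from `new`, and entries new in `new`."""
    old_entries, new_entries = parse_hjt(old), parse_hjt(new)
    old_set, new_set = set(old_entries), set(new_entries)
    removed = [e for e in old_entries if e not in new_set]
    added = [e for e in new_entries if e not in old_set]
    return removed, added


def review_points(entries: list[Entry]) -> list[str]:
    """Flag the entry classes worth re-checking after a cleanup pass."""
    notes = []
    for e in entries:
        if e.kind == "O15":
            # Trusted-zone additions: if the file that wrote them is still
            # active it will simply re-add them, so compare across logs.
            notes.append(f"O15 trusted-zone entry: {e.detail}")
        elif e.kind == "O23" and "(file missing)" in e.detail:
            # A registered service whose binary is gone; the first
            # ' - ' separated field is the service display name.
            notes.append(f"O23 service with missing binary: {e.detail.split(' - ')[0]}")
    return notes


# Constructed excerpt in the thread's format (before DelDomains.inf was run).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:25:16 PM, on 9/8/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
O15 - Trusted Zone: *.elitemediagroup.net
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Constructed excerpt of the follow-up log: the O15 line is gone.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:19:09 PM, on 9/10/2006

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for e in removed:
        print(f"- {e.kind} - {e.detail}")
    for e in added:
        print(f"+ {e.kind} - {e.detail}")
    for note in review_points(parse_hjt(LOG_AFTER)):
        print("review:", note)
```

Running the block prints the single removed O15 line and one review note for the rpcapd service, which is still registered with its binary missing in both logs.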

#23 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
How long were you running the PC without an anti-virus program installed?
  • 0

#24 popechild (Member, Topic Starter, 20 posts)
About a month and a half. Obviously I could've had problems that never revealed themselves before, but until clicking a bad link that I immediately regretted shortly before starting this thread, I never had noticed a single hiccup, popup, redirect, etc. I initially didn't install AV because the Norton that I have makes my other computers slow as dirt and this one's *almost* entirely used as an HTPC, which I can't afford to lose any speed on. Looks like a great decision now though, huh!
  • 0

#25 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
The best advice I can give is to reformat the PC as it cannot be guaranteed 100% clean. You also have the problem that malicious files may have made changes to your OS that will make it more likely that it will be infected in the future.
If you don't want to, or can't, then don't use it for anything that involves personal information - bank details, credit card numbers etc... just to be on the safe side.

If you still want to carry on with cleaning it up, do the following:

Download the 14 day trial of Webroot's Spy Sweeper from here.
Once the download has completed, double click the file to begin installation.
During the installation you will be given the option to check for updates - click the button to allow it to do so.
Once the installation has completed, your PC will need to be rebooted.

Once your PC has rebooted, open Spy Sweeper:
  • Click the Options button.
  • Select the Update Tab.
  • Click Update Spy Sweeper.
  • I.E. will open displaying a page from the Spy Sweeper website - you can close this as Spy Sweeper will continue to update regardless.
Once the updates have all been downloaded:
  • Select the Sweep Tab.
  • Check all the boxes under "Items to Sweep" and "Other Options".
  • Now click the Start Sweep button.
Once the scan has completed, Spy Sweeper will display the results of the scan. If anything has been found, click Quarantine Selected.
If you are asked to allow a reboot, do so - if not, manually reboot your PC anyway.

Once the PC has rebooted, open Spy Sweeper:
  • Click the Options button on the left.
  • Select the Sweep Tab again.
  • Click the "View Session Log" link in the bottom right hand corner.
  • Click the Save to File button - by default the log will be saved as Spy Sweeper Sessions Log.txt in My Documents.
Copy and paste this into your next reply along with a fresh HJT log AND a description of how your PC is behaving.
  • 0



#26 popechild (Member, Topic Starter, 20 posts)
I'm pretty hesitant to format at this point and start over, not because of the time involved, but because HTPCs are really tricky to "tweak" properly to get the playback as good as possible - especially with HDTV - and mine's working really well right now. I did run the Spy Sweeper, then ran it again (which found one more result) then ran it a third time (which came up clean) - all with reboots in between. I'll put the two logs that found something in this post and the newest HJT in the next.

In the hour or so I've browsed on this machine since running the multiple Spy Sweeper sweeps, I have yet to notice a problem, so that's good!

First Spy Sweeper Log:

Operation: File Access
Target:
Source: C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE
5:09 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:09 PM: Shield States
5:09 PM: Spyware Definitions: 761
5:09 PM: Spy Sweeper 5.0.5.1286 started
3:50 PM: | End of Session, Thursday, September 14, 2006 |
3:48 PM: Your spyware definitions have been updated.
3:46 PM: IE Hijack Shield: Resetting IE advanced data value.
3:46 PM: IE Hijack Shield: Resetting Search Page value.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE
3:46 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
3:45 PM: Shield States
3:45 PM: Spyware Definitions: 691
3:45 PM: Spy Sweeper 5.0.5.1286 started
3:45 PM: Spy Sweeper 5.0.5.1286 started
3:45 PM: | Start of Session, Thursday, September 14, 2006 |
********
5:05 PM: Removal process completed. Elapsed time 00:00:19
5:05 PM: Quarantining All Traces: monstermarketplace cookie
5:05 PM: Quarantining All Traces: seeq cookie
5:05 PM: Quarantining All Traces: upspiral cookie
5:05 PM: Quarantining All Traces: stlyrics cookie
5:05 PM: Quarantining All Traces: redzip cookie
5:05 PM: Quarantining All Traces: burstbeacon cookie
5:05 PM: Quarantining All Traces: tacoda cookie
5:05 PM: Quarantining All Traces: statcounter cookie
5:05 PM: Quarantining All Traces: serving-sys cookie
5:05 PM: Quarantining All Traces: searchadnetwork cookie
5:05 PM: Quarantining All Traces: search123 cookie
5:05 PM: Quarantining All Traces: pricegrabber cookie
5:05 PM: Quarantining All Traces: partypoker cookie
5:05 PM: Quarantining All Traces: one-time-offer cookie
5:05 PM: Quarantining All Traces: nextag cookie
5:05 PM: Quarantining All Traces: realmedia cookie
5:05 PM: Quarantining All Traces: mygeek cookie
5:05 PM: Quarantining All Traces: maxserving cookie
5:05 PM: Quarantining All Traces: malwarewipe cookie
5:05 PM: Quarantining All Traces: webtrends cookie
5:05 PM: Quarantining All Traces: sex cookie
5:05 PM: Quarantining All Traces: trb.com cookie
5:05 PM: Quarantining All Traces: infospace cookie
5:05 PM: Quarantining All Traces: informit cookie
5:05 PM: Quarantining All Traces: imlive.com cookie
5:05 PM: Quarantining All Traces: ic-live cookie
5:05 PM: Quarantining All Traces: hypertracker.com cookie
5:05 PM: Quarantining All Traces: directtrack cookie
5:05 PM: Quarantining All Traces: danni cookie
5:05 PM: Quarantining All Traces: 360i cookie
5:05 PM: Quarantining All Traces: exitexchange cookie
5:05 PM: Quarantining All Traces: columbiahouse cookie
5:05 PM: Quarantining All Traces: ccbill cookie
5:05 PM: Quarantining All Traces: burstnet cookie
5:05 PM: Quarantining All Traces: bizrate cookie
5:05 PM: Quarantining All Traces: belnk cookie
5:05 PM: Quarantining All Traces: banner cookie
5:05 PM: Quarantining All Traces: a cookie
5:05 PM: Quarantining All Traces: atwola cookie
5:05 PM: Quarantining All Traces: ask cookie
5:05 PM: Quarantining All Traces: associated new media cookie
5:05 PM: Quarantining All Traces: adultfriendfinder cookie
5:05 PM: Quarantining All Traces: cd freaks cookie
5:05 PM: Quarantining All Traces: adrevolver cookie
5:05 PM: Quarantining All Traces: adknowledge cookie
5:05 PM: Quarantining All Traces: adecn cookie
5:05 PM: Quarantining All Traces: yieldmanager cookie
5:05 PM: Quarantining All Traces: about cookie
5:05 PM: Quarantining All Traces: go.com cookie
5:05 PM: Quarantining All Traces: websponsors cookie
5:05 PM: Quarantining All Traces: 3 cookie
5:05 PM: Quarantining All Traces: 80503492 cookie
5:05 PM: Quarantining All Traces: command
5:05 PM: Quarantining All Traces: spyware quake
5:05 PM: Quarantining All Traces: ezula ilookup
5:05 PM: Quarantining All Traces: targetsaver
5:05 PM: Quarantining All Traces: maxifiles
5:05 PM: Quarantining All Traces: elitemediagroup-mediamotor
5:05 PM: Quarantining All Traces: trafficsolution
5:05 PM: Quarantining All Traces: enbrowser
5:05 PM: Quarantining All Traces: trojan agent winlogonhook
5:05 PM: Removal process initiated
5:02 PM: Traces Found: 126
5:02 PM: Full Sweep has completed. Elapsed time 01:12:58
5:02 PM: HKLM\software\microsoft\windows\currentversion\uninstall\adrotator\ (ID = 1538545)
5:02 PM: File Sweep Complete, Elapsed Time: 01:10:54
4:59 PM: Warning: Failed to access drive J:
4:59 PM: Warning: Failed to access drive I:
4:59 PM: Warning: Failed to access drive H:
4:59 PM: Warning: Failed to access drive G:
4:58 PM: C:\WINDOWS\TWF0dCBQb3Bl\nqIXxF1kva15.vbs (ID = 185675)
4:50 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP156\A0028124.exe (ID = 329490)
4:50 PM: Found Adware: targetsaver
4:49 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP156\A0028117.vbs (ID = 231442)
4:49 PM: Found Adware: command
4:47 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP161\A0028369.exe (ID = 335877)
4:47 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP169\A0028545.exe (ID = 346389)
4:45 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP156\A0028208.exe (ID = 344945)
4:26 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP161\A0028371.exe (ID = 336857)
4:15 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP155\A0027823.exe (ID = 322316)
4:09 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP155\A0027826.dll (ID = 339832)
4:05 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP155\A0028055.exe (ID = 322316)
3:58 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP155\A0028038.exe (ID = 322316)
3:58 PM: Found Adware: maxifiles
3:52 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP155\A0027787.ini (ID = 298068)
3:52 PM: Found Adware: spyware quake
3:51 PM: Starting File Sweep
3:51 PM: Warning: Failed to access drive A:
3:51 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
3:51 PM: c:\documents and settings\localservice\cookies\system@monstermarketplace[1].txt (ID = 3006)
3:51 PM: Found Spy Cookie: monstermarketplace cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 3332)
3:51 PM: Found Spy Cookie: seeq cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 3615)
3:51 PM: Found Spy Cookie: upspiral cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 3462)
3:51 PM: Found Spy Cookie: stlyrics cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 3312)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 3250)
3:51 PM: Found Spy Cookie: redzip cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2337)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2335)
3:51 PM: Found Spy Cookie: burstbeacon cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2038)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\matt@trb[1].txt (ID = 3587)
3:51 PM: c:\documents and settings\matt\cookies\matt@tacoda[1].txt (ID = 6444)
3:51 PM: Found Spy Cookie: tacoda cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@statcounter[1].txt (ID = 3447)
3:51 PM: Found Spy Cookie: statcounter cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\matt@serving-sys[1].txt (ID = 3343)
3:51 PM: Found Spy Cookie: serving-sys cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@searchadnetwork[2].txt (ID = 3311)
3:51 PM: Found Spy Cookie: searchadnetwork cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@search123[1].txt (ID = 3305)
3:51 PM: Found Spy Cookie: search123 cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\matt@realmedia[1].txt (ID = 3235)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2528)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\matt@pricegrabber[2].txt (ID = 3185)
3:51 PM: Found Spy Cookie: pricegrabber cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@partypoker[3].txt (ID = 3111)
3:51 PM: c:\documents and settings\matt\cookies\matt@partypoker[2].txt (ID = 3111)
3:51 PM: Found Spy Cookie: partypoker cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@one-time-offer[1].txt (ID = 3095)
3:51 PM: Found Spy Cookie: one-time-offer cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@nextag[1].txt (ID = 5014)
3:51 PM: Found Spy Cookie: nextag cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 3236)
3:51 PM: Found Spy Cookie: realmedia cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2038)
3:51 PM: c:\documents and settings\matt\cookies\matt@mygeek[1].txt (ID = 3041)
3:51 PM: Found Spy Cookie: mygeek cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\matt@maxserving[2].txt (ID = 2966)
3:51 PM: Found Spy Cookie: maxserving cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@malwarewipe[1].txt (ID = 6467)
3:51 PM: Found Spy Cookie: malwarewipe cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 3669)
3:51 PM: Found Spy Cookie: webtrends cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2866)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 3348)
3:51 PM: Found Spy Cookie: sex cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 3588)
3:51 PM: Found Spy Cookie: trb.com cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\matt@infospace[2].txt (ID = 2865)
3:51 PM: Found Spy Cookie: infospace cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@informit[1].txt (ID = 2863)
3:51 PM: Found Spy Cookie: informit cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@imlive[1].txt (ID = 2843)
3:51 PM: Found Spy Cookie: imlive.com cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@ic-live[1].txt (ID = 2821)
3:51 PM: Found Spy Cookie: ic-live cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@hypertracker[1].txt (ID = 2817)
3:51 PM: Found Spy Cookie: hypertracker.com cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@go[1].txt (ID = 2728)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\matt@exitexchange[1].txt (ID = 2633)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2038)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2293)
3:51 PM: c:\documents and settings\matt\cookies\matt@directtrack[1].txt (ID = 2527)
3:51 PM: Found Spy Cookie: directtrack cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@danni[1].txt (ID = 2493)
3:51 PM: Found Spy Cookie: danni cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 1962)
3:51 PM: Found Spy Cookie: 360i cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2634)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2634)
3:51 PM: Found Spy Cookie: exitexchange cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@columbiahouse[2].txt (ID = 2443)
3:51 PM: Found Spy Cookie: columbiahouse cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2371)
3:51 PM: c:\documents and settings\matt\cookies\matt@cdfreaks[2].txt (ID = 2370)
3:51 PM: c:\documents and settings\matt\cookies\matt@ccbill[1].txt (ID = 2369)
3:51 PM: Found Spy Cookie: ccbill cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@burstnet[1].txt (ID = 2336)
3:51 PM: Found Spy Cookie: burstnet cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\matt@bizrate[2].txt (ID = 2308)
3:51 PM: Found Spy Cookie: bizrate cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@belnk[1].txt (ID = 2292)
3:51 PM: Found Spy Cookie: belnk cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@banner[1].txt (ID = 2276)
3:51 PM: Found Spy Cookie: banner cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@a[1].txt (ID = 2027)
3:51 PM: Found Spy Cookie: a cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@atwola[1].txt (ID = 2255)
3:51 PM: Found Spy Cookie: atwola cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@ask[1].txt (ID = 2245)
3:51 PM: Found Spy Cookie: ask cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2223)
3:51 PM: Found Spy Cookie: associated new media cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 2038)
3:51 PM: c:\documents and settings\matt\cookies\matt@adultfriendfinder[2].txt (ID = 2165)
3:51 PM: Found Spy Cookie: adultfriendfinder cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2371)
3:51 PM: Found Spy Cookie: cd freaks cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@adrevolver[2].txt (ID = 2088)
3:51 PM: Found Spy Cookie: adrevolver cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@adknowledge[1].txt (ID = 2072)
3:51 PM: Found Spy Cookie: adknowledge cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@adecn[1].txt (ID = 2063)
3:51 PM: Found Spy Cookie: adecn cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][1].txt (ID = 3751)
3:51 PM: Found Spy Cookie: yieldmanager cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@about[2].txt (ID = 2037)
3:51 PM: Found Spy Cookie: about cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2729)
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 2729)
3:51 PM: Found Spy Cookie: go.com cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 3665)
3:51 PM: Found Spy Cookie: websponsors cookie
3:51 PM: c:\documents and settings\matt\cookies\[email protected][2].txt (ID = 1960)
3:51 PM: Found Spy Cookie: 3 cookie
3:51 PM: c:\documents and settings\matt\cookies\matt@80503492[1].txt (ID = 2013)
3:51 PM: Found Spy Cookie: 80503492 cookie
3:51 PM: Starting Cookie Sweep
3:51 PM: Registry Sweep Complete, Elapsed Time:00:00:13
3:51 PM: HKU\S-1-5-21-1614895754-1364589140-1801674531-1003\software\system\sysuid\ (ID = 731748)
3:51 PM: HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\inprocserver32\ (ID = 1626309)
3:51 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586270)
3:51 PM: HKLM\software\classes\typelib\{fdb10602-aa12-4e76-aae2-2b328a3e950a}\ (ID = 1586223)
3:51 PM: HKLM\software\classes\crypt.core.1\ (ID = 1586219)
3:51 PM: HKLM\software\classes\crypt.core\ (ID = 1586213)
3:51 PM: HKLM\software\classes\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586201)
3:51 PM: HKLM\software\classes\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\ (ID = 1586189)
3:51 PM: HKCR\typelib\{fdb10602-aa12-4e76-aae2-2b328a3e950a}\ (ID = 1586179)
3:51 PM: HKCR\crypt.core.1\ (ID = 1586175)
3:51 PM: HKCR\crypt.core\ (ID = 1586169)
3:51 PM: HKCR\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\ (ID = 1586157)
3:51 PM: HKCR\clsid\{2cab0356-88e3-4902-a85d-379689c625e1}\ (ID = 1586145)
3:51 PM: HKCR\bannerrotator.rotator\ (ID = 1538546)
3:51 PM: HKLM\software\classes\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1502055)
3:51 PM: HKLM\software\classes\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1502046)
3:51 PM: HKCR\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1497902)
3:51 PM: HKCR\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1497893)
3:51 PM: Found Adware: elitemediagroup-mediamotor
3:51 PM: HKLM\software\classes\bannerrotator.rotator.1\ (ID = 1337124)
3:51 PM: HKLM\software\classes\bannerrotator.rotator\ (ID = 1337118)
3:51 PM: HKCR\bannerrotator.rotator.1\ (ID = 1337093)
3:51 PM: Found Adware: trafficsolution
3:51 PM: HKLM\software\classes\onone.theimp.1\ (ID = 1221523)
3:51 PM: HKLM\software\classes\onone.theimp\ (ID = 1221515)
3:51 PM: HKCR\onone.theimp.1\ (ID = 1221367)
3:51 PM: HKCR\onone.theimp\ (ID = 1221362)
3:51 PM: HKLM\software\microsoft\mssmgr\ (ID = 937101)
3:51 PM: Found Trojan Horse: trojan agent winlogonhook
3:51 PM: HKLM\software\system\sysold\ (ID = 926808)
3:51 PM: Found Adware: enbrowser
3:51 PM: Starting Registry Sweep
3:51 PM: Memory Sweep Complete, Elapsed Time: 00:01:23
3:50 PM: Starting Memory Sweep
3:50 PM: C:\WINDOWS\system32\nsh1D.dll (ID = 1625910)
3:50 PM: HKCR\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\inprocserver32\ (ID = 1625910)
3:50 PM: Found Adware: ezula ilookup
3:50 PM: Sweep initiated using definitions version 761
3:50 PM: Spy Sweeper 5.0.5.1286 started
3:50 PM: | Start of Session, Thursday, September 14, 2006 |
********

Second Spy Sweeper Log:

Operation: File Access
Target:
Source: C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE
6:28 PM: Tamper Detection
6:28 PM: Warning: The handle is invalid
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
6:28 PM: Warning: The handle is invalid
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
6:28 PM: Shield States
6:28 PM: Spyware Definitions: 761
6:28 PM: Spy Sweeper 5.0.5.1286 started
Operation: File Access
Target:
Source: C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE
5:09 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
5:09 PM: Shield States
5:09 PM: Spyware Definitions: 761
5:09 PM: Spy Sweeper 5.0.5.1286 started
3:50 PM: | End of Session, Thursday, September 14, 2006 |
3:48 PM: Your spyware definitions have been updated.
3:46 PM: IE Hijack Shield: Resetting IE advanced data value.
3:46 PM: IE Hijack Shield: Resetting Search Page value.
Operation: File Access
Target:
Source: C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS 6.0\AVP.EXE
3:46 PM: Tamper Detection
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
3:45 PM: Shield States
3:45 PM: Spyware Definitions: 691
3:45 PM: Spy Sweeper 5.0.5.1286 started
3:45 PM: Spy Sweeper 5.0.5.1286 started
3:45 PM: | Start of Session, Thursday, September 14, 2006 |
********
3:50 PM: Starting Memory Sweep
3:50 PM: C:\WINDOWS\system32\nsh1D.dll (ID = 1625910)
3:50 PM: HKCR\clsid\{746455fe-d059-47e7-af0e-140e03f5a447}\inprocserver32\ (ID = 1625910)
3:50 PM: Found Adware: ezula ilookup
3:50 PM: Sweep initiated using definitions version 761
3:50 PM: Spy Sweeper 5.0.5.1286 started
3:50 PM: | Start of Session, Thursday, September 14, 2006 |
********
6:25 PM: Removal process completed. Elapsed time 00:00:02
6:25 PM: Quarantining All Traces: command
6:25 PM: Removal process initiated
6:18 PM: Traces Found: 1
6:18 PM: Full Sweep has completed. Elapsed time 01:07:18
6:18 PM: File Sweep Complete, Elapsed Time: 01:05:25
6:16 PM: Warning: Failed to access drive J:
6:16 PM: Warning: Failed to access drive I:
6:16 PM: Warning: Failed to access drive H:
6:16 PM: Warning: Failed to access drive G:
6:14 PM: C:\System Volume Information\_restore{c3c9beb6-afeb-4296-83ae-9a641b4edbed}\RP197\A0030324.vbs (ID = 185675)
6:14 PM: Found Adware: command
5:13 PM: Starting File Sweep
5:13 PM: Warning: Failed to access drive A:
5:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:06
5:12 PM: Starting Cookie Sweep
5:12 PM: Registry Sweep Complete, Elapsed Time:00:00:13
5:12 PM: Starting Registry Sweep
5:12 PM: Memory Sweep Complete, Elapsed Time: 00:01:20
5:11 PM: Starting Memory Sweep
5:11 PM: Sweep initiated using definitions version 761
5:11 PM: Spy Sweeper 5.0.5.1286 started
5:11 PM: | Start of Session, Thursday, September 14, 2006 |
********
#27 popechild (Topic Starter, Member, 20 posts)
Newest HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:19 AM, on 9/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SageTV\SageTV\SageTVService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SageTV - Frey Technologies, LLC - C:\Program Files\SageTV\SageTV\SageTVService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
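A small triage script for the kind of HijackThis log posted above, added here as an example; it is not part of this thread, of HijackThis, or of any product named in it. It parses the O2/O4/O17/O20/O23 line formats that appear in the log and applies the checks a reviewer makes by hand: services whose binary is "(file missing)" or has no publisher, DNS servers outside the LAN, Winlogon Notify DLLs not on an allowlist, Run values with a bare file name, and BHOs with no display name. The sample lines are copied from the posted log; the allowlist of three Winlogon Notify DLLs is an assumption taken from the entries the helper accepted as legitimate, and the severity labels are the example's own.

```python
"""HijackThis 1.99 log triage. Added example for this thread, not the
original poster's or HijackThis's own code; the checks mirror what a
reviewer does by hand on the O2/O4/O17/O20/O23 lines."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied verbatim from the HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{85FD8C2C-825B-4456-8137-D1F8F8814AEA}: NameServer = 192.168.1.1,192.168.1.2
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Assumption for this example: the Winlogon Notify DLLs the helper in this
# thread accepted as legitimate (Kaspersky, Windows Genuine Advantage, Webroot).
# Anything else loading into winlogon.exe deserves a close look.
KNOWN_WINLOGON_NOTIFY = {"klogon.dll", "wgalogon.dll", "wrlogonntf.dll"}

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str                 # HJT section, e.g. "O23"
    raw: str
    name: str = ""            # service/value/BHO name, or "NameServer" for O17
    path: str = ""            # binary path, command line, or DNS server list
    file_missing: bool = False
    unknown_owner: bool = False


@dataclass
class Finding:
    severity: str             # "info" | "review" | "high"
    entry: Entry
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one HJT line into its fields; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    e = Entry(kind, line.strip())
    e.file_missing = body.endswith("(file missing)")
    e.unknown_owner = " - Unknown owner - " in body
    if kind == "O23":    # Service: <display name> - <owner> - <path and args>
        parts = body[len("Service: "):].split(" - ", 2)   # the path may itself contain " - "
        e.name, e.path = parts[0], parts[-1]
    elif kind == "O20":  # Winlogon Notify: <name> - <dll>
        e.name, _, e.path = body[len("Winlogon Notify: "):].partition(" - ")
    elif kind == "O4":   # HKxx\..\Run: [<value name>] <command line>
        m4 = O4_RE.match(body)
        if m4:
            e.name, e.path = m4.group("name"), m4.group("cmd")
    elif kind == "O17":  # ...: NameServer = <ip>[,<ip>]
        e.name, e.path = "NameServer", body.rsplit("NameServer = ", 1)[-1]
    elif kind == "O2":   # BHO: <name> - {CLSID} - <dll>
        name, _, rest = body[len("BHO: "):].partition(" - ")
        clsid, _, e.path = rest.partition(" - ")
        e.name = f"{name} {clsid}"
    return e


def is_lan_dns(ip_text: str) -> bool:
    """True for RFC 1918 or loopback addresses, i.e. a router or local resolver."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def triage(entries: List[Entry]) -> List[Finding]:
    out: List[Finding] = []
    for e in entries:
        if e.kind == "O23" and e.file_missing:
            out.append(Finding("review", e, "service binary not found at the recorded path; "
                               "stale entry or a path HJT could not parse"))
        elif e.kind == "O23" and e.unknown_owner:
            out.append(Finding("review", e, "service binary carries no publisher information"))
        elif e.kind == "O20" and e.path.rsplit("\\", 1)[-1].lower() not in KNOWN_WINLOGON_NOTIFY:
            out.append(Finding("high", e, "unrecognised Winlogon Notify DLL; it runs inside "
                               "winlogon.exe as SYSTEM at every logon"))
        elif e.kind == "O17":
            for ip_text in e.path.split(","):
                if not is_lan_dns(ip_text):
                    out.append(Finding("high", e, f"DNS server {ip_text.strip()} is not on the "
                                       "LAN; check for a changed resolver"))
        elif e.kind == "O4" and "\\" not in e.path.strip().strip('"').split(" ", 1)[0]:
            out.append(Finding("info", e, "Run value is a bare file name resolved via the "
                               "search path; confirm which file actually starts"))
        elif e.kind == "O2" and e.name.startswith("(no name)"):
            out.append(Finding("info", e, "BHO has no display name; identify it by CLSID"))
    return out


def triage_log(text: str):
    """Parse a whole HJT log and return (entries, findings)."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return entries, triage(entries)


if __name__ == "__main__":
    entries, findings = triage_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {len(findings)} findings")
    for f in findings:
        print(f"[{f.severity:>6}] {f.entry.kind} {f.entry.name}: {f.reason}")
```

Run as-is it reports the two "(file missing)" services, the bare-name RTHDCPL Run value and the unnamed Spybot BHO, and stays quiet on the three Winlogon Notify DLLs and the 192.168.1.x name servers, which matches the helper's reading of this log; to use it on a real log, call `triage_log(open(path).read())`. The O20 check is deliberately allowlist-based: a Winlogon Notify DLL loads into winlogon.exe at every logon, which is exactly the persistence the earlier Spy Sweeper output labelled "trojan agent winlogonhook", so an unknown DLL there should never pass on name alone.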
#28 Noviciate (Confused Helper, Malware Removal, 1,567 posts)
The HJT log looks OK, and if the PC's playing nicely then I'd say that it's about done.
Do be aware that with the length of time that it spent without protection, there may have been system changes that make it more likely that it will be infected in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

KAV will run out shortly and you'll need a decent firewall as well, so read on:

AVG Free Edition: Available here.
avast! 4 Home Edition: Available here.
AntiVir PersonalEdition Classic: Available here.

While you can download them all to see which one you prefer, only install one at a time - running two or more anti-virus programs simultaneously can cause conflicts resulting in less, not more, protection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.
There are a couple of free firewalls available.
Zone Alarm: Available here.
Kerio: Available here.

Again, while you can download both to see which one you prefer, only install one at a time - running two or more firewalls simultaneously can cause conflicts resulting in less, not more, protection.

Download the installation files and then log off from the internet before you uninstall KAV and stick your choice on.
I've used AVG in the past and both my PCs are using Zone Alarm at the moment without issues, but any combination will do.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You are running an old version of Sun Java which needs updating:
  • Go here and click on the Download button to the right of Java Runtime Environment (JRE) 5.0 Update 8.
  • Accept the license agreement by clicking the radio button.
  • Under Windows Platform - J2SE™ Runtime Environment 5.0 Update 8, click the Windows Offline Installation, Multi-language link.
  • Go to Add/Remove Programs and remove any entries that refer to Java 2 Runtime Environment and then reboot your PC.
  • Navigate to and delete the following folder, if it exists: C:\Program Files\Java.
  • Finally double click the installation file that you downloaded earlier.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

As long as the above goes OK, I want you to run your PC as normal for a few days. When you are happy that everything is fine, do the following:

  • Update your anti-virus program.
  • Disable System Restore.
  • Boot into Safe Mode.
  • Scan your computer for viruses.
  • When you get the all clear, reboot into Normal Mode.
  • Re-enable System Restore.
  • Create a Restore Point.
This will give a clean Restore Point should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
#29 popechild (Topic Starter, Member, 20 posts)
Wow, what excellent help you have been! I'll do as you say and post back next week sometime with the latest update... The only thing I'm likely to hold off on for now (unless there's a serious problem in doing so) is updating Java, simply because the Java installation is *very* key to proper playback with the HTPC. Otherwise, thanks so much for the links to the AV and FW products. I may try installing NAV again (which I already have a current copy of sitting around) now that the computer seems "clean" to see if it'll install now. If not, I'll check out the options you listed.

Thanks again! Cheers to you...