System Alert, Critical System Warning, Virus, Trojan

Geeks to Go Forums > Security > Virus, Spyware, Malware Removal

Today's New Content

System Alert, Critical System Warning, Virus, Trojan I don't understand any of the "read this....." I'm c

#1 mcshps

Group: Member
Posts: 1
Joined: 27-February 07

Posted 27 February 2007 - 12:51 PM

All of a sudden yesterday, my XP had all these security warnings and alerts. ie. Security Center spyware threat, System Alert Trojan-spy.win32@mx, Critical system warning, spyware.cyberlog.x, blinking baloons, Microsoft Internet Explorer Virus w32.myzor.fx@yf. Spydawn. Not sure if my Symantec Antivirus is still on (and I don't have the CD). Computer tells me MFC71.Dll not found (I think I quarantined this with Adware, it was connected to WinAntivirusPro2007, and scan said it was a threat). Page blocked by adware/spywared remove with system doctor. Clicking onto the internet opens www.asecuritypaper., rather than my homepage. I only use my computer for email and a I search the web a little bit. It's for home use, I am a stay at home Mom and I am clueless about everything computer. My neighbor recommended GeekstoGo, and she said to download SpyBot1.4. I scanned computer with SpyBot and Ad-ware Personal. I am about to cry, I am really stressed over the hours I have spent. I read GeekstoGo "You must read this before posting..." And I really don't know what to do. I confused and afraid. I wish I could turn back time. Any advice you could offer, would be TRULY APPRECIATED. Melissa

#2 Crustyoldbloke

Group: Retired Staff
Posts: 15,130
Joined: 20-March 05

Posted 27 February 2007 - 02:30 PM

Hello Melissa

I will try and take you through the necessary steps to happy surfing again. Before I can give you instructions, I need to be able to see what is happening on your PC.

Please go to step 5 of the article under CLICK HERE above, it will explain about HJT.

I will assume you to be of a novice level and give you clear concise instructions.

Click here to download HJTsetup.exe

Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\HijackThis.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch HijackThis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

#3 Crustyoldbloke

Group: Retired Staff
Posts: 15,130
Joined: 20-March 05

Posted 28 February 2007 - 06:34 PM

For those of you who track topics, this is the content of a PM from the original tpic starter, Melissa

Hi crustyoldbloke! Thanks for your prompt reply to my troubles. Well, here it is. You might see I have done more damage than good trying to get rid of spy ware.
I have included 3 additonal reports which I hope help you, help me. I can't thank you enough for your time. I hope I am doing this properly, emailing you. Should I also post somewhere? Sorry, I am so clueless.
It's wonderful to know that there are people who really want to help others. Oh, when I go to re-boot my computer message tells me ISAMNTR.exe not found failed to initialize.
Things are getting worse. Perhaps, I have confused things. Should I resore what I put into quarantine and then do HJT again?
Also, I tried and tried to connect to the internet, shut everything down, and here I finally am.
I truly appreciate your time. Melissa

Logfile of HijackThis v1.99.1
Scan saved at 2:08:03 AM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Security\isamntr.exe
C:\Program Files\Internet Security\pmsnrr.exe
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\Internet Security\pmmnt.exe
C:\Program Files\Internet Security\isamini.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Security\isamini.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Security\isamini.exe
C:\Program Files\Internet Security\isamini.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Internet Security\isadd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [spywarebot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1158817124171
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: didynamia - {8329660f-e248-4872-98cc-fb9c4fec7ba8} - C:\WINDOWS\system32\xkrdk.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

AVG Anti-Spyware log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report (which, keeps coming up on my screen and I can't close until I choose to quarantine or ignore.)
---------------------------------------------------------
***
*** Below info may not be complete because I cancelled scan. I paniced because I don't know about disabling MSconfig or any other startup manager????
***
+ Created at: 10:10:04 PM 2/28/2007

C:\Program Files\Common Files\WinAntiVirus Pro 2007\WAPChk.dll -> Adware.Companion : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0004463.dll -> Adware.Companion : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.Generic : No action taken.
HKU\S-1-5-21-507921405-1547161642-682003330-500\Software\Internet Security -> Adware.Generic : No action taken.
HKU\S-1-5-21-507921405-1547161642-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0003422.ini -> Adware.Qworke : No action taken.
[752] C:\WINDOWS\system32\xkrdk.dll -> Adware.WorldSecurityOnline : No action taken.
C:\Program Files\Internet Security\pmmnt.exe -> Downloader.Zlob.bcz : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0003397.exe -> Downloader.Zlob.bcz : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0003408.exe -> Downloader.Zlob.bcz : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0003438.exe -> Downloader.Zlob.bcz : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0003449.exe -> Downloader.Zlob.bcz : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0003458.exe -> Downloader.Zlob.bcz : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0004458.exe -> Downloader.Zlob.bcz : No action taken.
C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0004486.exe -> Downloader.Zlob.bcz : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[1].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[1].txt -> TrackingCookie.Information : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[1].txt -> TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.

*** I scanned and deleted from Ad-aware.
*** Below shows what I quarantined (sorry), so hopefully, I can recover if need be.

ArchiveData(auto-quarantine- 2007-02-27 22-44-47.bckp)
Referencefile : SE1R155 26.02.2007
======================================================

WIN32.TROJANDOWNLOADER.ZLOB
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=IECache Entry : Cookie:administrator@mediaplex.com/
obj[2]=IECache Entry : Cookie:administrator@adopt.euroclick.com/

SPYDAWN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=File : C:\System Volume Information\_restore{F68749B8-3BB0-4BCD-88C9-33C922A008C6}\RP42\A0003414.exe

ArchiveData(auto-quarantine- 2007-02-27 22-25-23.bckp)
Referencefile : SE1R155 26.02.2007
======================================================

WIN32.TROJANDOWNLOADER.ZLOB
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}
obj[1]=RegValue : software\microsoft\windows\currentversion\explorer\browser helper objects\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d} ""
obj[2]=Regkey : software\internet security
obj[3]=RegValue : software\internet security "65005"

ArchiveData(auto-quarantine- 2007-02-28 03-13-18.bckp)
Referencefile : SE1R155 26.02.2007
======================================================

WIN32.TROJANDOWNLOADER.ZLOB
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : clsid\{84938242-5c5b-4a55-b6b9-a1507543b418}
obj[1]=RegValue : clsid\{84938242-5c5b-4a55-b6b9-a1507543b418} ""
obj[2]=Regkey : clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}
obj[3]=RegValue : clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d} ""
obj[4]=RegValue : clsid\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d} "@="
obj[7]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d}
obj[8]=RegValue : software\microsoft\windows\currentversion\explorer\browser helper objects\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d} ""
obj[9]=RegValue : software\microsoft\windows\currentversion\explorer\browser helper objects\{67982bb7-0f95-44c5-92dc-e3af3dc19d6d} "@="
obj[17]=Regkey : software\internet security
obj[18]=RegValue : software\internet security "65005"
obj[19]=RegValue : software\internet security "65006"
obj[20]=Regkey : software\microsoft\windows\currentversion\uninstall\internet security add-on
obj[21]=RegValue : software\microsoft\windows\currentversion\uninstall\internet security add-on "DisplayName"
obj[22]=RegValue : software\microsoft\windows\currentversion\uninstall\internet security add-on "UninstallString"
obj[23]=Regkey : software\microsoft\windows\currentversion\uninstall\internet explorer security plugin 2006
obj[24]=RegValue : software\microsoft\windows\currentversion\uninstall\internet explorer security plugin 2006 "DisplayName"
obj[25]=RegValue : software\microsoft\windows\currentversion\uninstall\internet explorer security plugin 2006 "UninstallString"
obj[63]=File : c:\documents and settings\all users\start menu\Security Troubleshooting.url
obj[64]=File : c:\documents and settings\all users\start menu\Online Security Guide.url

WINANTIVIRUSPRO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[5]=Regkey : clsid\{bba0c39a-46d8-436d-bf53-6fb84997bc6e}
obj[6]=Regkey : clsid\{f93c5bff-16f9-4dc5-b78c-ec46f896ee56}
obj[13]=Regkey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f93c5bff-16f9-4dc5-b78c-ec46f896ee56}
obj[26]=Regkey : software\winantivirus pro 2007
obj[27]=RegValue : software\winantivirus pro 2007 "DefaultAction"
obj[28]=RegValue : software\winantivirus pro 2007 "Active"
obj[29]=RegValue : software\winantivirus pro 2007 "BlockDomainOnPopups"
obj[30]=RegValue : software\winantivirus pro 2007 "BlockDomainPopupLimit"
obj[31]=RegValue : software\winantivirus pro 2007 "StartBlockOnTimedPopups"
obj[32]=RegValue : software\winantivirus pro 2007 "TimedPopupLimit"
obj[33]=RegValue : software\winantivirus pro 2007 "NormalizeAddMenuAndToolbar"
obj[34]=RegValue : software\winantivirus pro 2007 "NormalizeFitToDesktop"
obj[35]=RegValue : software\winantivirus pro 2007 "NormalizeAddBorders"
obj[36]=RegValue : software\winantivirus pro 2007 "NormalizeOpenedPopups"
obj[37]=RegValue : software\winantivirus pro 2007 "AllowPopupClickType"
obj[38]=RegValue : software\winantivirus pro 2007 "StoreHistory"
obj[39]=RegValue : software\winantivirus pro 2007 "IEPage"
obj[40]=Regkey : software\microsoft\windows\currentversion\uninstall\install provider
obj[41]=RegValue : software\microsoft\windows\currentversion\uninstall\install provider "DisplayName"
obj[42]=RegValue : software\microsoft\windows\currentversion\uninstall\install provider "UninstallString"
obj[43]=RegValue : software\microsoft\windows\currentversion\uninstall\install provider "Path"
obj[44]=Regkey : system\controlset001\services\vxd
obj[45]=Regkey : system\currentcontrolset\services\vxd
obj[46]=Folder : c:\documents and settings\administrator\application data\WinAntiVirus Pro 2007
obj[47]=Folder : c:\program files\Install Provider
obj[48]=Folder : c:\docume~1\admini~1\locals~1\temp\InstallProvider
obj[49]=Folder : c:\documents and settings\administrator\start menu\programs\Install Provider

SPYDAWN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[10]=Regkey : SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyDawn.exe
obj[11]=RegValue : SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SpyDawn.exe ""
obj[12]=RegValue : Software\Microsoft\Windows\CurrentVersion\Run "SpyDawn"
obj[50]=Regkey : software\microsoft\windows\currentversion\uninstall\spydawn
obj[51]=RegValue : software\microsoft\windows\currentversion\uninstall\spydawn "DisplayName"
obj[52]=RegValue : software\microsoft\windows\currentversion\uninstall\spydawn "UninstallString"
obj[53]=RegValue : software\microsoft\windows\currentversion\uninstall\spydawn "DisplayIcon"
obj[54]=RegValue : software\microsoft\windows\currentversion\uninstall\spydawn "DisplayVersion"
obj[55]=RegValue : software\microsoft\windows\currentversion\uninstall\spydawn "NSIS:StartMenuDir"
obj[56]=RegValue : software\microsoft\windows\currentversion\uninstall\spydawn "URLInfoAbout"
obj[57]=RegValue : software\microsoft\windows\currentversion\uninstall\spydawn "Publisher"
obj[58]=Regkey : software\spydawn
obj[59]=RegValue : software\spydawn "refid"
obj[60]=Folder : c:\documents and settings\administrator\start menu\programs\SpyDawn
obj[61]=Folder : c:\program files\spydawn
obj[62]=File : c:\program files\spydawn\spydawn.exe
obj[65]=File : c:\documents and settings\administrator\start menu\SpyDawn 3.1.lnk
obj[66]=File : c:\documents and settings\administrator\application data\microsoft\internet explorer\quick launch\SpyDawn 3.1.lnk
obj[67]=File : C:\Documents and Settings\Administrator\Start Menu\Programs\SpyDawn\SpyDawn 3.1.lnk
obj[68]=File : C:\Documents and Settings\Administrator\Start Menu\SpyDawn 3.1.lnk

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[14]=IECache Entry : Cookie:administrator@2o7.net/
obj[15]=IECache Entry : Cookie:administrator@ads.addynamix.com/
obj[16]=IECache Entry : Cookie:administrator@advertising.com/

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[69]=File : C:\WINDOWS\prefetch\SPYDAWN.EXE-392875B2.pf

***** Below show what I scanned and quarantined from SPY-Bot 14.

SPYBOT SD.REPORT notepad

--- Search result list ---

--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)

--- Startup entries list ---
Located: HK_LM:Run, !AVG Anti-Spyware
command: "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
file: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6266880
MD5: 01d90ae5dccbce0c7b52874fec35a608

Located: HK_LM:Run, Adobe Photo Downloader
command: "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
file: C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
size: 57344
MD5: 617fa5be646b5e8d6670fd4710acd2d3

Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 53408
MD5: 8c5d5b71e4e8a1fb8f1fa6cc57fe411e

Located: HK_LM:Run, InCD
command: C:\Program Files\Ahead\InCD\InCD.exe
file: C:\Program Files\Ahead\InCD\InCD.exe
size: 1397760
MD5: cf508a3971deceec1ce575dddca4a019

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, RemoteControl
command: "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
file: C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
size: 32768
MD5: 8fb740d758b14b1bc950cc347c21e461

Located: HK_LM:Run, SiS Windows KeyHook
command: C:\WINDOWS\system32\keyhook.exe
file: C:\WINDOWS\system32\keyhook.exe
size: 249856
MD5: a064c7c657538c565484c0f3b5f341ea

Located: HK_LM:Run, SiSUSBRG
command: C:\WINDOWS\SiSUSBrg.exe
file: C:\WINDOWS\SiSUSBrg.exe
size: 106496
MD5: eccdcf23cd86f033274306790a4e23e3

Located: HK_LM:Run, spywarebot
command: C:\Program Files\SpywareBot\SpywareBot.exe -boot
file:

Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\VPTray.exe
file: C:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124656
MD5: ac5c9722233b07c8196f0d5d0fd85c21

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 151364
MD5: f2dab85c5d02399cef730d91485f1e8f

Located: HK_CU:Run, hdlfoe df98ndf
command: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
file: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
size: 10000
MD5: 81199ad74822e26a291d27f96f3fd2fe

Located: HK_CU:Run, MSMSGS
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1694208
MD5: 74e6e96c6f0e2eca4edbb7f7a468f259

Located: HK_CU:Run, PowerBar
command:
file:

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, NavLogon
command: C:\WINDOWS\system32\NavLogon.dll
file: C:\WINDOWS\system32\NavLogon.dll
size: 43760
MD5: 7b5fb0e0a5fbddf32a3a13581e5e50d5

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll

--- Browser helper object list ---
{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} ()
BHO name:
CLSID name:
Path: C:\Program Files\Internet Security\
Long name: isadd.dll
Short name:
Date (created): 2/27/2007 10:45:02 PM
Date (last access): 3/1/2007 4:43:50 AM
Date (last write): 3/1/2007 4:43:50 AM
Filesize: 13312
Attributes: archive
MD5: 436A1C89446A3A718C4D69C9B52BB349
CRC32: 01EAB5CC

{8D5849C4-93F3-429D-FF34-260A2068897C} (C:\WINDOWS\system32\zch29sr.dll)
BHO name:
CLSID name: C:\WINDOWS\system32\zch29sr.dll
Path: C:\WINDOWS\system32\
Long name: zch29sr.dll
Short name:
Date (created): 3/1/2007 3:10:06 AM
Date (last access): 3/1/2007 4:30:44 AM
Date (last write): 3/1/2007 3:10:06 AM
Filesize: 10000
Attributes: archive
MD5: 88AB93B5A0C217ACFA3A0090E9CB4379
CRC32: B1CAD110

--- ActiveX list ---
{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://update.micros...b?1158817124171
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 9/20/2006 8:56:52 AM
Date (last access): 3/1/2007 3:09:40 AM
Date (last write): 5/26/2005 6:19:32 AM
Filesize: 173536
Attributes: archive
MD5: C459F2D5E64C942F3F66E1CD7F1C4C00
CRC32: EEF66B50
Version: 5.8.0.2469

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload.ma...ent/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 11/9/2006 5:46:28 PM
Date (last access): 3/1/2007 2:41:40 AM
Date (last write): 11/9/2006 5:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0

--- Process list ---
PID: 0 ( 0) [System]
PID: 428 ( 4) \SystemRoot\System32\smss.exe
PID: 488 ( 428) \??\C:\WINDOWS\system32\csrss.exe
PID: 512 ( 428) \??\C:\WINDOWS\system32\winlogon.exe
PID: 556 ( 512) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 568 ( 512) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 732 ( 556) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 792 ( 556) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 880 ( 556) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 928 ( 556) C:\Program Files\Ahead\InCD\InCDsrv.exe
size: 871424
MD5: E9372A17C22FC4E5C9FD8798A97775FC
PID: 1092 (1072) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 1168 ( 556) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1232 ( 556) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1404 ( 556) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: 7435B108B935E42EA92CA94F59C8E717
PID: 1776 (1092) C:\Program Files\Internet Security\isamntr.exe
size: 31744
MD5: 2521E09650746ACA54772EF928F828DE
PID: 1808 (1092) C:\Program Files\Internet Security\pmsnrr.exe
size: 32768
MD5: A5FBAFFC5614E313D389448BBB36C382
PID: 1820 (1092) C:\WINDOWS\system32\keyhook.exe
size: 249856
MD5: A064C7C657538C565484C0F3B5F341EA
PID: 1844 (1092) C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
size: 57344
MD5: 617FA5BE646B5E8D6670FD4710ACD2D3
PID: 1856 (1092) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 53408
MD5: 8C5D5B71E4E8A1FB8F1FA6CC57FE411E
PID: 1868 (1092) C:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124656
MD5: AC5C9722233B07C8196F0D5D0FD85C21
PID: 1876 (1092) C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
size: 32768
MD5: 8FB740D758B14B1BC950CC347C21E461
PID: 1884 (1092) C:\Program Files\Ahead\InCD\InCD.exe
size: 1397760
MD5: CF508A3971DECEEC1CE575DDDCA4A019
PID: 1904 (1092) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6266880
MD5: 01D90AE5DCCBCE0C7B52874FEC35A608
PID: 1936 (1808) C:\Program Files\Internet Security\pmmnt.exe
size: 9728
MD5: 9A8A97B5C48421B089DB29240710DEE7
PID: 1984 (1092) C:\WINDOWS\system32\ctfmon.exe
size: 151364
MD5: F2DAB85C5D02399CEF730D91485F1E8F
PID: 2004 (1092) C:\Program Files\Messenger\msmsgs.exe
size: 1694208
MD5: 74E6E96C6F0E2ECA4EDBB7F7A468F259
PID: 2040 (1092) C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
size: 10000
MD5: 81199AD74822E26A291D27F96F3FD2FE
PID: 200 (1776) C:\Program Files\Internet Security\isamini.exe
size: 5632
MD5: B87CCF066C8E2CE25AC7EC929A1F34D2
PID: 272 ( 556) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
size: 204800
MD5: E8FBDCC8D618D1BB84B828F247A6244B
PID: 360 ( 556) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
size: 169632
MD5: 92C27887787E637185FEC2EE43DA390F
PID: 412 ( 556) C:\Program Files\Symantec AntiVirus\DefWatch.exe
size: 31472
MD5: 929F2C62EA350785E3A2F40E97E78863
PID: 848 ( 556) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
size: 322120
MD5: 11F714F85530A2BD134074DC30E99FCA
PID: 1044 ( 556) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
size: 1160848
MD5: C830007369E18A54AED23B5BB3AFA2BA
PID: 1436 ( 556) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1532 ( 556) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
size: 1805552
MD5: 1B0BF2B60E6ED4D22285A1528134B0F2
PID: 1672 ( 556) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
size: 192160
MD5: FF7DAA264887E850ABFDB8167A8685C9
PID: 1724 (1776) C:\Program Files\Internet Security\isamini.exe
size: 5632
MD5: B87CCF066C8E2CE25AC7EC929A1F34D2
PID: 2180 (2144) C:\WINDOWS\system32\cmd.exe
size: 388608
MD5: EEB024F2C81F0D55936FB825D21A91D6
PID: 2240 (2220) C:\WINDOWS\system32\cmd.exe
size: 388608
MD5: EEB024F2C81F0D55936FB825D21A91D6
PID: 2400 (2380) C:\WINDOWS\system32\cmd.exe
size: 388608
MD5: EEB024F2C81F0D55936FB825D21A91D6
PID: 2768 ( 556) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 3124 (1092) C:\WINDOWS\system32\notepad.exe
size: 69120
MD5: 388B8FBC36A8558587AFC90FB23A3B99
PID: 1476 (1776) C:\Program Files\Internet Security\isamini.exe
size: 5632
MD5: B87CCF066C8E2CE25AC7EC929A1F34D2
PID: 968 (1776) C:\Program Files\Internet Security\isamini.exe
size: 5632
MD5: B87CCF066C8E2CE25AC7EC929A1F34D2
PID: 2972 (1092) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 2856 (1776) C:\Program Files\Internet Security\isamini.exe
size: 5632
MD5: B87CCF066C8E2CE25AC7EC929A1F34D2
PID: 3628 ( 880) C:\WINDOWS\system32\wuauclt.exe
size: 111104
MD5: 4126D27CECE4471E00E425411F7306B5
PID: 4 ( 0) System

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/1/2007 5:22:55 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...amp;ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.optonline.net/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft...p...ER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft...p...&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft...amp;ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm

--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B2F72CD-3139-4CF1-BEA9-AFFE12C13A87}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2B2F72CD-3139-4CF1-BEA9-AFFE12C13A87}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{996AAFB9-FEC1-493A-9E11-8243592F09DC}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{996AAFB9-FEC1-493A-9E11-8243592F09DC}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F960F24C-2A90-4CB5-9AE5-1F85BE576AEF}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F960F24C-2A90-4CB5-9AE5-1F85BE576AEF}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CA79E07A-C5C8-4CF5-ADBB-C9AC4C12BD0E}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CA79E07A-C5C8-4CF5-ADBB-C9AC4C12BD0E}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

--- Uninstall list ---
Ad-Aware SE Personal (Ad-Aware SE Personal)
uninstall cmd: C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.de

(AddressBook)

Adobe Download Manager 2.0 (Remove Only) 2.0 (AdobeESD)
uninstall cmd: "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"

(Antispyware Soldier_is1)

AVG Anti-Spyware 7.5 (AVGAntiSpyware75)
install location: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5
uninstall cmd: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
publisher: Grisoft Ltd.
help link: http://www.grisoft.com

(Branding)

(Connection Manager)

(DirectAnimation)

(DirectDrawEx)

(DXM_Runtime)

(Fontcore)

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Program Files\Hijackthis\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

Hijackthis 1.99.1 (Hijackthis_is1)
install location: C:\Program Files\Hijackthis\
uninstall cmd: "C:\Program Files\Hijackthis\unins000.exe"
publisher: Soeperman Enterprises Ltd
help link: http://www.merijn.org

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

InCD 4.3.18.0 (InCD!UninstallKey)
uninstall cmd: C:\WINDOWS\NuNInst.exe /UNINSTALL

(KB884016)

(KB893803)

Security Update for Windows XP (KB913433) (KB913433)
uninstall cmd: C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=913433

LiveUpdate 3.0 (Symantec Corporation) 3.0.0.160 (LiveUpdate)
install location: "C:\Program Files\Symantec\LiveUpdate"
uninstall cmd: "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
publisher: Symantec Corporation

MiraScan (MiraScan)
uninstall cmd: C:\WINDOWS\uninst.exe -fC:\WINDOWS\twain_32\MiraScan\DeIsL1.isu

(MobileOptionPack)

(MPlayer2)

(MSI30-Beta1)

(MSI30-Beta2)

(MSI30-KB884016)

(MSI30-RC1)

(MSI30-RC2)

(MSI30a-KB884016)

(MSI31-Beta)

(MSI31-RC1)

Nero OEM (Nero - Burning Rom!UninstallKey)
uninstall cmd: C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

(NetMeeting)

OLYMPUS CAMEDIA Master 1.2 (OLYMPUS CAMEDIA Master 1.2)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\OLYMPUS\CAMEDIA Master\Uninst.isu"

(OutlookExpress)

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Public Messenger ver 2.03 (Public Messenger ver 2.03)
uninstall cmd: "C:\Program Files\Internet Security\pmunst.exe"

(SchedulingAgent)

(Sevinst)

Shockwave (Shockwave)
uninstall cmd: C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Adobe Flash Player 9 ActiveX 9 (ShockwaveFlash)
uninstall cmd: C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
publisher: Adobe Systems
help link: http://www.adobe.com...player_support/

SiS VGA Utilities (SiS VGA Driver)
uninstall cmd: Rundll32 SiSInst.dll,Uninstall VGA,R

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

(SpywareSheriff_is1)

System Alert Popup (System Alert Popup)
uninstall cmd: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\laf345.tmp /del

The Print Shop Premier Edition 5.0 (The Print Shop Premier Edition 5.0)
uninstall cmd: C:\WINDOWS\uninst.exe -f"C:\The Print Shop Products\The Print Shop Premier Edition 5.0\DeIsL1.isu" -c"C:\The Print Shop Products\The Print Shop Premier Edition 5.0\psfinst.dll"

The Print Shop PressWriter 1.5 (The Print Shop PressWriter 1.5)
uninstall cmd: C:\WINDOWS\uninst.exe -f"C:\The Print Shop Products\The Print Shop PressWriter 1.5\DeIsL1.isu" -c"C:\The Print Shop Products\The Print Shop PressWriter 1.5\psfinst.dll"

(TitanShield Antispyware_is1)

Ulead iPhoto Plus 4.0 (Ulead iPhoto Plus 4.0)
uninstall cmd: C:\WINDOWS\uninst.exe -f"C:\Program Files\Ulead iPhoto Plus 4\DeIsL1.isu"

Windows Genuine Advantage Validation Tool (KB892130) 1.5.0530.0 (WGA)
install date: 20060921
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=892130

Windows Genuine Advantage Notifications (KB905474) 1.5.0540.0 (WgaNotify)
install date: 20060921
publisher: Microsoft Corporation
help link: http://support.micro...com?kbid=905474

WinZip (WinZip)
uninstall cmd: "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

Yahoo! Toolbar (Yahoo! Companion)
uninstall cmd: C:\PROGRA~1\Yahoo!\Common\unyt.exe

Yahoo! Toolbar (Yahoo! Toolbar)

Multimedia Launcher ({1FBF6C24-C1FD-4101-A42B-0C564F9E8E79})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall

WebFldrs XP 9.50.7523 ({350C97B0-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154279267
version (major): 9
version (minor): 50
estimated size: 2472
install date: 20060920
install source: C:\WINDOWS\system32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

Adobe® Photoshop® Album Starter Edition 3.0 3.0.1 ({4BDFD2CE-6329-42E4-9801-9B3D1F10D79B})
version: 50331648
version (major): 3
estimated size: 16725
install date: 20060921
install location: C:\Program Files\Adobe\Photoshop Album Starter Edition\
install source: C:\WINDOWS\Downloaded Installations\{8379D168-79F6-4394-81A2-BB1944E8F892}\
uninstall cmd: MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
publisher: Adobe Systems, Inc.
readme: C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\ReadMe.txt

PowerDVD ({6811CAA0-BF12-11D4-9EA1-0050BAE317E1})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
publisher: CyberLink Corporation
help link: http://support.gocyberlink.com/
help telephone: +886-2-86671298

Symantec AntiVirus 10.1.4000.4 ({78D891EF-9E2D-4FC8-A71F-E6F897BA1B21})
version: 167841696
version (major): 10
version (minor): 1
estimated size: 90183
install date: 20060921
install location: C:\Program Files\Symantec AntiVirus\
install source: D:\SAV\
uninstall cmd: MsiExec.exe /I{78D891EF-9E2D-4FC8-A71F-E6F897BA1B21}
publisher: Symantec Corporation
comments: Thank you for using Symantec security products.
contact: Technical Support
help link: http://www.symantec.com/techsupp
help telephone: 1 (800) 721-3934

Microsoft Office Professional Edition 2003 11.0.5614.0 ({90110409-6000-11D3-8CFE-0150048383C9})
version: 184554990
version (major): 11
estimated size: 653110
install date: 20060920
install location: C:\Program Files\Microsoft Office\
install source: C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\
uninstall cmd: MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/support
readme: C:\Program Files\Microsoft Office\OFFICE11\1033\OFREADME.HTM

Adobe Reader 7.0.8 7.0.8 ({AC76BA86-7AD7-1033-7B44-A70800000002})
version: 117440520
version (major): 7
estimated size: 66675
install date: 20060921
install location: C:\Program Files\Adobe\Acrobat 7.0\Reader\
install source: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig708\ENU_\
uninstall cmd: MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
publisher: Adobe Systems Incorporated
comments:
contact:
help link: http://www.adobe.com/support/main.html
help telephone:
readme: C:\Program Files\Adobe\Acrobat 7.0\Reader\Readme.htm

PowerProducer ({B7A0CE06-068E-11D6-97FD-0050BACBF861})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall

DVD Solution ({B97CF5C3-0487-11D8-A36E-0050BAE317E1})
uninstall cmd: "C:\Program Files\Uninstall_CDS.exe"

Adobe® Photoshop® Album Starter Edition 3.0.1 3.0.1 ({C9618743-1A5C-461E-91C4-E013A3D70F3C})
version: 50331649
install location: C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\Tools
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9618743-1A5C-461E-91C4-E013A3D70F3C}\Setup.exe" -l0x9
publisher: Adobe Systems, Inc.

3.60 ({E06E4F4E-72D6-4497-BFFD-BCB43077C2F4})
version: 54263808
install location: C:\Program Files\SiS VGA Utilities V3.60
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst

--- System Services ---
Service (registry key): Abiosdsk
Start: 4
Type: 1
Error Control: 0

Service (registry key): abp480n5
Start: 4
Type: 1
Error Control: 1

Service (registry key): ACPI
Display name: Microsoft ACPI Driver
Image path: system32\DRIVERS\ACPI.sys
Image size: 187776
Image MD5: A10C7534F7223F4A73A948967D00E69B
Start: 0
Type: 1
Error Control: 1

Service (registry key): ACPIEC
Start: 4
Type: 1
Error Control: 1

Service (registry key): adpu160m
Start: 4
Type: 1
Error Control: 1

Service (registry key): aec
Display name: Microsoft Kernel Acoustic Echo Canceller
Image path: system32\drivers\aec.sys
Image size: 142464
Image MD5: 841F385C6CFAF66B58FBD898722BB4F0
Start: 3
Type: 1
Error Control: 1

Service (registry key): AFD
Display name: AFD
Description: AFD Networking Support Environment
Image path: \SystemRoot\System32\drivers\afd.sys
Start: 1
Type: 1
Error Control: 1

Service (registry key): Aha154x
Start: 4
Type: 1
Error Control: 1

Service (registry key): aic78u2
Start: 4
Type: 1
Error Control: 1

Service (registry key): aic78xx
Start: 4
Type: 1
Error Control: 1

Service (registry key): Alerter
Display name: Alerter
Description: Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\system32\svchost.exe -k LocalService
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Start: 4
Type: 32
Error Control: 1
Depends On services: LanmanWorkstation

Service (registry key): ALG
Display name: Application Layer Gateway Service
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
Object name: NT AUTHORITY\LocalService
Image path: %SystemRoot%\System32\alg.exe
Image size: 44544
Image MD5: F1958FBF86D5C004CF19A5951A9514B7
Start: 3
Type: 16
Error Control: 1

Service (registry key): AliIde
Start: 4
Type: 1
Error Control: 1

Service (registry key): amsint
Start: 4
Type: 1
Error Control: 1

Service (registry key): AppMgmt
Display name: Application Management
Description: Provides software installation services such as Assign, Publish, and Remove.
Object name: LocalSystem
Image path: %SystemRoot%\system32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Start: 3
Type: 32
Error Control: 1

Service (registry key): asc
Start: 4
Type: 1
Error Control: 1

Service (registry key): asc3350p
Start: 4
Type: 1
Error Control: 1

Service (registry key): asc3550
Start: 4
Type: 1
Error Control: 1

Service (registry key): AsyncMac
Display name: RAS Asynchronous Media Driver
Description: RAS Asynchronous Media Driver
Image path: system32\DRIVERS\asyncmac.sys
Image size: 14336
Image MD5: 02000ABF34AF4C218C35D257024807D6
Start: 3
Type: 1
Error Control: 1

Service (registry key): atapi
Display name: Standard IDE/ESDI Hard Disk Controller
Image path: system32\DRIVERS\atapi.sys
Image size: 95360
Image MD5: CDFE4411A69C224BD1D11B2DA92DAC51
Start: 0
Type: 1
Error Control: 1

Service (registry key): Atdisk
Start: 4
Type: 1
Error Control: 0

Service (registry key): Atmarpc
Display name: ATM ARP Client Protocol
Description: ATM ARP Client Protocol
Image path: system32\DRIVERS\atmarpc.sys
Image size: 59904
Image MD5: EC88DA854AB7D7752EC8BE11A741BB7F
Start: 3
Type: 1
Error Control: 1
Depends On services: Tcpip

Service (registry key): AudioSrv
Display name: Windows Audio
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Object name: LocalSystem
Image path: %SystemRoot%\System32\svchost.exe -k netsvcs
Image size: 14336
Image MD5: 8F078AE4ED187AAABC0A305146DE6716
Start: 2
Type: 32
Error Control: 1
Depends On services: PlugPlay,RpcSs

Service (registry key): audstub
Display name: Audio Stub Driver
Image path: system32\DRIVERS\audstub.sys
Image size: 3072
Image MD5: D9F724AA26C010A217C97606B160ED68
Start: 3
Type: 1
Error Control: 1

Service (registry key): AVG Anti-Spyware Driver
Display name: AVG Anti-Spyware Driver
Image path: \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Image size: 4096
Image MD5: 7D78B7FD0EBE00F177B053A08C78E35B
Start: 1
Type: 1
Error Control: 1

Service (registry key): AVG Anti-Spyware Guard
Display name: AVG Anti-Spyware Guard

#4 Crustyoldbloke

Group: Retired Staff
Posts: 15,130
Joined: 20-March 05

Posted 28 February 2007 - 06:41 PM

Hello again Melissa

All of our cases are dealt with openly within the forum. This enables people in training to view what is happening, it also helps people like you suffering whatever the chance to view a solution.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post as quickly as you’d like; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have a Puper infection. Let’s see what we can do.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

A. Please download open AVG Anti Spyware[/color][/url]

Load AVGas/Ewido and then click the Update tab at the top. Under Manual Update click Start update.
After the update finishes (the status bar at the bottom will display "Update successful")
Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
- Close AVGas/Ewido. Do not run it yet.

B. Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

C. Open the SmitfraudFix Folder, (right click and choose Extract All) then double-click smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

D. Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

E. Close ALL open Windows / Programmes / Folders.

In Safe Mode, load AVGas/Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
AVGas/Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).

Close AVGas/Ewido and Reboot in Normal Mode.
______________________________

F. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

G. Please post:

c:\rapport.txt
AVGas/Ewido log
A new HijackThis log (from normal mode).

You may need more than one reply to post the requested logs, otherwise they might get cut off.

#5 Crustyoldbloke

Group: Retired Staff
Posts: 15,130
Joined: 20-March 05

Posted 11 March 2007 - 03:43 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Back to Virus, Spyware, Malware Removal

Share this topic:

Page 1 of 1

Please log in to reply

System Alert, Critical System Warning, Virus, Trojan - Geeks to Go Forums